@ -122,7 +122,7 @@ groups:
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c permissions=%a
find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c permissions=%a
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
use_multiple_values: true
tests:
test_items:
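Review bot: The `2> /dev/null` added to the second find line suppresses every find error, not just the absent-directory case it presumably targets, so an audit that cannot read /var/lib/cni/networks (permission denied, unmounted path) now yields the same empty output as a host that genuinely has no CNI network files; with `use_multiple_values: true` the test_items that follow (outside this view) will likely see nothing to evaluate rather than a failed audit. If the intent is only to tolerate a missing directory, guard on its existence and keep stderr visible, e.g. `[ -d /var/lib/cni/networks ] && find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c permissions=%a`. The same applies to the ownership check in the hunk at -140,7 (`stat -c %U:%G`). Neither hunk shows the test_items body, so how an empty audit result is scored cannot be confirmed here.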
@ -140,7 +140,7 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c %U:%G
find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c %U:%G
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true
tests:
test_items: