
Issue 867: Updating CIS 1.1.9 and 1.1.10 (#877)

Mitigating the "No such file or directory" error related to the CNI config directory

Signed-off by: Dave Hay <david_hay@uk.ibm.com>
This commit is contained in:
Dave Hay 2021-05-23 09:46:36 +01:00 committed by GitHub
parent 62d9045ec6
commit fb92680702
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -122,7 +122,7 @@ groups:
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)" text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
audit: | audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c permissions=%a ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c permissions=%a
find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c permissions=%a find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
use_multiple_values: true use_multiple_values: true
tests: tests:
test_items: test_items:
@ -140,7 +140,7 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
audit: | audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c %U:%G ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c %U:%G
find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c %U:%G find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true use_multiple_values: true
tests: tests:
test_items: test_items:
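Review bot: The first audit line in both hunks (the `ps -ef | grep $kubeletbin ... | xargs -I{} find {} -mindepth 1 | xargs stat ...` pipeline) is left untouched, so when the resolved `--cni-conf-dir` does not exist, `find` still writes "No such file or directory" to stderr and `stat` is then invoked with no operand and errors as well — the same noise this commit silences only on the `/var/lib/cni/networks` line. Applying the same treatment there would make the two lines consistent: `... | xargs -I{} find {} -mindepth 1 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a` in the first hunk and the `%U:%G` equivalent in the second. Discarding stderr also means a missing CNI directory now yields an empty audit result instead of an error, so it is worth confirming that the `test_items` (which continue below each hunk) treat empty output as a warn rather than a silent pass, since an absent config directory is itself worth surfacing to the operator. The enclosing check definitions begin above and end below each hunk.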