
Commit

Rancher checks correction (aquasecurity#1563)
1. Modified the test criteria so that they produce the right output when the file does not exist.
2. Modified the tests wherever root:root is checked multiple times.
KiranBodipi authored Feb 12, 2024
1 parent faeceb5 commit 2374e7b
Showing 9 changed files with 6 additions and 30 deletions.
3 changes: 0 additions & 3 deletions cfg/k3s-cis-1.23/node.yaml
@@ -149,9 +149,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
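Review bot: Dropping the `compare: op: eq` block leaves `- flag: root:root` as a bare substring match on the audit output; that is equivalent here only because `stat -c %U:%G` prints nothing but the owner and group, so please confirm the audit line for this item (outside the hunk) is still that exact form. Also, the commit message says the checks now handle a missing file, but this hunk adds no `test -e` guard or `File not found` flag the way cfg/rke-cis-1.24/node.yaml does; if k3s nodes can legitimately lack this CA file, the same treatment is needed here.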
3 changes: 0 additions & 3 deletions cfg/k3s-cis-1.24/node.yaml
@@ -118,9 +118,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
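Review bot: Same change as cfg/k3s-cis-1.23/node.yaml, and the same two points apply: the bare `flag: root:root` relies on the audit printing only `%U:%G`, and no file-existence handling is added in this file even though the commit message describes it as part of this change.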
3 changes: 0 additions & 3 deletions cfg/k3s-cis-1.7/node.yaml
@@ -114,9 +114,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
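Review bot: Identical to the k3s-cis-1.23 and 1.24 hunks; the three removed lines were redundant with the flag match, so the simplification is fine, but this is a third benchmark version for k3s that does not receive the missing-file handling given to rke-cis-1.24. Consider applying one consistent pattern across all the k3s, rke and rke2 configs in this commit rather than only one file.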
3 changes: 0 additions & 3 deletions cfg/rke-cis-1.23/node.yaml
@@ -111,9 +111,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
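Review bot: This rke-cis-1.23 hunk only removes the duplicate `compare` block, while the sibling cfg/rke-cis-1.24/node.yaml in the same commit also rewrites the `audit` to guard on file existence. If the CA file can be absent on RKE 1.23 nodes as well, this check will still fail with a stat error rather than the intended "right output" from the commit message; please either add the guard here too or state in the commit message that only 1.24 is covered.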
12 changes: 6 additions & 6 deletions cfg/rke-cis-1.24/node.yaml
@@ -94,27 +94,27 @@ groups:

- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"
audit: "stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem"
audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
- flag: "File not found"
remediation: |
Run the following command to modify the file permissions of the
--client-ca-file chmod 600 <filename>
scored: true

- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem"
audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
compare:
op: eq
value: root:root
- flag: "File not found"
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
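Review bot: With `bin_op: or` and the new `- flag: "File not found"` item, a missing /node/etc/kubernetes/ssl/kube-ca.pem is now reported as a pass for both 4.1.7 and 4.1.8, but neither the check text nor the `remediation` says so; an operator who expected the CA file to be present would read PASS where the file is simply gone. Suggest noting in the remediation (or the check text) that the control applies only when the file exists. Two smaller points on the new `audit` lines: the YAML string is single-quoted, so the `\"` sequences reach the shell literally and the echoed output is `"File not found"` including the quote characters, which the bare flag match tolerates but a later `compare: op: eq` would not; and the 4.1.7 remediation still runs `chmod 600 <filename>` onto the same line as `--client-ca-file`, which this hunk touches but does not fix.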
3 changes: 0 additions & 3 deletions cfg/rke-cis-1.7/node.yaml
@@ -116,9 +116,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
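Review bot: As with rke-cis-1.23, this hunk only drops the redundant `compare` on `root:root` and does not add the existence guard that rke-cis-1.24 received; the result is that RKE 1.7 and 1.23 behave differently from 1.24 on a node without kube-ca.pem. Align the three RKE configs or document why 1.24 alone needs the guard.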
3 changes: 0 additions & 3 deletions cfg/rke2-cis-1.23/node.yaml
@@ -119,9 +119,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
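Review bot: Same removal of the duplicate `compare` block for rke2-cis-1.23; correct on its own, but for the `flag: root:root` substring match to remain an exact ownership test the corresponding `audit` must stay a plain `stat -c %U:%G`, so please double-check that line, which is not in the hunk. The missing-file handling from rke-cis-1.24 is again absent here.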
3 changes: 0 additions & 3 deletions cfg/rke2-cis-1.24/node.yaml
@@ -119,9 +119,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
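Review bot: This is the rke2-cis-1.24 counterpart of the rke-cis-1.24 change, yet only the `compare` lines are removed; the `test -e` guard, `bin_op: or` and `File not found` flag added for rke-cis-1.24 are not mirrored here. If RKE2 1.24 nodes can lack the CA file, this check will still error on a missing path.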
3 changes: 0 additions & 3 deletions cfg/rke2-cis-1.7/node.yaml
@@ -120,9 +120,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
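Review bot: Last of the eight identical `compare` removals (rke2-cis-1.7); the change itself is a harmless deduplication. Taken together, though, only one of the nine files in this commit actually gains the missing-file handling the commit message leads with, so the message overstates the scope; either extend the guard to the other files or narrow the description to rke-cis-1.24.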

0 comments on commit 2374e7b
