diff --git a/cfg/rke-cis-1.23/master.yaml b/cfg/rke-cis-1.23/master.yaml index ae67774d8..3a818d901 100644 --- a/cfg/rke-cis-1.23/master.yaml +++ b/cfg/rke-cis-1.23/master.yaml @@ -152,7 +152,7 @@ groups: - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: stat -c %a /node/var/lib/etcd + audit: stat -c %a /var/lib/etcd tests: test_items: - flag: "700" @@ -959,15 +959,11 @@ groups: text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: - bin_op: or test_items: - flag: "--bind-address" compare: op: eq value: "127.0.0.1" - set: true - - flag: "--bind-address" - set: false remediation: | Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and ensure the correct value for the --bind-address parameter @@ -996,15 +992,11 @@ groups: text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" tests: - bin_op: or test_items: - flag: "--bind-address" compare: op: eq value: "127.0.0.1" - set: true - - flag: "--bind-address" - set: false remediation: | Edit the Scheduler pod specification file $schedulerconf on the control plane node and ensure the correct value for the --bind-address parameter diff --git a/cfg/rke-cis-1.24/master.yaml b/cfg/rke-cis-1.24/master.yaml index 2b2ee61a3..403118d98 100644 --- a/cfg/rke-cis-1.24/master.yaml +++ b/cfg/rke-cis-1.24/master.yaml @@ -155,7 +155,7 @@ groups: - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: stat -c %a /node/var/lib/etcd + audit: stat -c %a /var/lib/etcd tests: test_items: - flag: "700" 
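Review bot: The `+ audit: stat -c %a /var/lib/etcd` line now hard-codes a host path and silently assumes the scanner sees the host filesystem at `/`; the `/node/` prefix it drops is presumably the bind-mount used when kube-bench runs inside a container with the host root mounted, so the profile should state which run mode it targets, and the same hunk recurs for rke-cis-1.24 and rke-cis-1.7. If any sibling check in these files still references `/node/var/lib/etcd` (the ownership check on the same directory, for instance) the two will disagree on the same run, which is worth a grep before merge. Hard-coding the directory also means a cluster whose etcd `--data-dir` was relocated is checked against the wrong path; `stat` on a missing path writes nothing to stdout, so the check fails closed rather than passing, which is the safer failure but still a false finding. The generic CIS profiles resolve the directory from the running etcd process's `--data-dir` and fall back to a config variable, and the same approach would remove the path assumption here if the RKE config defines the needed `$etcdbin`-style variables; confirm against the profile's config.yaml.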
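Review bot: Dropping the `bin_op: or` / `set: false` branch from the `--bind-address` check is the right call, since an absent flag does not mean loopback: kube-controller-manager and kube-scheduler default `--bind-address` to 0.0.0.0 as far as I recall, so the old test passed a control plane exposing its metrics and healthz endpoints on every interface. The remaining item in this hunk carries no `set:` at all, while the matching hunk in rke-cis-1.24 keeps `set: true` and the one in rke-cis-1.7 adds it; kube-bench treats a missing `set` as true, so behaviour is the same, but keeping an explicit `set: true` under `value: "127.0.0.1"` in all three profiles makes the intent readable without knowing that default. The scheduler hunk at `@@ -996` in this file has the same shape and the same remark applies.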
@@ -962,15 +962,12 @@ groups: text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: - bin_op: or test_items: - flag: "--bind-address" compare: op: eq value: "127.0.0.1" set: true - - flag: "--bind-address" - set: false remediation: | Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and ensure the correct value for the --bind-address parameter @@ -999,15 +996,12 @@ groups: text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" tests: - bin_op: or test_items: - flag: "--bind-address" compare: op: eq value: "127.0.0.1" set: true - - flag: "--bind-address" - set: false remediation: | Edit the Scheduler pod specification file $schedulerconf on the control plane node and ensure the correct value for the --bind-address parameter diff --git a/cfg/rke-cis-1.24/node.yaml b/cfg/rke-cis-1.24/node.yaml index 90a173866..941735bc1 100644 --- a/cfg/rke-cis-1.24/node.yaml +++ b/cfg/rke-cis-1.24/node.yaml @@ -319,7 +319,7 @@ groups: # This is one of those properties that can only be set as a command line argument. # To check if the property is set as expected, we need to parse the kubelet command # instead reading the Kubelet Configuration file. - type: "manual" + type: "skip" audit: "/bin/ps -fC $kubeletbin " tests: test_items: @@ -410,7 +410,7 @@ groups: - id: 4.2.12 text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)" - type: "manual" + type: "skip" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " tests: diff --git a/cfg/rke-cis-1.7/master.yaml b/cfg/rke-cis-1.7/master.yaml index d988674ef..b8a4f02db 100644 --- a/cfg/rke-cis-1.7/master.yaml +++ b/cfg/rke-cis-1.7/master.yaml 
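Review bot: Changing `type: "manual"` to `type: "skip"` on the line after the three-line comment removes this control from the findings instead of surfacing it, yet the comment directly above says the property can be verified by parsing the kubelet command line, and the `audit: "/bin/ps -fC $kubeletbin "` line already performs that parse. kube-bench, as far as I recall, reports a skipped check as INFO rather than the WARN a manual check gets, so a kubelet missing this setting no longer shows up in the RKE profile's output. Unless RKE is known to always set the property, keeping it manual or making it automated against the existing audit output is the safer direction; if skipping is intentional, a one-line reason above the `type:` line, e.g. `# Skipped: RKE manages this kubelet flag itself; see <justification>`, would stop the next reader from re-enabling it. The same applies to the `4.2.12` RotateKubeletServerCertificate hunk in this file, which has no explanatory comment at all.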
@@ -171,7 +171,7 @@ groups: - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: stat -c %a /node/var/lib/etcd + audit: stat -c %a /var/lib/etcd tests: test_items: - flag: "700" @@ -949,14 +949,12 @@ groups: text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: - bin_op: or test_items: - flag: "--bind-address" compare: op: eq value: "127.0.0.1" - - flag: "--bind-address" - set: false + set: true remediation: | Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and ensure the correct value for the --bind-address parameter @@ -984,14 +982,12 @@ groups: text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" tests: - bin_op: or test_items: - flag: "--bind-address" compare: op: eq value: "127.0.0.1" - - flag: "--bind-address" - set: false + set: true remediation: | Edit the Scheduler pod specification file $schedulerconf on the control plane node and ensure the correct value for the --bind-address parameter diff --git a/cfg/rke-cis-1.7/node.yaml b/cfg/rke-cis-1.7/node.yaml index ad04fe238..f10882adc 100644 --- a/cfg/rke-cis-1.7/node.yaml +++ b/cfg/rke-cis-1.7/node.yaml @@ -322,6 +322,7 @@ groups: - id: 4.2.8 text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)" + type: "skip" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " tests: @@ -426,6 +427,7 @@ groups: - id: 4.2.12 text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)" + type: "skip" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " tests:
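Review bot: The added `type: "skip"` on 4.2.12 silences an Automated control, the kubelet TLS cipher-suite check, with no comment saying why RKE should be exempt. A skipped check is reported as INFO rather than FAIL (as far as I recall from kube-bench's check handling), so a kubelet accepting weak cipher suites would pass the RKE profile cleanly while still failing the generic CIS profile. If RKE pins `--tls-cipher-suites` / `tlsCipherSuites` itself, record that above the `type:` line, e.g. `# Skipped: RKE configures tlsCipherSuites for the kubelet; verified against <RKE version>`; if it does not, the check should stay Automated, since the `audit` and `audit_config` lines already collect the data it needs. The 4.2.8 eventRecordQPS hunk above is lower risk but deserves the same one-line justification.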