Commit

added 444, 440, 400 and 000 file permission checks for all benchmarks (
…#563)

Co-authored-by: Liz Rice <liz@lizrice.com>
LukasAuerbeck and lizrice committed Jan 22, 2020
1 parent 89f8e45 commit 037bb14
Showing 8 changed files with 873 additions and 33 deletions.
140 changes: 140 additions & 0 deletions cfg/cis-1.3/master.yaml
Expand Up @@ -857,6 +857,26 @@ groups:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
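Review bot: matching the mode with `op: eq` against a list of literal values is brittle. With the four items added after the `600` entry, seven modes are accepted, but any other mode that is no more permissive than 644 (604 or 200, for example) still fails the check. Consider expressing the rule once, as "no permission bits beyond 644", instead of enumerating modes, so the list does not need another commit the next time someone uses a stricter mode that is not on it.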
Expand Down Expand Up @@ -902,6 +922,26 @@ groups:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
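Review bot: the four items added after the `600` entry here are identical to the block added in the previous hunk, and the same block is repeated in every hunk of this file. Copies of an accepted-modes list drift apart over time, and a check that silently lacks one mode is hard to spot in review. A single shared definition (a YAML anchor and alias, or one list the checks reference) would keep the accepted set consistent across checks.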
Expand Down Expand Up @@ -947,6 +987,26 @@ groups:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
Expand Down Expand Up @@ -992,6 +1052,26 @@ groups:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
Expand Down Expand Up @@ -1094,6 +1174,26 @@ groups:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
Expand Down Expand Up @@ -1138,6 +1238,26 @@ groups:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
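Review bot: the remediation text in the trailing context still says only `chmod 644 /etc/kubernetes/scheduler.conf`, while the test above it now passes for modes down to `000`. The wording should say "644 or more restrictive" so that an operator reading a report does not loosen a file that is already at 600 or 400 to match the example.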
Expand Down Expand Up @@ -1180,6 +1300,26 @@ groups:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
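Review bot: the `"000"` item added at the end of this list may never match, depending on how the audit prints the mode. The audit command is outside this hunk; if it uses `stat -c %a`, a file with mode 000 is reported as `0` rather than `000`, so an equality test against value "000" fails. Please confirm what the audit prints for a mode-000 file and add a test case that covers it.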
104 changes: 92 additions & 12 deletions cfg/cis-1.3/node.yaml
Expand Up @@ -362,20 +362,40 @@ groups:
tests:
test_items:
- flag: "644"
set: true
compare:
op: eq
value: "644"
- flag: "640"
set: true
- flag: "640"
compare:
op: eq
value: "640"
- flag: "600"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: |
Run the below command (based on the file location on your system) on the each worker
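Review bot: the existing `644`, `640` and `600` items are rewritten in this hunk only to move `set: true` from before `compare` to after it, which is a formatting change mixed into a functional one. The hunk header (20 lines before, 40 after) and the file's 12 deletions across four hunks come from that reordering, and it makes the real addition harder to see. Either leave the existing items untouched and append the four new ones before `bin_op: or`, or put the key reordering in its own commit.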
Expand Down Expand Up @@ -405,20 +425,40 @@ groups:
tests:
test_items:
- flag: "644"
set: true
compare:
op: eq
value: "644"
- flag: "640"
set: true
- flag: "640"
compare:
op: eq
value: "640"
- flag: "600"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: |
Run the below command (based on the file location on your system) on the each worker
Expand All @@ -445,20 +485,40 @@ groups:
tests:
test_items:
- flag: "644"
set: true
compare:
op: eq
value: "644"
- flag: "640"
set: true
- flag: "640"
compare:
op: eq
value: "640"
- flag: "600"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: |
Run the below command (based on the file location on your system) on the each worker
Expand Down Expand Up @@ -520,20 +580,40 @@ groups:
tests:
test_items:
- flag: "644"
set: true
compare:
op: eq
value: "644"
- flag: "640"
set: true
- flag: "640"
compare:
op: eq
value: "640"
- flag: "600"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: |
Run the following command (using the config file location identied in the Audit step)
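Review bot: the remediation line in the trailing context of this hunk reads "identied in the Audit step"; since this check is being edited anyway, correct it to "identified". This text is what operators see in the report output, so the typo is user-visible.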