From 037bb147298548ce58f723431befc14982ebf0e3 Mon Sep 17 00:00:00 2001
From: LukasAuerbeck <lauerbeck@gmx.at>
Date: Wed, 22 Jan 2020 15:40:01 +0100
Subject: [PATCH] added 444, 440, 400 and 000 file permission checks for all
 benchmarks (#563)

Co-authored-by: Liz Rice <liz@lizrice.com>
---
 cfg/cis-1.3/master.yaml | 140 +++++++++++++++++++++++++++++++++++
 cfg/cis-1.3/node.yaml   | 104 +++++++++++++++++++++++---
 cfg/cis-1.4/master.yaml | 160 ++++++++++++++++++++++++++++++++++++++++
 cfg/cis-1.4/node.yaml   | 104 +++++++++++++++++++++++---
 cfg/cis-1.5/master.yaml | 140 +++++++++++++++++++++++++++++++++++
 cfg/cis-1.5/node.yaml   |  98 +++++++++++++++++++++---
 cfg/rh-0.7/master.yaml  |  80 ++++++++++++++++++++
 cfg/rh-0.7/node.yaml    |  80 ++++++++++++++++++++
 8 files changed, 873 insertions(+), 33 deletions(-)

diff --git a/cfg/cis-1.3/master.yaml b/cfg/cis-1.3/master.yaml
index 45f64b4..b17e5c3 100644
--- a/cfg/cis-1.3/master.yaml
+++ b/cfg/cis-1.3/master.yaml
@@ -857,6 +857,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
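Review bot: The added `"444"` and `"440"` entries are only "more restrictive" relative to a 644 baseline; compared with 600 they add group and world read, so in a check whose requirement is 600 (private key or credential files, for instance) they would turn a world-readable file into a pass. Only the `"600"` entry is visible as context above the additions and the `test_items` list starts outside the hunk, so the baseline of this check cannot be confirmed from the diff. The same applies to every other master.yaml hunk in cis-1.3, cis-1.4, cis-1.5 and rh-0.7. Each modified check should be verified against its benchmark text, with the baseline recorded next to the list, e.g. `# baseline 644: every accepted mode is a subset of rw-r--r--`.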
@@ -902,6 +922,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -947,6 +987,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -992,6 +1052,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -1094,6 +1174,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -1138,6 +1238,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the
           master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
@@ -1180,6 +1300,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the
           master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
diff --git a/cfg/cis-1.3/node.yaml b/cfg/cis-1.3/node.yaml
index 813e86f..4928416 100644
--- a/cfg/cis-1.3/node.yaml
+++ b/cfg/cis-1.3/node.yaml
@@ -362,20 +362,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the below command (based on the file location on your system) on the each worker
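Review bot: Enumerating accepted modes one at a time with `op: eq` is still incomplete: modes such as `604`, `404` or `200` grant no bit beyond 644 yet would still be reported as failures, assuming the audit output is the plain octal mode string (the audit command is outside the hunk). If the test engine offers a mask-style comparison, a single item against `644` would cover every subset and replace the seven near-identical entries repeated in all node.yaml and master.yaml hunks of this patch. Otherwise a comment such as `# accepted modes are enumerated; other subsets of 644 still fail` above `test_items` would set expectations for operators. Moving `set: true` below `compare` in the three existing entries changes nothing functionally, since mapping key order carries no meaning, and would be easier to review as a separate commit.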
@@ -405,20 +425,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the below command (based on the file location on your system) on the each worker
@@ -445,20 +485,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the below command (based on the file location on your system) on the each worker
@@ -520,20 +580,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the following command (using the config file location identied in the Audit step)
diff --git a/cfg/cis-1.4/master.yaml b/cfg/cis-1.4/master.yaml
index c206623..fff55a8 100644
--- a/cfg/cis-1.4/master.yaml
+++ b/cfg/cis-1.4/master.yaml
@@ -859,6 +859,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -904,6 +924,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -949,6 +989,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -994,6 +1054,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -1096,6 +1176,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -1140,6 +1240,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the
           master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
@@ -1182,6 +1302,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the
           master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
@@ -1241,6 +1381,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           [Manual test]
           Run the below command (based on the file location on your system) on the master node.
diff --git a/cfg/cis-1.4/node.yaml b/cfg/cis-1.4/node.yaml
index f600a99..ed7ac42 100644
--- a/cfg/cis-1.4/node.yaml
+++ b/cfg/cis-1.4/node.yaml
@@ -345,20 +345,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the below command (based on the file location on your system) on the each worker
@@ -388,20 +408,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the below command (based on the file location on your system) on the each worker
@@ -428,20 +468,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the below command (based on the file location on your system) on the each worker
@@ -521,20 +581,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the following command (using the config file location identied in the Audit step)
diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml
index 7207685..28e31ab 100644
--- a/cfg/cis-1.5/master.yaml
+++ b/cfg/cis-1.5/master.yaml
@@ -29,6 +29,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the
           master node.
@@ -72,6 +92,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -115,6 +155,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -158,6 +218,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -253,6 +333,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -296,6 +396,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -339,6 +459,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml
index e6cb34b..fc42b1f 100644
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
@@ -14,20 +14,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the below command (based on the file location on your system) on the each worker node.
@@ -54,20 +74,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the below command (based on the file location on your system) on the each worker node.
@@ -93,20 +133,40 @@ groups:
         tests:
           test_items:
             - flag: "644"
-              set: true
               compare:
                 op: eq
                 value: "644"
-            - flag: "640"
               set: true
+            - flag: "640"
               compare:
                 op: eq
                 value: "640"
-            - flag: "600"
               set: true
+            - flag: "600"
               compare:
                 op: eq
                 value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the below command (based on the file location on your system) on the each worker node.
@@ -173,6 +233,26 @@ groups:
               compare:
                 op: eq
                 value: "600"
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
           bin_op: or
         remediation: |
           Run the following command (using the config file location identied in the Audit step)
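Review bot: The new `flag: "000"` item, like the other three-digit flags, may pass more than intended if `flag` is matched as a substring of the audit output. The audit command and the matching logic are outside this hunk, so this needs confirming. `stat` prints four octal digits when a setuid, setgid or sticky bit is set, so output such as `1000` or `4644` would contain a listed flag. A test case with a four-digit mode would show whether the check rejects it.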
diff --git a/cfg/rh-0.7/master.yaml b/cfg/rh-0.7/master.yaml
index 2169685..d7c98e7 100644
--- a/cfg/rh-0.7/master.yaml
+++ b/cfg/rh-0.7/master.yaml
@@ -962,6 +962,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command.
 
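Review bot: No `bin_op` is visible around `test_items` in this hunk, whereas the cis-1.5/node.yaml hunks show `bin_op: or` directly after the list. If this check's `tests` block does not set `bin_op: or` above the visible context, the seven items would presumably all have to match and the check could never pass. That is worth confirming for this hunk and for the other rh-0.7 hunks in master.yaml and node.yaml. The check's definition starts outside the hunk.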
@@ -1039,6 +1059,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command.
 
@@ -1082,6 +1122,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command.
 
@@ -1125,6 +1185,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command.
 
diff --git a/cfg/rh-0.7/node.yaml b/cfg/rh-0.7/node.yaml
index 9e0f0f4..23d116f 100644
--- a/cfg/rh-0.7/node.yaml
+++ b/cfg/rh-0.7/node.yaml
@@ -232,6 +232,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command on each worker node.
           chmod 644 /etc/origin/node/node.kubeconfig
@@ -273,6 +293,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command on each worker node.
           chmod 644 $nodesvc
@@ -314,6 +354,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command on each worker node.
           chmod 644 /etc/origin/node/node.kubeconfig
@@ -355,6 +415,26 @@ groups:
                 op: eq
                 value: "600"
               set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
         remediation: |
           Run the below command on each worker node.
           chmod 644 /etc/origin/node/client-ca.crt
-- 
GitLab