diff --git a/cfg/1.11/master.yaml b/cfg/1.11/master.yaml
index 02ebd471fc76fdcbe2ef36dc6d2b204c67136ccc..bb0cd286542b26868cd87c259289802d3e155a00 100644
--- a/cfg/1.11/master.yaml
+++ b/cfg/1.11/master.yaml
@@ -10,7 +10,7 @@ groups:
checks:
- id: 1.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--anonymous-auth"
@@ -26,7 +26,7 @@ groups:
- id: 1.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--basic-auth-file"
@@ -40,7 +40,7 @@ groups:
- id: 1.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-allow-any-token"
@@ -53,7 +53,7 @@ groups:
- id: 1.1.4
text: "Ensure that the --kubelet-https argument is set to true (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -71,7 +71,7 @@ groups:
- id: 1.1.5
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-bind-address"
@@ -84,7 +84,7 @@ groups:
- id: 1.1.6
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-port"
@@ -100,7 +100,7 @@ groups:
- id: 1.1.7
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -119,7 +119,7 @@ groups:
- id: 1.1.8
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -135,7 +135,7 @@ groups:
- id: 1.1.9
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--repair-malformed-updates"
@@ -151,7 +151,7 @@ groups:
- id: 1.1.10
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -170,7 +170,7 @@ groups:
- id: 1.1.11
text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -187,7 +187,7 @@ groups:
- id: 1.1.12
text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -204,7 +204,7 @@ groups:
- id: 1.1.13
text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -221,7 +221,7 @@ groups:
- id: 1.1.14
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -241,7 +241,7 @@ groups:
- id: 1.1.15
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-path"
@@ -255,7 +255,7 @@ groups:
- id: 1.1.16
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxage"
@@ -271,7 +271,7 @@ groups:
- id: 1.1.17
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxbackup"
@@ -288,7 +288,7 @@ groups:
- id: 1.1.18
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxsize"
@@ -305,7 +305,7 @@ groups:
- id: 1.1.19
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
@@ -322,7 +322,7 @@ groups:
- id: 1.1.20
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--token-auth-file"
@@ -336,7 +336,7 @@ groups:
- id: 1.1.21
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--kubelet-certificate-authority"
@@ -351,7 +351,7 @@ groups:
- id: 1.1.22
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -370,7 +370,7 @@ groups:
- id: 1.1.23
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-lookup"
@@ -386,7 +386,7 @@ groups:
- id: 1.1.24
text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -405,7 +405,7 @@ groups:
- id: 1.1.25
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-key-file"
@@ -420,7 +420,7 @@ groups:
- id: 1.1.26
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -439,7 +439,7 @@ groups:
- id: 1.1.27
text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -461,7 +461,7 @@ groups:
- id: 1.1.28
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -480,7 +480,7 @@ groups:
- id: 1.1.29
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--client-ca-file"
@@ -494,7 +494,7 @@ groups:
- id: 1.1.30
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--tls-cipher-suites"
@@ -510,7 +510,7 @@ groups:
- id: 1.1.31
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--etcd-cafile"
@@ -525,7 +525,7 @@ groups:
- id: 1.1.32
text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
@@ -542,7 +542,7 @@ groups:
- id: 1.1.33
text: "Ensure that the admission control plugin NodeRestriction is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -561,7 +561,7 @@ groups:
- id: 1.1.34
text: "Ensure that the --experimental-encryption-provider-config argument is
set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--experimental-encryption-provider-config"
@@ -576,7 +576,7 @@ groups:
- id: 1.1.35
text: "Ensure that the encryption provider is set to aescbc (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
[Manual test]
@@ -597,7 +597,7 @@ groups:
- id: 1.1.36
text: "Ensure that the admission control plugin EventRateLimit is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -615,7 +615,7 @@ groups:
- id: 1.1.37a
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -635,7 +635,7 @@ groups:
- id: 1.1.37b
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-policy-file"
@@ -652,7 +652,7 @@ groups:
- id: 1.1.38
text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -668,7 +668,7 @@ groups:
- id: 1.1.39
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers ( Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--tls-cipher-suites"
@@ -687,7 +687,7 @@ groups:
checks:
- id: 1.2.1
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $schedulerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -703,7 +703,7 @@ groups:
- id: 1.2.2
text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
- audit: "ps -ef | grep $schedulerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -725,7 +725,7 @@ groups:
checks:
- id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--terminated-pod-gc-threshold"
@@ -738,7 +738,7 @@ groups:
- id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -754,7 +754,7 @@ groups:
- id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--use-service-account-credentials"
@@ -770,7 +770,7 @@ groups:
- id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-private-key-file"
@@ -784,7 +784,7 @@ groups:
- id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--root-ca-file"
@@ -798,7 +798,7 @@ groups:
- id: 1.3.6
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--feature-gates"
@@ -815,7 +815,7 @@ groups:
- id: 1.3.7
text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -1205,7 +1205,7 @@ groups:
checks:
- id: 1.5.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--cert-file"
@@ -1222,7 +1222,7 @@ groups:
- id: 1.5.2
text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--client-cert-auth"
@@ -1238,7 +1238,7 @@ groups:
- id: 1.5.3
text: "Ensure that the --auto-tls argument is not set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -1257,7 +1257,7 @@ groups:
- id: 1.5.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
set as appropriate (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -1275,7 +1275,7 @@ groups:
- id: 1.5.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--peer-client-cert-auth"
@@ -1291,7 +1291,7 @@ groups:
- id: 1.5.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -1310,7 +1310,7 @@ groups:
- id: 1.5.7
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
type: "manual"
tests:
test_items:
diff --git a/cfg/1.11/node.yaml b/cfg/1.11/node.yaml
index 12b7e3be71587cae1f6fa92b04026e7faa2dbe9b..e8e0d9fed6882f4a893812573113c6fff1aa8160 100644
--- a/cfg/1.11/node.yaml
+++ b/cfg/1.11/node.yaml
@@ -10,7 +10,7 @@ groups:
checks:
- id: 2.1.1
text: Ensure that the --allow-privileged argument is set to false (Scored)
- audit: "ps -fC $kubeletbin "
+ audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag: --allow-privileged
@@ -29,8 +29,8 @@ groups:
- id: 2.1.2
text: Ensure that the --anonymous-auth argument is set to false (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --anonymous-auth
@@ -53,8 +53,8 @@ groups:
- id: 2.1.3
text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
@@ -76,8 +76,8 @@ groups:
- id: 2.1.4
text: Ensure that the --client-ca-file argument is set as appropriate (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --client-ca-file
@@ -97,8 +97,8 @@ groups:
- id: 2.1.5
text: Ensure that the --read-only-port argument is set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --read-only-port
@@ -120,8 +120,8 @@ groups:
- id: 2.1.6
text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --streaming-connection-idle-timeout
@@ -148,8 +148,8 @@ groups:
- id: 2.1.7
text: Ensure that the --protect-kernel-defaults argument is set to true (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --protect-kernel-defaults
@@ -171,8 +171,8 @@ groups:
- id: 2.1.8
text: Ensure that the --make-iptables-util-chains argument is set to true (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --make-iptables-util-chains
@@ -198,8 +198,8 @@ groups:
- id: 2.1.9
text: Ensure that the --hostname-override argument is not set (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --hostname-override
@@ -216,8 +216,8 @@ groups:
- id: 2.1.10
text: Ensure that the --event-qps argument is set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --event-qps
@@ -239,8 +239,8 @@ groups:
- id: 2.1.11
text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --tls-cert-file
@@ -266,8 +266,8 @@ groups:
- id: 2.1.12
text: Ensure that the --cadvisor-port argument is set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --cadvisor-port
@@ -291,8 +291,8 @@ groups:
- id: 2.1.13
text: Ensure that the --rotate-certificates argument is not set to false (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --rotate-certificates
@@ -316,8 +316,8 @@ groups:
- id: 2.1.14
text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: RotateKubeletServerCertificate
@@ -337,8 +337,8 @@ groups:
- id: 2.1.15
text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --tls-cipher-suites
diff --git a/cfg/1.13/master.yaml b/cfg/1.13/master.yaml
index 57fc20d4bc35e35a725a905d9fc09b589e47eef4..c10ead728f7458eefa1abdd04e892acf7d7f32bb 100644
--- a/cfg/1.13/master.yaml
+++ b/cfg/1.13/master.yaml
@@ -10,7 +10,7 @@ groups:
checks:
- id: 1.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--anonymous-auth"
@@ -26,7 +26,7 @@ groups:
- id: 1.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--basic-auth-file"
@@ -40,7 +40,7 @@ groups:
- id: 1.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-allow-any-token"
@@ -53,7 +53,7 @@ groups:
- id: 1.1.4
text: "Ensure that the --kubelet-https argument is set to true (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -71,7 +71,7 @@ groups:
- id: 1.1.5
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-bind-address"
@@ -84,7 +84,7 @@ groups:
- id: 1.1.6
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-port"
@@ -100,7 +100,7 @@ groups:
- id: 1.1.7
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -119,7 +119,7 @@ groups:
- id: 1.1.8
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -135,7 +135,7 @@ groups:
- id: 1.1.9
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--repair-malformed-updates"
@@ -151,7 +151,7 @@ groups:
- id: 1.1.10
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -170,7 +170,7 @@ groups:
- id: 1.1.11
text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -187,7 +187,7 @@ groups:
- id: 1.1.12
text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "skip"
tests:
test_items:
@@ -205,7 +205,7 @@ groups:
- id: 1.1.13
text: "Ensure that the admission control plugin SecurityContextDeny is set (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -222,7 +222,7 @@ groups:
- id: 1.1.14
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -242,7 +242,7 @@ groups:
- id: 1.1.15
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-path"
@@ -256,7 +256,7 @@ groups:
- id: 1.1.16
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxage"
@@ -272,7 +272,7 @@ groups:
- id: 1.1.17
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxbackup"
@@ -289,7 +289,7 @@ groups:
- id: 1.1.18
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxsize"
@@ -306,7 +306,7 @@ groups:
- id: 1.1.19
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
@@ -323,7 +323,7 @@ groups:
- id: 1.1.20
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--token-auth-file"
@@ -337,7 +337,7 @@ groups:
- id: 1.1.21
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--kubelet-certificate-authority"
@@ -352,7 +352,7 @@ groups:
- id: 1.1.22
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -371,7 +371,7 @@ groups:
- id: 1.1.23
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -390,7 +390,7 @@ groups:
- id: 1.1.24
text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -409,7 +409,7 @@ groups:
- id: 1.1.25
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-key-file"
@@ -424,7 +424,7 @@ groups:
- id: 1.1.26
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -443,7 +443,7 @@ groups:
- id: 1.1.27
text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -465,7 +465,7 @@ groups:
- id: 1.1.28
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -484,7 +484,7 @@ groups:
- id: 1.1.29
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--client-ca-file"
@@ -498,7 +498,7 @@ groups:
- id: 1.1.30
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--tls-cipher-suites"
@@ -514,7 +514,7 @@ groups:
- id: 1.1.31
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--etcd-cafile"
@@ -529,7 +529,7 @@ groups:
- id: 1.1.32
text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
@@ -546,7 +546,7 @@ groups:
- id: 1.1.33
text: "Ensure that the admission control plugin NodeRestriction is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -564,7 +564,7 @@ groups:
- id: 1.1.34
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
tests:
test_items:
@@ -581,7 +581,7 @@ groups:
- id: 1.1.35
text: "Ensure that the encryption provider is set to aescbc (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
[Manual test]
@@ -602,7 +602,7 @@ groups:
- id: 1.1.36
text: "Ensure that the admission control plugin EventRateLimit is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -620,7 +620,7 @@ groups:
- id: 1.1.37a
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -640,7 +640,7 @@ groups:
- id: 1.1.37b
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-policy-file"
@@ -657,7 +657,7 @@ groups:
- id: 1.1.38
text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -673,7 +673,7 @@ groups:
- id: 1.1.39
text: "Ensure that the --authorization-mode argument includes RBAC (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
@@ -690,7 +690,7 @@ groups:
checks:
- id: 1.2.1
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $schedulerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -706,7 +706,7 @@ groups:
- id: 1.2.2
text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
- audit: "ps -ef | grep $schedulerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -728,7 +728,7 @@ groups:
checks:
- id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--terminated-pod-gc-threshold"
@@ -741,7 +741,7 @@ groups:
- id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -757,7 +757,7 @@ groups:
- id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--use-service-account-credentials"
@@ -773,7 +773,7 @@ groups:
- id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-private-key-file"
@@ -787,7 +787,7 @@ groups:
- id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--root-ca-file"
@@ -801,7 +801,7 @@ groups:
- id: 1.3.6
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--feature-gates"
@@ -818,7 +818,7 @@ groups:
- id: 1.3.7
text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -1270,7 +1270,7 @@ groups:
checks:
- id: 1.5.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--cert-file"
@@ -1287,7 +1287,7 @@ groups:
- id: 1.5.2
text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--client-cert-auth"
@@ -1303,7 +1303,7 @@ groups:
- id: 1.5.3
text: "Ensure that the --auto-tls argument is not set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -1322,7 +1322,7 @@ groups:
- id: 1.5.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
set as appropriate (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -1340,7 +1340,7 @@ groups:
- id: 1.5.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--peer-client-cert-auth"
@@ -1356,7 +1356,7 @@ groups:
- id: 1.5.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -1375,7 +1375,7 @@ groups:
- id: 1.5.7
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
type: "manual"
tests:
test_items:
diff --git a/cfg/1.13/node.yaml b/cfg/1.13/node.yaml
index e0c7355ab81e26746e056de86c4c509efc399e72..ae581a486b64cba195b5ab44073d39d2c920ca21 100644
--- a/cfg/1.13/node.yaml
+++ b/cfg/1.13/node.yaml
@@ -10,8 +10,8 @@ groups:
checks:
- id: 2.1.1
text: Ensure that the --anonymous-auth argument is set to false (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
@@ -34,8 +34,8 @@ groups:
- id: 2.1.2
text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
@@ -57,8 +57,8 @@ groups:
- id: 2.1.3
text: Ensure that the --client-ca-file argument is set as appropriate (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --client-ca-file
@@ -78,8 +78,8 @@ groups:
- id: 2.1.4
text: Ensure that the --read-only-port argument is set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--read-only-port"
@@ -101,8 +101,8 @@ groups:
- id: 2.1.5
text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --streaming-connection-idle-timeout
@@ -129,8 +129,8 @@ groups:
- id: 2.1.6
text: Ensure that the --protect-kernel-defaults argument is set to true (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --protect-kernel-defaults
@@ -152,8 +152,8 @@ groups:
- id: 2.1.7
text: Ensure that the --make-iptables-util-chains argument is set to true (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --make-iptables-util-chains
@@ -182,7 +182,7 @@ groups:
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
- audit: "ps -fC $kubeletbin "
+ audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag: --hostname-override
@@ -198,8 +198,8 @@ groups:
- id: 2.1.9
text: Ensure that the --event-qps argument is set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --event-qps
@@ -221,8 +221,8 @@ groups:
- id: 2.1.10
text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --tls-cert-file
@@ -251,7 +251,7 @@ groups:
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
- audit: "ps -fC $kubeletbin "
+ audit: "/bin/ps -fC $kubeletbin "
type: skip
tests:
test_items:
@@ -274,8 +274,8 @@ groups:
- id: 2.1.12
text: Ensure that the --rotate-certificates argument is not set to false (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --rotate-certificates
@@ -299,8 +299,8 @@ groups:
- id: 2.1.13
text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: RotateKubeletServerCertificate
@@ -320,8 +320,8 @@ groups:
- id: 2.1.14
text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --tls-cipher-suites
diff --git a/cmd/util.go b/cmd/util.go
index 2a49b109752a5f2d5a477547fc26003ed8da80f2..184c47912a00a18dfafde401bff063ee0068579c 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -78,7 +78,7 @@ func cleanIDs(list string) map[string]bool {
func ps(proc string) string {
// TODO: truncate proc to 15 chars
// See https://github.com/aquasecurity/kube-bench/issues/328#issuecomment-506813344
- cmd := exec.Command("ps", "-C", proc, "-o", "cmd", "--no-headers")
+ cmd := exec.Command("/bin/ps", "-C", proc, "-o", "cmd", "--no-headers")
out, err := cmd.Output()
if err != nil {
continueWithError(fmt.Errorf("%s: %s", cmd.Args, err), "")