From 3926ba3977822c2964881a48eb2dc465eb13652f Mon Sep 17 00:00:00 2001
From: Roberto Rojas <robertojrojas@gmail.com>
Date: Thu, 11 Jul 2019 12:05:24 -0400
Subject: [PATCH] issue #337: Adds comment for properties detected thru parsing
 command line. Fixed Audit for test 2.1.8 (#354)

---
 cfg/1.11-json/node.yaml |  3 +++
 cfg/1.13-json/node.yaml | 10 ++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/cfg/1.11-json/node.yaml b/cfg/1.11-json/node.yaml
index f85687d..9f0b454 100644
--- a/cfg/1.11-json/node.yaml
+++ b/cfg/1.11-json/node.yaml
@@ -10,6 +10,9 @@ groups:
   checks:
   - id: 2.1.1
     text: "Ensure that the --allow-privileged argument is set to false (Scored)"
+    # This is one of those properties that can only be set as a command line argument. 
+    # To check if the property is set as expected, we need to parse the kubelet command 
+    # instead reading the Kubelet Configuration file.
     audit: "ps -fC $kubeletbin"
     tests:
       test_items:
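Review bot: The three added comment lines end in trailing spaces and read "instead reading", which should be "instead of reading"; the same text is repeated in the 2.1.8 and 2.1.11 hunks of cfg/1.13-json/node.yaml. Naming the flag in each copy would make the comment more useful than "one of those properties", for example `# --allow-privileged can only be set on the kubelet command line, so the audit` / `# inspects the running process instead of reading the kubelet configuration file.` The check's test_items continue outside the hunk.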
diff --git a/cfg/1.13-json/node.yaml b/cfg/1.13-json/node.yaml
index 7140943..a061dc4 100644
--- a/cfg/1.13-json/node.yaml
+++ b/cfg/1.13-json/node.yaml
@@ -160,7 +160,10 @@ groups:
 
   - id: 2.1.8
     text: "Ensure that the --hostname-override argument is not set (Scored)"
-    audit: "cat $kubeletconf"
+    # This is one of those properties that can only be set as a command line argument. 
+    # To check if the property is set as expected, we need to parse the kubelet command 
+    # instead reading the Kubelet Configuration file.
+    audit: "ps -fC $kubeletbin"
     tests:
       test_items:
       - flag: "--hostname-override"
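Review bot: With `audit: "ps -fC $kubeletbin"`, check 2.1.8 can pass without inspecting any kubelet. When no process named $kubeletbin is visible, the output holds no `--hostname-override`, and absence is what this check treats as compliant. This could occur when kube-bench runs in a container that does not share the host PID namespace, or when $kubeletbin does not match the running binary's name. The test definition continues outside the hunk, so any guard against empty output is not visible here. I would either have the audit fail when the process is not found or state the precondition beside it, for example `# Requires the host's kubelet process to be visible (host PID namespace when run in a container).` The 2.1.11 hunk below appears to have the same exposure, since its `bin_op: or` presumably accepts an unset `--cadvisor-port`.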
@@ -221,7 +224,10 @@ groups:
 
   - id: 2.1.11
     text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
-    audit: "cat $kubeletconf"
+    # This is one of those properties that can only be set as a command line argument. 
+    # To check if the property is set as expected, we need to parse the kubelet command 
+    # instead reading the Kubelet Configuration file.
+    audit: "ps -fC $kubeletbin"
     tests:
       bin_op: or
       test_items:
-- 
GitLab