From 5ff32e55eb3c4332db35c3248d3d319e4ffe04a7 Mon Sep 17 00:00:00 2001
From: Huang Huang <mozillazg101@gmail.com>
Date: Mon, 3 Aug 2020 15:38:22 +0800
Subject: [PATCH] Check PodSecurityPolicy when test 1.2.13 of cis-1.5 (#651)

---
 cfg/cis-1.5/master.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml
index c1c0c2c..c6c949a 100644
--- a/cfg/cis-1.5/master.yaml
+++ b/cfg/cis-1.5/master.yaml
@@ -520,12 +520,18 @@ groups:
         text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored)"
         audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
         tests:
+          bin_op: or
           test_items:
             - flag: "--enable-admission-plugins"
               compare:
                 op: has
                 value: "SecurityContextDeny"
               set: true
+            - flag: "--enable-admission-plugins"
+              compare:
+                op: has
+                value: "PodSecurityPolicy"
+              set: true
         remediation: |
           Edit the API server pod specification file $apiserverconf
           on the master node and set the --enable-admission-plugins parameter to include
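Review bot: The new `bin_op: or` and second test item make the check pass when PodSecurityPolicy is enabled, but the `remediation` block that begins at the end of the hunk still tells the operator only to add SecurityContextDeny, so a cluster that fails will be steered to the weaker plugin even though the control text says it is required only "if PodSecurityPolicy is not used"; the remediation continues outside the hunk, so I cannot see whether a later line already covers this. Consider adding a sentence there such as "Alternatively, include PodSecurityPolicy in --enable-admission-plugins, in which case SecurityContextDeny is not required." The reason for `or` is also not obvious when reading the two near-identical items, so a comment above `bin_op: or` would help the next maintainer: `# Either plugin satisfies 1.2.13: SecurityContextDeny is only required when PodSecurityPolicy is not enabled`. One caveat to confirm: both items match the same flag with `op: has`, which presumably is a substring match on the flag value, so the check reports compliance as soon as the plugin name appears in `--enable-admission-plugins` without verifying that any PodSecurityPolicy objects actually exist in the cluster; that is consistent with the control being Not Scored but worth stating in the comment.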
-- 
GitLab