From 66692951c8985aad0b9ab92743840058c705aa6c Mon Sep 17 00:00:00 2001
From: Huang Huang <mozillazg101@gmail.com>
Date: Tue, 21 Jul 2020 22:32:13 +0800
Subject: [PATCH] 4.1.7 of cis-1.5 should not be marked as manual (#640)

* 4.1.7 of cis-1.5 should not be marked as manual

* Making the test posix compliant like #643
---
 cfg/cis-1.5/node.yaml                      | 12 +++++++++++-
 integration/testdata/cis-1.5/job-node.data |  7 +++----
 integration/testdata/cis-1.5/job.data      |  7 +++----
 3 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml
index 1b787c3..bdf0ffc 100644
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
@@ -99,7 +99,17 @@ groups:
 
       - id: 4.1.7
         text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
-        types: "manual"
+        audit: |
+          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
+          if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
+        tests:
+          test_items:
+            - flag: "permissions"
+              set: true
+              compare:
+                op: bitmask
+                value: "644"
         remediation: |
           Run the following command to modify the file permissions of the
           --client-ca-file chmod 644 <filename>
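Review bot: The three shell lines in the new `audit` block expand `$CAFILE` unquoted, so `test -z $CAFILE` with an empty value degrades to a one-argument `test` that only succeeds by accident, and `test -e $CAFILE` / `stat -c permissions=%a $CAFILE` are exposed to word-splitting and glob expansion of whatever the `ps` scrape returned. Quoting keeps the POSIX-compliance goal of the commit and makes the empty-value path explicit: `if test -z "$CAFILE"; then CAFILE=$kubeletcafile; fi` and `if test -e "$CAFILE"; then stat -c permissions=%a "$CAFILE"; fi`. The fallback variable `$kubeletcafile` is not defined in this hunk; presumably it comes from the suite's config, and a one-line comment above the `audit` key saying so (and that the `ps` scrape only sees the flag form, not a value set in the kubelet config file) would help the next reader. The 4.1.7 entry's `remediation` block continues past the end of the hunk.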
diff --git a/integration/testdata/cis-1.5/job-node.data b/integration/testdata/cis-1.5/job-node.data
index 5de99b8..843a247 100644
--- a/integration/testdata/cis-1.5/job-node.data
+++ b/integration/testdata/cis-1.5/job-node.data
@@ -6,7 +6,7 @@
 [FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
 [PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
-[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
 [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
@@ -33,7 +33,6 @@ chmod 644 /etc/kubernetes/proxy.conf
 4.1.4 Run the below command (based on the file location on your system) on the each worker node.
 For example, chown root:root /etc/kubernetes/proxy.conf
 
-4.1.7 audit test did not run: There are no tests
 4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
 If using command line arguments, edit the kubelet service file
 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@@ -81,7 +80,7 @@ systemctl restart kubelet.service
 
 
 == Summary ==
-15 checks PASS
+16 checks PASS
 6 checks FAIL
-2 checks WARN
+1 checks WARN
 0 checks INFO
diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.5/job.data
index 4800169..a11293c 100644
--- a/integration/testdata/cis-1.5/job.data
+++ b/integration/testdata/cis-1.5/job.data
@@ -231,7 +231,7 @@ minimum.
 [FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
 [PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
-[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
 [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
@@ -258,7 +258,6 @@ chmod 644 /etc/kubernetes/proxy.conf
 4.1.4 Run the below command (based on the file location on your system) on the each worker node.
 For example, chown root:root /etc/kubernetes/proxy.conf
 
-4.1.7 audit test did not run: There are no tests
 4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
 If using command line arguments, edit the kubelet service file
 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@@ -306,9 +305,9 @@ systemctl restart kubelet.service
 
 
 == Summary ==
-15 checks PASS
+16 checks PASS
 6 checks FAIL
-2 checks WARN
+1 checks WARN
 0 checks INFO
 [INFO] 5 Kubernetes Policies
 [INFO] 5.1 RBAC and Service Accounts
-- 
GitLab