From 6684979741919bdbf495d29102f26845ae517e5a Mon Sep 17 00:00:00 2001
From: Huang Huang <mozillazg101@gmail.com>
Date: Mon, 10 Aug 2020 04:44:42 +0800
Subject: [PATCH] =?UTF-8?q?Add=20tests=20for=201.1.19=E3=80=811.1.20=20and?=
 =?UTF-8?q?=201.1.21=20of=20cis-1.5=20(#641)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add tests for 1.1.19, 1.1.20 and 1.1.21 of cis-1.5

* Avoid division by 0

* Use bitmask instead of lte

* Change to use multiple values via `use_multiple_values: true`

* Use find in 1.1.20 and 1.1.21
---
 cfg/cis-1.5/master.yaml                      | 33 ++++++++++++++++----
 integration/testdata/cis-1.5/job-master.data | 22 +++----------
 integration/testdata/cis-1.5/job.data        | 22 +++----------
 3 files changed, 37 insertions(+), 40 deletions(-)

diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml
index c6c949a..58806cd 100644
--- a/cfg/cis-1.5/master.yaml
+++ b/cfg/cis-1.5/master.yaml
@@ -287,8 +287,15 @@ groups:
 
       - id: 1.1.19
         text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)"
-        audit: "ls -laR /etc/kubernetes/pki/"
-        type: "manual"
+        audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G"
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "root:root"
+              compare:
+                op: eq
+                value: "root:root"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
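Review bot: The new `audit:` line pipes `find` output into `xargs` split on whitespace, so any path under /etc/kubernetes/pki/ containing a space or newline is broken into bogus arguments that `stat` errors on instead of reporting the real file; the 1.1.20 and 1.1.21 audits in the next two hunks use the same pattern. NUL delimiting keeps each path intact: `audit: "find /etc/kubernetes/pki/ -print0 | xargs -0 stat -c %U:%G"`. The test item also uses `root:root` as both the flag and the expected value, which presumably works only because `stat` emits nothing but `%U:%G` on each line, so a short comment such as `# each output line is only "%U:%G", so the matched token is the value itself` would stop a later editor from "fixing" it. The 1.1.19 item continues past the hunk into its remediation block.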
@@ -297,8 +304,15 @@ groups:
 
       - id: 1.1.20
         text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)"
-        audit: "stat -c %n\ %a /etc/kubernetes/pki/*.crt"
-        type: "manual"
+        audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "permissions"
+              compare:
+                op: bitmask
+                value: "644"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
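Review bot: The `-name '*.crt'` filter in the new audit has no `-type f`, and `stat` without `-L` reports a symlink's own mode bits (777 on Linux), so a symlinked certificate would fail the 644 bitmask regardless of the target's permissions; the 1.1.21 audit in the next hunk has the same shape. When no `.crt` file exists, `xargs` still invokes `stat -c permissions=%a` with no operand, which only writes an error to stderr and produces no `permissions=` line — how an empty multi-value result is scored is not visible here, so it is worth confirming it does not surface as PASS. Adding `-type f -print0` to `find` and `-0 -r` to `xargs`, i.e. `audit: "find /etc/kubernetes/pki -type f -name '*.crt' -print0 | xargs -0 -r stat -c permissions=%a"`, fixes the symlink and spurious-invocation cases, though the empty-result scoring still needs checking. The 1.1.20 item continues past the hunk.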
@@ -307,8 +321,15 @@ groups:
 
       - id: 1.1.21
         text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)"
-        audit: "stat -c %n\ %a /etc/kubernetes/pki/*.key"
-        type: "manual"
+        audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "permissions"
+              compare:
+                op: bitmask
+                value: "600"
+              set: true
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
diff --git a/integration/testdata/cis-1.5/job-master.data b/integration/testdata/cis-1.5/job-master.data
index df42aed..a274118 100644
--- a/integration/testdata/cis-1.5/job-master.data
+++ b/integration/testdata/cis-1.5/job-master.data
@@ -18,9 +18,9 @@
 [PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored)
 [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
-[WARN] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
-[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
-[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
+[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
+[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
+[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
 [INFO] 1.2 API Server
 [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
 [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
@@ -84,18 +84,6 @@ ps -ef | grep etcd
 Run the below command (based on the etcd data directory found above).
 For example, chown etcd:etcd /var/lib/etcd
 
-1.1.19 Run the below command (based on the file location on your system) on the master node.
-For example,
-chown -R root:root /etc/kubernetes/pki/
-
-1.1.20 Run the below command (based on the file location on your system) on the master node.
-For example,
-chmod -R 644 /etc/kubernetes/pki/*.crt
-
-1.1.21 Run the below command (based on the file location on your system) on the master node.
-For example,
-chmod -R 600 /etc/kubernetes/pki/*.key
-
 1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the below parameter.
 --anonymous-auth=false
@@ -182,7 +170,7 @@ on the master node and set the below parameter.
 
 
 == Summary ==
-41 checks PASS
+44 checks PASS
 13 checks FAIL
-11 checks WARN
+8 checks WARN
 0 checks INFO
diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.5/job.data
index a11293c..fdfd568 100644
--- a/integration/testdata/cis-1.5/job.data
+++ b/integration/testdata/cis-1.5/job.data
@@ -18,9 +18,9 @@
 [PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored)
 [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
-[WARN] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
-[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
-[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
+[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
+[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
+[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
 [INFO] 1.2 API Server
 [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
 [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
@@ -84,18 +84,6 @@ ps -ef | grep etcd
 Run the below command (based on the etcd data directory found above).
 For example, chown etcd:etcd /var/lib/etcd
 
-1.1.19 Run the below command (based on the file location on your system) on the master node.
-For example,
-chown -R root:root /etc/kubernetes/pki/
-
-1.1.20 Run the below command (based on the file location on your system) on the master node.
-For example,
-chmod -R 644 /etc/kubernetes/pki/*.crt
-
-1.1.21 Run the below command (based on the file location on your system) on the master node.
-For example,
-chmod -R 600 /etc/kubernetes/pki/*.key
-
 1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the below parameter.
 --anonymous-auth=false
@@ -182,9 +170,9 @@ on the master node and set the below parameter.
 
 
 == Summary ==
-41 checks PASS
+44 checks PASS
 13 checks FAIL
-11 checks WARN
+8 checks WARN
 0 checks INFO
 [INFO] 2 Etcd Node Configuration
 [INFO] 2 Etcd Node Configuration Files
-- 
GitLab