From a6036bcfcf9652dfb850754d32a583686420e492 Mon Sep 17 00:00:00 2001
From: Liz Rice <liz@lizrice.com>
Date: Thu, 31 Aug 2017 17:39:40 +0100
Subject: [PATCH] =?UTF-8?q?Corrections=20to=20config=20file=20substitution?=
 =?UTF-8?q?s.=20Use=20=E2=80=9Ckubernetes=E2=80=9D=20as=20a=20fake=20compo?=
 =?UTF-8?q?nent=20name=20so=20we=20can=20more=20easily=20substitute=20?=
 =?UTF-8?q?=E2=80=9Ckubernetesconf=E2=80=9D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cfg/config.yaml | 11 ++++++++---
 cfg/master.yaml |  8 ++++----
 cfg/node.yaml   | 14 +++++++-------
 3 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/cfg/config.yaml b/cfg/config.yaml
index 6836fd5..8ad2e89 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -14,8 +14,7 @@ master:
     - controllermanager
     - etcd 
     - flanneld
-    # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the 
-    # benchmark but is believed to now be obselete
+    # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
     - kubernetes
 
   kubernetes:
@@ -74,6 +73,11 @@ node:
   components:
     - kubelet
     - proxy
+    # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
+    - kubernetes
+
+  kubernetes:
+    defaultconf: /etc/kubernetes/config    
 
   kubelet:
     bins:
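Review bot: The new `defaultconf: /etc/kubernetes/config    ` line carries trailing spaces and is unquoted, while the kubelet entry added in the next hunk is quoted (`defaultconf: "/etc/kubernetes/kubelet.conf"`). The next hunk also rewrites `- /etc/kubernetes/kubelet` only to append a trailing space. I would write `defaultconf: "/etc/kubernetes/config"` here and drop the whitespace-only change, so the diff shows just the substitution fix. The node `kubernetes` entry has no `bins` or `confs`, so a short comment such as `# placeholder component: only supplies $kubernetesconf for checks 2.2.1 and 2.2.2` would tell maintainers why. The `kubelet:` mapping continues outside this hunk.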
@@ -81,7 +85,8 @@ node:
       - "kubelet"
     confs:
       - /etc/kubernetes/kubelet.conf
-      - /etc/kubernetes/kubelet
+      - /etc/kubernetes/kubelet 
+    defaultconf: "/etc/kubernetes/kubelet.conf"
   
   proxy:
     bins:
diff --git a/cfg/master.yaml b/cfg/master.yaml
index f54bf6a..dc9295e 100644
--- a/cfg/master.yaml
+++ b/cfg/master.yaml
@@ -636,7 +636,7 @@ groups:
 
     - id: 1.4.3
       text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
-      audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
+      audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
       tests:
         bin_op: or
         test_items:
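Review bot: The substituted path is expanded unquoted inside the `sh -c` string, so a configured path containing whitespace or shell metacharacters would be split or interpreted by the shell instead of being passed to `test` and `stat` as one argument. The value comes from cfg/config.yaml, so exposure is limited to whoever can edit that file, but an audit tool that usually runs as root should still treat it as data. Assuming the runner hands the string to the shell unchanged, quote it: `audit: "/bin/sh -c 'if test -e \"$kubernetesconf\"; then stat -c %a \"$kubernetesconf\"; fi'"`. The same applies to the 1.4.4 audit below and to the 2.2.1 and 2.2.2 audits in cfg/node.yaml. The `tests` block for this check continues outside the hunk.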
@@ -656,12 +656,12 @@ groups:
             value: "600"
           set: true
       remediation: "Run the below command (based on the file location on your system) on the master node. 
-              \nFor example, chmod 644 $config"
+              \nFor example, chmod 644 $kubernetesconf"
       scored: true
 
     - id: 1.4.4
       text: "Ensure that the config file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
+      audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
       tests:
         test_items:
         - flag: "root:root"
@@ -670,7 +670,7 @@ groups:
             value: "root:root"
           set: true
       remediation: "Run the below command (based on the file location on your system) on the master node. 
-              \nFor example, chown root:root $config"
+              \nFor example, chown root:root $kubernetesconf"
       scored: true
 
     - id: 1.4.5
diff --git a/cfg/node.yaml b/cfg/node.yaml
index a146baa..0a1c0b6 100644
--- a/cfg/node.yaml
+++ b/cfg/node.yaml
@@ -17,7 +17,7 @@ groups:
               op: eq
               value: false
             set: true
-      remediation: "Edit the $config file on each node and set the KUBE_ALLOW_PRIV 
+      remediation: "Edit the $kubeletconf file on each node and set the KUBE_ALLOW_PRIV 
               parameter to \"--allow-privileged=false\""
       scored: true
 
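Review bot: This remediation now names `$kubeletconf`, whereas every other `$config` in this commit became `$kubernetesconf`, and that looks like the wrong substitution for this parameter. As far as I know, KUBE_ALLOW_PRIV is set in the shared /etc/kubernetes/config file in the packaged layout, which is the file the new `kubernetes` component in cfg/config.yaml stands for. With the kubelet default added in this commit, the operator would be pointed at /etc/kubernetes/kubelet.conf instead. If that is not intended, the line should read `remediation: "Edit the $kubernetesconf file on each node and set the KUBE_ALLOW_PRIV`. The check's id and audit lines are outside this hunk.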
@@ -199,7 +199,7 @@ groups:
               op: eq
               value: true
             set: true
-      remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter
+      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
               to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"."
       scored: true
 
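Review bot: Replacing the literal `/etc/kubernetes/kubelet` with `$kubeletconf` may point the operator at a different file than before. In this commit, cfg/config.yaml lists `/etc/kubernetes/kubelet.conf` ahead of `/etc/kubernetes/kubelet` and sets `defaultconf` to the `.conf` path. If the substitution resolves to the first existing entry or the default (the resolution logic is not visible here), the text would tell the operator to set KUBELET_ARGS in kubelet.conf, so the feature gate might never be applied. Either confirm the resolution order, or keep the concrete file as a hint: `remediation: "Edit the $kubeletconf file (for example /etc/kubernetes/kubelet) on each node and set the KUBELET_ARGS parameter`. The same applies to the RotateKubeletServerCertificate remediation in the next hunk.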
@@ -213,7 +213,7 @@ groups:
               op: eq
               value: true
             set: true
-      remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter
+      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
               to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"."
       scored: true
 
@@ -222,7 +222,7 @@ groups:
   checks:
     - id: 2.2.1
       text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
-      audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
+      audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
       tests:
         bin_op: or
         test_items:
@@ -242,12 +242,12 @@ groups:
               value: "600"
             set: true
       remediation: "Run the below command (based on the file location on your system) on the each worker node. 
-              \nFor example, chmod 644 $config"
+              \nFor example, chmod 644 $kubernetesconf"
       scored: true
 
     - id: 2.2.2
       text: "Ensure that the config file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
+      audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
       tests:
         test_items:
           - flag: "root:root"
@@ -256,7 +256,7 @@ groups:
               value: root:root
             set: true
       remediation: "Run the below command (based on the file location on your system) on the each worker node. 
-              \nFor example, chown root:root $config"
+              \nFor example, chown root:root $kubernetesconf"
       scored: true
 
     - id: 2.2.3
-- 
GitLab