From e6f2b4d4fed8d735a61281d80df24d982326d85f Mon Sep 17 00:00:00 2001
From: Abubakr-Sadik Nii Nai Davis <dwa2pac@gmail.com>
Date: Tue, 15 Aug 2017 15:47:01 +0000
Subject: [PATCH] Add config checks for permissions stricter that 644 to
 definition files.

---
 cfg/master.yaml | 30 ++++++++++++++++++++++++++++++
 cfg/node.yaml   | 33 +++++++++++++++++++++++++++++++++
 cmd/util.go     |  6 ++++--
 3 files changed, 67 insertions(+), 2 deletions(-)

diff --git a/cfg/master.yaml b/cfg/master.yaml
index 7005f95..e02f76f 100644
--- a/cfg/master.yaml
+++ b/cfg/master.yaml
@@ -599,12 +599,18 @@ groups:
       # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
       audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
       tests:
+        bin_op: or
         test_items:
         - flag: "644"
           compare:
             op: eq
             value: "644"
           set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
       remediation: "Run the below command (based on the file location on your system) on the master node. 
               \nFor example, chmod 644 $apiserverconf"
       scored: true
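Review bot: Accepting only the literal modes 644 and 600 (the new `bin_op: or` pair) does not implement the check text "644 or more restrictive": a file at 640, 604, 444 or 400 is stricter than 644 yet will be reported as failing. A mask computed in the audit command covers every stricter mode and also rejects setuid/setgid/sticky bits, which `stat -c %a` prints as a fourth digit: `audit: "/bin/sh -c 'if test -e $apiserverconf; then p=$(stat -c %a $apiserverconf) && test $(( 0$p & 07133 )) -eq 0 && echo permissions-ok; fi'"`, with the two test_items replaced by a single `flag: "permissions-ok"` / `set: true` item and `bin_op: or` dropped. The `0$p` prefix makes the octal literal explicit for POSIX sh arithmetic; if kube-bench's flag matcher needs a different token shape, keep the sentinel approach and adjust the flag — that matcher is outside this patch.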
@@ -627,12 +633,18 @@ groups:
       text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
       audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
       tests:
+        bin_op: or
         test_items:
         - flag: "644"
           compare:
             op: eq
             value: "644"
           set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
       remediation: "Run the below command (based on the file location on your system) on the master node. 
               \nFor example, chmod 644 $config"
       scored: true
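Review bot: The remediation below the new `600` item still instructs `chmod 644 $config`, which would loosen a file that failed only because its mode (640, 400, …) is not one of the two enumerated values; this kubeconfig typically carries credentials, so widening it is the wrong direction. Reword to `\nFor example, chmod 600 $config` (or "chmod 644 or stricter") so a user following the remediation cannot end up more permissive than before. The enumeration itself is the deeper problem — the check text promises "644 or more restrictive" but the test only accepts exactly 644 or 600.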
@@ -655,12 +667,18 @@ groups:
       text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
       audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
       tests:
+        bin_op: or
         test_items:
           - flag: "644"
             compare:
               op: eq
               value: "644"
             set: true
+          - flag: "600"
+            compare:
+              op: eq
+              value: "600"
+            set: true
       remediation: "Run the below command (based on the file location on your system) on the master node. 
               \nFor example, chmod 644 $schedulerconf"
       scored: true
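Review bot: `stat -c %a` prints a leading fourth digit when setuid, setgid or sticky is set (e.g. `2644`), and neither of the two test items defines what happens then; whether `flag: "644"` matches inside `2644` depends on kube-bench's flag matcher, which is outside this patch, and both outcomes are wrong in their own way (a setgid config file should not pass, and a silent non-match gives a misleading failure). Rejecting the special bits explicitly in the audit command removes the ambiguity: `test $(( 0$(stat -c %a $schedulerconf) & 07133 )) -eq 0 && echo permissions-ok`, matched by a single `flag: "permissions-ok"` / `set: true` item. That also makes every mode stricter than 644 pass, which the current `eq 644` / `eq 600` pair does not.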
@@ -683,12 +701,18 @@ groups:
       text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
       audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
       tests:
+        bin_op: or
         test_items:
           - flag: "644"
             compare:
               op: eq
               value: "644"
             set: true
+          - flag: "600"
+            compare:
+              op: eq
+              value: "600"
+            set: true
       remediation: "Run the below command (based on the file location on your system) on the master node. 
               \nFor example, chmod 644 $etcdconf"
       scored: true
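Review bot: When `$etcdconf` does not exist, the `test -e` guard prints nothing, both the existing `644` item and the new `600` item are unset, and the check is reported as failed with a remediation that tells the user to `chmod 644` a path that is not there. On masters where etcd is hosted outside the node (a common topology, though not something this patch can know), that is a false failure rather than a skipped check. At minimum say so in the check text, e.g. `(Scored; fails if $etcdconf is absent)`, or emit a distinct token from the audit's else branch so the result distinguishes "missing" from "too permissive".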
@@ -711,12 +735,18 @@ groups:
       text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
       audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
       tests:
+        bin_op: or
         test_items:
         - flag: "644"
           compare:
             op: eq
             value: "644"
           set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
       remediation: "Run the below command (based on the file location on your system) on the master node. 
               \nFor example, chmod 644 $flanneldconf"
       scored: true
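Review bot: The new `- flag: "600"` item copies the surrounding list indentation, which in this hunk sits at the same column as `test_items:` while the scheduler and etcd hunks indent their items two columns deeper. Both forms are valid YAML, but mixing them within one file makes diffs noisier and invites mis-nesting when the next item is added; pick one form (the deeper one is what the later hunks use) and apply it to the new item here. The `eq 644` / `eq 600` enumeration also fails stricter modes such as 640 and 400, as in the other checks.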
diff --git a/cfg/node.yaml b/cfg/node.yaml
index 0b5b90b..5e43638 100644
--- a/cfg/node.yaml
+++ b/cfg/node.yaml
@@ -223,8 +223,17 @@ groups:
       text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
       audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
       tests:
+        bin_op: or
         test_items:
           - flag: "644"
+            compare:
+              op: eq
+              value: "644"
+            set: true
+          - flag: "600"
+            compare:
+              op: eq
+              value: "600"
             set: true
       remediation: "Run the below command (based on the file location on your system) on the each worker node. 
               \nFor example, chmod 644 $config"
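Review bot: Beyond adding the `600` item, this hunk also attaches a `compare` block to the pre-existing `644` item, which previously passed on `set: true` alone; that is a behaviour change the subject line does not mention and is worth a sentence in the commit message. The larger gap is that "644 or more restrictive" is still implemented as "exactly 644 or exactly 600": a worker kubeconfig at 640 or 400 fails, and the remediation then says `chmod 644 $config`, loosening it. Computing the verdict in the audit command, `p=$(stat -c %a $config) && test $(( 0$p & 07133 )) -eq 0 && echo permissions-ok`, with one `flag: "permissions-ok"` / `set: true` item, accepts every stricter mode and rejects special bits. The check's `text:` line starts above this hunk.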
@@ -248,12 +257,18 @@ groups:
       text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
       audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
       tests:
+        bin_op: or
         test_items:
           - flag: "644"
             compare:
               op: eq
               value: 644
             set: true
+          - flag: "600"
+            compare:
+              op: eq
+              value: "600"
+            set: true
       remediation: "Run the below command (based on the file location on your system) on the each worker node. 
               \nFor example, chmod 644 $kubeletconf"
       scored: true
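Review bot: The new item writes `value: "600"` as a quoted string while the existing item two lines above it has `value: 644` unquoted, which YAML decodes as an integer; whether the Go compare code treats those two identically is not visible here, and quoting removes the question. Change the existing line to `value: "644"` so both items have the same scalar type. The `eq 644` / `eq 600` pair still fails kubelet configs at stricter modes such as 640 or 400.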
@@ -273,8 +288,17 @@ groups:
       text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
       audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
       tests:
+        bin_op: or
         test_items:
           - flag: "644"
+            compare:
+              op: eq
+              value: "644"
+            set: true
+          - flag: "600"
+            compare:
+              op: eq
+              value: "600"
             set: true
       remediation: "Run the below command (based on the file location on your system) on the each worker node. 
               \nFor example, chmod 644 $proxyconf"
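Review bot: A proxy kubeconfig at 640 or 400 fails both new items, and the remediation on the last line then tells the user to run `chmod 644 $proxyconf`, which makes the file more permissive than it was. Reword to `\nFor example, chmod 600 $proxyconf` or "chmod 644 or stricter" so the remediation never widens access, or better, make the test accept any mode with no bits outside 0644 set so those files pass in the first place. The check's `text:` line starts above this hunk.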
@@ -296,8 +320,17 @@ groups:
               644 or more restrictive (Scored)"
       audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
       tests:
+        bin_op: or
         test_items:
           - flag: "644"
+            compare:
+              op: eq
+              value: "644"
+            set: true
+          - flag: "600"
+            compare:
+              op: eq
+              value: "600"
             set: true
       remediation: "Run the following command to modify the file permissions of the --client-ca-file
               \nchmod 644 <filename>"
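Review bot: The new `600` item inherits an audit command that references `$ca-file`; a hyphen is not a valid shell variable character, so unless kube-bench substitutes that placeholder before `/bin/sh` sees it, the shell expands `$ca` (empty) followed by a literal `-file`, and both test items then operate on the wrong path. The substitution mechanism is outside this patch, so confirm it, and if it is a plain shell expansion rename the variable to something like `$cafile`. The check's `text:` line begins above this hunk.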
diff --git a/cmd/util.go b/cmd/util.go
index 937e3e0..64950f2 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -69,7 +69,8 @@ func verifyConf(confPath ...string) {
 
 	for _, c := range confPath {
 		if _, err := os.Stat(c); err != nil && os.IsNotExist(err) {
-			continueWithError(err, "")
+			e := fmt.Errorf("configuration file %s not found", c)
+			continueWithError(e, "")
 			missing += c + ", "
 		}
 	}
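Review bot: The new `fmt.Errorf("configuration file %s not found", c)` throws away `err`, so the operator loses the path and errno that `os.Stat` reported; keep it with `e := fmt.Errorf("configuration file %s not found: %v", c, err)`. The wording is accurate only because the surrounding condition filters on `os.IsNotExist` — any other stat failure (e.g. permission denied) still falls through silently and the file is treated as present, which is worth a comment or a separate `continueWithError` branch. This assumes `fmt` is already imported; the import block and the rest of `verifyConf` are outside the hunk.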
@@ -93,8 +94,9 @@ func verifyBin(binPath ...string) {
 		bin = bin + "," + b
 		binSlice = append(binSlice, b)
 		if err != nil {
+			e := fmt.Errorf("executable file %s not found", b)
+			continueWithError(e, "")
 			missing += b + ", "
-			continueWithError(err, "")
 		}
 	}
 	bin = strings.Trim(bin, ",")
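Review bot: The replacement error asserts "executable file %s not found", but `err` is produced above this hunk and its cause is not visible here; if it comes from a lookup that can fail for reasons other than absence, the new message misreports them. Include the original error so the cause is preserved: `e := fmt.Errorf("executable file %s not found: %v", b, err)`. Moving `continueWithError` ahead of the `missing +=` append does not change behaviour, and `bin`/`binSlice` still collect the missing binary either way; the enclosing `verifyBin` starts before this hunk.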
-- 
GitLab