From fb92680702787fab1b0e77220e51cbfb37fb6bb5 Mon Sep 17 00:00:00 2001
From: Dave Hay <david_hay@uk.ibm.com>
Date: Sun, 23 May 2021 09:46:36 +0100
Subject: [PATCH] Issue 867: Updating CIS 1.1.9 and 1.1.10 (#877)

Mitigating "No such file or directory" related to CNI config directory

Signed-off by: Dave Hay <david_hay@uk.ibm.com>
---
 cfg/cis-1.6/master.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cfg/cis-1.6/master.yaml b/cfg/cis-1.6/master.yaml
index c354bd7..7ef7f94 100644
--- a/cfg/cis-1.6/master.yaml
+++ b/cfg/cis-1.6/master.yaml
@@ -122,7 +122,7 @@ groups:
 text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
 audit: |
 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c permissions=%a
- find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c permissions=%a
+ find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
 use_multiple_values: true
 tests:
 test_items:
@@ -140,7 +140,7 @@ groups:
 text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
 audit: |
 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c %U:%G
- find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c %U:%G
+ find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
 use_multiple_values: true
 tests:
 test_items:
--
GitLab
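Review bot: The added `2> /dev/null` on the `find /var/lib/cni/networks` line discards every error from find, not only the missing-directory case the commit targets, so a permission-denied or I/O error under that tree would also leave this command contributing no values, with nothing in the output to show it. For a compliance audit that means files may go unexamined without the operator noticing. Guarding on existence keeps the other errors visible: `if [ -d /var/lib/cni/networks ]; then find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c permissions=%a; fi`. The same applies to the ownership audit in the second hunk (`stat -c %U:%G`). How an empty result is scored depends on the `test_items` entries, which lie outside both hunks, so that should be confirmed there.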