Fix check types: rke2 cis-1.24

andypitcher · Aug 22, 2024 · 1c72f2f · 1c72f2f
1 parent af7b5a7
commit 1c72f2f
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 18 deletions.
diff --git a/package/cfg/rke2-cis-1.24-hardened/master.yaml b/package/cfg/rke2-cis-1.24-hardened/master.yaml
@@ -146,7 +146,7 @@ groups:
         scored: false
 
       - id: 1.1.10
-        text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
+        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
         audit: |
           ps -fC ${kubeletbin:-kubelet} | grep -- --cni-conf-dir || echo "/etc/cni/net.d" | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
           find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
@@ -270,7 +270,7 @@ groups:
         scored: true
 
       - id: 1.1.20
-        text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)"
+        text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"
         audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/tls/*.crt"
         use_multiple_values: true
         tests:
@@ -283,7 +283,7 @@ groups:
         remediation: |
           Run the below command (based on the file location on your system) on the control plane node.
           For example,
-          chmod -R 644 /var/lib/rancher/rke2/server/tls/*.crt
+          chmod -R 600 /var/lib/rancher/rke2/server/tls/*.crt
         scored: false
 
       - id: 1.1.21
@@ -300,7 +300,7 @@ groups:
           Run the below command (based on the file location on your system) on the control plane node.
           For example,
           chmod -R 600 /var/lib/rancher/rke2/server/tls/*.key
-        scored: false
+        scored: true
 
   - id: 1.2
     text: "API Server"
@@ -881,7 +881,7 @@ groups:
           and set the --terminated-pod-gc-threshold to an appropriate threshold,
           kube-controller-manager-arg:
             - "terminated-pod-gc-threshold=10"
-        scored: true
+        scored: false
 
       - id: 1.3.2
         text: "Ensure that the --profiling argument is set to false (Automated)"

diff --git a/package/cfg/rke2-cis-1.24-hardened/node.yaml b/package/cfg/rke2-cis-1.24-hardened/node.yaml
@@ -324,10 +324,10 @@ groups:
           Not Applicable.
           By default, RKE2 does set the --hostname-override argument. Per CIS guidelines, this is to comply
           with cloud providers that require this flag to ensure that hostname matches node names.
-        scored: false
+        scored: true
 
       - id: 4.2.9
-        text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Automated)"
+        text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
         audit: "/bin/ps -fC $kubeletbin"
         audit_config: "/bin/cat $kubeletconf"
         tests:
@@ -408,7 +408,7 @@ groups:
           If this check fails, edit the RKE2 config file /etc/rancher/rke2/config.yaml, remove any RotateKubeletServerCertificate parameter.
           Based on your system, restart the RKE2 service. For example,
           systemctl restart rke2-server.service
-        scored: false
+        scored: true
 
       - id: 4.2.13
         text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"

diff --git a/package/cfg/rke2-cis-1.24-hardened/policies.yaml b/package/cfg/rke2-cis-1.24-hardened/policies.yaml
@@ -134,7 +134,7 @@ groups:
         remediation: |
           Add policies to each namespace in the cluster which has user workloads to restrict the
           admission of `hostIPC` containers.
-        scored: false
+        scored: true
 
       - id: 5.2.5
         text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
@@ -202,7 +202,7 @@ groups:
         remediation: |
           Ensure that `allowedCapabilities` is not present in policies for the cluster unless
           it is set to an empty array.
-        scored: false
+        scored: true
 
       - id: 5.2.10
         text: "Minimize the admission of containers with capabilities assigned (Manual)"
@@ -268,7 +268,7 @@ groups:
               set: true
         remediation: |
           Follow the documentation and create NetworkPolicy objects as you need them.
-        scored: false
+        scored: true
 
   - id: 5.4
     text: "Secrets Management"

diff --git a/package/cfg/rke2-cis-1.24-permissive/master.yaml b/package/cfg/rke2-cis-1.24-permissive/master.yaml
@@ -146,7 +146,7 @@ groups:
         scored: false
 
       - id: 1.1.10
-        text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
+        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
         audit: |
           ps -fC ${kubeletbin:-kubelet} | grep -- --cni-conf-dir || echo "/etc/cni/net.d" | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
           find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
@@ -303,7 +303,7 @@ groups:
           Run the below command (based on the file location on your system) on the control plane node.
           For example,
           chmod -R 600 /var/lib/rancher/rke2/server/tls/*.key
-        scored: false
+        scored: true
 
   - id: 1.2
     text: "API Server"

diff --git a/package/cfg/rke2-cis-1.24-permissive/node.yaml b/package/cfg/rke2-cis-1.24-permissive/node.yaml
@@ -51,7 +51,7 @@ groups:
           Run the below command (based on the file location on your system) on the each worker node.
           For example,
           chmod 600 $proxykubeconfig
-        scored: false
+        scored: true
 
       - id: 4.1.4
         text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Automated)"
@@ -325,7 +325,7 @@ groups:
           Not Applicable.
           By default, RKE2 does set the --hostname-override argument. Per CIS guidelines, this is to comply
           with cloud providers that require this flag to ensure that hostname matches node names.
-        scored: false
+        scored: true
 
       - id: 4.2.9
         text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
@@ -363,7 +363,7 @@ groups:
           kubelet-arg:
             - "tls-cert-file=<path/to/tls-cert-file>"
             - "tls-private-key-file=<path/to/tls-private-key-file>"
-        scored: false
+        scored: true
 
       - id: 4.2.11
         text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
@@ -407,7 +407,7 @@ groups:
           If this check fails, edit the RKE2 config file /etc/rancher/rke2/config.yaml, remove any RotateKubeletServerCertificate parameter.
           Based on your system, restart the RKE2 service. For example,
           systemctl restart rke2-server.service
-        scored: false
+        scored: true
 
       - id: 4.2.13
         text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"

diff --git a/package/cfg/rke2-cis-1.24-permissive/policies.yaml b/package/cfg/rke2-cis-1.24-permissive/policies.yaml
@@ -146,7 +146,7 @@ groups:
         remediation: |
           Ensure that `allowedCapabilities` is not present in policies for the cluster unless
           it is set to an empty array.
-        scored: false
+        scored: true
 
       - id: 5.2.10
         text: "Minimize the admission of containers with capabilities assigned (Manual)"