Issue: The initial command produces "root:root" as its output only when the file is present. However, if the file is missing, the command will still run successfully, though the desired output of "root:root" won't be obtained. (#1538)

Fix: To address this, we've modified the command to achieve the following:

Verify the existence of the file.

If the file is found, show the user and group ownership in the "username:groupname" format.

If the file is not found, display the message "File not found."

To accommodate this change, we've integrated the expected output "File not found" for instances where the file is absent. This adjustment ensures the successful execution of the test.

Co-authored-by: mjshastha <[email protected]>
mjshastha and ManojShastha authored Dec 18, 2023
1 parent f353bc4 commit 7a55d5d
Showing 8 changed files with 46 additions and 31 deletions.
10 changes: 6 additions & 4 deletions cfg/ack-1.0/node.yaml
Expand Up @@ -25,14 +25,16 @@ groups:

- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
- flag: "File not found"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
scored: true

- id: 4.1.3
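
Review bot: The new `- flag: "File not found"` item under `bin_op: or` turns a missing kubelet service file into a pass for 4.1.2, so a node where $kubeletsvc points at the wrong path reports the same result as one with correct root:root ownership. Consider keeping the two outcomes distinguishable, for example by stating in the check text that an absent file is treated as compliant, so an unexpected "File not found" gets looked at rather than counted as verified ownership.
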
10 changes: 6 additions & 4 deletions cfg/cis-1.20/node.yaml
Expand Up @@ -25,14 +25,16 @@ groups:

- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
- flag: "File not found"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
scored: true

- id: 4.1.3
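
Review bot: The audit line switches the script passed to `/bin/sh -c` from single to double quotes, which the fix does not need and which forces the `\"File not found\"` escaping. Inside double quotes `$kubeletsvc` is expanded by any shell that parses this string before the inner `sh` runs, where the single-quoted form passed it through untouched. Keeping the original quoting and only adding the else branch is a smaller change: `'/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo "File not found"; fi'' '`.
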
10 changes: 6 additions & 4 deletions cfg/cis-1.23/node.yaml
Expand Up @@ -24,14 +24,16 @@ groups:

- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
- flag: "File not found"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
scored: true

- id: 4.1.3
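
Review bot: In the audit command, `test -e` follows symbolic links but `stat -c %U:%G` without `-L` reports the owner of the link itself, so when $kubeletsvc is a symlink the check reads the link's ownership, not the service file's. `stat -L -c %U:%G` would make both halves look at the same object. $kubeletsvc is also unquoted in both places, so a path containing whitespace would split into several arguments.
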
10 changes: 6 additions & 4 deletions cfg/cis-1.24/node.yaml
Expand Up @@ -24,14 +24,16 @@ groups:

- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
- flag: "File not found"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
scored: true

- id: 4.1.3
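
Review bot: The remediation block is removed and re-added with identical wording, so that part of the hunk is a whitespace-only change unrelated to the missing-file fix, and it accounts for three of the six added lines. Either leave it out of this commit or, since the lines are being touched anyway, correct "on the each worker node" to "on each worker node".
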
13 changes: 7 additions & 6 deletions cfg/cis-1.5/node.yaml
Expand Up @@ -25,16 +25,17 @@ groups:
scored: true

- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
set: true
- flag: "File not found"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
scored: true

- id: 4.1.3
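
Review bot: Besides the audit change, this hunk relabels the check title from "(Scored)" to "(Automated)" and, going by the 7 additions and 6 deletions, drops `set: true` from the root:root test item; neither is mentioned in the commit message. If the relabel and the `set: true` removal are intended, state the reason in the message or move them to a separate commit; otherwise keep both as they were.
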
4 changes: 3 additions & 1 deletion cfg/cis-1.6/node.yaml
Expand Up @@ -25,10 +25,12 @@ groups:

- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
- flag: "File not found"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
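
Review bot: This file gets only the audit and test changes (3 additions, 1 deletion) while the remediation block is re-indented in the other seven files, so after this commit cis-1.6 is formatted differently from its siblings. Apply the re-indent consistently or drop it everywhere.
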
10 changes: 6 additions & 4 deletions cfg/cis-1.7/node.yaml
Expand Up @@ -24,14 +24,16 @@ groups:

- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
- flag: "File not found"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
scored: true

- id: 4.1.3
10 changes: 6 additions & 4 deletions cfg/cis-1.8/node.yaml
Expand Up @@ -24,14 +24,16 @@ groups:

- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
- flag: "File not found"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
scored: true

- id: 4.1.3
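
Review bot: The else branch is added to 4.1.2 only, yet the empty-output problem comes from the `if test -e ...; then stat ...; fi` shape of the old audit line, not from anything specific to the kubelet service file. If neighbouring checks such as 4.1.3 use the same shape, they need the same decision; the commit message should say whether they were checked.
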
