Fix audit and remediation for CIS-1.9 master 1.1.13/1.1.14 (aquasecurity#1649)

andypitcher · afdesk · deebhatia · commit 0bd41ce6a310 · 2024-10-14T23:09:13.000+05:30
* Fix audit and remediation for CIS-1.9 master 1.1.13/1.1.14

* Fix loop syntax for file paths

---------

Co-authored-by: afdesk &lt;work@afdesk.com&gt;
diff --git a/cfg/cis-1.9/master.yaml b/cfg/cis-1.9/master.yaml
@@ -189,7 +189,7 @@ groups:
       - id: 1.1.13
         text: "Ensure that the default administrative credential file permissions are set to 600 (Automated)"
         audit: |
-         for adminconf in /etc/kubernetes/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c \"permissions=%a %n\" $adminconf; fi; done
+         for adminconf in /etc/kubernetes/admin.conf /etc/kubernetes/super-admin.conf; do if test -e $adminconf; then stat -c "permissions=%a %n" $adminconf; fi; done
         use_multiple_values: true
         tests:
           test_items:
@@ -207,7 +207,7 @@ groups:
       - id: 1.1.14
         text: "Ensure that the default administrative credential file ownership is set to root:root (Automated)"
         audit: |
-         for adminconf in /tmp/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c "ownership=%U:%G %n" $adminconf; fi; done
+         for adminconf in /etc/kubernetes/admin.conf /etc/kubernetes/super-admin.conf; do if test -e $adminconf; then stat -c "ownership=%U:%G %n" $adminconf; fi; done
         use_multiple_values: true
         tests:
           test_items:
@@ -219,7 +219,7 @@ groups:
           Run the below command (based on the file location on your system) on the control plane node.
           For example, chown root:root /etc/kubernetes/admin.conf
           On Kubernetes 1.29+ the super-admin.conf file should also be modified, if present.
-          For example, chmod 600 /etc/kubernetes/super-admin.conf
+          For example, chown root:root /etc/kubernetes/super-admin.conf
         scored: true
 
       - id: 1.1.15
