
Commit 2a8943c

authored
Change static file references to attributes (#27)
Signed-off-by: Thomas Heinen <theinen@tecracer.de>
1 parent 49add6f commit 2a8943c


4 files changed

+104
-39
lines changed


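--- a/controls/1_1_master_node_configuration_files.rb
+++ b/controls/1_1_master_node_configuration_files.rb
@@ -1,5 +1,15 @@
 title '1.1 Master Node: Configuration Files'
 
+apiserver_manifest = attribute('apiserver-manifest')
+controller_manager_manifest = attribute('controller_manager-manifest')
+scheduler_manifest = attribute('scheduler-manifest')
+etcd_manifest = attribute('etcd-manifest')
+etcd_regex = Regexp.new(attribute('etcd'))
+admin_conf = attribute('admin-conf')
+scheduler_conf = attribute('scheduler-conf')
+controller_manager_conf = attribute('controller_manager-conf')
+kubernetes_pki = attribute('kubernetes-pki')
+
 control 'cis-kubernetes-benchmark-1.1.1' do
 title 'Ensure that the API server pod specification file permissions are set to 644 or more restrictive'
 desc "Ensure that the API server pod specification file has permissions of `644` or more restrictive.\n\nRationale: The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
@@ -9,10 +19,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/manifests/kube-apiserver.yaml').exist?
+file(apiserver_manifest).exist?
 end
 
-describe file('/etc/kubernetes/manifests/kube-apiserver.yaml').mode.to_s(8) do
+describe file(apiserver_manifest).mode.to_s(8) do
 it { should match(/[0246][024][024]/) }
 end
 end
@@ -26,10 +36,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/manifests/kube-apiserver.yaml').exist?
+file(apiserver_manifest).exist?
 end
 
-describe file('/etc/kubernetes/manifests/kube-apiserver.yaml') do
+describe file(apiserver_manifest) do
 it { should be_owned_by 'root' }
 it { should be_grouped_into 'root' }
 end
@@ -44,10 +54,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/manifests/kube-controller-manager.yaml').exist?
+file(controller_manager_manifest).exist?
 end
 
-describe file('/etc/kubernetes/manifests/kube-controller-manager.yaml').mode.to_s(8) do
+describe file(controller_manager_manifest).mode.to_s(8) do
 it { should match(/[0246][024][024]/) }
 end
 end
@@ -61,10 +71,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/manifests/kube-controller-manager.yaml').exist?
+file(controller_manager_manifest).exist?
 end
 
-describe file('/etc/kubernetes/manifests/kube-controller-manager.yaml') do
+describe file(controller_manager_manifest) do
 it { should be_owned_by 'root' }
 it { should be_grouped_into 'root' }
 end
@@ -79,10 +89,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/manifests/kube-scheduler.yaml').exist?
+file(scheduler_manifest).exist?
 end
 
-describe file('/etc/kubernetes/manifests/kube-scheduler.yaml').mode.to_s(8) do
+describe file(scheduler_manifest).mode.to_s(8) do
 it { should match(/[0246][024][024]/) }
 end
 end
@@ -96,10 +106,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/manifests/kube-scheduler.yaml').exist?
+file(scheduler_manifest).exist?
 end
 
-describe file('/etc/kubernetes/manifests/kube-scheduler.yaml') do
+describe file(scheduler_manifest) do
 it { should be_owned_by 'root' }
 it { should be_grouped_into 'root' }
 end
@@ -114,10 +124,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/manifests/etcd.yaml').exist?
+file(etcd_manifest).exist?
 end
 
-describe file('/etc/kubernetes/manifests/etcd.yaml').mode.to_s(8) do
+describe file(etcd_manifest).mode.to_s(8) do
 it { should match(/[0246][024][024]/) }
 end
 end
@@ -131,10 +141,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/manifests/etcd.yaml').exist?
+file(etcd_manifest).exist?
 end
 
-describe file('/etc/kubernetes/manifests/etcd.yaml') do
+describe file(etcd_manifest) do
 it { should be_owned_by 'root' }
 it { should be_grouped_into 'root' }
 end
@@ -223,7 +233,7 @@
 tag cis: 'kubernetes:1.1.12'
 tag level: 1
 
-etcd_process = processes(Regexp.new(%r{/usr/bin/etcd}))
+etcd_process = processes(etcd_regex)
 data_dir = ''
 
 catch(:stop) do
@@ -260,10 +270,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/admin.conf').exist?
+file(admin_conf).exist?
 end
 
-describe file('/etc/kubernetes/admin.conf').mode.to_s(8) do
+describe file(admin_conf).mode.to_s(8) do
 it { should match(/[0246][024][024]/) }
 end
 end
@@ -277,10 +287,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/admin.conf').exist?
+file(admin_conf).exist?
 end
 
-describe file('/etc/kubernetes/admin.conf') do
+describe file(admin_conf) do
 it { should be_owned_by 'root' }
 it { should be_grouped_into 'root' }
 end
@@ -295,10 +305,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/scheduler.conf').exist?
+file(scheduler_conf).exist?
 end
 
-describe file('/etc/kubernetes/scheduler.conf').mode.to_s(8) do
+describe file(scheduler_conf).mode.to_s(8) do
 it { should match(/[0246][024][024]/) }
 end
 end
@@ -312,10 +322,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/scheduler.conf').exist?
+file(scheduler_conf).exist?
 end
 
-describe file('/etc/kubernetes/scheduler.conf') do
+describe file(scheduler_conf) do
 it { should be_owned_by 'root' }
 it { should be_grouped_into 'root' }
 end
@@ -330,10 +340,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/controller-manager.conf').exist?
+file(controller_manager_conf).exist?
 end
 
-describe file('/etc/kubernetes/controller-manager.conf').mode.to_s(8) do
+describe file(controller_manager_conf).mode.to_s(8) do
 it { should match(/[0246][024][024]/) }
 end
 end
@@ -347,10 +357,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/controller-manager.conf').exist?
+file(controller_manager_conf).exist?
 end
 
-describe file('/etc/kubernetes/controller-manager.conf') do
+describe file(controller_manager_conf) do
 it { should be_owned_by 'root' }
 it { should be_grouped_into 'root' }
 end
@@ -365,10 +375,10 @@
 tag level: 1
 
 only_if do
-directory('/etc/kubernetes/pki').exist?
+directory(kubernetes_pki).exist?
 end
 
-describe directory('/etc/kubernetes/pki') do
+describe directory(kubernetes_pki) do
 it { should be_owned_by 'root' }
 it { should be_grouped_into 'root' }
 end
@@ -383,7 +393,7 @@
 tag level: 1
 
 only_if do
-directory('/etc/kubernetes/pki').exist?
+directory(kubernetes_pki).exist?
 end
 
 cert_files = command('find /etc/kubernetes/pki -type f -name *.crt').stdout.split
@@ -409,7 +419,7 @@
 tag level: 1
 
 only_if do
-directory('/etc/kubernetes/pki').exist?
+directory(kubernetes_pki).exist?
 end
 
 key_files = command('find /etc/kubernetes/pki -type f -name *.key').stdout.split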
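Review bot: The `find` commands at new lines 399 and 425 still hard-code `/etc/kubernetes/pki`, while the `only_if` guards directly above them (hunks @@ -383 and @@ -409) now test `directory(kubernetes_pki)`, so overriding the `kubernetes-pki` input makes the guard and the scan look at different directories and the certificate/key permission controls may pass vacuously on an empty file list. Both lines should derive the path from the same variable, e.g. `cert_files = command("find #{Shellwords.escape(kubernetes_pki)} -type f -name '*.crt'").stdout.split` and the analogous `*.key` line. Escaping the interpolated value matters now that the path is a profile input rather than a literal, and quoting the glob stops the shell from expanding `*.crt` against the working directory (pre-existing, but worth fixing while these lines are touched). The enclosing control blocks continue outside these hunks.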

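--- a/controls/2_etcd_node.rb
+++ b/controls/2_etcd_node.rb
@@ -1,6 +1,6 @@
 title '2 Etcd Node'
 
-etcd_regex = Regexp.new(%r{/usr/bin/etcd})
+etcd_regex = Regexp.new(attribute('etcd'))
 etcd_process = processes(etcd_regex)
 etcd_env_vars = process_env_var(etcd_regex)
 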
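Review bot: `Regexp.new(attribute('etcd'))` at new line 3 treats the `etcd` input as a regular expression although inspec.yml describes it as "The name of the etcd process"; an empty override yields `Regexp.new('')`, which matches every process, and a value with regex metacharacters matches something other than the literal path, so `etcd_process` and `etcd_env_vars` could be built from the wrong process. If the input is meant as a literal name or path, `etcd_regex = Regexp.new(Regexp.escape(attribute('etcd')))` is the safer form, ideally after rejecting an empty value; if it is meant as a pattern, the description in inspec.yml should say so. The same construct is introduced at new line 7 of controls/1_1_master_node_configuration_files.rb in this commit. Unlike the `kubelet.empty?` fallback in controls/4_1_worker_node_configuration_files.rb, nothing here handles an empty input.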

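--- a/controls/4_1_worker_node_configuration_files.rb
+++ b/controls/4_1_worker_node_configuration_files.rb
@@ -3,6 +3,7 @@
 kubelet = attribute('kubelet')
 # fallback if kubelet attribute is not defined
 kubelet = kubernetes.kubelet_bin if kubelet.empty?
+kubelet_conf = attribute('kubelet-conf')
 
 only_if('kubelet not found') do
 processes(kubelet).exists?
@@ -36,10 +37,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/kubelet.conf').exist?
+file(kubelet_conf).exist?
 end
 
-describe file('/etc/kubernetes/kubelet.conf') do
+describe file(kubelet_conf) do
 it { should be_owned_by 'root' }
 it { should be_grouped_into 'root' }
 end
@@ -109,10 +110,10 @@
 tag level: 1
 
 only_if do
-file('/etc/kubernetes/kubelet.conf').exist?
+file(kubelet_conf).exist?
 end
 
-describe file('/etc/kubernetes/kubelet.conf').mode.to_s(8) do
+describe file(kubelet_conf).mode.to_s(8) do
 it { should match(/[0246][024][024]/) }
 end
 end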
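Review bot: The `only_if do file(kubelet_conf).exist? end` guards at new lines 40 and 113 carry no skip message, so a mistyped or misrouted `kubelet-conf` input silently marks both kubelet.conf controls as skipped instead of surfacing that the expected file was not found, whereas the file-level guard at line 8 uses `only_if('kubelet not found')`. Naming the path in the message keeps such a skip visible in the report, e.g. `only_if("kubelet.conf not found at #{kubelet_conf}") do`. The added assignment at new line 6 would also read better with a one-line comment matching the one above it, such as `# path of the kubelet kubeconfig, overridable via the kubelet-conf input`. The enclosing control blocks start before these hunks.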

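--- a/inspec.yml
+++ b/inspec.yml
@@ -13,21 +13,75 @@ attributes:
 - name: cis_level
 required: false
 description: 'CIS profile level to audit'
-default: 2
+value: 2
 type: numeric
 - name: apiserver
 required: false
 description: 'The name of the apiserver process'
 type: string
+value: kube-apiserver
+- name: apiserver-manifest
+require: false
+description: 'The path of the apiserver manifest'
+type: string
+value: '/etc/kubernetes/manifests/kube-apiserver.yaml'
 - name: controller_manager
 required: false
 description: 'The name of the controller manager process'
 type: string
+value: kube-controller-manager
+- name: controller_manager-conf
+require: false
+description: 'The path of the controller-manager.conf file'
+type: string
+value: '/etc/kubernetes/controller-manager.conf'
+- name: controller_manager-manifest
+require: false
+description: 'The path of the controller manager manifest'
+type: string
+value: '/etc/kubernetes/manifests/kube-controller-manager.yaml'
 - name: scheduler
 required: false
 description: 'The name of the kube scheduler proces'
 type: string
+value: kube-scheduler
+- name: scheduler-conf
+require: false
+description: 'The path of the scheduler.conf file'
+type: string
+value: '/etc/kubernetes/scheduler.conf'
+- name: scheduler-manifest
+require: false
+description: 'The path of the kube scheduler manifest'
+type: string
+value: '/etc/kubernetes/manifests/kube-scheduler.yaml'
 - name: kubelet
 required: false
 description: 'The name of the kubelet process'
 type: string
+value: kubelet
+- name: kubelet-conf
+require: false
+description: 'The path of the kubelet.conf file'
+type: string
+value: '/etc/kubernetes/kubelet.conf'
+- name: etcd
+required: false
+description: 'The name of the etcd process'
+type: string
+value: /usr/bin/etcd
+- name: etcd-manifest
+require: false
+description: 'The path of the etcd manifest'
+type: string
+value: '/etc/kubernetes/manifests/etcd.yaml'
+- name: admin-conf
+require: false
+description: 'The path of the admin.conf file'
+type: string
+value: '/etc/kubernetes/admin.conf'
+- name: kubernetes-pki
+require: false
+description: 'The path of the Kubernetes PKI directory'
+type: string
+value: '/etc/kubernetes/pki'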
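Review bot: Every newly added path attribute uses the key `require: false` (new lines 24, 34, 39, 49, 54, 64, 74, 79 and 84), while the pre-existing entries and the new `etcd` entry use `required: false`; the misspelt key is presumably ignored rather than rejected, so these entries do not declare the optionality they intend and are inconsistent with the rest of the file. Change each of them to `required: false`. The `etcd` entry's description reads 'The name of the etcd process', but its value `/usr/bin/etcd` is passed to `Regexp.new` in both controls files in this commit, so the description should state that a regular expression matching the etcd command line is expected, e.g. `description: 'Regular expression matching the etcd process command line'`.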
