kubernetes-sigs / wg-policy-prototypes

A place for policy work group related proposals and prototypes.
Apache License 2.0

The policy and rule name is generic for multiple policy violation generation #101

Closed arundathi-nirmata closed 2 years ago

arundathi-nirmata commented 2 years ago

Today we are using a generic name for policy and rule in multiple policy violations. Need to have a focused name for policy and rule for each policy violation.

- category: CIS Benchmarks
  message: Ensure that the controller manager pod specification file permissions are
    set to 644 or more restrictive (Automated)
  policy: Master Node Security Configuration
  properties:
    AuditConfig: ""
    AuditEnv: ""
    IsMultiple: "false"
    actual_value: permissions=600
    audit: /bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-controller-manager.yaml;
      then stat -c permissions=%a /etc/kubernetes/manifests/kube-controller-manager.yaml;
      fi'
    expected_result: permissions has permissions 600, expected 644 or more restrictive
    index: 1.1.3
    reason: ""
    remediation: |
      Run the below command (based on the file location on your system) on the master node.
      For example,
      chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml
    test_info: |
      Run the below command (based on the file location on your system) on the master node.
      For example,
      chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml
    type: ""
  result: pass
  rule: Master Node Configuration Files
  scored: true
  source: ""
  timestamp:
    nanos: 0
    seconds: 0
- category: CIS Benchmarks
  message: Ensure that the controller manager pod specification file ownership is
    set to root:root (Automated)
  policy: Master Node Security Configuration
  properties:
    AuditConfig: ""
    AuditEnv: ""
    IsMultiple: "false"
    actual_value: root:root
    audit: /bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-controller-manager.yaml;
      then stat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml; fi'
    expected_result: '''root:root'' is present'
    index: 1.1.4
    reason: ""
    remediation: |
      Run the below command (based on the file location on your system) on the master node.
      For example,
      chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml
    test_info: |
      Run the below command (based on the file location on your system) on the master node.
      For example,
      chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml
    type: ""
  result: pass
  rule: Master Node Configuration Files
  scored: true
  source: ""
  timestamp:
    nanos: 0
    seconds: 0
- category: CIS Benchmarks
  message: Ensure that the scheduler pod specification file permissions are set to
    644 or more restrictive (Automated)
  policy: Master Node Security Configuration
  properties:
    AuditConfig: ""
    AuditEnv: ""
    IsMultiple: "false"
    actual_value: permissions=600
    audit: /bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-scheduler.yaml; then
      stat -c permissions=%a /etc/kubernetes/manifests/kube-scheduler.yaml; fi'
    expected_result: permissions has permissions 600, expected 644 or more restrictive
    index: 1.1.5
    reason: ""
    remediation: |
      Run the below command (based on the file location on your system) on the master node.
      For example,
      chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml
    test_info: |
      Run the below command (based on the file location on your system) on the master node.
      For example,
      chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml
    type: ""
  result: pass
  rule: Master Node Configuration Files
  scored: true
  source: ""
  timestamp:
    nanos: 0
    seconds: 0
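Added example, not part of the issue above or of the wg-policy-prototypes code: the three results posted share the same `policy` and `rule` values, so anything that keys on those two fields (a dashboard, an alert deduplicator, a `kubectl` summary) collapses checks 1.1.3, 1.1.4 and 1.1.5 into a single row and the distinguishing information survives only in `properties.index` and `message`. The Go program below reproduces that collision on the posted data and then applies one possible renaming scheme, using the CIS check index plus the message as the rule name. The `Result` struct, `GroupByPolicyRule`, `FocusedRule` and `Rename` are assumptions for this example; the three sample entries are transcribed from the report above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Result holds the subset of PolicyReport result fields relevant here.
// The struct is an assumption for this example, not the project's own type;
// field names follow the YAML keys in the issue.
type Result struct {
	Policy  string
	Rule    string
	Index   string // CIS check number, carried under properties.index
	Message string
	Result  string
}

// SampleResults is constructed test data transcribed from the three
// entries posted in the issue (1.1.3, 1.1.4, 1.1.5).
var SampleResults = []Result{
	{
		Policy:  "Master Node Security Configuration",
		Rule:    "Master Node Configuration Files",
		Index:   "1.1.3",
		Message: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)",
		Result:  "pass",
	},
	{
		Policy:  "Master Node Security Configuration",
		Rule:    "Master Node Configuration Files",
		Index:   "1.1.4",
		Message: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)",
		Result:  "pass",
	},
	{
		Policy:  "Master Node Security Configuration",
		Rule:    "Master Node Configuration Files",
		Index:   "1.1.5",
		Message: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)",
		Result:  "pass",
	},
}

// GroupByPolicyRule counts results per "policy/rule" key, which is what a
// consumer that keys on the two name fields alone would see.
func GroupByPolicyRule(rs []Result) map[string]int {
	counts := map[string]int{}
	for _, r := range rs {
		counts[r.Policy+"/"+r.Rule]++
	}
	return counts
}

// FocusedRule derives a per-check rule name: the CIS index followed by the
// message with a trailing "(Automated)"/"(Manual)" tag removed.
// This is one possible scheme (an assumption), not the one the project adopted.
func FocusedRule(r Result) string {
	msg := r.Message
	if i := strings.LastIndex(msg, " ("); i >= 0 && strings.HasSuffix(msg, ")") {
		msg = msg[:i]
	}
	return r.Index + " " + msg
}

// Rename returns a copy of the results with FocusedRule applied to each one;
// the input slice is left untouched.
func Rename(rs []Result) []Result {
	out := make([]Result, len(rs))
	for i, r := range rs {
		r.Rule = FocusedRule(r)
		out[i] = r
	}
	return out
}

func main() {
	before := GroupByPolicyRule(SampleResults)
	after := GroupByPolicyRule(Rename(SampleResults))
	fmt.Printf("distinct policy/rule keys: before=%d after=%d\n", len(before), len(after))

	keys := make([]string, 0, len(after))
	for k := range after {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Println(k)
	}
}
```

Run as `go run main.go`: the first line reports one key before renaming and three after, followed by the three focused keys in index order. The same approach would apply to the `policy` field, for example using the CIS section title, if each violation is meant to carry a focused policy name as well.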
mritunjaysharma394 commented 2 years ago

/assign @mritunjaysharma394