Merge pull request #237 from aquasecurity/openshift

Update openshift executable config
Update openshift executable config for #236
2026-03-01 01:00:22 +00:00 · 2019-03-07 14:53:22 +00:00 · 2019-03-07 11:18:06 +00:00 · 2019-03-07 09:30:18 +00:00 · 2019-03-07 09:22:47 +00:00 · 2019-03-06 13:35:17 +00:00
18 changed files with 4213 additions and 119 deletions
--- a/cfg/1.11/node.yaml
+++ b/cfg/1.11/node.yaml
@@ -10,7 +10,7 @@ groups:
  checks:
  - id: 2.1.1
    text: "Ensure that the --allow-privileged argument is set to false (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--allow-privileged"
@@ -19,7 +19,7 @@ groups:
          value: false
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --allow-privileged=false
      Based on your system, restart the kubelet service. For example:
@@ -29,7 +29,7 @@ groups:

  - id: 2.1.2
    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--anonymous-auth"
@@ -41,7 +41,7 @@ groups:
      If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
      false .
      If using executable arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --anonymous-auth=false
      Based on your system, restart the kubelet service. For example:
@@ -51,7 +51,7 @@ groups:

  - id: 2.1.3
    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--authorization-mode"
@@ -62,7 +62,7 @@ groups:
    remediation: |
      If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
      If using executable arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
      set the below parameter in KUBELET_AUTHZ_ARGS variable.
      --authorization-mode=Webhook
      Based on your system, restart the kubelet service. For example:
@@ -72,7 +72,7 @@ groups:

  - id: 2.1.4
    text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--client-ca-file"
@@ -81,7 +81,7 @@ groups:
      If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
      the location of the client CA file.
      If using command line arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
      set the below parameter in KUBELET_AUTHZ_ARGS variable.
      --client-ca-file=<path/to/client-ca-file>
      Based on your system, restart the kubelet service. For example:
@@ -91,7 +91,7 @@ groups:

  - id: 2.1.5
    text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--read-only-port"
@@ -102,7 +102,7 @@ groups:
    remediation: |
      If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
      If using command line arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --read-only-port=0
      Based on your system, restart the kubelet service. For example:
@@ -112,7 +112,7 @@ groups:

  - id: 2.1.6
    text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--streaming-connection-idle-timeout"
@@ -124,7 +124,7 @@ groups:
      If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
      value other than 0.
      If using command line arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --streaming-connection-idle-timeout=5m
      Based on your system, restart the kubelet service. For example:
@@ -134,7 +134,7 @@ groups:

  - id: 2.1.7
    text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--protect-kernel-defaults"
@@ -145,7 +145,7 @@ groups:
    remediation: |
      If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
      If using command line arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --protect-kernel-defaults=true
      Based on your system, restart the kubelet service. For example:
@@ -155,7 +155,7 @@ groups:

  - id: 2.1.8
    text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      bin_op: or
      test_items:
@@ -169,7 +169,7 @@ groups:
    remediation: |
      If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
      If using command line arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
      remove the --make-iptables-util-chains argument from the
      KUBELET_SYSTEM_PODS_ARGS variable.
      Based on your system, restart the kubelet service. For example:
@@ -179,13 +179,13 @@ groups:

  - id: 2.1.9
    text: "Ensure that the --hostname-override argument is not set (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--hostname-override"
        set: false
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and remove the --hostname-override argument from the
      KUBELET_SYSTEM_PODS_ARGS variable.
      Based on your system, restart the kubelet service. For example:
@@ -195,7 +195,7 @@ groups:

  - id: 2.1.10
    text: "Ensure that the --event-qps argument is set to 0 (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--event-qps"
@@ -206,7 +206,7 @@ groups:
    remediation: |
      If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
      If using command line arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --event-qps=0
      Based on your system, restart the kubelet service. For example:
@@ -216,7 +216,7 @@ groups:

  - id: 2.1.11
    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      bin_op: and
      test_items:
@@ -229,7 +229,7 @@ groups:
      file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
      corresponding private key file.
      If using command line arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
      set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
      --tls-cert-file=<path/to/tls-certificate-file>
      file=<path/to/tls-key-file>
@@ -240,7 +240,7 @@ groups:

  - id: 2.1.12
    text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      bin_op: or
      test_items:
@@ -252,7 +252,7 @@ groups:
      - flag: "--cadvisor-port"
        set: false
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
      --cadvisor-port=0
      Based on your system, restart the kubelet service. For example:
@@ -262,7 +262,7 @@ groups:

  - id: 2.1.13
    text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--rotate-certificates"
@@ -272,7 +272,7 @@ groups:
        set: true
    remediation: |
      If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
-      If using command line arguments, edit the kubelet service file $kubeletconf 
+      If using command line arguments, edit the kubelet service file $kubeletsvc 
      on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
      Based on your system, restart the kubelet service. For example:
      systemctl daemon-reload
@@ -281,7 +281,7 @@ groups:

  - id: 2.1.14
    text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "RotateKubeletServerCertificate"
@@ -290,7 +290,7 @@ groups:
          value: true
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
      --feature-gates=RotateKubeletServerCertificate=true
      Based on your system, restart the kubelet service. For example:
@@ -300,7 +300,7 @@ groups:

  - id: 2.1.15
    text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--tls-cipher-suites"
@@ -320,7 +320,7 @@ groups:
    - id: 2.2.1
      text: "Ensure that the kubelet.conf file permissions are set to 644 or
      more restrictive (Scored)"
-      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
      tests:
        bin_op: or
        test_items:
@@ -342,12 +342,12 @@ groups:
      remediation: |
        Run the below command (based on the file location on your system) on the each worker
        node. For example,
-        chmod 644 $kubeletconf
+        chmod 644 $kubeletkubeconfig
      scored: true

    - id: 2.2.2
      text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
      tests:
        test_items:
          - flag: "root:root"
@@ -358,7 +358,7 @@ groups:
      remediation: |
        Run the below command (based on the file location on your system) on the each worker
        node. For example,
-        chown root:root $kubeletconf
+        chown root:root $kubeletkubeconfig
      scored: true

    - id: 2.2.3
@@ -404,7 +404,7 @@ groups:

    - id: 2.2.5
      text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
-      audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
+      audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
      tests:
        bin_op: or
        test_items:
@@ -426,12 +426,12 @@ groups:
      remediation: |
        Run the below command (based on the file location on your system) on the each worker
        node. For example,
-        chmod 644 $proxyconf
+        chmod 644 $proxykubeconfig
      scored: true

    - id: 2.2.6
      text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
+      audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
      tests:
        test_items:
        - flag: "root:root"
@@ -439,7 +439,7 @@ groups:
      remediation: |
          Run the below command (based on the file location on your system) on the each worker
          node. For example,
-          chown root:root $proxyconf
+          chown root:root $proxykubeconfig
      scored: true

    - id: 2.2.7
@@ -462,19 +462,19 @@ groups:

    - id: 2.2.9
      text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
      tests:
        test_items:
        - flag: "root:root"
          set: true
      remediation: |
        Run the following command (using the config file location identied in the Audit step)
-        chown root:root /etc/kubernetes/kubelet.conf
+        chown root:root $kubeletconf
      scored: true

    - id: 2.2.10
      text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
-      audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %a /var/lib/kubelet/config.yaml; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
      tests:
        bin_op: or
        test_items:
@@ -495,5 +495,5 @@ groups:
          set: true
      remediation: |
        Run the following command (using the config file location identied in the Audit step)
-        chmod 644 /var/lib/kubelet/config.yaml
+        chmod 644 $kubeletconf
      scored: true
--- a/cfg/1.13/config.yaml
+++ b/cfg/1.13/config.yaml
@@ -0,0 +1,29 @@
+---
+## Controls Files.
+# These are YAML files that hold all the details for running checks.
+#
+## Uncomment to use different control file paths.
+# masterControls: ./cfg/master.yaml
+# nodeControls: ./cfg/node.yaml
+# federatedControls: ./cfg/federated.yaml
+
+master:
+  apiserver:
+    defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
+
+  scheduler:
+    defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
+
+  controllermanager:
+    defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
+
+  etcd:
+    defaultconf: /etc/kubernetes/manifests/etcd.yaml
+
+node:
+  kubelet:
+    defaultconf: /etc/kubernetes/kubelet.conf
+    defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+
+  proxy:
+    defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
--- a/cfg/1.13/master.yaml
+++ b/cfg/1.13/master.yaml
--- a/cfg/1.13/node.yaml
+++ b/cfg/1.13/node.yaml
@@ -0,0 +1,480 @@
+---
+controls:
+version: 1.13
+id: 2
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+- id: 2.1
+  text: "Kubelet"
+  checks:
+  - id: 2.1.1
+    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--anonymous-auth"
+        compare:
+          op: eq
+          value: false
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
+      false .
+      If using executable arguments, edit the kubelet service file
+      $kubeletconf on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --anonymous-auth=false
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.2
+    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--authorization-mode"
+        compare:
+          op: nothave
+          value: "AlwaysAllow"
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
+      If using executable arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_AUTHZ_ARGS variable.
+      --authorization-mode=Webhook
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.3
+    text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--client-ca-file"
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
+      the location of the client CA file.
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_AUTHZ_ARGS variable.
+      --client-ca-file=<path/to/client-ca-file>
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.4
+    text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--read-only-port"
+        compare:
+          op: eq
+          value: 0
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --read-only-port=0
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.5
+    text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--streaming-connection-idle-timeout"
+        compare:
+          op: noteq
+          value: 0
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
+      value other than 0.
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --streaming-connection-idle-timeout=5m
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.6
+    text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--protect-kernel-defaults"
+        compare:
+          op: eq
+          value: true
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --protect-kernel-defaults=true
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.7
+    text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "--make-iptables-util-chains"
+        compare:
+          op: eq
+          value: true
+        set: true
+      - flag: "--make-iptables-util-chains"
+        set: false
+    remediation: |
+      If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      remove the --make-iptables-util-chains argument from the
+      KUBELET_SYSTEM_PODS_ARGS variable.
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.8
+    text: "Ensure that the --hostname-override argument is not set (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--hostname-override"
+        set: false
+    remediation: |
+      Edit the kubelet service file $kubeletsvc
+      on each worker node and remove the --hostname-override argument from the
+      KUBELET_SYSTEM_PODS_ARGS variable.
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.9
+    text: "Ensure that the --event-qps argument is set to 0 (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--event-qps"
+        compare:
+          op: eq
+          value: 0
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --event-qps=0
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.10
+    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "--tls-cert-file"
+        set: true
+      - flag: "--tls-private-key-file"
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
+      file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
+      corresponding private key file.
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
+      --tls-cert-file=<path/to/tls-certificate-file>
+      file=<path/to/tls-key-file>
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.11
+    text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "--cadvisor-port"
+        compare:
+          op: eq
+          value: 0
+        set: true
+      - flag: "--cadvisor-port"
+        set: false
+    remediation: |
+      Edit the kubelet service file $kubeletsvc
+      on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
+      --cadvisor-port=0
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.12
+    text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--rotate-certificates"
+        compare:
+          op: eq
+          value: true
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
+      If using command line arguments, edit the kubelet service file $kubeletsvc 
+      on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.13
+    text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "RotateKubeletServerCertificate"
+        compare:
+          op: eq
+          value: true
+        set: true
+    remediation: |
+      Edit the kubelet service file $kubeletsvc
+      on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
+      --feature-gates=RotateKubeletServerCertificate=true
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.14
+    text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--tls-cipher-suites"
+        compare:
+          op: eq
+          value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+      If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
+      --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+    scored: false
+
+- id: 2.2
+  text: "Configuration Files"
+  checks:
+    - id: 2.2.1
+      text: "Ensure that the kubelet.conf file permissions are set to 644 or
+      more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
+      tests:
+        bin_op: or
+        test_items:
+          - flag: "644"
+            compare:
+              op: eq
+              value: "644"
+            set: true
+          - flag: "640"
+            compare:
+              op: eq
+              value: "640"
+            set: true
+          - flag: "600"
+            compare:
+              op: eq
+              value: "600"
+            set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chmod 644 $kubeletkubeconfig
+      scored: true
+
+    - id: 2.2.2
+      text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chown root:root $kubeletkubeconfig
+      scored: true
+
+    - id: 2.2.3
+      text: "Ensure that the kubelet service file permissions are set to 644 or
+      more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
+      tests:
+        bin_op: or
+        test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: 644
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chmod 755 $kubeletsvc
+      scored: true
+
+    - id: 2.2.4
+      text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
+      tests:
+        test_items:
+        - flag: "root:root"
+          set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chown root:root $kubeletsvc
+      scored: true
+
+    - id: 2.2.5
+      text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
+      tests:
+        bin_op: or
+        test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chmod 644 $proxykubeconfig
+      scored: true
+
+    - id: 2.2.6
+      text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
+      tests:
+        test_items:
+        - flag: "root:root"
+          set: true
+      remediation: |
+          Run the below command (based on the file location on your system) on the each worker
+          node. For example,
+          chown root:root $proxykubeconfig
+      scored: true
+
+    - id: 2.2.7
+      text: "Ensure that the certificate authorities file permissions are set to
+      644 or more restrictive (Scored)"
+      type: manual
+      remediation: |
+        Run the following command to modify the file permissions of the --client-ca-file
+        chmod 644 <filename>
+      scored: true
+
+    - id: 2.2.8
+      text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
+      type: manual
+      remediation: |
+        Run the following command to modify the ownership of the --client-ca-file .
+        chown root:root <filename>
+      scored: true
+
+    - id: 2.2.9
+      text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
+      tests:
+        test_items:
+        - flag: "root:root"
+          set: true
+      remediation: |
+        Run the following command (using the config file location identied in the Audit step)
+        chown root:root $kubeletconf
+      scored: true
+
+    - id: 2.2.10
+      text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
+      tests:
+        bin_op: or
+        test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+      remediation: |
+        Run the following command (using the config file location identied in the Audit step)
+        chmod 644 $kubeletconf
+      scored: true
--- a/cfg/1.8/config.yaml
+++ b/cfg/1.8/config.yaml
@@ -34,11 +34,9 @@ master:

 node:
  kubelet:
-    confs:
-     - /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
-    defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+    defaultconf: /var/lib/kubelet/config.yaml
+    defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+    defaultkubeconfig: /etc/kubernetes/kubelet.conf
  
  proxy:
-    confs:
-      - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
    defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
--- a/cfg/1.8/node.yaml
+++ b/cfg/1.8/node.yaml
@@ -10,7 +10,7 @@ groups:
  checks:
  - id: 2.1.1
    text: "Ensure that the --allow-privileged argument is set to false (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--allow-privileged"
@@ -19,7 +19,7 @@ groups:
          value: false
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --allow-privileged=false
      Based on your system, restart the kubelet service. For example:
@@ -29,7 +29,7 @@ groups:

  - id: 2.1.2
    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--anonymous-auth"
@@ -38,7 +38,7 @@ groups:
          value: false
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --anonymous-auth=false
      Based on your system, restart the kubelet service. For example:
@@ -48,7 +48,7 @@ groups:

  - id: 2.1.3
    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--authorization-mode"
@@ -57,7 +57,7 @@ groups:
          value: "AlwaysAllow"
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
      --authorization-mode=Webhook
      Based on your system, restart the kubelet service. For example:
@@ -67,13 +67,13 @@ groups:

  - id: 2.1.4
    text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--client-ca-file"
        set: true 
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
      --client-ca-file=<path/to/client-ca-file>
      Based on your system, restart the kubelet service. For example:
@@ -83,7 +83,7 @@ groups:

  - id: 2.1.5
    text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--read-only-port"
@@ -92,7 +92,7 @@ groups:
          value: 0
        set: true 
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --read-only-port=0
      Based on your system, restart the kubelet service. For example:
@@ -102,7 +102,7 @@ groups:

  - id: 2.1.6
    text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--streaming-connection-idle-timeout"
@@ -111,7 +111,7 @@ groups:
          value: 0
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --streaming-connection-idle-timeout=5m
      Based on your system, restart the kubelet service. For example:
@@ -121,7 +121,7 @@ groups:

  - id: 2.1.7
    text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--protect-kernel-defaults"
@@ -130,7 +130,7 @@ groups:
          value: true
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --protect-kernel-defaults=true
      Based on your system, restart the kubelet service. For example:
@@ -140,7 +140,7 @@ groups:

  - id: 2.1.8
    text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      bin_op: or
      test_items:
@@ -150,7 +150,7 @@ groups:
          value: true
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and remove the --make-iptables-util-chains argument from the
      KUBELET_SYSTEM_PODS_ARGS variable.
      Based on your system, restart the kubelet service. For example:
@@ -160,7 +160,7 @@ groups:

  - id: 2.1.9
    text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--keep-terminated-pod-volumes"
@@ -169,7 +169,7 @@ groups:
          value: false
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --keep-terminated-pod-volumes=false
      Based on your system, restart the kubelet service. For example:
@@ -179,13 +179,13 @@ groups:

  - id: 2.1.10
    text: "Ensure that the --hostname-override argument is not set (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--hostname-override"
        set: false
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and remove the --hostname-override argument from the
      KUBELET_SYSTEM_PODS_ARGS variable.
      Based on your system, restart the kubelet service. For example:
@@ -195,7 +195,7 @@ groups:

  - id: 2.1.11
    text: "Ensure that the --event-qps argument is set to 0 (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--event-qps"
@@ -204,7 +204,7 @@ groups:
          value: 0
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
      --event-qps=0
      Based on your system, restart the kubelet service. For example:
@@ -214,7 +214,7 @@ groups:

  - id: 2.1.12
    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--tls-cert-file"
@@ -223,8 +223,7 @@ groups:
        set: true
    remediation: |
      Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
-      Then edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-
-      kubeadm.conf on each worker node and set the below parameters in
+      Then edit the kubelet service file $kubeletsvc on each worker node and set the below parameters in
      KUBELET_CERTIFICATE_ARGS variable.
      --tls-cert-file=<path/to/tls-certificate-file>
      file=<path/to/tls-key-file>
@@ -236,7 +235,7 @@ groups:

  - id: 2.1.13
    text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "--cadvisor-port"
@@ -245,7 +244,7 @@ groups:
          value: 0
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
      --cadvisor-port=0
      Based on your system, restart the kubelet service. For example:
@@ -255,7 +254,7 @@ groups:

  - id: 2.1.14
    text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "RotateKubeletClientCertificate"
@@ -264,7 +263,7 @@ groups:
          value: true
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and remove the --feature-
      gates=RotateKubeletClientCertificate=false argument from the
      KUBELET_CERTIFICATE_ARGS variable.
@@ -275,7 +274,7 @@ groups:

  - id: 2.1.15
    text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
-    audit: "ps -ef | grep $kubeletbin | grep -v grep"
+    audit: "ps -fC $kubeletbin"
    tests:
      test_items:
      - flag: "RotateKubeletServerCertificate"
@@ -284,7 +283,7 @@ groups:
          value: true
        set: true
    remediation: |
-      Edit the kubelet service file $kubeletconf
+      Edit the kubelet service file $kubeletsvc
      on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
      --feature-gates=RotateKubeletServerCertificate=true
      Based on your system, restart the kubelet service. For example:
@@ -298,7 +297,7 @@ groups:
    - id: 2.2.1
      text: "Ensure that the kubelet.conf file permissions are set to 644 or
      more restrictive (Scored)"
-      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
      tests:
        bin_op: or
        test_items:
@@ -320,12 +319,12 @@ groups:
      remediation: |
        Run the below command (based on the file location on your system) on the each worker
        node. For example,
-        chmod 644 $kubeletconf
+        chmod 644 $kubeletkubeconfig
      scored: true

    - id: 2.2.2
      text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
      tests:
        test_items:
          - flag: "root:root"
@@ -336,13 +335,13 @@ groups:
      remediation: |
        Run the below command (based on the file location on your system) on the each worker
        node. For example,
-        chown root:root /etc/kubernetes/kubelet.conf
+        chown root:root $kubeletkubeconfig
      scored: true

    - id: 2.2.3
      text: "Ensure that the kubelet service file permissions are set to 644 or
      more restrictive (Scored)"
-      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
      tests:
        bin_op: or
        test_items:
@@ -364,12 +363,12 @@ groups:
      remediation: |
        Run the below command (based on the file location on your system) on the each worker
        node. For example,
-        chmod 755 $kubeletconf
+        chmod 755 $kubeletsvc
      scored: true

    - id: 2.2.4
      text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
      tests:
        test_items:
        - flag: "root:root"
@@ -377,13 +376,13 @@ groups:
      remediation: |
        Run the below command (based on the file location on your system) on the each worker
        node. For example,
-        chown root:root $kubeletconf
+        chown root:root $kubeletsvc
      scored: true

    - id: 2.2.5
      text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
      restrictive (Scored)"
-      audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
+      audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
      tests:
        bin_op: or
        test_items:
@@ -405,12 +404,12 @@ groups:
      remediation: |
        Run the below command (based on the file location on your system) on the each worker
        node. For example,
-        chmod 644 $proxyconf
+        chmod 644 $proxykubeconfig
      scored: true

    - id: 2.2.6
      text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
+      audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
      tests:
        test_items:
        - flag: "root:root"
@@ -418,7 +417,7 @@ groups:
      remediation: |
          Run the below command (based on the file location on your system) on the each worker
          node. For example,
-          chown root:root $proxyconf
+          chown root:root $proxykubeconfig
      scored: true

    - id: 2.2.7
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -24,6 +24,7 @@ master:
    bins:
      - "kube-apiserver"
      - "hyperkube apiserver"
+      - "hyperkube kube-apiserver"
      - "apiserver"
    confs:
      - /etc/kubernetes/apiserver.conf
@@ -34,6 +35,7 @@ master:
    bins:
      - "kube-scheduler"
      - "hyperkube scheduler"
+      - "hyperkube kube-scheduler"
      - "scheduler"
    confs: 
      - /etc/kubernetes/scheduler.conf
@@ -44,6 +46,7 @@ master:
    bins:
      - "kube-controller-manager"
      - "hyperkube controller-manager"
+      - "hyperkube kube-controller-manager"
      - "controller-manager"
    confs:
      - /etc/kubernetes/controller-manager.conf
@@ -78,10 +81,9 @@ node:
    bins:
      - "hyperkube kubelet"
      - "kubelet"
-    confs:
-      - /etc/kubernetes/kubelet.conf
-      - /etc/kubernetes/kubelet 
-    defaultconf: "/etc/kubernetes/kubelet.conf"
+    defaultconf: "/var/lib/kubelet/config.yaml"
+    defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
+    defaultkubeconfig: "/etc/kubernetes/kubelet.conf"

  proxy:
    bins:
@@ -89,9 +91,9 @@ node:
      - "hyperkube proxy"
      - "proxy"
    confs:
-      - /etc/kubernetes/proxy.conf
      - /etc/kubernetes/proxy
      - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
+    defaultkubeconfig: "/etc/kubernetes/proxy.conf"

 federated:
  components:
--- a/cfg/ocp-3.10/config.yaml
+++ b/cfg/ocp-3.10/config.yaml
@@ -0,0 +1,22 @@
+---
+## Controls Files.
+# These are YAML files that hold all the details for running checks.
+#
+## Uncomment to use different control file paths.
+# masterControls: ./cfg/master.yaml
+# nodeControls: ./cfg/node.yaml
+# federatedControls: ./cfg/federated.yaml
+
+master:
+  apiserver:
+    bins:
+      - hypershift openshift-kube-apiserver
+
+  etcd:
+    bins:
+      - openshift start etcd
+
+node:
+  proxy:
+    bins:
+      - openshift start network
--- a/cfg/ocp-3.10/federated.yaml
+++ b/cfg/ocp-3.10/federated.yaml
@@ -0,0 +1,113 @@
+---
+controls:
+id: 3
+text: "Federated Deployments"
+type: "federated"
+groups:
+- id: 3.1
+  text: "Federated API Server"
+  checks:
+  - id: 3.1.1
+    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.2
+    text: "Ensure that the --basic-auth-file argument is not set (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.3
+    text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.4
+    text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.5
+    text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.6
+    text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.7
+    text: "Ensure that the --profiling argument is set to false (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.8
+    text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.9
+    text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.10
+    text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.11
+    text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.12
+    text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.13
+    text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.14
+    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.15
+    text: "Ensure that the --token-auth-file parameter is not set (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.16
+    text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.17
+    text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.18
+    text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.19
+    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+
+- id: 3.2
+  text: "Federation Controller Manager"
+  checks:
+  - id: 3.2.1
+    text: "Ensure that the --profiling argument is set to false (Scored)"
+    type: "skip"
+    scored: true
+
--- a/cfg/ocp-3.10/master.yaml
+++ b/cfg/ocp-3.10/master.yaml
--- a/cfg/ocp-3.10/node.yaml
+++ b/cfg/ocp-3.10/node.yaml
@@ -0,0 +1,376 @@
+---
+controls:
+id: 2
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+- id: 2.1
+  text: "Kubelet"
+  checks:
+  - id: 2.1.1
+    text: "Ensure that the --allow-privileged argument is set to false (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 2.1.2
+    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 2.1.3
+    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+    audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "authorization-mode"
+        set: false
+      - flag: "authorization-mode: Webhook"
+        compare:
+          op: has
+          value: "Webhook"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
+      kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
+    scored: true
+
+  - id: 2.1.4
+    text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+    audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "client-ca-file"
+        set: false
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
+      grep -A1 client-ca-file /etc/origin/node/node-config.yaml
+
+      Reset to the OpenShift default. 
+      See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
+      The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
+    scored: true
+
+  - id: 2.1.5
+    text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
+    audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "read-only-port"
+        set: false
+      - flag: "read-only-port: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
+    scored: true
+
+  - id: 2.1.6
+    text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
+    audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "streaming-connection-idle-timeout"
+        set: false
+      - flag: "0"
+        set: false
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
+      value like the following in node-config.yaml.
+      
+      kubeletArguments:
+        streaming-connection-idle-timeout:
+           - "5m"
+    scored: true
+
+  - id: 2.1.7
+    text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 2.1.8
+    text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
+    audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "make-iptables-util-chains"
+        set: false
+      - flag: "make-iptables-util-chains: true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
+      default value of true. 
+    scored: true
+
+    id: 2.1.9
+    text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)"
+    audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "keep-terminated-pod-volumes: false"
+        compare:
+          op: has
+          value: "false"
+        set: true
+    remediation: |
+      Reset to the OpenShift defaults
+    scored: true
+
+  - id: 2.1.10
+    text: "Ensure that the --hostname-override argument is not set (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 2.1.11
+    text: "Ensure that the --event-qps argument is set to 0 (Scored)"
+    audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "event-qps"
+        set: false
+      - flag: "event-qps: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
+      the kubeletArguments section of.
+    scored: true
+
+  - id: 2.1.12
+    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+    audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "/etc/origin/node/certificates"
+        compare:
+          op: has
+          value: "/etc/origin/node/certificates"
+        set: true
+    remediation: |
+      Reset to the OpenShift default values.
+    scored: true
+
+  - id: 2.1.13
+    text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
+    audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "cadvisor-port"
+        set: false
+      - flag: "cadvisor-port: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag 
+      if it is set in the  kubeletArguments section.
+    scored: true
+
+  - id: 2.1.14
+    text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)"
+    audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "RotateKubeletClientCertificate=true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
+    scored: true
+
+  - id: 2.1.15
+    text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
+    audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
+    test:
+      test_items:
+      - flag: "RotateKubeletServerCertificate=true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
+    scored: true
+
+
+- id: 2.2
+  text: "Configuration Files"
+  checks:
+  - id: 2.2.1
+    text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
+    audit: "stat -c %a  /etc/origin/node/node.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/node.kubeconfig
+    scored: true
+
+  - id: 2.2.2
+    text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
+    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/node.kubeconfig
+      scored: true
+
+  - id: 2.2.3
+    text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
+    audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/systemd/system/atomic-openshift-node.service
+    scored: true
+
+  - id: 2.2.4
+    text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
+    audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/systemd/system/atomic-openshift-node.service
+      scored: true
+
+  - id: 2.2.5
+    text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
+    audit: "stat -c %a /etc/origin/node/node.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/node.kubeconfig
+    scored: true
+
+  - id: 2.2.6
+    text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
+    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/node.kubeconfig
+      scored: true
+
+  - id: 2.2.7
+    text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
+    audit: "stat -c %a /etc/origin/node/client-ca.crt"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/client-ca.crt
+    scored: true
+
+  - id: 2.2.8
+    text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
+    audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/client-ca.crt
+      scored: true
--- a/check/check.go
+++ b/check/check.go
@@ -71,13 +71,21 @@ type Check struct {
 	TestInfo    []string    `json:"test_info"`
 	State       `json:"status"`
 	ActualValue string `json:"actual_value"`
+	Scored      bool   `json:"scored"`
 }

 // Run executes the audit commands specified in a check and outputs
 // the results.
 func (c *Check) Run() {
-	// If check type is manual, force result to WARN.
-	if c.Type == "manual" {
+
+	// If check type is skip, force result to INFO
+	if c.Type == "skip" {
+		c.State = INFO
+		return
+	}
+
+	// If check type is manual or the check is not scored, force result to WARN
+	if c.Type == "manual" || !c.Scored {
 		c.State = WARN
 		return
 	}
--- a/check/check_test.go
+++ b/check/check_test.go
@@ -0,0 +1,30 @@
+package check
+
+import (
+	"testing"
+)
+
+func TestCheck_Run(t *testing.T) {
+	type TestCase struct {
+		check    Check
+		Expected State
+	}
+
+	testCases := []TestCase{
+		{check: Check{Type: "manual"}, Expected: WARN},
+		{check: Check{Type: "skip"}, Expected: INFO},
+		{check: Check{Type: "", Scored: false}, Expected: WARN}, // Not scored checks with no type should be marked warn
+		{check: Check{Type: "", Scored: true}, Expected: WARN},  // If there are no tests in the check, warn
+		{check: Check{Type: "manual", Scored: false}, Expected: WARN},
+		{check: Check{Type: "skip", Scored: false}, Expected: INFO},
+	}
+
+	for _, testCase := range testCases {
+
+		testCase.check.Run()
+
+		if testCase.check.State != testCase.Expected {
+			t.Errorf("test failed, expected %s, actual %s\n", testCase.Expected, testCase.check.State)
+		}
+	}
+}
--- a/check/controls.go
+++ b/check/controls.go
@@ -37,6 +37,7 @@ type Group struct {
 	Pass   int      `json:"pass"`
 	Fail   int      `json:"fail"`
 	Warn   int      `json:"warn"`
+	Info   int      `json:"info"`
 	Text   string   `json:"desc"`
 	Checks []*Check `json:"results"`
 }
@@ -46,6 +47,7 @@ type Summary struct {
 	Pass int `json:"total_pass"`
 	Fail int `json:"total_fail"`
 	Warn int `json:"total_warn"`
+	Info int `json:"total_info"`
 }

 // NewControls instantiates a new master Controls object.
@@ -74,7 +76,7 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
 // RunGroup runs all checks in a group.
 func (controls *Controls) RunGroup(gids ...string) Summary {
 	g := []*Group{}
-	controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn = 0, 0, 0
+	controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0

 	// If no groupid is passed run all group checks.
 	if len(gids) == 0 {
@@ -105,7 +107,7 @@ func (controls *Controls) RunGroup(gids ...string) Summary {
 func (controls *Controls) RunChecks(ids ...string) Summary {
 	g := []*Group{}
 	m := make(map[string]*Group)
-	controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn = 0, 0, 0
+	controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0

 	// If no groupid is passed run all group checks.
 	if len(ids) == 0 {
@@ -182,6 +184,8 @@ func summarize(controls *Controls, check *Check) {
 		controls.Summary.Fail++
 	case WARN:
 		controls.Summary.Warn++
+	case INFO:
+		controls.Summary.Info++
 	}
 }

@@ -193,5 +197,7 @@ func summarizeGroup(group *Group, check *Check) {
 		group.Fail++
 	case WARN:
 		group.Warn++
+	case INFO:
+		group.Info++
 	}
 }
--- a/check/test.go
+++ b/check/test.go
@@ -144,6 +144,12 @@ type tests struct {
 func (ts *tests) execute(s string) *testOutput {
 	finalOutput := &testOutput{}

+	// If no tests are defined return with empty finalOutput.
+	// This may be the case for checks of type: "skip".
+	if ts == nil {
+		return finalOutput
+	}
+
 	res := make([]testOutput, len(ts.TestItems))
 	if len(res) == 0 {
 		return finalOutput
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -83,12 +83,14 @@ func runChecks(nodetype check.NodeType) {
 	binmap := getBinaries(typeConf)
 	confmap := getConfigFiles(typeConf)
 	svcmap := getServiceFiles(typeConf)
+	kubeconfmap := getKubeConfigFiles(typeConf)

 	// Variable substitutions. Replace all occurrences of variables in controls files.
 	s := string(in)
 	s = makeSubstitutions(s, "bin", binmap)
 	s = makeSubstitutions(s, "conf", confmap)
 	s = makeSubstitutions(s, "svc", svcmap)
+	s = makeSubstitutions(s, "kubeconfig", kubeconfmap)

 	controls, err := check.NewControls(nodetype, []byte(s))
 	if err != nil {
@@ -108,7 +110,7 @@ func runChecks(nodetype check.NodeType) {
 	}

 	// if we successfully ran some tests and it's json format, ignore the warnings
-	if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0) && jsonFmt {
+	if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0 || summary.Info > 0) && jsonFmt {
 		out, err := controls.JSON()
 		if err != nil {
 			exitWithError(fmt.Errorf("failed to output in JSON format: %v", err))
@@ -117,7 +119,7 @@ func runChecks(nodetype check.NodeType) {
 		fmt.Println(string(out))
 	} else {
 		// if we want to store in PostgreSQL, convert to JSON and save it
-		if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0) && pgSQL {
+		if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0 || summary.Info > 0) && pgSQL {
 			out, err := controls.JSON()
 			if err != nil {
 				exitWithError(fmt.Errorf("failed to output in JSON format: %v", err))
@@ -157,7 +159,7 @@ func prettyPrint(r *check.Controls, summary check.Summary) {
 			colors[check.WARN].Printf("== Remediations ==\n")
 			for _, g := range r.Groups {
 				for _, c := range g.Checks {
-					if c.State != check.PASS {
+					if c.State == check.FAIL || c.State == check.WARN {
 						fmt.Printf("%s %s\n", c.ID, c.Remediation)
 					}
 				}
@@ -178,8 +180,8 @@ func prettyPrint(r *check.Controls, summary check.Summary) {
 		}

 		colors[res].Printf("== Summary ==\n")
-		fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks WARN\n",
-			summary.Pass, summary.Fail, summary.Warn,
+		fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks WARN\n%d checks INFO\n",
+			summary.Pass, summary.Fail, summary.Warn, summary.Info,
 		)
 	}
 }
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -33,20 +33,6 @@ func init() {
 	statFunc = os.Stat
 }

-func printlnWarn(msg string) {
-	fmt.Fprintf(os.Stderr, "[%s] %s\n",
-		colors[check.WARN].Sprintf("%s", check.WARN),
-		msg,
-	)
-}
-
-func sprintlnWarn(msg string) string {
-	return fmt.Sprintf("[%s] %s",
-		colors[check.WARN].Sprintf("%s", check.WARN),
-		msg,
-	)
-}
-
 func exitWithError(err error) {
 	fmt.Fprintf(os.Stderr, "\n%v\n", err)
 	os.Exit(1)
@@ -233,6 +219,37 @@ func getServiceFiles(v *viper.Viper) map[string]string {
 	return svcmap
 }

+// getKubeConfigFiles finds which of the set of candidate kubeconfig files exist
+func getKubeConfigFiles(v *viper.Viper) map[string]string {
+	kubeconfigmap := make(map[string]string)
+
+	for _, component := range v.GetStringSlice("components") {
+		s := v.Sub(component)
+		if s == nil {
+			continue
+		}
+
+		// See if any of the candidate config files exist
+		kubeconfig := findConfigFile(s.GetStringSlice("kubeconfig"))
+		if kubeconfig == "" {
+			if s.IsSet("defaultkubeconfig") {
+				kubeconfig = s.GetString("defaultkubeconfig")
+				glog.V(2).Info(fmt.Sprintf("Using default kubeconfig file name '%s' for component %s", kubeconfig, component))
+			} else {
+				// Default the service file name that we'll substitute to the name of the component
+				glog.V(2).Info(fmt.Sprintf("Missing service file for %s", component))
+				kubeconfig = component
+			}
+		} else {
+			glog.V(2).Info(fmt.Sprintf("Component %s uses service file '%s'", component, kubeconfig))
+		}
+
+		kubeconfigmap[component] = kubeconfig
+	}
+
+	return kubeconfigmap
+}
+
 // verifyBin checks that the binary specified is running
 func verifyBin(bin string) bool {

@@ -303,6 +320,12 @@ func getKubeVersion() (string, error) {
 	if err != nil {
 		_, err = exec.LookPath("kubelet")
 		if err != nil {
+			// Search for the kubelet binary all over the filesystem and run the first match to get the kubernetes version
+			cmd := exec.Command("/bin/sh", "-c", "`find / -type f -executable -name kubelet 2>/dev/null | grep -m1 .` --version")
+			out, err := cmd.CombinedOutput()
+			if err == nil {
+				return getVersionFromKubeletOutput(string(out)), nil
+			}
 			return "", fmt.Errorf("need kubectl or kubelet binaries to get kubernetes version")
 		}
 		return getKubeVersionFromKubelet(), nil
@@ -336,7 +359,7 @@ func getVersionFromKubectlOutput(s string) string {
 	serverVersionRe := regexp.MustCompile(`Server Version: v(\d+.\d+)`)
 	subs := serverVersionRe.FindStringSubmatch(s)
 	if len(subs) < 2 {
-		printlnWarn(fmt.Sprintf("Unable to get kubectl version, using default version: %s", defaultKubeVersion))
+		glog.V(1).Info(fmt.Sprintf("Unable to get Kubernetes version from kubectl, using default version: %s", defaultKubeVersion))
 		return defaultKubeVersion
 	}
 	return subs[1]
@@ -346,7 +369,7 @@ func getVersionFromKubeletOutput(s string) string {
 	serverVersionRe := regexp.MustCompile(`Kubernetes v(\d+.\d+)`)
 	subs := serverVersionRe.FindStringSubmatch(s)
 	if len(subs) < 2 {
-		printlnWarn(fmt.Sprintf("Unable to get kubelet version, using default version: %s", defaultKubeVersion))
+		glog.V(1).Info(fmt.Sprintf("Unable to get Kubernetes version from kubelet, using default version: %s", defaultKubeVersion))
 		return defaultKubeVersion
 	}
 	return subs[1]
--- a/BIN
+++ b/BIN
Author	SHA1	Message	Date
Liz Rice	c4c0d911d4	Merge pull request #237 from aquasecurity/openshift Update openshift executable config	2019-03-07 14:53:22 +00:00
Liz Rice	9b3628e76a	Update openshift executable config for #236	2019-03-07 11:18:06 +00:00
Liz Rice	8745df170a	Merge pull request #233 from aquasecurity/clean-ocp-configs Clean up OCP benchmark config.	2019-03-07 09:30:18 +00:00
Liz Rice	1ead9e1d71	Merge branch 'master' into clean-ocp-configs	2019-03-07 09:22:47 +00:00
Liz Rice	772d2e26b4	Merge pull request #226 from aquasecurity/add-new-cfg-version1.4 add new config files from the new CIS Kubernetes Benchmark	2019-03-06 13:35:17 +00:00
Abubakr-Sadik Nii Nai Davis	53ed68a0b2	Clean up OCP benchmark config. The OCP benchmarks uses configs for only binary component variable names. This commit cleans up the OCP config by removing all configuration except those component binaries required to run kube-bench on OCP installations and adds missing ones.	2019-03-06 12:02:58 +00:00
yoavrotems	c6102f0a1b	Fix the files Fix the start from 1.11 to 1.13 and adding changes from pull #227, and pull #228.	2019-03-06 11:26:36 +00:00
yoavrotems	e534392525	Delete node.yaml replace with the new node.yaml file	2019-03-06 13:24:14 +02:00
yoavrotems	5f09ecef44	Delete master.yaml replace with the new master.yaml file	2019-03-06 13:23:49 +02:00
yoavrotems	a7d9e06c1b	Delete config.yaml replace with the new config.yaml file	2019-03-06 13:23:18 +02:00
yoavrotems	50f22e7f13	Merge branch 'master' into add-new-cfg-version1.4	2019-03-06 11:16:36 +00:00
Liz Rice	2d4019aabe	Merge pull request #228 from aquasecurity/fix-208 Fix issues with checks for kubelet configuration files	2019-03-03 11:10:05 +00:00
Liz Rice	dd8e7ec874	Merge branch 'master' into fix-208	2019-03-03 09:45:16 +00:00
Abubakr-Sadik Nii Nai Davis	d255b49d4b	Revert 1.8 config file.	2019-03-02 17:20:46 +00:00
Liz Rice	0a58805cdb	Merge pull request #227 from aquasecurity/fix-false-detections Only find flags on the process we really want	2019-02-28 10:48:23 +08:00
Liz Rice	c18d8a2234	Merge branch 'master' into fix-false-detections	2019-02-28 10:38:41 +08:00
Abubakr-Sadik Nii Nai Davis	a88b0703d8	Add kubeconfig variable substitution for kubelet and proxy. There are checks for the kubeconfig for both kubelet and proxy which the current kube-bench implementation does not check for properly. kube-bench checks the wrong files. This PR adds support for variable substitution for all the config file types are that should be checked in the CIS benchmarks. This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for ownership of the kubelet config file /var/lib/kubelet/config.yaml but recommends changing ownership of kubelet kubeconfig file /etc/kubernetes/kubelet.conf as remediation.	2019-02-27 22:15:14 +00:00
Abubakr-Sadik Nii Nai Davis	3f98c1def2	Fix wrong reference to kubelet.config in node checks. This fix applies to only checks for kubernetes versions 1.8 and 1.11. See https://github.com/aquasecurity/kube-bench/pull/208.	2019-02-27 22:14:19 +00:00
Liz Rice	d712db47a2	Only find flags on the process we really want	2019-02-28 01:33:21 +08:00
yoavrotems	82150fdc63	add new config files from the new CIS Kubernetes Benchmark there is a new update at CIS_Kubernetes_Benchmark_v1.4.0 for Kubernetes 1.13	2019-02-27 10:39:32 +00:00
Liz Rice	c824daeb15	Merge pull request #222 from nshauli/search_for_kubelet_binary_when_not_in_path search for the kubelet binary when it is not in the path	2019-02-19 16:07:20 +00:00
nshauli	e93bfc1aac	search for the kubelet binary when it is not in the path	2019-02-19 16:38:10 +02:00
Liz Rice	da09e6513a	Merge pull request #218 from yoavAqua/bugfix-log-warnings-instead-of-print Bugfix: Logging warning instead of printing	2019-02-19 13:48:30 +00:00
Liz Rice	7626dc2705	Merge branch 'master' into bugfix-log-warnings-instead-of-print	2019-02-19 13:44:23 +00:00
Yoav Hizkiahou	082e9cf7e9	Bugfix: Logging warning instead of printing Made all the warnings to be logged and not printed, so when using the json flag the output will be only in json format. fix #217	2019-02-19 14:39:55 +02:00
Liz Rice	2d4c7e8b42	Merge pull request #212 from aquasecurity/ocp-configs OCP benchmarks and configs	2019-02-18 09:31:45 +00:00
Liz Rice	cd231106cc	Improve comment Tests could easily be marked "skip" because the user doesn't want to run them in their environment, and in this common case the set of tests will be non-nil	2019-02-18 08:46:26 +00:00
Liz Rice	db962a0ad9	Fix merge of skip check	2019-02-18 08:40:57 +00:00
Abubakr-Sadik Nii Nai Davis	911e9051dc	Merge remote-tracking branch 'origin/master' into ocp-configs	2019-02-15 19:48:53 +00:00
Abubakr-Sadik Nii Nai Davis	e899e941f7	Add OCP 3.10 benchmarks.	2019-02-15 19:44:39 +00:00
Weston Steimel	42ed8628de	Only get runningVersion if --version has not been provided Signed-off-by: Weston Steimel <weston.steimel@gmail.com>	2019-02-15 19:43:13 +00:00
Liz Rice	dc8dcfbf8c	Merge pull request #211 from yoavAqua/support-skip-flag Type skip and not scored checks	2019-01-29 23:14:05 +02:00
Yoav Hizkiahou	49f745af8e	Support new check type - skip: If a check is marked with type "skip", it will be marked as Info. Support scored property: If a check is not scored and is not marked with type skip, it will be marked as Warn.	2019-01-29 19:05:12 +02:00