data directory found above). For example, chmod 700 /var/lib/etcd Audit Script: 1.1.11.sh #!/bin/bash -e etcd_bin=${1} test_dir=$(ps -ef | grep ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= directory found above). For example, chown etcd:etcd /var/lib/etcd Audit Script: 1.1.12.sh #!/bin/bash -e etcd_bin=${1} test_dir=$(ps -ef | grep ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the file permissions are set CIS Benchmark Rancher Self-Assessment

data directory found above). For example, chmod 700 /var/lib/etcd Audit Script: 1.1.11.sh #!/bin/bash -e etcd_bin=${1} test_dir=$(ps -ef | grep ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= directory found above). For example, chown etcd:etcd /var/lib/etcd Audit Script: 1.1.12.sh #!/bin/bash -e etcd_bin=${1} test_dir=$(ps -ef | grep ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the file permissions are set CIS 1.5 Benchmark - Self-Assessment

/node/etc/kubernetes/ssl Expected Result: 'true' is equal to 'true' Audit Script: #!/usr/bin/env bash # This script is used to ensure the owner is set to root:root for # the given directory and all /node/etc/kubernetes/ssl/!(*key).pe m Expected Result: 'true' is equal to 'true' Audit Script: #!/usr/bin/env bash # This script is used to ensure the file permissions are set to 644 or # more restrictive for /node/etc/kubernetes/ssl/*key.pem 600 Expected Result: 'true' is equal to 'true' Audit Script: #!/usr/bin/env bash # This script is used to ensure the file permissions are set to 644 or # more restrictive for

automountServiceAccountToken: false Create a bash script file called account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get - Egress Create a bash script file called apply_networkPolicy_to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so the script has execute permissions. #!/bin/bash -e for namespace in

automountServiceAccountToken: false Create a bash script file called account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get Create a bash script file called apply_networkPolicy_to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so the script has execute permissions. Hardening Guide v2.4 6 #!/bin/bash -e for

od e s w i t h t h e controlplane r ol e i n s p e c t t h e kube-apiserver c on - t ai n e r s : bash docker inspect kube-apiserver • Look f or t h e f ol l ow i n g op t i on s i n t h e c om m an d c h e r AP I t o s h ow u s e r s w i t h ad m i n i s t r at or p r i v i l e ge s : 18 #!/bin/bash for i in $(curl -sk -u 'token-:' https:///v3/users|jq -r .data[].links.globalRoleBindings); od e s w i t h t h e controlplane r ol e i n s p e c t t h e kube-apiserver c on - t ai n e r s : bash docker inspect kube-apiserver • Look f or t h e f ol l ow i n g op t i on s i n t h e c om m an d

Audit The following script uses the Rancher API to show users with administrator privileges: #!/bin/bash for i in $(curl -sk -u 'token-:' https:///v3/users|jq -r .data[].links

Helm: Option1 $ curl https://raw.githubusercontent.com/helm/helm/master/scripts /get-helm-3 | bash Option2 $ curl -sfL https://get.helm.sh/helm-v3.5.3-linux- amd64.tar.gz -o helm.tgz $ tar xf helm