OCP4 CIS: Re-add forgotten rules

[jhrozek]

Description:

• CIS: Use the correct rule for 1.1.3 - this was a copy-paste most probably
• CIS: Use the automated rule for checking kube scheduler permissions - there's two rules that differ just by one having _kube in the name and one of them is manual, the other is automated. Let's use the automated one.
• CIS: Additional rules for already covered controls - Just re-adds rules that were in the original hand-written CIS profile, but left out from the control files. I'll point out some questions

Rationale:

• OCP4 CIS coverage

Review Hints:

• I'll point out some questions inline
• Otherwise just check that the rules make sense and that CI passes

[jhrozek]

@Vincent056 Are these rules still valid? We have file_owner_kubelet that seems reasonable, but file_groupowner_kubelet is missing despite having been used in the original CIS profile. Should we drop the rules or re-add the group one?

[Vincent056]

it looks like we were missing that one, let's keep this one here, and re-add the group one

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[rhmdnd]

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

[rhmdnd]

/lgtm

Thanks for this. Waiting to see what others have to say and what CI reports, but otherwise this looks good to me.

[codeclimate]

Code Climate has analyzed commit ac6e08a and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).

View more on Code Climate.

[yuumasato]

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

[yuumasato]

Thanks Jakub, LGTM!

[yuumasato]

Fail on Automatus Sanity happens on untouched and unrelated rule.
Rawhide failure is on import imp.