Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CIS 1.9 Control Node Checks 1.1.13, 1.1.14 show fail with correct permissions/ownership. no actual output reported #1644

Closed
btray900 opened this issue Jul 17, 2024 · 7 comments
Closed

CIS 1.9 Control Node Checks 1.1.13, 1.1.14 show fail with correct permissions/ownership. no actual output reported #1644

btray900 opened this issue Jul 17, 2024 · 7 comments
Labels
bug

Comments

@btray900
Copy link

Overview

CIS 1.9 implements a permission and ownership check for /etc/kubernetes/admin.conf and /etc/kubernetes/super-admin.conf.

The tested control node shows 600 for both files, as well as root:root ownership but the check is reporting FAIL for both 1.1.13 and 1.1.14 in master.yaml for cis-1.9

Also CIS 1.9 master.yaml 1.1.14 has an incorrect remediation path (chmod versus chown) for super-admin.conf.

image

How did you run kube-bench?

kube-bench --benchmark cis-1.9 --json

What happened?

Permissions and ownership are correct, but benchmark reports FAIL.

image

image

Actual output is not captured for CIS-1.9

image

[Comparison] Actual output was captured as expected for CIS-1.8

image

What did you expect to happen:

The tests would pass due to the correct permissions and ownership for the admin.conf and super-admin.conf on Kubernetes 1.29.4

Environment

kube-bench: v0.8.0
kubernetes: 1.29.4
@btray900
Copy link
Author

I notice the CIS-1.9 master.yaml 1.1.14 test uses /tmp for the path to confs in the audit section, /etc/kubernetes is the actual path on the controller tested.

image

@mozillazg
Copy link
Collaborator

@btray900 Thanks for reporting.

  • For 1.1.13, Could you please attach the debug logs? (via kube-bench --benchmark cis-1.9 -c 1.1.13 -v 3)
  • For 1.1.14, Yes, it looks like is a typo.

@mozillazg mozillazg added the bug label Jul 21, 2024
@btray900
Copy link
Author

btray900 commented Jul 22, 2024
edited
Loading

Debug for 1.1.13 attached, @mozillazg
kb_1_1_13_debug.txt

image

@mozillazg
Copy link
Collaborator

@btray900 Please changes

kube-bench/cfg/cis-1.9/master.yaml

Line 192 in 5a3fd1d

for adminconf in /etc/kubernetes/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c \"permissions=%a %n\" $adminconf; fi; done

to

for adminconf in /etc/kubernetes/admin.conf /etc/kubernetes/super-admin.conf; do if test -e $adminconf; then stat -c "permissions=%a %n" $adminconf; fi; done

kube-bench/cfg/cis-1.9/master.yaml

Line 210 in 5a3fd1d

for adminconf in /tmp/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c "ownership=%U:%G %n" $adminconf; fi; done

to

for adminconf in /etc/kubernetes/admin.conf /etc/kubernetes/super-admin.conf; do if test -e $adminconf; then stat -c "ownership=%U:%G %n" $adminconf; fi; done

then try again.

@andypitcher
Copy link
Contributor

@btray900 nice catch thanks.
@mozillazg I can make a PR to fix this up if needed.

@mozillazg
Copy link
Collaborator

@andypitcher Feel free to send a pull request. Thanks!

@andypitcher andypitcher mentioned this issue Jul 26, 2024
Merged
@andypitcher
Copy link
Contributor

andypitcher commented Sep 26, 2024
edited
Loading

@mozillazg IMO This issue can be now closed, since #1649 has been merged. Thanks again @btray900 !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mozillazg @andypitcher @btray900