From d5284008818368df4e4d833b0c79f3c39b543686 Mon Sep 17 00:00:00 2001
From: Dmytro Oboznyi <55382034+DOboznyi@users.noreply.github.com>
Date: Thu, 8 Apr 2021 17:02:27 +0300
Subject: [PATCH] Fix file permissions false positive (#800)

* Fix file permissions false positive

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Added kops files to config path list

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Automated CNI files checks

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fixed linting

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fixed CNI test to use the right folder

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Changed Automated to manual

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Removed changes from remediation

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Added path to config files

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Update cfg/cis-1.6/master.yaml

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fix

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fix to job.yaml

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Add extra mountpoints

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Revert audit scripts changes

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
---
 cfg/cis-1.6/master.yaml | 21 ++++++++++++++----
 cfg/config.yaml         | 10 +++++++++
 job-master.yaml         | 48 +++++++++++++++++++++++++++++++++++++++++
 job-node.yaml           | 42 ++++++++++++++++++++++++++++++++++++
 job.yaml                | 36 +++++++++++++++++++++++++++++++
 5 files changed, 153 insertions(+), 4 deletions(-)

diff --git a/cfg/cis-1.6/master.yaml b/cfg/cis-1.6/master.yaml
index e4f971a..726df72 100644
--- a/cfg/cis-1.6/master.yaml
+++ b/cfg/cis-1.6/master.yaml
@@ -120,8 +120,16 @@ groups:
 
       - id: 1.1.9
         text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
-        audit: "stat -c permissions=%a <path/to/cni/files>"
-        type: "manual"
+        audit: |
+          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c permissions=%a
+          find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c permissions=%a
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "permissions"
+              compare:
+                op: bitmask
+                value: "644"
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
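Review bot: The first 1.1.9 audit pipeline walks the `--cni-conf-dir` tree with `find {} -mindepth 1` but no `-type f`, so any subdirectory under it is stat'ed as well and its usual 755 mode fails the `bitmask 644` comparison, whereas the `/var/lib/cni/networks` line right below does filter with `-type f`. The same first pipeline also ends in a bare `xargs stat` (the second line uses `--no-run-if-empty`), so on a kubelet started without an explicit `--cni-conf-dir` the stat runs with no operands and prints a "missing operand" error instead of staying silent. Suggest `xargs -I{} find {} -mindepth 1 -type f | xargs --no-run-if-empty stat -c permissions=%a` for the first line. How kube-bench scores a `use_multiple_values` test whose output is empty is not visible here; worth confirming on a node that relies on the default conf dir so the check does not pass vacuously.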
@@ -130,8 +138,13 @@ groups:
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
-        audit: "stat -c %U:%G <path/to/cni/files>"
-        type: "manual"
+        audit: |
+          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c %U:%G
+          find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c %U:%G
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "root:root"
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
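Review bot: The 1.1.10 audit locates CNI config only through an explicit `--cni-conf-dir` on the kubelet command line; a kubelet relying on the built-in default (historically `/etc/cni/net.d`, the very directory the job manifests in this commit mount) yields no lines from the first pipeline, so the ownership verdict rests on `/var/lib/cni/networks` alone and the bare `xargs stat` at the end of that line runs with no operands. A one-line rewrite covers both cases: `dir=$(ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%'); find ${dir:-/etc/cni/net.d} -mindepth 1 -type f | xargs --no-run-if-empty stat -c %U:%G`. Separately, dropping `type: "manual"` means kube-bench now scores this check while the text still says `(Manual)`; that follows the CIS wording, but a comment such as `# scored automatically; CIS labels this check Manual` would stop readers assuming it is unscored.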
diff --git a/cfg/config.yaml b/cfg/config.yaml
index 328590d..a97165f 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -15,6 +15,7 @@ master:
     - flanneld
     # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
     - kubernetes
+    - kubelet
 
   kubernetes:
     defaultconf: /etc/kubernetes/config
@@ -53,6 +54,8 @@ master:
     defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
     kubeconfig:
       - /etc/kubernetes/scheduler.conf
+      - /var/lib/kube-scheduler/kubeconfig
+      - /var/lib/kube-scheduler/config.yaml
     defaultkubeconfig: /etc/kubernetes/scheduler.conf
 
   controllermanager:
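Review bot: `/var/lib/kube-scheduler/config.yaml` is added under the scheduler's `kubeconfig:` candidates, but by its name it is the scheduler's component configuration (the `--config` file), not a kubeconfig; if kube-bench substitutes the first existing candidate for `$schedulerkubeconfig`, a host that has `config.yaml` but neither `/etc/kubernetes/scheduler.conf` nor `/var/lib/kube-scheduler/kubeconfig` would run the scheduler.conf permission and ownership checks against the wrong file. If the intent is to audit the scheduler config file itself, it belongs under `confs:` rather than here; otherwise drop the entry and keep only `/var/lib/kube-scheduler/kubeconfig`. The controller-manager hunk below adds just the kubeconfig path, which is the consistent shape.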
@@ -73,6 +76,7 @@ master:
     defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
     kubeconfig:
       - /etc/kubernetes/controller-manager.conf
+      - /var/lib/kube-controller-manager/kubeconfig
     defaultkubeconfig: /etc/kubernetes/controller-manager.conf
 
   etcd:
@@ -97,6 +101,12 @@ master:
       - flanneld
     defaultconf: /etc/sysconfig/flanneld
 
+  kubelet:
+    optional: true
+    bins:
+      - "hyperkube kubelet"
+      - "kubelet"
+
 node:
   components:
     - kubelet
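Review bot: The new master `kubelet` component lists the two-word binary `hyperkube kubelet`, and the 1.1.9/1.1.10 audits in master.yaml consume it as an unquoted `grep $kubeletbin`; if kube-bench substitutes that string verbatim, the shell sees `grep hyperkube kubelet`, which searches a file named `kubelet` instead of the `ps` output and silently produces nothing. How the substitution is performed is not visible in this diff, and the node-side checks presumably cope with the same entry already, so this is worth a quick check; if it is verbatim, quote the pattern in the audit lines (`grep "$kubeletbin"`) or grep for `kubelet` alone. A comment on the section, e.g. `# only used to resolve $kubeletbin for the CNI checks (1.1.9/1.1.10)`, would also explain why a kubelet entry with no confs appears under master.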
diff --git a/job-master.yaml b/job-master.yaml
index 4154506..347d9f0 100644
--- a/job-master.yaml
+++ b/job-master.yaml
@@ -21,6 +21,24 @@ spec:
             - name: var-lib-etcd
               mountPath: /var/lib/etcd
               readOnly: true
+            - name: var-lib-kubelet
+              mountPath: /var/lib/kubelet
+              readOnly: true
+            - name: var-lib-kube-scheduler
+              mountPath: /var/lib/kube-scheduler
+              readOnly: true
+            - name: var-lib-kube-controller-manager
+              mountPath: /var/lib/kube-controller-manager
+              readOnly: true
+            - name: etc-systemd
+              mountPath: /etc/systemd
+              readOnly: true
+            - name: lib-systemd
+              mountPath: /lib/systemd/
+              readOnly: true
+            - name: srv-kubernetes
+              mountPath: /srv/kubernetes/
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
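Review bot: Several of the new read-only mounts bring directories holding long-lived key material into the kube-bench pod — `/srv/kubernetes` is, as far as I recall, where kops keeps its cluster CA and secrets, and `/var/lib/kube-controller-manager` holds that component's kubeconfig — on top of the `/etc/kubernetes` and `/var/lib/etcd` mounts that were already present. That is tolerable for a benchmark pod, but it widens what a compromised kube-bench image can read, and none of these paths exist on a kubeadm-built host. Suggest a comment above the added entries such as `# kops layout: scheduler/controller-manager/systemd/CNI paths; remove on distributions that do not use them` so operators can trim the manifest instead of mounting everything by default.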
@@ -29,14 +47,44 @@ spec:
             - name: usr-bin
               mountPath: /usr/local/mount-from-host/bin
               readOnly: true
+            - name: etc-cni-netd
+              mountPath: /etc/cni/net.d/
+              readOnly: true
+            - name: opt-cni-bin
+              mountPath: /opt/cni/bin/
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-etcd
           hostPath:
             path: "/var/lib/etcd"
+        - name: var-lib-kubelet
+          hostPath:
+            path: "/var/lib/kubelet"
+        - name: var-lib-kube-scheduler
+          hostPath:
+            path: "/var/lib/kube-scheduler"
+        - name: var-lib-kube-controller-manager
+          hostPath:
+            path: "/var/lib/kube-controller-manager"
+        - name: etc-systemd
+          hostPath:
+            path: "/etc/systemd"
+        - name: lib-systemd
+          hostPath:
+            path: "/lib/systemd"
+        - name: srv-kubernetes
+          hostPath:
+            path: "/srv/kubernetes"
         - name: etc-kubernetes
           hostPath:
             path: "/etc/kubernetes"
         - name: usr-bin
           hostPath:
             path: "/usr/bin"
+        - name: etc-cni-netd
+          hostPath:
+            path: "/etc/cni/net.d/"
+        - name: opt-cni-bin
+          hostPath:
+            path: "/opt/cni/bin/"
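Review bot: The added `hostPath` volumes set no `type`, and with an unset type the kubelet performs no check before mounting and, as far as I recall, creates a missing directory on the host as root — so running this job on a node without `/var/lib/kube-scheduler`, `/srv/kubernetes` or `/opt/cni/bin` would leave empty root-owned directories behind, an unwelcome side effect for an audit-only pod. `type: Directory` would instead refuse to schedule the pod on such nodes, which is probably too strict for distribution-specific paths, so at minimum this deserves a comment on the volumes block, e.g. `# hostPath without type: a missing directory is created on the host rather than failing the pod`. The two CNI entries also keep a trailing slash in `path` while every other volume does not; harmless, but worth aligning with `/etc/cni/net.d` and `/opt/cni/bin`.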
diff --git a/job-node.yaml b/job-node.yaml
index 6d4bbce..a930748 100644
--- a/job-node.yaml
+++ b/job-node.yaml
@@ -12,12 +12,27 @@ spec:
           image: aquasec/kube-bench:latest
           command: ["kube-bench", "run", "--targets=node"]
           volumeMounts:
+            - name: var-lib-etcd
+              mountPath: /var/lib/etcd
+              readOnly: true
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
               readOnly: true
+            - name: var-lib-kube-scheduler
+              mountPath: /var/lib/kube-scheduler
+              readOnly: true
+            - name: var-lib-kube-controller-manager
+              mountPath: /var/lib/kube-controller-manager
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
               readOnly: true
+            - name: lib-systemd
+              mountPath: /lib/systemd/
+              readOnly: true
+            - name: srv-kubernetes
+              mountPath: /srv/kubernetes/
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
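Review bot: The node job only runs `--targets=node` (visible at the top of the hunk), yet it now mounts `/var/lib/etcd`, `/var/lib/kube-scheduler` and `/var/lib/kube-controller-manager`, none of which a node-level check reads; `/var/lib/etcd` in particular contains the entire cluster state including Secrets, so mounting it into a pod that has no use for it is a gratuitous widening of host access. Suggest dropping those three mounts and their matching volumes from job-node.yaml and keeping them in job-master.yaml only. On worker nodes these directories normally do not exist at all, which makes the mounts pure overhead.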
@@ -26,17 +41,44 @@ spec:
             - name: usr-bin
               mountPath: /usr/local/mount-from-host/bin
               readOnly: true
+            - name: etc-cni-netd
+              mountPath: /etc/cni/net.d/
+              readOnly: true
+            - name: opt-cni-bin
+              mountPath: /opt/cni/bin/
+              readOnly: true
       restartPolicy: Never
       volumes:
+        - name: var-lib-etcd
+          hostPath:
+            path: "/var/lib/etcd"
         - name: var-lib-kubelet
           hostPath:
             path: "/var/lib/kubelet"
+        - name: var-lib-kube-scheduler
+          hostPath:
+            path: "/var/lib/kube-scheduler"
+        - name: var-lib-kube-controller-manager
+          hostPath:
+            path: "/var/lib/kube-controller-manager"
         - name: etc-systemd
           hostPath:
             path: "/etc/systemd"
+        - name: lib-systemd
+          hostPath:
+            path: "/lib/systemd"
+        - name: srv-kubernetes
+          hostPath:
+            path: "/srv/kubernetes"
         - name: etc-kubernetes
           hostPath:
             path: "/etc/kubernetes"
         - name: usr-bin
           hostPath:
             path: "/usr/bin"
+        - name: etc-cni-netd
+          hostPath:
+            path: "/etc/cni/net.d/"
+        - name: opt-cni-bin
+          hostPath:
+            path: "/opt/cni/bin/"
diff --git a/job.yaml b/job.yaml
index ec42ba1..a79af59 100644
--- a/job.yaml
+++ b/job.yaml
@@ -21,9 +21,21 @@ spec:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
               readOnly: true
+            - name: var-lib-kube-scheduler
+              mountPath: /var/lib/kube-scheduler
+              readOnly: true
+            - name: var-lib-kube-controller-manager
+              mountPath: /var/lib/kube-controller-manager
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
               readOnly: true
+            - name: lib-systemd
+              mountPath: /lib/systemd/
+              readOnly: true
+            - name: srv-kubernetes
+              mountPath: /srv/kubernetes/
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
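Review bot: Style: the new `mountPath` values mix a trailing slash (`/lib/systemd/`, `/srv/kubernetes/`) with none on the neighbouring entries (`/var/lib/kube-scheduler`, `/etc/systemd`); Kubernetes accepts both, but the inconsistency is easy to misread as intentional, and the `lib-systemd` volume further down in this file declares its `path` as `/lib/systemd` without the slash. Suggest `mountPath: /lib/systemd` and `mountPath: /srv/kubernetes` so mount paths and host paths read the same.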
@@ -32,6 +44,12 @@ spec:
             - name: usr-bin
               mountPath: /usr/local/mount-from-host/bin
               readOnly: true
+            - name: etc-cni-netd
+              mountPath: /etc/cni/net.d/
+              readOnly: true
+            - name: opt-cni-bin
+              mountPath: /opt/cni/bin/
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-etcd
@@ -40,12 +58,30 @@ spec:
         - name: var-lib-kubelet
           hostPath:
             path: "/var/lib/kubelet"
+        - name: var-lib-kube-scheduler
+          hostPath:
+            path: "/var/lib/kube-scheduler"
+        - name: var-lib-kube-controller-manager
+          hostPath:
+            path: "/var/lib/kube-controller-manager"
         - name: etc-systemd
           hostPath:
             path: "/etc/systemd"
+        - name: lib-systemd
+          hostPath:
+            path: "/lib/systemd"
+        - name: srv-kubernetes
+          hostPath:
+            path: "/srv/kubernetes"
         - name: etc-kubernetes
           hostPath:
             path: "/etc/kubernetes"
         - name: usr-bin
           hostPath:
             path: "/usr/bin"
+        - name: etc-cni-netd
+          hostPath:
+            path: "/etc/cni/net.d/"
+        - name: opt-cni-bin
+          hostPath:
+            path: "/opt/cni/bin/"
-- 
GitLab