mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-30 10:28:09 +00:00
FIX| RKE-CIS-1.24- CHECK 1.1.19 (#1722)
We have added the missing script required for check 1.1.19 in rke-cis-1.24 and made it available to the kube-bench file system(https://github.com/rancher/security-scan/blob/master/package/helper_scripts/check_files_owner_in_dir.sh).
This commit is contained in:
parent
7ce327f1db
commit
5eccb498c1
@ -13,8 +13,10 @@ RUN make build && cp kube-bench /go/bin/kube-bench
|
||||
ARG KUBECTL_VERSION TARGETARCH
|
||||
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
|
||||
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
|
||||
|
||||
# Verify kubectl sha256sum
|
||||
RUN /bin/bash -c 'echo "$(<kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c -'
|
||||
|
||||
RUN chmod +x /usr/local/bin/kubectl
|
||||
|
||||
FROM alpine:3.20.3 AS run
|
||||
@ -44,6 +46,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
|
||||
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
|
||||
COPY entrypoint.sh .
|
||||
COPY cfg/ cfg/
|
||||
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
|
||||
ENTRYPOINT ["./entrypoint.sh"]
|
||||
CMD ["install"]
|
||||
|
||||
|
@ -42,6 +42,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
|
||||
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
|
||||
COPY entrypoint.sh .
|
||||
COPY cfg/ cfg/
|
||||
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
|
||||
ENTRYPOINT ["./entrypoint.sh"]
|
||||
CMD ["install"]
|
||||
|
||||
|
@ -42,6 +42,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
|
||||
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
|
||||
COPY entrypoint.sh .
|
||||
COPY cfg/ cfg/
|
||||
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
|
||||
ENTRYPOINT ["./entrypoint.sh"]
|
||||
CMD ["install"]
|
||||
|
||||
|
44
helper_scripts/check_files_owner_in_dir.sh
Normal file
44
helper_scripts/check_files_owner_in_dir.sh
Normal file
@ -0,0 +1,44 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# This script is used to ensure the owner is set to root:root for
|
||||
# the given directory and all the files in it
|
||||
#
|
||||
# inputs:
|
||||
# $1 = /full/path/to/directory
|
||||
#
|
||||
# outputs:
|
||||
# true/false
|
||||
|
||||
INPUT_DIR=$1
|
||||
|
||||
if [[ "${INPUT_DIR}" == "" ]]; then
|
||||
echo "false"
|
||||
exit
|
||||
fi
|
||||
|
||||
if [[ $(stat -c %U:%G ${INPUT_DIR}) != "root:root" ]]; then
|
||||
echo "false"
|
||||
exit
|
||||
fi
|
||||
|
||||
statInfoLines=$(stat -c "%n %U:%G" ${INPUT_DIR}/*)
|
||||
while read -r statInfoLine; do
|
||||
f=$(echo ${statInfoLine} | cut -d' ' -f1)
|
||||
p=$(echo ${statInfoLine} | cut -d' ' -f2)
|
||||
|
||||
if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then
|
||||
if [[ "$p" != "root:root" && "$p" != "etcd:etcd" ]]; then
|
||||
echo "false"
|
||||
exit
|
||||
fi
|
||||
else
|
||||
if [[ "$p" != "root:root" ]]; then
|
||||
echo "false"
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
done <<< "${statInfoLines}"
|
||||
|
||||
|
||||
echo "true"
|
||||
exit
|
Loading…
Reference in New Issue
Block a user