1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-24 08:58:11 +00:00

FIX| RKE-CIS-1.24- CHECK 1.1.19 (#1722)

We have added the missing script required for check 1.1.19 in rke-cis-1.24 and made it available to the kube-bench file system(https://github.com/rancher/security-scan/blob/master/package/helper_scripts/check_files_owner_in_dir.sh).
This commit is contained in:
Saurabh Misra 2024-11-15 18:02:24 +05:30 committed by GitHub
parent 7ce327f1db
commit 5eccb498c1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 49 additions and 0 deletions

View File

@ -13,8 +13,10 @@ RUN make build && cp kube-bench /go/bin/kube-bench
ARG KUBECTL_VERSION TARGETARCH ARG KUBECTL_VERSION TARGETARCH
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
# Verify kubectl sha256sum # Verify kubectl sha256sum
RUN /bin/bash -c 'echo "$(<kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c -' RUN /bin/bash -c 'echo "$(<kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c -'
RUN chmod +x /usr/local/bin/kubectl RUN chmod +x /usr/local/bin/kubectl
FROM alpine:3.20.3 AS run FROM alpine:3.20.3 AS run
@ -44,6 +46,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
COPY entrypoint.sh . COPY entrypoint.sh .
COPY cfg/ cfg/ COPY cfg/ cfg/
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
ENTRYPOINT ["./entrypoint.sh"] ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"] CMD ["install"]

View File

@ -42,6 +42,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
COPY entrypoint.sh . COPY entrypoint.sh .
COPY cfg/ cfg/ COPY cfg/ cfg/
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
ENTRYPOINT ["./entrypoint.sh"] ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"] CMD ["install"]

View File

@ -42,6 +42,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
COPY entrypoint.sh . COPY entrypoint.sh .
COPY cfg/ cfg/ COPY cfg/ cfg/
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
ENTRYPOINT ["./entrypoint.sh"] ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"] CMD ["install"]

View File

@ -0,0 +1,44 @@
#!/usr/bin/env bash
# This script is used to ensure the owner is set to root:root for
# the given directory and all the files in it
#
# inputs:
# $1 = /full/path/to/directory
#
# outputs:
# true/false
INPUT_DIR=$1
if [[ "${INPUT_DIR}" == "" ]]; then
echo "false"
exit
fi
if [[ $(stat -c %U:%G ${INPUT_DIR}) != "root:root" ]]; then
echo "false"
exit
fi
statInfoLines=$(stat -c "%n %U:%G" ${INPUT_DIR}/*)
while read -r statInfoLine; do
f=$(echo ${statInfoLine} | cut -d' ' -f1)
p=$(echo ${statInfoLine} | cut -d' ' -f2)
if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then
if [[ "$p" != "root:root" && "$p" != "etcd:etcd" ]]; then
echo "false"
exit
fi
else
if [[ "$p" != "root:root" ]]; then
echo "false"
exit
fi
fi
done <<< "${statInfoLines}"
echo "true"
exit