mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-24 08:58:11 +00:00
FIX| RKE-CIS-1.24- CHECK 1.1.19 (#1722)
We have added the missing script required for check 1.1.19 in rke-cis-1.24 and made it available to the kube-bench file system(https://github.com/rancher/security-scan/blob/master/package/helper_scripts/check_files_owner_in_dir.sh).
This commit is contained in:
parent
7ce327f1db
commit
5eccb498c1
@ -13,8 +13,10 @@ RUN make build && cp kube-bench /go/bin/kube-bench
|
|||||||
ARG KUBECTL_VERSION TARGETARCH
|
ARG KUBECTL_VERSION TARGETARCH
|
||||||
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
|
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
|
||||||
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
|
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
|
||||||
|
|
||||||
# Verify kubectl sha256sum
|
# Verify kubectl sha256sum
|
||||||
RUN /bin/bash -c 'echo "$(<kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c -'
|
RUN /bin/bash -c 'echo "$(<kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c -'
|
||||||
|
|
||||||
RUN chmod +x /usr/local/bin/kubectl
|
RUN chmod +x /usr/local/bin/kubectl
|
||||||
|
|
||||||
FROM alpine:3.20.3 AS run
|
FROM alpine:3.20.3 AS run
|
||||||
@ -44,6 +46,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
|
|||||||
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
|
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
|
||||||
COPY entrypoint.sh .
|
COPY entrypoint.sh .
|
||||||
COPY cfg/ cfg/
|
COPY cfg/ cfg/
|
||||||
|
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
|
||||||
ENTRYPOINT ["./entrypoint.sh"]
|
ENTRYPOINT ["./entrypoint.sh"]
|
||||||
CMD ["install"]
|
CMD ["install"]
|
||||||
|
|
||||||
|
@ -42,6 +42,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
|
|||||||
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
|
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
|
||||||
COPY entrypoint.sh .
|
COPY entrypoint.sh .
|
||||||
COPY cfg/ cfg/
|
COPY cfg/ cfg/
|
||||||
|
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
|
||||||
ENTRYPOINT ["./entrypoint.sh"]
|
ENTRYPOINT ["./entrypoint.sh"]
|
||||||
CMD ["install"]
|
CMD ["install"]
|
||||||
|
|
||||||
|
@ -42,6 +42,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
|
|||||||
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
|
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
|
||||||
COPY entrypoint.sh .
|
COPY entrypoint.sh .
|
||||||
COPY cfg/ cfg/
|
COPY cfg/ cfg/
|
||||||
|
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
|
||||||
ENTRYPOINT ["./entrypoint.sh"]
|
ENTRYPOINT ["./entrypoint.sh"]
|
||||||
CMD ["install"]
|
CMD ["install"]
|
||||||
|
|
||||||
|
44
helper_scripts/check_files_owner_in_dir.sh
Normal file
44
helper_scripts/check_files_owner_in_dir.sh
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
# This script is used to ensure the owner is set to root:root for
|
||||||
|
# the given directory and all the files in it
|
||||||
|
#
|
||||||
|
# inputs:
|
||||||
|
# $1 = /full/path/to/directory
|
||||||
|
#
|
||||||
|
# outputs:
|
||||||
|
# true/false
|
||||||
|
|
||||||
|
INPUT_DIR=$1
|
||||||
|
|
||||||
|
if [[ "${INPUT_DIR}" == "" ]]; then
|
||||||
|
echo "false"
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ $(stat -c %U:%G ${INPUT_DIR}) != "root:root" ]]; then
|
||||||
|
echo "false"
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
statInfoLines=$(stat -c "%n %U:%G" ${INPUT_DIR}/*)
|
||||||
|
while read -r statInfoLine; do
|
||||||
|
f=$(echo ${statInfoLine} | cut -d' ' -f1)
|
||||||
|
p=$(echo ${statInfoLine} | cut -d' ' -f2)
|
||||||
|
|
||||||
|
if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then
|
||||||
|
if [[ "$p" != "root:root" && "$p" != "etcd:etcd" ]]; then
|
||||||
|
echo "false"
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [[ "$p" != "root:root" ]]; then
|
||||||
|
echo "false"
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done <<< "${statInfoLines}"
|
||||||
|
|
||||||
|
|
||||||
|
echo "true"
|
||||||
|
exit
|
Loading…
Reference in New Issue
Block a user