From d5284008818368df4e4d833b0c79f3c39b543686 Mon Sep 17 00:00:00 2001
From: Dmytro Oboznyi <55382034+DOboznyi@users.noreply.github.com>
Date: Thu, 8 Apr 2021 17:02:27 +0300
Subject: [PATCH] Fix file permissions false positive (#800)
* Fix file permissions false positive
Signed-off-by: Dmytro Oboznyi
* Added kops files to config path list
Signed-off-by: Dmytro Oboznyi
* Automated CNI files checks
Signed-off-by: Dmytro Oboznyi
* Fixed linting
Signed-off-by: Dmytro Oboznyi
* Fixed to right folder CNI test
Signed-off-by: Dmytro Oboznyi
* Changed Automated to manual
Signed-off-by: Dmytro Oboznyi
* Removed changes from remediation
Signed-off-by: Dmytro Oboznyi
* Added path to config files
Signed-off-by: Dmytro Oboznyi
* Update cfg/cis-1.6/master.yaml
Co-authored-by: Yoav Rotem
Signed-off-by: Dmytro Oboznyi
* Fix
Signed-off-by: Dmytro Oboznyi
* Fix to job.yaml
Signed-off-by: Dmytro Oboznyi
* Add extra mountpoints
Signed-off-by: Dmytro Oboznyi
* Revert audit scripts changes
Signed-off-by: Dmytro Oboznyi
Co-authored-by: Yoav Rotem
---
 cfg/cis-1.6/master.yaml | 21 ++++++++++++++----
 cfg/config.yaml | 10 +++++++++
 job-master.yaml | 48 +++++++++++++++++++++++++++++++++++++++++
 job-node.yaml | 42 ++++++++++++++++++++++++++++++++++++
 job.yaml | 36 +++++++++++++++++++++++++++++++
 5 files changed, 153 insertions(+), 4 deletions(-)
diff --git a/cfg/cis-1.6/master.yaml b/cfg/cis-1.6/master.yaml
index e4f971a..726df72 100644
--- a/cfg/cis-1.6/master.yaml
+++ b/cfg/cis-1.6/master.yaml
@@ -120,8 +120,16 @@ groups:
 - id: 1.1.9
 text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
- audit: "stat -c permissions=%a "
- type: "manual"
+ audit: | ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c permissions=%a
+ find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c permissions=%a
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
 remediation: |
 Run the below command (based on the file location on your system) on the master node.
 For example,
@@ -130,8 +138,13 @@ groups:
 - id: 1.1.10
 text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
- audit: "stat -c %U:%G "
- type: "manual"
+ audit: | ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c %U:%G
+ find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c %U:%G
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "root:root"
 remediation: |
 Run the below command (based on the file location on your system) on the master node.
 For example,
diff --git a/cfg/config.yaml b/cfg/config.yaml
index 328590d..a97165f 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -15,6 +15,7 @@ master:
 - flanneld
 # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
 - kubernetes
+ - kubelet
 kubernetes:
 defaultconf: /etc/kubernetes/config
@@ -53,6 +54,8 @@ master:
 defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
 kubeconfig:
 - /etc/kubernetes/scheduler.conf
+ - /var/lib/kube-scheduler/kubeconfig
+ - /var/lib/kube-scheduler/config.yaml
 defaultkubeconfig: /etc/kubernetes/scheduler.conf
 controllermanager:
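Review bot: The first audit command in 1.1.9 walks the `--cni-conf-dir` tree with `find {} -mindepth 1` and no `-type f`, so any subdirectory under it (normally 755) is fed to the `bitmask 644` test and fails it, while the second command filters with `-type f`; for a commit whose purpose is to remove a false positive the two pipelines should agree. The trailing `xargs stat` on that first line also lacks the `--no-run-if-empty` the second line uses, so an existing but empty conf dir makes `stat` run with no operand. I would change the line to `... | xargs -I{} find {} -mindepth 1 -type f | xargs --no-run-if-empty stat -c permissions=%a`. Note also that the directory is only discovered from an explicit `--cni-conf-dir` flag; when kubelet runs with its built-in default the first command checks nothing, even though the job manifests in this patch now mount `/etc/cni/net.d` into the scanner — a fallback to that path when the flag is absent would close the gap. The hunk's last remediation line appears to have been lost in rendering, so I cannot comment on it.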
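Review bot: `grep $kubeletbin` in the 1.1.10 audit is unquoted, and the same patch registers `"hyperkube kubelet"` as a kubelet binary name in cfg/config.yaml; if kube-bench substitutes the matched candidate verbatim, the shell word-splits it into pattern `hyperkube` plus a file operand `kubelet`, grep then ignores the pipe and fails on a missing file, and the whole pipeline yields nothing. Quoting the expansion, `ps -ef | grep "$kubeletbin" | grep -- --cni-conf-dir | ...`, keeps the two-word name intact; the same applies to the 1.1.9 hunk above. As in 1.1.9, the first command's final `xargs stat -c %U:%G` should carry `--no-run-if-empty` to match the `/var/lib/cni/networks` line, otherwise a configured but empty conf dir produces a `stat` usage error rather than an empty result, and if stderr is captured alongside stdout that error text is evaluated as an output line by the `root:root` test.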
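Review bot: `/var/lib/kube-scheduler/config.yaml` is added under `kubeconfig:` for the scheduler, but a file of that name at that path is most likely the scheduler's component configuration rather than a kubeconfig. As I understand kube-bench's path resolution, `$schedulerkubeconfig` is bound to the first listed candidate that exists, so on a host where `/var/lib/kube-scheduler/kubeconfig` is absent the scheduler kubeconfig permission and ownership checks would silently evaluate the component config file instead, and the remediation text would name the wrong file. If the intent is to include it in a permission check, give it its own entry (e.g. under `confs:`) or its own check; otherwise drop the line `- /var/lib/kube-scheduler/config.yaml`.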
@@ -73,6 +76,7 @@ master:
 defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
 kubeconfig:
 - /etc/kubernetes/controller-manager.conf
+ - /var/lib/kube-controller-manager/kubeconfig
 defaultkubeconfig: /etc/kubernetes/controller-manager.conf
 etcd:
@@ -97,6 +101,12 @@ master:
 - flanneld
 defaultconf: /etc/sysconfig/flanneld
+ kubelet:
+ optional: true
+ bins:
+ - "hyperkube kubelet"
+ - "kubelet"
+
 node:
 components:
 - kubelet
diff --git a/job-master.yaml b/job-master.yaml
index 4154506..347d9f0 100644
--- a/job-master.yaml
+++ b/job-master.yaml
@@ -21,6 +21,24 @@ spec:
 - name: var-lib-etcd
 mountPath: /var/lib/etcd
 readOnly: true
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ readOnly: true
+ - name: var-lib-kube-scheduler
+ mountPath: /var/lib/kube-scheduler
+ readOnly: true
+ - name: var-lib-kube-controller-manager
+ mountPath: /var/lib/kube-controller-manager
+ readOnly: true
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ readOnly: true
+ - name: lib-systemd
+ mountPath: /lib/systemd/
+ readOnly: true
+ - name: srv-kubernetes
+ mountPath: /srv/kubernetes/
+ readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
 readOnly: true
@@ -29,14 +47,44 @@ spec:
 - name: usr-bin
 mountPath: /usr/local/mount-from-host/bin
 readOnly: true
+ - name: etc-cni-netd
+ mountPath: /etc/cni/net.d/
+ readOnly: true
+ - name: opt-cni-bin
+ mountPath: /opt/cni/bin/
+ readOnly: true
 restartPolicy: Never
 volumes:
 - name: var-lib-etcd
 hostPath:
 path: "/var/lib/etcd"
+ - name: var-lib-kubelet
+ hostPath:
+ path: "/var/lib/kubelet"
+ - name: var-lib-kube-scheduler
+ hostPath:
+ path: "/var/lib/kube-scheduler"
+ - name: var-lib-kube-controller-manager
+ hostPath:
+ path: "/var/lib/kube-controller-manager"
+ - name: etc-systemd
+ hostPath:
+ path: "/etc/systemd"
+ - name: lib-systemd
+ hostPath:
+ path: "/lib/systemd"
+ - name: srv-kubernetes
+ hostPath:
+ path: "/srv/kubernetes"
 - name: etc-kubernetes
 hostPath:
 path: "/etc/kubernetes"
 - name: usr-bin
 hostPath:
 path: "/usr/bin"
+ - name: etc-cni-netd
+ hostPath:
+ path: "/etc/cni/net.d/"
+ - name: opt-cni-bin
+ hostPath:
+ path: "/opt/cni/bin/"
diff --git a/job-node.yaml b/job-node.yaml
index 6d4bbce..a930748 100644
--- a/job-node.yaml
+++ b/job-node.yaml
@@ -12,12 +12,27 @@ spec:
 image: aquasec/kube-bench:latest
 command: ["kube-bench", "run", "--targets=node"]
 volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ readOnly: true
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
 readOnly: true
+ - name: var-lib-kube-scheduler
+ mountPath: /var/lib/kube-scheduler
+ readOnly: true
+ - name: var-lib-kube-controller-manager
+ mountPath: /var/lib/kube-controller-manager
+ readOnly: true
 - name: etc-systemd
 mountPath: /etc/systemd
 readOnly: true
+ - name: lib-systemd
+ mountPath: /lib/systemd/
+ readOnly: true
+ - name: srv-kubernetes
+ mountPath: /srv/kubernetes/
+ readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
 readOnly: true
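Review bot: The job-node.yaml hunk mounts `/var/lib/etcd`, `/var/lib/kube-scheduler` and `/var/lib/kube-controller-manager` into a container whose command on the context line above is `--targets=node`; node-scope checks do not read those paths, and `/var/lib/etcd` is by convention the etcd data directory, so a worker-side scanner pod is handed read access to control-plane state it has no use for. `readOnly: true` limits the damage but is not a substitute for leaving the volume out, and on workers that lack the path an untyped hostPath may, depending on the runtime, create an empty root-owned directory on the host. I would remove the three control-plane entries from the node job (here and in the matching `volumes:` hunk), keeping them in job-master.yaml and job.yaml; if they are intentionally kept for clusters where control-plane components also run on worker nodes, a comment saying so above the first added mount would prevent the next reader from pruning them.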
@@ -26,17 +41,44 @@ spec:
 - name: usr-bin
 mountPath: /usr/local/mount-from-host/bin
 readOnly: true
+ - name: etc-cni-netd
+ mountPath: /etc/cni/net.d/
+ readOnly: true
+ - name: opt-cni-bin
+ mountPath: /opt/cni/bin/
+ readOnly: true
 restartPolicy: Never
 volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: "/var/lib/etcd"
 - name: var-lib-kubelet
 hostPath:
 path: "/var/lib/kubelet"
+ - name: var-lib-kube-scheduler
+ hostPath:
+ path: "/var/lib/kube-scheduler"
+ - name: var-lib-kube-controller-manager
+ hostPath:
+ path: "/var/lib/kube-controller-manager"
 - name: etc-systemd
 hostPath:
 path: "/etc/systemd"
+ - name: lib-systemd
+ hostPath:
+ path: "/lib/systemd"
+ - name: srv-kubernetes
+ hostPath:
+ path: "/srv/kubernetes"
 - name: etc-kubernetes
 hostPath:
 path: "/etc/kubernetes"
 - name: usr-bin
 hostPath:
 path: "/usr/bin"
+ - name: etc-cni-netd
+ hostPath:
+ path: "/etc/cni/net.d/"
+ - name: opt-cni-bin
+ hostPath:
+ path: "/opt/cni/bin/"
diff --git a/job.yaml b/job.yaml
index ec42ba1..a79af59 100644
--- a/job.yaml
+++ b/job.yaml
@@ -21,9 +21,21 @@ spec:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
 readOnly: true
+ - name: var-lib-kube-scheduler
+ mountPath: /var/lib/kube-scheduler
+ readOnly: true
+ - name: var-lib-kube-controller-manager
+ mountPath: /var/lib/kube-controller-manager
+ readOnly: true
 - name: etc-systemd
 mountPath: /etc/systemd
 readOnly: true
+ - name: lib-systemd
+ mountPath: /lib/systemd/
+ readOnly: true
+ - name: srv-kubernetes
+ mountPath: /srv/kubernetes/
+ readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
 readOnly: true
@@ -32,6 +44,12 @@ spec:
 - name: usr-bin
 mountPath: /usr/local/mount-from-host/bin
 readOnly: true
+ - name: etc-cni-netd
+ mountPath: /etc/cni/net.d/
+ readOnly: true
+ - name: opt-cni-bin
+ mountPath: /opt/cni/bin/
+ readOnly: true
 restartPolicy: Never
 volumes:
 - name: var-lib-etcd
@@ -40,12 +58,30 @@ spec:
 - name: var-lib-kubelet
 hostPath:
 path: "/var/lib/kubelet"
+ - name: var-lib-kube-scheduler
+ hostPath:
+ path: "/var/lib/kube-scheduler"
+ - name: var-lib-kube-controller-manager
+ hostPath:
+ path: "/var/lib/kube-controller-manager"
 - name: etc-systemd
 hostPath:
 path: "/etc/systemd"
+ - name: lib-systemd
+ hostPath:
+ path: "/lib/systemd"
+ - name: srv-kubernetes
+ hostPath:
+ path: "/srv/kubernetes"
 - name: etc-kubernetes
 hostPath:
 path: "/etc/kubernetes"
 - name: usr-bin
 hostPath:
 path: "/usr/bin"
+ - name: etc-cni-netd
+ hostPath:
+ path: "/etc/cni/net.d/"
+ - name: opt-cni-bin
+ hostPath:
+ path: "/opt/cni/bin/"
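Review bot: None of the new `hostPath` volumes in this hunk declares a `type`, so a path that is absent on a given host — the `/var/lib/kube-*` and `/srv/kubernetes` locations are a kops layout and will not exist on kubeadm-style nodes — is neither rejected at mount time nor documented as expected to be missing, and depending on the container runtime may be created as an empty root-owned directory on the host by a read-only scanner. Since these manifests are meant to run on several distributions, I would at least make the behaviour explicit per volume, e.g. `type: DirectoryOrCreate` where creation is acceptable and `type: Directory` for paths every target must have; the fail-fast form is the safer default for anything under `/var/lib` and `/srv`. As a style point the added paths mix trailing slashes (`"/etc/cni/net.d/"`, `"/opt/cni/bin/"`) with the bare form used by every existing entry (`"/etc/systemd"`) — pick one.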