Fix file permissions false positive (#800)

* Fix file permissions false positive

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Added kops files to config path list

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Automated CNI files checks

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fixed linting

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fixed to right folder CNI test

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Changed Automated to manual

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Removed changes from remediation

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Added path to config files

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Update cfg/cis-1.6/master.yaml

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fix

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fix to job.yaml

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Add extra mountpoints

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Revert audit scripts changes

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>

cfg/cis-1.6/master.yaml

@@ -120,8 +120,16 @@ groups:
 
       - id: 1.1.9
         text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
-        audit: "stat -c permissions=%a <path/to/cni/files>"
+        audit: |
-        type: "manual"
+          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c permissions=%a
+          find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c permissions=%a
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "permissions"
+              compare:
+                op: bitmask
+                value: "644"
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
@@ -130,8 +138,13 @@ groups:
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
-        audit: "stat -c %U:%G <path/to/cni/files>"
+        audit: |
-        type: "manual"
+          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c %U:%G
+          find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c %U:%G
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "root:root"
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,

cfg/config.yaml

@@ -15,6 +15,7 @@ master:
     - flanneld
     # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
     - kubernetes
+    - kubelet
 
   kubernetes:
     defaultconf: /etc/kubernetes/config
@@ -53,6 +54,8 @@ master:
     defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
     kubeconfig:
       - /etc/kubernetes/scheduler.conf
+      - /var/lib/kube-scheduler/kubeconfig
+      - /var/lib/kube-scheduler/config.yaml
     defaultkubeconfig: /etc/kubernetes/scheduler.conf
 
   controllermanager:
@@ -73,6 +76,7 @@ master:
     defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
     kubeconfig:
       - /etc/kubernetes/controller-manager.conf
+      - /var/lib/kube-controller-manager/kubeconfig
     defaultkubeconfig: /etc/kubernetes/controller-manager.conf
 
   etcd:
@@ -97,6 +101,12 @@ master:
       - flanneld
     defaultconf: /etc/sysconfig/flanneld
 
+  kubelet:
+    optional: true
+    bins:
+      - "hyperkube kubelet"
+      - "kubelet"
+
 node:
   components:
     - kubelet

job-master.yaml

@@ -21,6 +21,24 @@ spec:
             - name: var-lib-etcd
               mountPath: /var/lib/etcd
               readOnly: true
+            - name: var-lib-kubelet
+              mountPath: /var/lib/kubelet
+              readOnly: true
+            - name: var-lib-kube-scheduler
+              mountPath: /var/lib/kube-scheduler
+              readOnly: true
+            - name: var-lib-kube-controller-manager
+              mountPath: /var/lib/kube-controller-manager
+              readOnly: true
+            - name: etc-systemd
+              mountPath: /etc/systemd
+              readOnly: true
+            - name: lib-systemd
+              mountPath: /lib/systemd/
+              readOnly: true
+            - name: srv-kubernetes
+              mountPath: /srv/kubernetes/
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
@@ -29,14 +47,44 @@ spec:
             - name: usr-bin
               mountPath: /usr/local/mount-from-host/bin
               readOnly: true
+            - name: etc-cni-netd
+              mountPath: /etc/cni/net.d/
+              readOnly: true
+            - name: opt-cni-bin
+              mountPath: /opt/cni/bin/
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-etcd
           hostPath:
             path: "/var/lib/etcd"
+        - name: var-lib-kubelet
+          hostPath:
+            path: "/var/lib/kubelet"
+        - name: var-lib-kube-scheduler
+          hostPath:
+            path: "/var/lib/kube-scheduler"
+        - name: var-lib-kube-controller-manager
+          hostPath:
+            path: "/var/lib/kube-controller-manager"
+        - name: etc-systemd
+          hostPath:
+            path: "/etc/systemd"
+        - name: lib-systemd
+          hostPath:
+            path: "/lib/systemd"
+        - name: srv-kubernetes
+          hostPath:
+            path: "/srv/kubernetes"
         - name: etc-kubernetes
           hostPath:
             path: "/etc/kubernetes"
         - name: usr-bin
           hostPath:
             path: "/usr/bin"
+        - name: etc-cni-netd
+          hostPath:
+            path: "/etc/cni/net.d/"
+        - name: opt-cni-bin
+          hostPath:
+            path: "/opt/cni/bin/"

job-node.yaml

@@ -12,12 +12,27 @@ spec:
           image: aquasec/kube-bench:latest
           command: ["kube-bench", "run", "--targets=node"]
           volumeMounts:
+            - name: var-lib-etcd
+              mountPath: /var/lib/etcd
+              readOnly: true
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
               readOnly: true
+            - name: var-lib-kube-scheduler
+              mountPath: /var/lib/kube-scheduler
+              readOnly: true
+            - name: var-lib-kube-controller-manager
+              mountPath: /var/lib/kube-controller-manager
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
               readOnly: true
+            - name: lib-systemd
+              mountPath: /lib/systemd/
+              readOnly: true
+            - name: srv-kubernetes
+              mountPath: /srv/kubernetes/
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
@@ -26,17 +41,44 @@ spec:
             - name: usr-bin
               mountPath: /usr/local/mount-from-host/bin
               readOnly: true
+            - name: etc-cni-netd
+              mountPath: /etc/cni/net.d/
+              readOnly: true
+            - name: opt-cni-bin
+              mountPath: /opt/cni/bin/
+              readOnly: true
       restartPolicy: Never
       volumes:
+        - name: var-lib-etcd
+          hostPath:
+            path: "/var/lib/etcd"
         - name: var-lib-kubelet
           hostPath:
             path: "/var/lib/kubelet"
+        - name: var-lib-kube-scheduler
+          hostPath:
+            path: "/var/lib/kube-scheduler"
+        - name: var-lib-kube-controller-manager
+          hostPath:
+            path: "/var/lib/kube-controller-manager"
         - name: etc-systemd
           hostPath:
             path: "/etc/systemd"
+        - name: lib-systemd
+          hostPath:
+            path: "/lib/systemd"
+        - name: srv-kubernetes
+          hostPath:
+            path: "/srv/kubernetes"
         - name: etc-kubernetes
           hostPath:
             path: "/etc/kubernetes"
         - name: usr-bin
           hostPath:
             path: "/usr/bin"
+        - name: etc-cni-netd
+          hostPath:
+            path: "/etc/cni/net.d/"
+        - name: opt-cni-bin
+          hostPath:
+            path: "/opt/cni/bin/"

job.yaml

@@ -21,9 +21,21 @@ spec:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
               readOnly: true
+            - name: var-lib-kube-scheduler
+              mountPath: /var/lib/kube-scheduler
+              readOnly: true
+            - name: var-lib-kube-controller-manager
+              mountPath: /var/lib/kube-controller-manager
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
               readOnly: true
+            - name: lib-systemd
+              mountPath: /lib/systemd/
+              readOnly: true
+            - name: srv-kubernetes
+              mountPath: /srv/kubernetes/
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
@@ -32,6 +44,12 @@ spec:
             - name: usr-bin
               mountPath: /usr/local/mount-from-host/bin
               readOnly: true
+            - name: etc-cni-netd
+              mountPath: /etc/cni/net.d/
+              readOnly: true
+            - name: opt-cni-bin
+              mountPath: /opt/cni/bin/
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-etcd
@@ -40,12 +58,30 @@ spec:
         - name: var-lib-kubelet
           hostPath:
             path: "/var/lib/kubelet"
+        - name: var-lib-kube-scheduler
+          hostPath:
+            path: "/var/lib/kube-scheduler"
+        - name: var-lib-kube-controller-manager
+          hostPath:
+            path: "/var/lib/kube-controller-manager"
         - name: etc-systemd
           hostPath:
             path: "/etc/systemd"
+        - name: lib-systemd
+          hostPath:
+            path: "/lib/systemd"
+        - name: srv-kubernetes
+          hostPath:
+            path: "/srv/kubernetes"
         - name: etc-kubernetes
           hostPath:
             path: "/etc/kubernetes"
         - name: usr-bin
           hostPath:
             path: "/usr/bin"
+        - name: etc-cni-netd
+          hostPath:
+            path: "/etc/cni/net.d/"
+        - name: opt-cni-bin
+          hostPath:
+            path: "/opt/cni/bin/"