CIS-1.24 - 1.1.20 - Remediation and Test do not match #1409

Open
tlb1galaxy opened this issue Mar 28, 2023 · 0 comments
Overview

  • Within /cfg/cis-1.24/master.yaml, the test/audit for CIS 1.1.20 searches recursively in /etc/kubernetes/pki/ for any '*.crt' file and validates that its permissions are '600'.
    • If you are running a stacked etcd setup, this will include the /etc/kubernetes/pki/etcd/ folder.
  • The suggested remediation command would only rectify the top-level folder.

How did you run kube-bench?

  1. Install Kubeadm environment
  2. Copy kube-bench/v0.6.12/job.yaml locally
  3. Modify job.yaml to run on the master/control-plane node (attached)
  4. Run `kubectl apply -f job_v1.24.0_master.yaml`

job_v1.24.0_master.txt

What happened?

CIS 1.1.20 test fails/warns

[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)
1.1.20 Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.crt

CIS Kubernetes v1.24-1.0.0 (09-21-2022):
Audit: ls -laR /etc/kubernetes/pki/*.crt

Kube-bench v0.6.12 cfg/cis-1.24/master.yaml - 1.1.20:
audit: "find /etc/kubernetes/pki/ -name '*.crt' | xargs stat -c permissions=%a"

/etc/kubernetes/pki/ permissions:

/etc/kubernetes/pki/apiserver.crt => permission=600
/etc/kubernetes/pki/front-proxy-client.crt => permission=600
/etc/kubernetes/pki/apiserver-kubelet-client.crt => permission=600
/etc/kubernetes/pki/apiserver-etcd-client.crt => permission=600
/etc/kubernetes/pki/etcd/peer.crt => permission=644
/etc/kubernetes/pki/etcd/server.crt => permission=644
/etc/kubernetes/pki/etcd/healthcheck-client.crt => permission=644
/etc/kubernetes/pki/etcd/ca.crt => permission=644
/etc/kubernetes/pki/front-proxy-ca.crt => permission=600
/etc/kubernetes/pki/ca.crt => permission=600

What did you expect to happen:

  • the 'audit' test between CIS and Kube-bench should match
  • the 'remediation' in kube-bench (if keeping the existing audit) should be:
    sudo find /etc/kubernetes/pki/ -name '*.crt' -type f -exec chmod 600 {} \;

Environment

Kube-bench version: Kubernetes deployment branch: 0.6.12

Kubernetes version:

WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:22:29Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:15:38Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
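The glob-versus-find difference the issue describes, as an added example that is not part of the original issue or of the kube-bench project: it builds a constructed temp directory mimicking the stacked-etcd layout and the permissions reported above, applies both remediation commands in turn, and counts how many certificates are still more permissive than 600 after each. It assumes GNU find (for the `-perm /077` syntax) and `mktemp`, and never touches /etc/kubernetes.

```shell
#!/bin/sh
# Added example, not from the kube-bench issue or project. Everything runs
# inside a throwaway directory so it is safe to execute on a workstation.

# make_pki_tree DIR: constructed layout with the modes reported in the issue
# (top-level certs already 600, stacked-etcd certs still 644).
make_pki_tree() {
    mkdir -p "$1/etcd"
    for f in apiserver.crt ca.crt front-proxy-ca.crt; do
        : > "$1/$f"; chmod 600 "$1/$f"
    done
    for f in peer.crt server.crt ca.crt healthcheck-client.crt; do
        : > "$1/etcd/$f"; chmod 644 "$1/etcd/$f"
    done
}

# count_loose DIR: number of *.crt files, found recursively, whose mode is
# looser than 600. Same recursion as the kube-bench audit (find + stat), but
# find filters directly: -perm /077 (GNU find) matches any group/other bit set.
count_loose() {
    find "$1" -type f -name '*.crt' -perm /077 | wc -l | tr -d ' '
}

# remediate_glob DIR: the command from the kube-bench remediation text.
# The shell expands DIR/*.crt before chmod runs, so only top-level files are
# passed in; -R is a no-op on regular files and never descends into DIR/etcd.
remediate_glob() {
    chmod -R 600 "$1"/*.crt
}

# remediate_find DIR: the remediation proposed in the issue; find descends
# into subdirectories itself, so etcd/*.crt is fixed as well.
remediate_find() {
    find "$1" -type f -name '*.crt' -exec chmod 600 {} \;
}

# run_comparison: prints "<loose after glob>:<loose after find>".
run_comparison() {
    tmp=$(mktemp -d)
    make_pki_tree "$tmp/pki"
    remediate_glob "$tmp/pki"
    after_glob=$(count_loose "$tmp/pki")
    remediate_find "$tmp/pki"
    after_find=$(count_loose "$tmp/pki")
    rm -rf "$tmp"
    echo "$after_glob:$after_find"
}
```

Running `run_comparison` prints `4:0`: the four etcd certificates survive the glob-based chmod untouched and are only fixed by the find-based command.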