Error Executing 'ps' Command RHEL 7.x/8x - Ubuntu 19x #501

robertojrojas · 2019-10-28T20:25:48Z

There are situation where kube-bench is trying to execute the ps coammd and this call fails with the following error "fork/exec /usr/bin/ps: no such file or directory".

Here are a couple of examples:
I1026 19:08:34.085818 18433 util.go:53] [ps -C kube-apiserver -o cmd --no-headers]: fork/exec /usr/bin/ps: no such file or directory

I1026 19:21:13.896322 25411 util.go:53] [ps -C kubelet -o cmd --no-headers]: fork/exec /usr/bin/ps: no such file or directory

I1029 19:04:11.538900 20608 util.go:51] [ps -C kubelet -o cmd --no-headers]: exit status 127

The above error could lead to kube-bench reporting and error like the following:
need apiserver executable but none of the candidates are running

or

need kubelet executable but none of the candidates are running

This happens when the host operating system places the ps command in the /usr/bin directory and this directory is also mapped to the container running kube-bench.

The following operating systems are an example of those:

RHEL / CentOS 7.x
RHEL / CentOS 8.x
Ubuntu 19.04 and 19.10

The problem with the ps command provided by the host OS is that the it was compiled as dynamically linked (uses shared libs) executable using the GLIBC library which is not compatible with the MUSL LIBC library provided by alpine the based image used to build kube-bench docker image.

Alpine

/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.10.2
PRETTY_NAME="Alpine Linux v3.10"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
/ # file /bin/ps
/bin/ps: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, stripped
/ # ldd /bin/ps
	/lib/ld-musl-x86_64.so.1 (0x7f96c2735000)
	libprocps.so.7 => /lib/libprocps.so.7 (0x7f96c26cf000)
	libintl.so.8 => /usr/lib/libintl.so.8 (0x7f96c26bf000)
	libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f96c2735000)
/ #

RHEL 7.6 (OpenShift 3.10)

/opt/kube-bench # cat /host/etc/os-release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.6 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.6"
PRETTY_NAME="OpenShift Enterprise"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.6:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.6
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.6"
/opt/kube-bench # file /usr/bin/ps
/usr/bin/ps: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c496788c276f3dbad570439a9ab748ac2c05f4b2, stripped
/opt/kube-bench # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.10.2
PRETTY_NAME="Alpine Linux v3.10"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
/opt/kube-bench # file /bin/ps
/bin/ps: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, stripped

Ubuntu 19.04

/# cat /etc/os-release
NAME="Ubuntu"
VERSION="19.04 (Disco Dingo)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Disco Dingo (development branch)"
VERSION_ID="19.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=disco
UBUNTU_CODENAME=disco

/# file /usr/bin/ps
/usr/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=2198ba789463d54782f34e47d2cbdf250bcd7b50, for GNU/Linux 3.2.0, stripped

/# ldd /usr/bin/ps
	linux-vdso.so.1 (0x00007ffe509b2000)
	libprocps.so.7 => /lib/x86_64-linux-gnu/libprocps.so.7 (0x00007fd2ba168000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd2ba162000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd2b9f77000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007fd2b9ed9000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fd2ba1da000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fd2b9ece000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fd2b9ea7000)
	liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007fd2b9e76000)
	libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007fd2b9d59000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd2b9d38000)
	libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fd2b9d15000)

The text was updated successfully, but these errors were encountered:

* fixes issue #501 * specify abolute path for ps and cat

robertojrojas · 2019-11-06T01:13:12Z

Fixed by #508

robertojrojas self-assigned this Oct 28, 2019

robertojrojas added a commit to robertojrojas/kube-bench that referenced this issue Oct 30, 2019

fixes issue aquasecurity#501

1ef8839

lizrice pushed a commit that referenced this issue Nov 1, 2019

Fixes issue #501: specifying absolute path for both ps and cat (#508)

13fe1cd

* fixes issue #501 * specify abolute path for ps and cat

robertojrojas closed this as completed Nov 6, 2019

robertojrojas mentioned this issue Feb 10, 2020

Running in a kubernetes cluster don't work as expected when check cis-1.4-1.1.8 #574

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Error Executing 'ps' Command RHEL 7.x/8x - Ubuntu 19x #501

Error Executing 'ps' Command RHEL 7.x/8x - Ubuntu 19x #501

robertojrojas commented Oct 28, 2019 •

edited

robertojrojas commented Nov 6, 2019

Error Executing 'ps' Command RHEL 7.x/8x - Ubuntu 19x #501

Error Executing 'ps' Command RHEL 7.x/8x - Ubuntu 19x #501

Comments

robertojrojas commented Oct 28, 2019 • edited

Alpine

RHEL 7.6 (OpenShift 3.10)

Ubuntu 19.04

robertojrojas commented Nov 6, 2019

robertojrojas commented Oct 28, 2019 •

edited