rke-cis-1.7 | Folder is wrong - should be changed to /etc/kubernetes/ssl #1746

Closed
guyjerby opened this issue Dec 5, 2024 · 10 comments · Fixed by #1747

guyjerby commented Dec 5, 2024

The folder name on the RKE master should be changed from /node/etc/kubernetes/ssl to /etc/kubernetes/ssl in the following checks:

1.1.19 =>

audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl"

4.1.7 =>

audit: "stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem"

4.1.8 =>

audit: "stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem"

As we can see, the files under /etc/kubernetes/ssl have root as owner, and this is what 1.1.19 checks:

root@ip-10-0-5-79:/etc/kubernetes/ssl# ls -l
total 108
-rwxr-xr-x 1 root root 838 Dec 5 21:26 check_files_owner_in_dir.sh
-rw------- 1 root root 1679 Dec 5 09:29 kube-apiserver-key.pem
-rw------- 1 root root 1675 Dec 5 09:29 kube-apiserver-proxy-client-key.pem
-rw------- 1 root root 1151 Dec 5 09:29 kube-apiserver-proxy-client.pem
-rw------- 1 root root 1679 Dec 5 09:29 kube-apiserver-requestheader-ca-key.pem
-rw------- 1 root root 1123 Dec 5 09:29 kube-apiserver-requestheader-ca.pem
-rw------- 1 root root 1306 Dec 5 09:29 kube-apiserver.pem
-rw------- 1 root root 1679 Dec 5 09:29 kube-ca-key.pem
-rw------- 1 root root 1058 Dec 5 09:29 kube-ca.pem
-rw------- 1 root root 1675 Dec 5 09:29 kube-controller-manager-key.pem
-rw------- 1 root root 1107 Dec 5 09:29 kube-controller-manager.pem
-rw------- 1 root root 1675 Dec 5 09:29 kube-etcd-10-0-5-79-key.pem
-rw------- 1 root root 1302 Dec 5 09:29 kube-etcd-10-0-5-79.pem
-rw------- 1 root root 1679 Dec 5 09:29 kube-node-key.pem
-rw------- 1 root root 1115 Dec 5 09:29 kube-node.pem
-rw------- 1 root root 1679 Dec 5 09:29 kube-proxy-key.pem
-rw------- 1 root root 1090 Dec 5 09:29 kube-proxy.pem
-rw------- 1 root root 1675 Dec 5 09:29 kube-scheduler-key.pem
-rw------- 1 root root 1094 Dec 5 09:29 kube-scheduler.pem
-rw------- 1 root root 1679 Dec 5 09:29 kube-service-account-token-key.pem
-rw------- 1 root root 1306 Dec 5 09:29 kube-service-account-token.pem
-rw------- 1 root root 517 Dec 5 09:29 kubecfg-kube-apiserver-proxy-client.yaml
-rw------- 1 root root 533 Dec 5 09:29 kubecfg-kube-apiserver-requestheader-ca.yaml
-rw------- 1 root root 501 Dec 5 09:29 kubecfg-kube-controller-manager.yaml
-rw------- 1 root root 445 Dec 5 09:29 kubecfg-kube-node.yaml
-rw------- 1 root root 449 Dec 5 09:29 kubecfg-kube-proxy.yaml
-rw------- 1 root root 465 Dec 5 09:29 kubecfg-kube-scheduler.yaml
root@ip-10-0-5-79:/etc/kubernetes/ssl# ./check_files_owner_in_dir.sh /etc/kubernetes/ssl/
true
root@ip-10-0-5-79:/etc/kubernetes/ssl#

@guyjerby guyjerby changed the title Folder is wrong - should be changed to /etc/kubernetes/ssl rke-cis-1.7 | Folder is wrong - should be changed to /etc/kubernetes/ssl Dec 5, 2024
@guyjerby guyjerby assigned guyjerby and ttousai and unassigned guyjerby Dec 5, 2024
mozillazg (Collaborator) commented:

cc @andypitcher

guyjerby (Author) commented Dec 5, 2024

@ttousai, @afdesk, can we have a quick fix here and a new build, even tomorrow?
(This is a super minor fix.)

ttousai (Contributor) commented Dec 6, 2024

@guyjerby, @afdesk, please review #1747 with the fixes.

andypitcher (Contributor) commented:

Just to add context: the /node in /node/etc/kubernetes/ssl is used to serve the Deployment needs when using our CIS Benchmark App in Rancher.
For reference, all of our profiles at Rancher are currently maintained here: https://github.com/rancher/security-scan/tree/main/package/cfg. There might be some differences from kube-bench cfgs and ours, that we are addressing and ultimately moving completely inside kube-bench.
cc @dereknola

guyjerby (Author) commented Dec 9, 2024

Hi @andypitcher ,
you mean that a Rancher deployment that includes the CIS benchmark test in the UI will require the /node, while other types of deployment will be without the /node?

can you provide an example?

guyjerby (Author) commented:

While testing the change, the helper script check_files_owner_in_dir.sh was not found under /go/bin; therefore this test never worked.

This is due to 3 issues:

  1. Typo in the Dockerfile:

     COPY helper_scripts/check_files_owner_in_dir.sh /go/bin

     It should copy the script to /go/bin/check_files_owner_in_dir.sh, but it puts it at /go/bin because of the missing "/" after bin.

  2. Missing bash, which is required to run the script: the Dockerfile should contain apk add bash or any other method to have bash on the kube-bench container.

  3. chmod +x: the script should be executable.

@ttousai - can you assist with fixing it?

@guyjerby guyjerby reopened this Dec 10, 2024
andypitcher (Contributor) commented:

> Hi @andypitcher, you mean that a Rancher deployment that includes the CIS benchmark test in the UI will require the /node, while other types of deployment will be without the /node?
>
> Can you provide an example?

Hey @guyjerby, as I mentioned, this is only particular to the CIS Benchmark App inside Rancher: a dedicated pod is created to run the scans, and it mounts the node's / dir as /node, see this.

The best way would be to remove the /node as you proposed, and to use the kube-bench variables instead which would get populated by config.yaml.

andypitcher (Contributor) commented:

If I may add some info here, we proposed some changes for K3s/RKE2 not to use these helper_scripts anymore, see this related PR.
We haven't proposed this change in RKE1, feel free to change it.

guyjerby (Author) commented:

Thank you very much @andypitcher, now it is clear where the /node prefix was collected from, and yes, in kube-bench we have a different configuration and the host is not mounted under /node, so it is not relevant.

guyjerby (Author) commented:

Thanks @andypitcher. To have a quick fix for this bug I suggest fixing the existing script while, in parallel, checking for the next update the use without the scripts, but I will let @ttousai decide what works better to close this issue.

Looking at this check in the Rancher repo, it is implemented like this in a k3s check:

- id: 1.1.19
  text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
  audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls"
  use_multiple_values: true
  tests:
    test_items:
      - flag: "root:root"
  remediation: |
    Run the below command (based on the file location on your system) on the control plane node.
    For example,
    chown -R root:root /var/lib/rancher/k3s/server/tls
  scored: true
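
The checks discussed in this thread (1.1.19 ownership of the PKI directory, and the 4.1.7/4.1.8 permission and ownership checks on kube-ca.pem) can be expressed without the bash helper script at all. The following is an added example written for this page; it is not check_files_owner_in_dir.sh, not part of kube-bench or rancher/security-scan, and the function name check_pki_dir and its parameters are this example's own. It assumes Linux with a GNU or busybox `stat -c` (what the alpine-based kube-bench image provides) and only POSIX sh, so it does not need the `apk add bash` the thread mentions. It also handles the failure mode that a wrong path such as /node/etc/kubernetes/ssl exposes: an audit that globs a non-existent directory must report a failure, not pass because it found zero files to inspect.

```shell
#!/bin/sh
# Added example (not kube-bench's helper script): POSIX-sh audit for a PKI dir.
# For every regular file directly under DIR it checks owner:group (default
# root:root) and that the mode sets no bits beyond MAXMODE (default 600).
# Prints "true" or "false", mirroring check_files_owner_in_dir.sh, and returns
# 0 or 1 so it can be used directly as an audit command.
# Assumptions: GNU/busybox `stat -c`; names are this example's own.
check_pki_dir() {
  dir=$1
  want_owner=${2:-root:root}
  maxmode=${3:-600}
  rc=0

  # A missing directory (e.g. /node/etc/kubernetes/ssl on a host where nothing
  # is mounted at /node) must FAIL the audit, not silently pass with 0 files.
  if [ ! -d "$dir" ]; then
    echo "directory $dir does not exist" >&2
    echo false
    return 1
  fi

  for f in "$dir"/*; do
    [ -f "$f" ] || continue   # skip subdirectories and the empty-glob literal
    owner=$(stat -c '%U:%G' "$f")
    mode=$(stat -c '%a' "$f")

    if [ "$owner" != "$want_owner" ]; then
      echo "$f: owner is $owner, want $want_owner" >&2
      rc=1
    fi

    # Octal compare: any bit set in mode but not in maxmode is too permissive
    # (0644 & ~0600 = 0044, so a world-readable key is flagged; 0400 passes).
    if [ $(( 0$mode & ~0$maxmode )) -ne 0 ]; then
      echo "$f: mode $mode is more permissive than $maxmode" >&2
      rc=1
    fi
  done

  if [ "$rc" -eq 0 ]; then echo true; else echo false; fi
  return "$rc"
}

# Direct usage, e.g.:  sh check_pki_dir.sh /etc/kubernetes/ssl root:root 600
if [ -n "${1:-}" ]; then
  check_pki_dir "$1" "${2:-root:root}" "${3:-600}"
fi
```

Used as an audit, `check_pki_dir /etc/kubernetes/ssl` covers the 1.1.19 intent of the issue, and `check_pki_dir /etc/kubernetes/ssl root:root 600` additionally enforces the 4.1.7-style permission bound on every file in the directory rather than on kube-ca.pem alone. It only inspects files directly in the directory, which matches the flat layout in the `ls -l` output above; a recursive variant would use `find "$dir" -type f` instead of the glob. The diagnostics go to stderr so the stdout remains a single `true`/`false` token for a flag test.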
