CNI file permissions misses files #121
Comments
The same goes for CIS compliance check 1.1.0, where the corresponding node collector command is It would be beneficial to change that to |
What steps did you take and what happened:
When running the CIS benchmark I get 0 fails on 1.1.9 "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive" even though that is wrong. The collection of file permissions that is specified in `pkg/collector/config/specs/k8s-cis-1.23.0.yaml` runs `stat -c %a /*/cni/*` which doesn't check all the files below those paths.
To debug, I try the same command but with %n to list the files found instead, and I get the following result
What did you expect to happen:
Anything else you would like to add:
If I want to get the names of all the files, I could do this instead and see all the files that are missed by the node collector:
If the check instead would be `find /*/cni -type f -exec stat -c %a {} \;` we should get a relevant result.
Environment:
k8s-node-collector version: We run tag-version 0.1.4 of the image. It doesn't have a "version" subcommand
kubectl version:
Ubuntu 22.04 on the nodes