CNI file permissions misses files #121

Open
OlofKalufs opened this issue May 13, 2024 · 1 comment

Comments

OlofKalufs commented May 13, 2024

What steps did you take and what happened:

When running the CIS benchmark I get 0 fails on 1.1.9 "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive", even though that is wrong. The collection of file permissions that is specified in pkg/collector/config/specs/k8s-cis-1.23.0.yaml runs "stat -c %a /*/cni/*", which doesn't check all the files below those paths.

To debug, I try the same command but with %n to list the files found instead, and I get the following result:

$ stat -c %n /*/cni/*
/etc/cni/net.d
/opt/cni/bin

What did you expect to happen:

Anything else you would like to add:

If I want to get the names of all the files, I could do this instead and see all the files that are missed by the node collector:

$ find /*/cni -type f -exec stat -c %n {} \;
/etc/cni/net.d/10-antrea.conflist
/opt/cni/bin/antrea
/opt/cni/bin/loopback
/opt/cni/bin/bandwidth
/opt/cni/bin/host-local
/opt/cni/bin/ipvlan
/opt/cni/bin/tuning
/opt/cni/bin/vlan
/opt/cni/bin/sbr
/opt/cni/bin/firewall
/opt/cni/bin/macvlan
/opt/cni/bin/vrf
/opt/cni/bin/host-device
/opt/cni/bin/ptp
/opt/cni/bin/portmap
/opt/cni/bin/static
/opt/cni/bin/bridge
/opt/cni/bin/dhcp
/opt/cni/bin/whereabouts
/opt/cni/bin/dummy

If the check were instead "find /*/cni -type f -exec stat -c %a {} \;", we would get a relevant result.

Environment:

  • K8s-Node-Collector version (use k8s-node-collector version):
    We run tag-version 0.1.4 of the image. It doesn't have a "version" subcommand.
  • Kubernetes version (use kubectl version):
    $ kubectl version --short
    Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
    Client Version: v1.27.5+vmware.1
    Kustomize Version: v5.0.1
    Server Version: v1.27.5+vmware.1
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc):
    Ubuntu 22.04 on the nodes
OlofKalufs commented May 13, 2024

The same goes for CIS compliance check 1.1.0, where the corresponding node collector command is
"stat -c %U:%G /*/cni/*"

It would be beneficial to change that to
"find /*/cni -type f -exec stat -c %U:%G {} \;"
