kube-bench
CIS 1.9 Make kube-apiserver --request-timeout check (1.2.20) from Manual to Automated?
Discussed in https://github.com/aquasecurity/kube-bench/discussions/1694
Originally posted by heitzflorian, September 27, 2024:

Currently, the kube-apiserver `--request-timeout` check is a "manual" type check with the following specification:
```yaml
- id: 1.2.20
  text: "Ensure that the --request-timeout argument is set as appropriate (Manual)"
  audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
  type: manual
  remediation: |
    Edit the API server pod specification file $apiserverconf
    and set the below parameter as appropriate and if needed.
    For example, --request-timeout=300s
  scored: false
```
I think this could be easily changed to an automated check using the following specifications:
```yaml
- id: 1.2.20
  text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
  audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
  tests:
    test_items:
      - flag: "--request-timeout"
  remediation: |
    Edit the API server pod specification file $apiserverconf
    and set the below parameter as appropriate and if needed.
    For example, --request-timeout=300s
  scored: true
```
It will not check the value of the timeout, only whether the flag is set.
Before change:

```
# /bin/ps -ef | grep "[a]piserver" | sed "s/^.*\(\-\-request-timeout=[0-9ms]*\) .*$/\1/"
--request-timeout=1m0s
# ./kube-bench --config-dir cfg/ --config cfg/config.yaml --benchmark cis-1.9 -c 1.2.20
[INFO] 1 Control Plane Security Configuration
[INFO] 1.2 API Server
[WARN] 1.2.20 Ensure that the --request-timeout argument is set as appropriate (Manual)

== Remediations master ==
1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameter as appropriate and if needed.
For example, --request-timeout=300s

== Summary master ==
0 checks PASS
0 checks FAIL
1 checks WARN
0 checks INFO

[INFO] 2 Etcd Node Configuration

== Summary etcd ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 3 Control Plane Configuration

== Summary controlplane ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 4 Worker Node Security Configuration

== Summary node ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 5 Kubernetes Policies

== Summary policies ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

== Summary total ==
0 checks PASS
0 checks FAIL
1 checks WARN
0 checks INFO
```
After change:

```
# ./kube-bench --config-dir cfg/ --config cfg/config.yaml --benchmark cis-1.9 -c 1.2.20
[INFO] 1 Control Plane Security Configuration
[INFO] 1.2 API Server
[PASS] 1.2.20 Ensure that the --request-timeout argument is set as appropriate (Automated)

== Summary master ==
1 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 2 Etcd Node Configuration

== Summary etcd ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 3 Control Plane Configuration

== Summary controlplane ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 4 Worker Node Security Configuration

== Summary node ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 5 Kubernetes Policies

== Summary policies ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

== Summary total ==
1 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO
```
If you're interested, I can open an issue for that and propose the associated pull request.
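Added example, not part of the discussion above and not kube-bench's own code: the proposed `flag:` test only asserts that `--request-timeout` is present, so a value like `--request-timeout=1s` or a mistyped one would still pass. The Python audit below goes one step further and parses the value the way kube-apiserver does (Go duration syntax, so `1m0s`, `300s` and `1.5h` are all valid while a bare `300` is not) and compares it against a site-defined range. The 60s to 600s bounds, the function names and the `ps -ef` lines are assumptions constructed for the example; the 1m0s figure is kube-apiserver's real built-in default for the flag. It also picks up the space-separated spelling `--request-timeout 300s` that pflag accepts, which a sed pattern anchored on `=` would miss.

```python
import re

# Seconds per unit for the units Go's time.ParseDuration accepts; kube-apiserver
# parses --request-timeout with that function, so "1m0s", "300s" and "1.5h" are all valid.
GO_DURATION_UNITS = {
    "ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3,
    "s": 1.0, "m": 60.0, "h": 3600.0,
}
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")

# kube-apiserver's built-in default for --request-timeout (1m0s).
KUBE_APISERVER_DEFAULT_TIMEOUT_SECONDS = 60.0


def parse_go_duration(text: str) -> float:
    """Convert a Go duration string to seconds.

    Rejects what time.ParseDuration rejects: a bare number other than "0",
    unknown units, and trailing junk ("300" is invalid, "300s" is not).
    """
    text = text.strip()
    if text == "0":
        return 0.0
    total, pos = 0.0, 0
    for m in _COMPONENT.finditer(text):
        if m.start() != pos:  # unparsable text between two components
            break
        total += float(m.group(1)) * GO_DURATION_UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"invalid Go duration: {text!r}")
    return total


def flag_value(cmdline: str, flag: str):
    """Return the value of a long flag on a command line, or None if absent.

    Covers both spellings pflag accepts for non-boolean flags
    (--request-timeout=300s and --request-timeout 300s).
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(flag + "="):
            return tok[len(flag) + 1:]
        if tok == flag and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def check_request_timeout(ps_line: str, min_seconds: float = 60.0,
                          max_seconds: float = 600.0):
    """Evaluate CIS 1.2.20 on one `ps -ef` line for kube-apiserver.

    Returns (status, detail). The bounds are a hypothetical site policy, not
    values from the benchmark, which only says "as appropriate" and gives
    300s as an example.
    """
    raw = flag_value(ps_line, "--request-timeout")
    if raw is None:
        return "FAIL", (f"--request-timeout not set; built-in default of "
                        f"{KUBE_APISERVER_DEFAULT_TIMEOUT_SECONDS:g}s applies")
    try:
        seconds = parse_go_duration(raw)
    except ValueError as exc:
        return "FAIL", f"--request-timeout={raw}: {exc}"
    if not min_seconds <= seconds <= max_seconds:
        return "FAIL", (f"--request-timeout={raw} ({seconds:g}s) is outside the "
                        f"policy range {min_seconds:g}-{max_seconds:g}s")
    return "PASS", f"--request-timeout={raw} ({seconds:g}s)"


# Constructed `ps -ef` lines for illustration, not captured from a real cluster.
SAMPLE_PS_LINES = {
    "equals_form": "root 1 0 0 10:00 ? 00:00:09 kube-apiserver --advertise-address=10.0.0.1 --request-timeout=1m0s --secure-port=6443",
    "space_form": "root 1 0 0 10:00 ? 00:00:09 kube-apiserver --request-timeout 300s --secure-port=6443",
    "unset": "root 1 0 0 10:00 ? 00:00:09 kube-apiserver --advertise-address=10.0.0.1 --secure-port=6443",
    "no_unit": "root 1 0 0 10:00 ? 00:00:09 kube-apiserver --request-timeout=300 --secure-port=6443",
    "too_long": "root 1 0 0 10:00 ? 00:00:09 kube-apiserver --request-timeout=2h --secure-port=6443",
}


def audit_samples():
    """Run the check over every sample line; returns {name: (status, detail)}."""
    return {name: check_request_timeout(line) for name, line in SAMPLE_PS_LINES.items()}


if __name__ == "__main__":
    for name, (status, detail) in audit_samples().items():
        print(f"[{status}] {name}: {detail}")
```

kube-bench's own `compare` operators work on plain numbers and strings, so a duration such as `1m0s` cannot be range-checked directly in the YAML; a script like this one, invoked from the check's `audit` command with its status tested as a string, is one way to keep a value check inside the existing framework without changing kube-bench itself.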