
cfg/cis-1.6's 4.2.1 gets a false negative result

Open tarihub opened this issue 1 year ago • 3 comments

Overview

If kubelet runs only with the command-line parameter --anonymous-auth=false and the configuration file cannot be found on the server, the cis-1.6 4.2.1 rule gets a false negative result.

How did you run kube-bench?

kube-bench run --benchmark=cis-1.6 --targets node --check=4.2.1

What happened?

/root/kube-bench-main/executables-rzdMAHOz82/___224_worker run --benchmark=cis-1.6 --targets node --check=4.2.1 -v=3
....
I0811 17:31:40.822903   34122 check.go:110] -----   Running check 4.2.1   -----
I0811 17:31:40.882694   34122 check.go:299] Command: "/bin/ps -fC kubelet"
I0811 17:31:40.882733   34122 check.go:300] Output:
 "UID        PID  PPID  C STIME TTY          TIME CMD\nroot     48387 48366 19 Aug06 ?        1-02:13:21 kubelet --anonymous-auth=false --network-plugin=cni --registry-burst=10 ....
I0811 17:31:40.886387   34122 check.go:180] failed to run: "/bin/cat /var/lib/kubelet/config.yaml", output: "/bin/cat: /var/lib/kubelet/config.yaml: No such file or directory\n", error: exit status 1
I0811 17:31:40.886411   34122 check.go:186] Command: "/bin/cat /var/lib/kubelet/config.yaml" TestResult: <<EMPTY>> 
I0811 17:31:40.886424   34122 check.go:190] failed to run: "/bin/cat /var/lib/kubelet/config.yaml", output: "/bin/cat: /var/lib/kubelet/config.yaml: No such file or directory\n", error: exit status 1
[INFO] 4 Worker Node Security Configuration
[INFO] 4.2 Kubelet
[FAIL] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)

What did you expect to happen:

[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)

Environment

[What is your version of kube-bench? (run kube-bench version)] build from the latest source code

Reason

https://github.com/aquasecurity/kube-bench/blob/main/check/check.go#L195-L212

If it cannot find the configuration file, err will not be nil, which leads to the false negative result:

c.AuditConfigOutput, err = runAudit(c.AuditConfig)

Any advice for this issue? Thanks ~

tarihub, Aug 11 '22 09:08
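The failure mode reported above, modelled as an added Go example that is not kube-bench's code: `buggyEval` fails the check as soon as the config-file audit errors, while `tolerantEval` treats an unreadable config file as empty output and still judges the kubelet command line. All function names are hypothetical, the inputs are constructed from the log in the issue, and the example assumes a command-line flag takes precedence over the config file value.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Matches --anonymous-auth=<value> on a kubelet command line.
var flagRe = regexp.MustCompile(`--anonymous-auth=(\S+)`)

// Matches "anonymous:" followed by "enabled: <value>" in a kubelet config file.
var cfgRe = regexp.MustCompile(`anonymous:\s+enabled:\s*(\S+)`)

// anonymousAuthDisabled checks the flag first (assumed to override the
// config file), then the config file. If neither sets it, the check fails.
func anonymousAuthDisabled(psOut, cfgOut string) bool {
	if m := flagRe.FindStringSubmatch(psOut); m != nil {
		return strings.EqualFold(m[1], "false")
	}
	if m := cfgRe.FindStringSubmatch(cfgOut); m != nil {
		return strings.EqualFold(m[1], "false")
	}
	return false
}

// buggyEval models the behaviour as the issue describes it: an error from
// the config audit command fails the check before the flag is examined.
func buggyEval(psOut, cfgOut string, cfgErr error) bool {
	if cfgErr != nil {
		return false
	}
	return anonymousAuthDisabled(psOut, cfgOut)
}

// tolerantEval treats an unreadable config file as empty output, so a
// flag-only kubelet is still evaluated on its command line.
func tolerantEval(psOut, cfgOut string, cfgErr error) bool {
	if cfgErr != nil {
		cfgOut = ""
	}
	return anonymousAuthDisabled(psOut, cfgOut)
}

func main() {
	ps := "kubelet --anonymous-auth=false --network-plugin=cni" // constructed sample
	catErr := errors.New("exit status 1")                       // config.yaml missing
	fmt.Println("buggy:", buggyEval(ps, "", catErr), "tolerant:", tolerantEval(ps, "", catErr))
}
```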

Thanks for reporting. I'll check it later.

mozillazg, Aug 21 '22 09:08

Thanks

tarihub, Aug 23 '22 11:08

@TARI0510 @mozillazg Did you find the solution for this issue? I am also facing the issue of "kube-bench cannot find configuration files in server".

Ref: https://github.com/aquasecurity/kube-bench/issues/1256

Please provide your input.

Thanks

Algoss, Sep 06 '22 07:09