
CIS-1.24 - 1.1.20 - Remediation and Test do not match

Open tlb1galaxy opened this issue 1 year ago • 0 comments

Overview

  • Within /cfg/cis-1.24/master.yaml, the test/audit for CIS 1.1.20 searches recursively in /etc/kubernetes/pki/ for any '*.crt' file and validates that its permissions are '600'.
    • If you are running a stacked etcd setup, this includes the /etc/kubernetes/pki/etcd/ folder.
  • The suggested remediation command would only rectify the top-level folder.

How did you run kube-bench?

  1. Install Kubeadm environment
  2. Copy kube-bench/v0.6.12/job.yaml locally
  3. Modify job.yaml to run on the master/control-plane node (attached)
  4. Run kubectl apply -f job_v1.24.0_master.yaml

job_v1.24.0_master.txt

What happened?

CIS 1.1.20 test fails/warns

[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)
1.1.20 Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.crt

CIS Kubernetes v1.24-1.0.0 (09-21-2022): Audit: ls -laR /etc/kubernetes/pki/*.crt

Kube-bench v0.6.12 cfg/cis-1.24/master.yaml - 1.1.20: audit: "find /etc/kubernetes/pki/ -name '*.crt' | xargs stat -c permissions=%a"

/etc/kubernetes/pki/ permissions:

/etc/kubernetes/pki/apiserver.crt => permission=600
/etc/kubernetes/pki/front-proxy-client.crt => permission=600
/etc/kubernetes/pki/apiserver-kubelet-client.crt => permission=600
/etc/kubernetes/pki/apiserver-etcd-client.crt => permission=600
/etc/kubernetes/pki/etcd/peer.crt => permission=644
/etc/kubernetes/pki/etcd/server.crt => permission=644
/etc/kubernetes/pki/etcd/healthcheck-client.crt => permission=644
/etc/kubernetes/pki/etcd/ca.crt => permission=644
/etc/kubernetes/pki/front-proxy-ca.crt => permission=600
/etc/kubernetes/pki/ca.crt => permission=600

What did you expect to happen:

  • The 'audit' test between CIS and Kube-bench should match.
  • The 'remediation' in kube-bench (if keeping the existing audit) should be: sudo find /etc/kubernetes/pki/ -name '*.crt' -type f -exec chmod 600 {} \;

Environment

Kube-bench version: 0.6.12 (Kubernetes deployment branch)

Kubernetes version:

WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:22:29Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:15:38Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}

tlb1galaxy · Mar 28 '23 15:03
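To reproduce the mismatch without touching a real control plane, here is a small shell script (an added example, not code from the issue or from kube-bench) that builds a stacked-etcd-style PKI layout under a temporary directory, audits it the way master.yaml does, and applies the current and the proposed remediation in turn. It assumes GNU `stat -c %a`, the same tool the kube-bench audit relies on.

```shell
#!/bin/sh
# Constructed fixture: top-level certs already 600, etcd certs left at 644,
# mirroring the listing in the issue. Nothing under /etc/kubernetes is used.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/etcd"
  for f in apiserver ca front-proxy-ca; do
    : > "$dir/$f.crt"; chmod 600 "$dir/$f.crt"
  done
  for f in peer server healthcheck-client ca; do
    : > "$dir/etcd/$f.crt"; chmod 644 "$dir/etcd/$f.crt"
  done
  echo "$dir"
}

# Same walk as the kube-bench audit (find ... -name '*.crt' + stat %a).
# Counts every cert whose mode has any bit outside 0600, i.e. that is not
# "600 or more restrictive"; prints only the count.
count_noncompliant() {
  n=0
  for f in $(find "$1" -name '*.crt' -type f); do
    mode=$(stat -c %a "$f")
    if [ $(( 0$mode & ~0600 )) -ne 0 ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# The remediation kube-bench prints today. The shell expands *.crt to the
# top-level certificate files only, so -R has no directory to recurse into
# and etcd/*.crt is never touched.
remediate_kubebench() {
  chmod -R 600 "$1"/*.crt
}

# The remediation proposed in the issue: walk the tree the same way the
# audit does, so every .crt at any depth ends up 600.
remediate_proposed() {
  find "$1" -name '*.crt' -type f -exec chmod 600 {} \;
}

main() {
  pki=$(make_fixture)
  echo "before:           $(count_noncompliant "$pki") non-compliant"
  remediate_kubebench "$pki"
  echo "after chmod -R:   $(count_noncompliant "$pki") non-compliant"
  remediate_proposed "$pki"
  echo "after find -exec: $(count_noncompliant "$pki") non-compliant"
  rm -rf "$pki"
}
main
```

The first two counts stay at 4 (the four etcd certificates), and only the find-based remediation brings the count to 0, which is exactly what the audit in master.yaml checks for.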