
kube-bench checks are failing in case of the expected value and actual value is empty string.

Open arjunkhunti-crest opened this issue 1 year ago • 3 comments

Overview

Kube-bench checks are failing when the flagVal and compareValue are empty strings and flagName is given.

  • Expected Outcome
{label: "empty - val", op: "eq", flagVal: "", compareValue: "", expectedResultPattern: "'flagName' is equal to ''", testResult: true, flagName: "flagName"}
  • Actual Outcome
{label: "empty - val", op: "eq", flagVal: "", compareValue: "", expectedResultPattern: "'flagName' is equal to ''", testResult: false, flagName: "flagName"}

How did you run kube-bench?

kube-bench run --benchmark eks-1.2.0

What happened?

The check should pass when flagVal and compareValue are the same (including empty) and flagName is not empty. However, it is failing with the given parameters. Here’s the reference test for the same:

Test Details

- id: 4.2.14
  text: "Check empty string"
  audit: curl http://127.0.0.1:8000/check?name=ncm:disabled_integrity_monitoring
  tests:
    test_items:
      - flag: disabledIntegrityMonitoring
        compare:
          op: eq
          value: ""
        set: true
  remediation: |
    nothing
  scored: true

Golang Function

import (
    "context"
    "fmt"
    "sort"
    "go.uber.org/zap"
    "k8s.io/client-go/kubernetes"
)

// myFun produces the audit output consumed by the check above; the value is deliberately left empty so that kube-bench parses flagVal as "".
func myFun(ctx context.Context, clientset *kubernetes.Clientset, logger *zap.Logger) (string, error) {
    disabledIntegrityMonitoringNodepools, err := getNodePoolsWithoutIntegrityMonitoring(ctx, clientset, logger)
    if err != nil {
        return "", err
    }
    sort.Strings(disabledIntegrityMonitoringNodepools)

    return fmt.Sprintf("disabledIntegrityMonitoring: %s", ""), nil
}

Given the parameters provided:

flagName = "disabledIntegrityMonitoring"
flagVal = ""
compareVal = ""
op = "eq"

The intention was to compare flagVal and compareVal ("" == ""). However, there was an internal assignment of flagName to compareVal, resulting in a comparison of "" == "disabledIntegrityMonitoring". This unexpected behavior led to a test failure and incorrect outcomes.

What did you expect to happen?

The check should pass when flagVal and compareValue are the same (including empty) and flagName is not empty.

Environment

  • Kube-bench: v0.6.19
  • Client Version: v1.21.3
  • Server Version: v1.24.14-gke.2700

arjunkhunti-crest avatar Oct 30 '23 16:10 arjunkhunti-crest
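To make the reported failure mode concrete, the following is a small Go model of the compare step the issue describes. It is an added example for this page, not kube-bench's own code and not the fix from the linked PR: the `testItem` type, the two resolver functions, `evaluate` and `parseAuditLine` are all assumptions made for illustration. The "reported" resolver substitutes the flag name whenever the parsed value is empty, which is the behaviour the issue attributes to the tool; the "fixed" resolver keeps the empty string as a real value and leaves presence detection to the separate `set: true` test, so `"" == ""` passes while a genuinely missing flag is still detected by the parser.

```go
package main

import (
	"fmt"
	"strings"
)

// testItem mirrors the fields listed in the issue's expected/actual outcome.
// The type and field names are assumptions for this example.
type testItem struct {
	flagName     string
	flagVal      string
	compareValue string
	op           string
}

// resolveFlagValReported models the behaviour the issue reports: an empty
// parsed value is replaced by the flag name before the comparison runs,
// so "" is compared against "disabledIntegrityMonitoring" and fails.
// Hypothetical model, not kube-bench's implementation.
func resolveFlagValReported(t testItem) string {
	if t.flagVal == "" {
		return t.flagName
	}
	return t.flagVal
}

// resolveFlagValFixed treats "" as a legitimate value. Whether the flag is
// present at all is a separate question answered by the parser (and, in the
// YAML, by the "set: true" test), so the value is never rewritten.
func resolveFlagValFixed(t testItem) string {
	return t.flagVal
}

// evaluate runs one compare test with the supplied value resolver and returns
// the expected-result pattern from the issue together with the pass/fail result.
func evaluate(t testItem, resolve func(testItem) string) (string, bool) {
	flagVal := resolve(t)
	switch t.op {
	case "eq":
		return fmt.Sprintf("'%s' is equal to '%s'", t.flagName, t.compareValue), flagVal == t.compareValue
	case "noteq":
		return fmt.Sprintf("'%s' is not equal to '%s'", t.flagName, t.compareValue), flagVal != t.compareValue
	}
	return "", false
}

// parseAuditLine extracts the value of a "flag: value" line from audit output
// and reports separately whether the flag was present at all.
func parseAuditLine(output, flag string) (string, bool) {
	for _, line := range strings.Split(output, "\n") {
		key, val, found := strings.Cut(strings.TrimSpace(line), ":")
		if found && strings.TrimSpace(key) == flag {
			return strings.TrimSpace(val), true
		}
	}
	return "", false
}

func main() {
	// Constructed audit output, shaped like what myFun in the issue returns.
	output := "disabledIntegrityMonitoring: "
	val, set := parseAuditLine(output, "disabledIntegrityMonitoring")
	item := testItem{flagName: "disabledIntegrityMonitoring", flagVal: val, compareValue: "", op: "eq"}

	fmt.Println("flag present in output:", set)
	pattern, reported := evaluate(item, resolveFlagValReported)
	_, fixed := evaluate(item, resolveFlagValFixed)
	fmt.Printf("%s -> reported model: %v, fixed model: %v\n", pattern, reported, fixed)
}
```

The point a reviewer of such a comparison routine would look for is the one this model isolates: using the flag name as a sentinel for "no value" conflates two different states, "flag absent" and "flag present with an empty value", and the second state is exactly what an `eq` against `""` is meant to test.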

@arjunkhunti-crest Please raise a PR with suggested solution

chen-keinan avatar Oct 31 '23 07:10 chen-keinan

@chen-keinan, I have raised a PR with a suggested solution. Please find the relevant reference below

  • PR: https://github.com/aquasecurity/kube-bench/pull/1517

arjunkhunti-crest avatar Nov 03 '23 12:11 arjunkhunti-crest

The tentative solution for this issue is to add a new operator that could compare empty values.

arjunkhunti-crest avatar Nov 18 '23 08:11 arjunkhunti-crest