Overview
To help see and understand the issue I have written a perl script/tool that formats a test report (generated with json option) into html so that the detail can be seen in a web browser, as you will see in the image below:
As you can see from the report there are three 'FAIL' tests only and they are in the section 1.1. The report has audit/reason info attached to each test so that we can tell what the possible root cause is - I would say it has a 99% certainty. So below are the 'bugs' and fixes I believe are:
For test 1.1.7, the audit should be checking the permission of the file "/var/lib/rancher/rke2/server/db/etcd/config", instead of thinking it is a directory and trying to find files with the 'etcd' pattern.
For test 1.1.15, kube-bench could not find a 'kubeconfig' entry for the 'scheduler' component in the cfg/config.yaml file and thus used the default entry of "/etc/kubernetes/scheduler.conf". A fix is to add an entry of "/var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" for the component of "scheduler", like the image shown below
For test 1.1.17, this will need someone to verify. I believe the cause of the issue is similar to the test 1.1.15, but it is a little trickier. I think this test should be checking the permission of the file "/var/lib/rancher/rke2/server/cred/controller.kubeconfig", but in the kube-bench cfg/config.yaml file there is NOT a component of 'controller'. Hence a dirty fix should be to change the test audit
from
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
to
audit: "/bin/sh -c 'if test -e /var/lib/rancher/rke2/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/rke2/server/cred/controller.kubeconfig; fi'"
Environment
What is your version of kube-bench? I have used the latest version, v0.7.3.
What is your version of Kubernetes? tested both v1.25.16+rke2r2 and v1.28.9+rke2r1
Since the bug and fixes have been described above, I have skipped other requirements for this bug report. But please contact me if there are any questions or needs.
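Added example, not kube-bench's own code nor the reporter's: a small Python model of the two behaviours the 1.1.15 and 1.1.7 findings describe, namely a component whose `kubeconfig` list is missing from the config falling back to a default path, and a permission audit that refuses to treat the target as a directory. The config shape (a `kubeconfig` list plus `defaultkubeconfig` per component) and the file contents are assumptions constructed for the demo.

```python
import os
import stat
import tempfile

# Assumed default for the 'scheduler' component, as quoted in the report.
DEFAULT_SCHEDULER_CONF = "/etc/kubernetes/scheduler.conf"


def resolve_kubeconfig(cfg, component, default):
    """Return the first existing path under the component's 'kubeconfig'
    list; fall back to 'defaultkubeconfig' (or the given default) when the
    component is absent or none of its candidates exist. This fallback is
    what produced the wrong 1.1.15 path on RKE2."""
    entry = cfg.get(component) or {}
    for path in entry.get("kubeconfig", []):
        if os.path.isfile(path):
            return path
    return entry.get("defaultkubeconfig", default)


def audit_permissions(path, max_mode=0o644):
    """Python equivalent of `stat -c permissions=%a` plus the 'no looser
    than max_mode' comparison. Returns (octal string or None, passed).
    A directory or missing path yields (None, False) instead of being
    searched for matching files, which is the 1.1.7 mistake."""
    if not os.path.isfile(path):
        return None, False
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return format(mode, "o"), (mode & ~max_mode) == 0


def demo():
    """Build a throwaway scheduler.kubeconfig and exercise both paths."""
    with tempfile.TemporaryDirectory() as tmp:
        kc = os.path.join(tmp, "scheduler.kubeconfig")
        with open(kc, "w") as f:
            f.write("# constructed placeholder kubeconfig\n")
        os.chmod(kc, 0o600)
        without_entry = {}                                  # as reported
        with_entry = {"scheduler": {"kubeconfig": [kc]}}   # proposed fix
        result = {
            "fallback": resolve_kubeconfig(without_entry, "scheduler", DEFAULT_SCHEDULER_CONF),
            "resolved": resolve_kubeconfig(with_entry, "scheduler", DEFAULT_SCHEDULER_CONF),
            "strict": audit_permissions(kc),
            "dir": audit_permissions(tmp),
        }
        os.chmod(kc, 0o664)            # group-writable: must now FAIL
        result["loose"] = audit_permissions(kc)
        return result


if __name__ == "__main__":
    print(demo())
```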