- Bug
- Resolution: Done-Errata
- Critical
- 4.14.z
Description of problem:
Rule ocp4-cis-file-permissions-cni-conf returned a false negative result.
The CIS benchmark v1.4.0 uses the following command to check the multus config on nodes:
$ for i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c "stat -c \"%a %n\" /host/etc/cni/net.d/*.conf"; done
600 /host/etc/cni/net.d/00-multus.conf
600 /host/etc/cni/net.d/00-multus.conf
600 /host/etc/cni/net.d/00-multus.conf
600 /host/etc/cni/net.d/00-multus.conf
600 /host/etc/cni/net.d/00-multus.conf
600 /host/etc/cni/net.d/00-multus.conf
Per the rule instructions, the rule checks /etc/cni/net.d/ on the node.
However, the multus config on nodes lives in /etc/kubernetes/cni/net.d/, not /etc/cni/net.d/:
$ oc debug node/hongli-az-8pzqq-master-0 -- chroot /host ls -ltr /etc/cni/net.d/
Starting pod/hongli-az-8pzqq-master-0-debug ...
To use host binaries, run `chroot /host`
total 8
-rw-r--r--. 1 root root 129 Nov 7 02:18 200-loopback.conflist
-rw-r--r--. 1 root root 469 Nov 7 02:18 100-crio-bridge.conflist
Removing debug pod ...
$ oc debug node/hongli-az-8pzqq-master-0 -- chroot /host ls -ltr /etc/kubernetes/cni/net.d/
Starting pod/hongli-az-8pzqq-master-0-debug ...
To use host binaries, run `chroot /host`
total 4
drwxr-xr-x. 2 root root 60 Nov 7 02:23 whereabouts.d
-rw-------. 1 root root 352 Nov 7 02:23 00-multus.conf
Removing debug pod ...
The same layout holds on every node:
$ for node in `oc get node --no-headers|awk '{print $1}'`; do oc debug node/$node -- chroot /host ls -l /etc/kubernetes/cni/net.d/; done
Starting pod/hongli-az-8pzqq-master-0-debug ...
To use host binaries, run `chroot /host`
total 4
-rw-------. 1 root root 352 Nov 7 02:23 00-multus.conf
drwxr-xr-x. 2 root root 60 Nov 7 02:23 whereabouts.d
Removing debug pod ...
Starting pod/hongli-az-8pzqq-master-1-debug ...
To use host binaries, run `chroot /host`
total 4
-rw-------. 1 root root 352 Nov 7 02:23 00-multus.conf
drwxr-xr-x. 2 root root 60 Nov 7 02:23 whereabouts.d
Removing debug pod ...
Starting pod/hongli-az-8pzqq-master-2-debug ...
To use host binaries, run `chroot /host`
total 4
-rw-------. 1 root root 352 Nov 7 02:23 00-multus.conf
drwxr-xr-x. 2 root root 60 Nov 7 02:23 whereabouts.d
Removing debug pod ...
Starting pod/hongli-az-8pzqq-worker-westus-2mx6t-debug ...
To use host binaries, run `chroot /host`
total 4
-rw-------. 1 root root 352 Nov 7 02:38 00-multus.conf
drwxr-xr-x. 2 root root 60 Nov 7 02:38 whereabouts.d
Removing debug pod ...
Starting pod/hongli-az-8pzqq-worker-westus-9qhf5-debug ...
To use host binaries, run `chroot /host`
total 4
-rw-------. 1 root root 352 Nov 7 02:38 00-multus.conf
drwxr-xr-x. 2 root root 60 Nov 7 02:38 whereabouts.d
Removing debug pod ...
Starting pod/hongli-az-8pzqq-worker-westus-bcdpd-debug ...
To use host binaries, run `chroot /host`
total 4
-rw-------. 1 root root 352 Nov 7 02:38 00-multus.conf
drwxr-xr-x. 2 root root 60 Nov 7 02:38 whereabouts.d
Removing debug pod ...
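As an added example (not part of this bug report and not the compliance operator's own rule content), the following POSIX shell check audits a CNI config directory with the same stat -c "%a %n" probe the benchmark uses, and treats a missing directory or a directory with no *.conf files as a failure instead of a silent pass, which is the false-negative shape described above. It assumes GNU coreutils stat (as in the report's command); the directory argument is whatever path is being audited, which on an OpenShift node would be /etc/kubernetes/cni/net.d reached via oc debug node/... -- chroot /host. The fixture directories below are constructed to mirror the two paths in the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or the compliance operator.
# Assumes GNU coreutils `stat` (same probe as the CIS benchmark command).

# Return 0 if every *.conf file under $1 has no group/other permission bits
# (mode 600 or tighter), 1 otherwise. A missing directory or a directory with
# no *.conf files is reported as FAIL: a check that has nothing to inspect
# must not be mistaken for a passing one.
check_cni_conf_perms() {
    dir=$1
    found=0
    bad=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist (checking the wrong path?)"
        return 1
    fi
    for f in "$dir"/*.conf; do
        # An unmatched glob stays literal; skip it rather than stat'ing it.
        [ -e "$f" ] || continue
        found=1
        mode=$(stat -c '%a' "$f")
        # Zero-pad to four octal digits so "600", "4755" and "60" all line up
        # as special/owner/group/other; then read the group and other digits.
        perm=$(printf '%04d' "$mode")
        group=$(printf '%s' "$perm" | cut -c3)
        other=$(printf '%s' "$perm" | cut -c4)
        if [ "$group" -ne 0 ] || [ "$other" -ne 0 ]; then
            echo "FAIL: $mode $f (group/other bits set)"
            bad=1
        else
            echo "ok:   $mode $f"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no *.conf files under $dir"
        return 1
    fi
    return "$bad"
}

# Constructed fixture laid out like the two node paths in the report:
# /etc/cni/net.d holds only .conflist files, while the real multus config
# sits at /etc/kubernetes/cni/net.d/00-multus.conf with mode 600.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/cni/net.d" "$root/etc/kubernetes/cni/net.d"
    echo '{}' > "$root/etc/cni/net.d/200-loopback.conflist"
    echo '{}' > "$root/etc/kubernetes/cni/net.d/00-multus.conf"
    chmod 600 "$root/etc/kubernetes/cni/net.d/00-multus.conf"
    echo "$root"
}

# Usage: run both paths against the fixture. The first reports ok; the
# second, the path the rule actually inspected, reports FAIL rather than
# passing on an empty match.
if [ "${1:-}" = "demo" ]; then
    root=$(make_fixture)
    check_cni_conf_perms "$root/etc/kubernetes/cni/net.d"
    check_cni_conf_perms "$root/etc/cni/net.d"
fi
```

The difference from the benchmark's one-liner is the explicit "found nothing" branch: when the audited directory has no *.conf files, the original command's glob produces no useful output and the result can be read as a pass, while the function above returns non-zero and says which path it looked at.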
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-11-05-194730
How reproducible:
Always
Steps to Reproduce:
1. Run the benchmark check inside the multus pods, then list the real config path on each node:
   $ for i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c "stat -c \"%a %n\" /host/etc/cni/net.d/*.conf"; done
   $ for node in `oc get node --no-headers|awk '{print $1}'`; do oc debug node/$node -- chroot /host ls -l /etc/kubernetes/cni/net.d/; done
Actual results:
The rule checks the wrong path and returns FAIL.
Expected results:
The rule should check the right path and return PASS.
Additional info:
This also applies to both SDN and OVN.
- blocks
  OCPBUGS-30912 compliance scan fails on file permissions mode 600 and no remediation is available (Closed)
  OCPBUGS-31447 Rule ocp4-cis-file-permissions-cni-conf returned a false negative result (Closed)
- is cloned by
  OCPBUGS-31447 Rule ocp4-cis-file-permissions-cni-conf returned a false negative result (Closed)
- relates to
  OCPBUGS-41125 Rule ocp4-cis-file-permissions-cni-conf returned a false negative result (Closed)
- links to
  RHBA-2024:4965 OpenShift Container Platform 4.16.z bug fix update