I am trying to remediate CIS benchmark security scan failures, but I am unable to find the files and directories on the server that are mentioned in the report.
For instance, some of the remediation descriptions say things like,
“Edit the API server pod specification file $apiserverconf on the master node…”,
“Edit the Scheduler pod specification file $schedulerconf file on the master node…”,
“chmod 644 /etc/kubernetes/scheduler.conf”,
“chown root:root /etc/kubernetes/controller-manager.conf”, etc.
To what files do
I do not find the files /etc/kubernetes/controller-manager.conf on the master node file system or in a container volume.
Where can I find those files on the file systems so that they can be modified and stored in infrastructure as code with ansible or terraform?
I have an HA Rancher version 2.4.5 installation on AWS EC2 instances and RKE clusters.
Also, what is going on with the mismatching version information in the Rancher documentation?
If you look at,
there are matrices for the different versions of the Self Assessment Guide, Rancher, Hardening Guide, Kubernetes, and the CIS Benchmark. Since I am using Rancher v2.4.5, I would presume that the CIS scan would use benchmark v1.5.
However, at the security scan page (Sorry, new users can only put 2 links in a post.) and the about-the-generated-report section it states,
“As of Rancher v2.4, the scan will use the CIS Benchmark v1.4. The Benchmark version is included in the generated report.”
In my Rancher v2.4.5 installation I am only able to run CIS scans for benchmark v1.4. The items on the CIS Benchmark Rancher Self-Assessment Guide - v2.4 do not match up with the items shown in my scan reports.
If I download the benchmark document from the CIS web site, I see items in my generated report correlating to the items in benchmark v1.4.
Any help is appreciated.
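As an added example, not part of the original post or of Rancher's own tooling: a small audit script for the file mode and ownership items the quoted remediation text refers to, which also reports when a named file is simply absent. It assumes GNU coreutils (`stat -c`); the `/etc/kubernetes/ssl/kubecfg-*.yaml` paths are an assumption about where RKE keeps its control-plane kubeconfigs and should be verified on the node.

```shell
#!/usr/bin/env bash
# Added audit helper, not from the original post. It checks the mode/ownership
# items the quoted CIS remediations describe (e.g. "chmod 644", "chown root:root")
# and reports files that do not exist, which is the situation described above.
# Assumes GNU coreutils (stat -c); the /etc/kubernetes/ssl paths are an assumption
# about where RKE keeps its control-plane kubeconfigs, verify them on your node.

# check_file PATH MAX_MODE OWNER:GROUP
# Prints PASS, FAIL or MISSING and returns 0, 1 or 2 respectively.
check_file() {
  local path=$1 max_mode=$2 want_owner=$3 mode owner mode_dec max_dec
  if [ ! -e "$path" ]; then
    printf 'MISSING %s\n' "$path"
    return 2
  fi
  mode=$(stat -c '%a' "$path")
  owner=$(stat -c '%U:%G' "$path")
  # Convert the octal strings to integers so we can test bits, not compare numbers:
  # 600 is acceptable against a 644 ceiling, 664 is not.
  mode_dec=$(printf '%d' "0$mode")
  max_dec=$(printf '%d' "0$max_mode")
  if [ $(( mode_dec & ~max_dec )) -ne 0 ]; then
    printf 'FAIL    %s mode %s (want at most %s)\n' "$path" "$mode" "$max_mode"
    return 1
  fi
  if [ "$owner" != "$want_owner" ]; then
    printf 'FAIL    %s owner %s (want %s)\n' "$path" "$owner" "$want_owner"
    return 1
  fi
  printf 'PASS    %s %s %s\n' "$path" "$mode" "$owner"
  return 0
}

# Files named in the post, plus the RKE-style kubeconfig locations (assumption).
audit_control_plane_files() {
  local rc=0 f
  for f in /etc/kubernetes/scheduler.conf \
           /etc/kubernetes/controller-manager.conf \
           /etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml \
           /etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml; do
    check_file "$f" 644 root:root || rc=1
  done
  return "$rc"
}

# Run the audit only when invoked with --audit, so the file can also be sourced.
[ "${1:-}" = "--audit" ] && audit_control_plane_files
```

Run it on a master node with `--audit`; a non-zero exit means at least one file failed or was not found at the assumed path, in which case `find / -name 'kubecfg-*.yaml'` style searching (or inspecting the RKE container bind mounts) is the next step.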