aquasecurity / kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Apache License 2.0

CIS 1.9 Make kube-apiserver --request-timeout check (1.2.20) from Manual to Automated? #1695

Closed heitzflorian closed 1 day ago

heitzflorian commented 1 month ago

Discussed in https://github.com/aquasecurity/kube-bench/discussions/1694

Originally posted by **heitzflorian** September 27, 2024

Actually the kube-apiserver --request-timeout is a "manual" type check with the following specifications:

```yaml
- id: 1.2.20
  text: "Ensure that the --request-timeout argument is set as appropriate (Manual)"
  audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
  type: manual
  remediation: |
    Edit the API server pod specification file $apiserverconf
    and set the below parameter as appropriate and if needed.
    For example,
    --request-timeout=300s
  scored: false
```

I think this could be easily changed to an automated check using the following specifications:

```yaml
- id: 1.2.20
  text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
  audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
  tests:
    test_items:
      - flag: "--request-timeout"
  remediation: |
    Edit the API server pod specification file $apiserverconf
    and set the below parameter as appropriate and if needed.
    For example,
    --request-timeout=300s
  scored: true
```

It will not check the value of timeout, but only if the flag is set.

Before change:

```shell
# /bin/ps -ef | grep "[a]piserver" | sed "s/^.*\(\-\-request-timeout=[0-9ms]*\) .*$/\1/"
--request-timeout=1m0s
# ./kube-bench --config-dir cfg/ --config cfg/config.yaml --benchmark cis-1.9 -c 1.2.20
[INFO] 1 Control Plane Security Configuration
[INFO] 1.2 API Server
[WARN] 1.2.20 Ensure that the --request-timeout argument is set as appropriate (Manual)

== Remediations master ==
1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameter as appropriate and if needed.
For example,
--request-timeout=300s

== Summary master ==
0 checks PASS
0 checks FAIL
1 checks WARN
0 checks INFO

[INFO] 2 Etcd Node Configuration

== Summary etcd ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 3 Control Plane Configuration

== Summary controlplane ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 4 Worker Node Security Configuration

== Summary node ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 5 Kubernetes Policies

== Summary policies ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

== Summary total ==
0 checks PASS
0 checks FAIL
1 checks WARN
0 checks INFO
```

After change:

```shell
# ./kube-bench --config-dir cfg/ --config cfg/config.yaml --benchmark cis-1.9 -c 1.2.20
[INFO] 1 Control Plane Security Configuration
[INFO] 1.2 API Server
[PASS] 1.2.20 Ensure that the --request-timeout argument is set as appropriate (Automated)

== Summary master ==
1 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 2 Etcd Node Configuration

== Summary etcd ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 3 Control Plane Configuration

== Summary controlplane ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 4 Worker Node Security Configuration

== Summary node ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 5 Kubernetes Policies

== Summary policies ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

== Summary total ==
1 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO
```

If you're interested, I can open an issue for that and propose the associated Pull Request.
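The proposed `flag: "--request-timeout"` test only proves the flag is present on the kube-apiserver command line; it says nothing about whether the value is "appropriate", which is why the benchmark leaves that judgement to a human. The Go snippet below is an added illustration, not kube-bench's own code: it shows the presence check the proposed test item performs next to a value check that the test item does not perform. The `ps` line is constructed, the 60-second minimum is an arbitrary assumption, and the helper names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample of one line from `ps -ef | grep kube-apiserver`
// (not a real capture). The value matches what the issue observed on its cluster.
const sampleProcessLine = "root 1234 1 2 10:00 ? 00:05:12 kube-apiserver " +
	"--advertise-address=10.0.0.1 --request-timeout=1m0s --secure-port=6443"

// requestTimeoutFlag scans a command line for --request-timeout, accepting both
// the "--flag=value" and the "--flag value" spellings. This is the presence test
// the proposed automated check reduces to. Returns the raw value and whether it was found.
func requestTimeoutFlag(cmdline string) (string, bool) {
	fields := strings.Fields(cmdline)
	for i, f := range fields {
		if strings.HasPrefix(f, "--request-timeout=") {
			return strings.TrimPrefix(f, "--request-timeout="), true
		}
		if f == "--request-timeout" && i+1 < len(fields) {
			return fields[i+1], true
		}
	}
	return "", false
}

// Result separates the two questions a reviewer cares about:
// is the flag set at all, and is its value acceptable under a chosen policy.
type Result struct {
	Present  bool
	Value    string
	Duration time.Duration
	OK       bool
	Reason   string
}

// evaluateRequestTimeout performs the presence check and, on top of it, a value check
// against a minimum duration (hypothetical policy; CIS itself sets no number).
// A flag-only test would report PASS for every branch in which Present is true.
func evaluateRequestTimeout(cmdline string, minimum time.Duration) Result {
	val, present := requestTimeoutFlag(cmdline)
	if !present {
		// kube-apiserver falls back to its built-in default (1m0s) when the flag is absent,
		// so "not set" is not the same as "no timeout", but it is what the benchmark flags.
		return Result{Reason: "--request-timeout not set; kube-apiserver default applies"}
	}
	d, err := time.ParseDuration(val)
	if err != nil {
		return Result{Present: true, Value: val, Reason: "unparseable duration: " + err.Error()}
	}
	if d < minimum {
		return Result{Present: true, Value: val, Duration: d,
			Reason: fmt.Sprintf("%s is below the assumed minimum of %s", d, minimum)}
	}
	return Result{Present: true, Value: val, Duration: d, OK: true, Reason: "ok"}
}

func main() {
	for _, line := range []string{
		sampleProcessLine,                           // flag set, value 1m0s
		"kube-apiserver --secure-port=6443",         // flag absent
		"kube-apiserver --request-timeout=30s",      // flag set, value below the assumed minimum
		"kube-apiserver --request-timeout 300s",     // space-separated form, as in the remediation text
		"kube-apiserver --request-timeout=forever",  // flag set, value not a duration
	} {
		r := evaluateRequestTimeout(line, 60*time.Second)
		fmt.Printf("present=%-5v ok=%-5v value=%-8q reason=%s\n", r.Present, r.OK, r.Value, r.Reason)
	}
}
```

Running it shows that three of the five constructed command lines would PASS a flag-only test item, even though one of them carries a value below the assumed minimum and another carries a value kube-apiserver could not even parse; that gap is the reason the benchmark keeps 1.2.20 as a manual check.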
afdesk commented 1 day ago

@heitzflorian thanks for your opinion! It's really nice!

It was reverted here #874 and the discussion https://github.com/aquasecurity/kube-bench/pull/841#discussion_r603269444

Please feel free to reopen the issue if something was missed. Thanks!