diff --git a/cfg/cis-1.3/node.yaml b/cfg/cis-1.3/node.yaml
index 4f72c80..0cd83e8 100644
--- a/cfg/cis-1.3/node.yaml
+++ b/cfg/cis-1.3/node.yaml
@@ -456,7 +456,12 @@ groups:
 - id: 2.2.8
 text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
- audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
+ audit: |
+ CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+ if [[ -z $CAFILE ]]; then
+ CAFILE=$kubeletcafile
+ fi
+ if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
 tests:
 test_items:
 - flag: root:root
diff --git a/cfg/cis-1.4/node.yaml b/cfg/cis-1.4/node.yaml
index dec01f7..8b7161b 100644
--- a/cfg/cis-1.4/node.yaml
+++ b/cfg/cis-1.4/node.yaml
@@ -447,7 +447,12 @@ groups:
 - id: 2.2.8
 text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
- audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
+ audit: |
+ CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+ if [[ -z $CAFILE ]]; then
+ CAFILE=$kubeletcafile
+ fi
+ if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
 tests:
 test_items:
 - flag: root:root
diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml
index a2213f5..1b787c3 100644
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
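Review bot: The fallback `if [[ -z $CAFILE ]]; then` in the new audit block is bash-only syntax, while the removed line shows this audit being executed through `/bin/sh -c`; on nodes where /bin/sh is dash (Debian/Ubuntu) the `[[` command is not found, the condition evaluates false, CAFILE is never reset to `$kubeletcafile`, and the check then runs `test -e` on an empty, unquoted variable instead of the configured CA path. Use the portable test and quote the expansions: `if [ -z "$CAFILE" ]; then` and `if test -e "$CAFILE"; then stat -c %U:%G "$CAFILE"; fi`. The `ps -ef | grep | awk` pipeline can also emit more than one line when several non-apiserver processes carry a `--client-ca-file=` argument (any command line containing "kubelet" matches, not just the kubelet binary), which makes `test -e` fail with too many arguments and means the audited path is only as trustworthy as the process table; appending `head -n 1` after the last awk, or matching on the kubelet executable name, would make the result deterministic. The same lines appear in the cfg/cis-1.4 and cfg/cis-1.5 hunks. The check item itself continues past the hunk, so its remediation and any further test fields are not visible here.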
@@ -107,7 +107,12 @@ groups:
 - id: 4.1.8
 text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
- audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
+ audit: |
+ CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+ if [[ -z $CAFILE ]]; then
+ CAFILE=$kubeletcafile
+ fi
+ if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
 tests:
 test_items:
 - flag: root:root