From 5eccb498c12583c6f1345e7257d15ae00c0431ba Mon Sep 17 00:00:00 2001
From: Saurabh Misra <45711974+sm171190@users.noreply.github.com>
Date: Fri, 15 Nov 2024 18:02:24 +0530
Subject: [PATCH] FIX| RKE-CIS-1.24- CHECK 1.1.19 (#1722)

We have added the missing script required for check 1.1.19 in rke-cis-1.24 and made it available to the kube-bench file system(https://github.com/rancher/security-scan/blob/master/package/helper_scripts/check_files_owner_in_dir.sh).
---
 Dockerfile                                 |  3 ++
 Dockerfile.fips.ubi                        |  1 +
 Dockerfile.ubi                             |  1 +
 helper_scripts/check_files_owner_in_dir.sh | 44 ++++++++++++++++++++++
 4 files changed, 49 insertions(+)
 create mode 100644 helper_scripts/check_files_owner_in_dir.sh

diff --git a/Dockerfile b/Dockerfile
index 411bbcd..7b0b085 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,8 +13,10 @@ RUN make build && cp kube-bench /go/bin/kube-bench
 ARG KUBECTL_VERSION TARGETARCH
 RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
 RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
+
 # Verify kubectl sha256sum
 RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
+
 RUN chmod +x /usr/local/bin/kubectl
 
 FROM alpine:3.20.3 AS run
@@ -44,6 +46,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
 COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
+COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
 ENTRYPOINT ["./entrypoint.sh"]
 CMD ["install"]
 
diff --git a/Dockerfile.fips.ubi b/Dockerfile.fips.ubi
index 360958a..f2d852c 100644
--- a/Dockerfile.fips.ubi
+++ b/Dockerfile.fips.ubi
@@ -42,6 +42,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
 COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
+COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
 ENTRYPOINT ["./entrypoint.sh"]
 CMD ["install"]
 
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index 3911274..c36000c 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -42,6 +42,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
 COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
+COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
 ENTRYPOINT ["./entrypoint.sh"]
 CMD ["install"]
 
diff --git a/helper_scripts/check_files_owner_in_dir.sh b/helper_scripts/check_files_owner_in_dir.sh
new file mode 100644
index 0000000..58b87b2
--- /dev/null
+++ b/helper_scripts/check_files_owner_in_dir.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# This script is used to ensure the owner is set to root:root for
+# the given directory and all the files in it
+#
+# inputs:
+#   $1 = /full/path/to/directory
+#
+# outputs:
+#   true/false
+
+INPUT_DIR=$1
+
+if [[ "${INPUT_DIR}" == "" ]]; then
+    echo "false"
+    exit
+fi
+
+if [[ $(stat -c %U:%G ${INPUT_DIR}) != "root:root" ]]; then
+    echo "false"
+    exit
+fi
+
+statInfoLines=$(stat -c "%n %U:%G" ${INPUT_DIR}/*)
+while read -r statInfoLine; do
+  f=$(echo ${statInfoLine} | cut -d' ' -f1)
+  p=$(echo ${statInfoLine} | cut -d' ' -f2)
+
+  if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then
+    if [[ "$p" != "root:root" && "$p" != "etcd:etcd" ]]; then
+      echo "false"
+      exit
+    fi
+  else
+    if [[ "$p" != "root:root" ]]; then
+      echo "false"
+      exit
+    fi
+  fi
+done <<< "${statInfoLines}"
+
+
+echo "true"
+exit