From ba6cb26582d36523bcc691f8838c8d74dafb4278 Mon Sep 17 00:00:00 2001
From: Saurabh Misra
Date: Thu, 19 Sep 2024 12:44:55 +0530
Subject: [PATCH] FIXING RKE2-CIS-1.24 CHECKS

In this change we are making 2 changes:
1. Seom CIS-1.24 checks(1.3.6 , 4.2.12 are not relevant for RKE clusters). So we will skip them.
2. SomeCIS-1.24 tests(1.1.10,1.1.20) are manual checks yet they don't have the type correctly set causing KB to run them with all automated tests.
---
 cfg/rke2-cis-1.24/master.yaml | 4 +++-
 cfg/rke2-cis-1.24/node.yaml | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/cfg/rke2-cis-1.24/master.yaml b/cfg/rke2-cis-1.24/master.yaml
index 13afa29..0adb2b1 100644
--- a/cfg/rke2-cis-1.24/master.yaml
+++ b/cfg/rke2-cis-1.24/master.yaml
@@ -159,6 +159,7 @@ groups:
 For example, chown root:root
 scored: false
+ type: manual
 - id: 1.1.11
 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
@@ -318,6 +319,7 @@ groups:
 For example, chmod -R 600 /var/lib/rancher/rke2/server/tls/*.crt
 scored: false
+ type: manual
 - id: 1.1.21
 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
@@ -335,6 +337,7 @@ groups:
 For example, chmod -R 600 /var/lib/rancher/rke2/server/tls/*.key
 scored: false
+ type: manual
 - id: 1.2
 text: "API Server"
@@ -979,7 +982,6 @@ groups:
 Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
 --feature-gates=RotateKubeletServerCertificate=true
- scored: true
 type: skip
 - id: 1.3.7
diff --git a/cfg/rke2-cis-1.24/node.yaml b/cfg/rke2-cis-1.24/node.yaml
index b99703f..3d3c8e2 100644
--- a/cfg/rke2-cis-1.24/node.yaml
+++ b/cfg/rke2-cis-1.24/node.yaml
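Review bot: In the 1.3.6 hunk the remediation text still instructs the operator to set `--feature-gates=RotateKubeletServerCertificate=true` on the controller manager, while the check is `type: skip` and now carries no `scored` key, so the report will show it as skipped with no hint of why it does not apply to RKE2. The commit message says the check is not relevant to RKE clusters; that reasoning belongs in the YAML so auditors reading the output do not assume kubelet serving-certificate rotation was never assessed, e.g. start the remediation block with `Not Applicable on RKE2:` followed by the reason. If RKE2 rotates kubelet server certificates by another mechanism, name it there; if it does not, skipping rather than marking the check manual removes the only signal that rotation is off. The rest of the 1.3.6 entry (id, text, audit, tests) lies outside the hunk.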
@@ -432,6 +432,7 @@ groups:
 - flag: RotateKubeletServerCertificate
 path: '{.featureGates.RotateKubeletServerCertificate}'
 set: false
+ type: manual
 remediation: |
 Edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
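Review bot: The added `type: manual` on 4.2.12 does not match the commit message, which says 1.3.6 and 4.2.12 are not relevant to RKE clusters and "will be skipped"; a manual check is still reported (as a WARN in kube-bench, as far as I know) and still asks an operator to verify it, whereas a skipped check is not. If the check genuinely does not apply on RKE2, use `type: skip` as 1.3.6 does in master.yaml; if it applies but cannot be automated, keep `type: manual` and correct the commit message. Either way the remediation block, which still tells the operator to set `--feature-gates=RotateKubeletServerCertificate=true` in `KUBELET_CERTIFICATE_ARGS`, should state why the test is not automated on RKE2, since this is the check that would otherwise flag kubelet serving-certificate rotation being disabled. The `tests:` block this hunk closes begins above the hunk, and the `scored:` value for 4.2.12 is not visible here.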