FIX| RKE-CIS-1.24- CHECK 1.1.19
We have added the contents of this script (https://github.com/rancher/security-scan/blob/master/package/helper_scripts/check_files_owner_in_dir.sh) as the audit command for this check, ensuring that we are checking the same directory as the original check.
sm171190 committed Nov 5, 2024
1 parent 74f5c8b commit bad4483
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion cfg/rke-cis-1.24/master.yaml
@@ -272,7 +272,7 @@ groups:

- id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl"
audit : "/bin/sh -c 'if [[ $(stat -c %U:%G \"/node/etc/kubernetes/ssl\") != \"root:root" ]]; then echo \"false\"; exit; fi; for f in "/node/etc/kubernetes/ssl"/*; do if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then if [[ $(stat -c %U:%G "$f") != \"root:root\" && $(stat -c %U:%G \"$f\") != \"etcd:etcd\" ]]; then echo \"false\"; exit; fi; else if [[ $(stat -c %U:%G "$f") != \"root:root\" ]]; then echo \"false\"; exit; fi; fi; done; echo \"true'"
tests:
test_items:
- flag: "true"
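
Review bot: The inner double quotes in the new `audit` value are escaped inconsistently, so as shown the YAML double-quoted string ends early at `!= \"root:root" ]]` and the remainder of the line will not parse as one command. The same applies to `"/node/etc/kubernetes/ssl"/*`, the unescaped `"$f"` occurrences and `"kube-etcd-"*`, and the closing `echo \"true'"` is missing its final `\"`. Escape every inner quote, or move the command into a block scalar (`audit: |`) so that no escaping is needed. The command is also run through `/bin/sh -c` but depends on `[[ ... ]]` and `== "kube-etcd-"*` pattern matching, which are not POSIX sh; either invoke a shell that guarantees them or rewrite the tests with `[ ... ]` and `case`. Minor: `audit :` has a space before the colon, unlike the neighbouring keys.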