From 204ae704136506c7544e1b1de9b2bd58f77abfe9 Mon Sep 17 00:00:00 2001
From: Saurabh Misra
Date: Tue, 5 Nov 2024 09:29:23 +0530
Subject: [PATCH] FIX| RKE-CIS-1.24- CHECK 1.1.19

We have added the contents of this script(https://github.com/rancher/security-scan/blob/master/package/helper_scripts/check_files_owner_in_dir.sh) as the audit command for this check, ensuring that we are checking the same directory as the original check.
---
 cfg/rke-cis-1.24/master.yaml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/cfg/rke-cis-1.24/master.yaml b/cfg/rke-cis-1.24/master.yaml
index c08d6e57b..6d14c613e 100644
--- a/cfg/rke-cis-1.24/master.yaml
+++ b/cfg/rke-cis-1.24/master.yaml
@@ -272,7 +272,26 @@ groups:
 - id: 1.1.19
 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
- audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl"
+ audit: |
+ #!/bin/bash
+ if [[ $(stat -c %U:%G "/node/etc/kubernetes/ssl") != "root:root" ]]; then
+ echo "false"
+ exit 1
+ fi
+ for f in "/node/etc/kubernetes/ssl"/*; do
+ if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then
+ if [[ $(stat -c %U:%G "$f") != "root:root" && $(stat -c %U:%G "$f") != "etcd:etcd" ]]; then
+ echo "false"
+ exit 1
+ fi
+ else
+ if [[ $(stat -c %U:%G "$f") != "root:root" ]]; then
+ echo "false"
+ exit 1
+ fi
+ fi
+ done
+ echo "true"
 tests:
 test_items:
 - flag: "true"
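Review bot: The new `for f in "/node/etc/kubernetes/ssl"/*` loop only stats top-level, non-hidden entries, so a wrongly owned file inside a subdirectory or a dotfile never reaches either `stat` comparison and the audit still prints "true". If mirroring the helper script is deliberately the whole scope, say so in a comment above the loop; otherwise walk the tree with `while IFS= read -r -d '' f; do` … `done < <(find "/node/etc/kubernetes/ssl" -mindepth 1 -print0)` (process substitution rather than a pipe, so the inner `exit 1` still terminates the script). The `%U:%G` format resolves names through the passwd/group files of the process running the audit; if that process is a container that only bind-mounts the host at `/node`, an `etcd`-owned file on the host can print as `UNKNOWN:UNKNOWN` and fail spuriously — worth confirming, or comparing numeric `%u:%g` ids as well. The `#!/bin/bash` line is only a comment once the block is handed to a shell as a command string, so the `[[ ]]` tests rely on the runner's shell supporting them. The check's `tests:` block continues past the end of the hunk.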