Skip to content

Commit

Permalink
FIX| RKE-CIS-1.24- CHECK 1.1.19
Browse files Browse the repository at this point in the history
We have added the contents of this script(https://github.com/rancher/security-scan/blob/master/package/helper_scripts/check_files_owner_in_dir.sh) as the audit command for this check, ensuring that we are checking the same directory as the original check.
  • Loading branch information
sm171190 committed Nov 7, 2024
1 parent 74f5c8b commit 204ae70
Showing 1 changed file with 20 additions and 1 deletion.
21 changes: 20 additions & 1 deletion cfg/rke-cis-1.24/master.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -272,7 +272,26 @@ groups:

- id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl"
audit: |
#!/bin/bash
if [[ $(stat -c %U:%G "/node/etc/kubernetes/ssl") != "root:root" ]]; then
echo "false"
exit 1
fi
for f in "/node/etc/kubernetes/ssl"/*; do
if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then
if [[ $(stat -c %U:%G "$f") != "root:root" && $(stat -c %U:%G "$f") != "etcd:etcd" ]]; then
echo "false"
exit 1
fi
else
if [[ $(stat -c %U:%G "$f") != "root:root" ]]; then
echo "false"
exit 1
fi
fi
done
echo "true"
tests:
test_items:
- flag: "true"
Expand Down

0 comments on commit 204ae70

Please sign in to comment.