From f0f89b2707c3b38202d4b73ed0bcf4bda3867710 Mon Sep 17 00:00:00 2001
From: Abubakr-Sadik Nii Nai Davis
Date: Mon, 16 Dec 2024 05:44:08 +0000
Subject: [PATCH] fix: change the folder name for certificate files in rke-1.23 and rke-1.24, fixes #1747 (#1749)

---
 cfg/rke-cis-1.23/master.yaml | 2 +-
 cfg/rke-cis-1.23/node.yaml | 4 ++--
 cfg/rke-cis-1.24/master.yaml | 10 +++++-----
 cfg/rke-cis-1.24/node.yaml | 4 ++--
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/cfg/rke-cis-1.23/master.yaml b/cfg/rke-cis-1.23/master.yaml
index bc2338215..ae67774d8 100644
--- a/cfg/rke-cis-1.23/master.yaml
+++ b/cfg/rke-cis-1.23/master.yaml
@@ -263,7 +263,7 @@ groups:
 - id: 1.1.19
 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
- audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl"
+ audit: "check_files_owner_in_dir.sh /etc/kubernetes/ssl"
 tests:
 test_items:
 - flag: "true"
diff --git a/cfg/rke-cis-1.23/node.yaml b/cfg/rke-cis-1.23/node.yaml
index a509ed743..b22c4c5cc 100644
--- a/cfg/rke-cis-1.23/node.yaml
+++ b/cfg/rke-cis-1.23/node.yaml
@@ -93,7 +93,7 @@ groups:
 - id: 4.1.7
 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Automated)"
- audit: "stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem"
+ audit: "stat -c permissions=%a /etc/kubernetes/ssl/kube-ca.pem"
 tests:
 test_items:
 - flag: "permissions"
@@ -107,7 +107,7 @@ groups:
 - id: 4.1.8
 text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
- audit: "stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem"
+ audit: "stat -c %U:%G /etc/kubernetes/ssl/kube-ca.pem"
 tests:
 test_items:
 - flag: root:root
diff --git a/cfg/rke-cis-1.24/master.yaml b/cfg/rke-cis-1.24/master.yaml
index c08d6e57b..2b2ee61a3 100644
--- a/cfg/rke-cis-1.24/master.yaml
+++ b/cfg/rke-cis-1.24/master.yaml
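Review bot: The new `audit: "check_files_owner_in_dir.sh /etc/kubernetes/ssl"` line only does its job if the kube-bench container sees the host's `/etc/kubernetes/ssl` at that same path; the patch does not include the job manifest or volume mount that would establish this, so it is worth confirming before merge (the same path assumption is made by every other hunk in this patch, in cfg/rke-cis-1.23/node.yaml, cfg/rke-cis-1.24/master.yaml and cfg/rke-cis-1.24/node.yaml). The diffstat shows only this one line changed in cfg/rke-cis-1.23/master.yaml, while cfg/rke-cis-1.24/master.yaml also rewrites 1.1.20 and 1.1.21; if the 1.23 file has sibling checks still pointing at `/node/etc/kubernetes/ssl`, they would now disagree with 1.1.19, so a grep for the old prefix in both 1.23 files seems warranted. The check's `tests:` block is only partly visible, and the enclosing group continues outside the hunk.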
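Review bot: The rewritten `audit: "stat -c permissions=%a /etc/kubernetes/ssl/kube-ca.pem"` still runs `stat` with no existence check, whereas the cfg/rke-cis-1.24/node.yaml hunks in this same patch wrap the equivalent stat in `/bin/sh -c "if test -e …; then stat …; else echo \"File not found\"; fi"`; the same applies to the 4.1.8 hunk at @@ -107 in this file. When kube-ca.pem is absent (or not mounted at the new path), stat reports only on stderr, so the `permissions` flag the visible test item looks for is never produced and the check fails with nothing in its output explaining why. Failing is the safer outcome, but the two profiles touched by one patch should behave the same way; if the 1.24 form is adopted here, the `tests:` block (mostly outside this hunk) must not accept `File not found` as a pass.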
@@ -272,7 +272,7 @@ groups:
 - id: 1.1.19
 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
- audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl"
+ audit: "check_files_owner_in_dir.sh /etc/kubernetes/ssl"
 tests:
 test_items:
 - flag: "true"
@@ -289,7 +289,7 @@ groups:
 - id: 1.1.20
 text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)"
 audit: |
- if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi
+ if test -n "$(find /etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi
 tests:
 bin_op: or
 test_items:
@@ -301,13 +301,13 @@ groups:
 remediation: |
 Run the below command (based on the file location on your system) on the control plane node.
 For example,
- find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} +
+ find /etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} +
 scored: true
 - id: 1.1.21
 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"
 audit: |
- if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' | xargs stat -c permissions=%a;else echo \"File not found\"; fi
+ if test -n "$(find /etc/kubernetes/ssl/ -name '*.pem')"; then find /etc/kubernetes/ssl/ -name '*.pem' | xargs stat -c permissions=%a;else echo \"File not found\"; fi
 tests:
 bin_op: or
 test_items:
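Review bot: With the path now changed to `/etc/kubernetes/ssl/`, a container that does not have the host directory mounted there makes the new `audit: |` command in the 1.1.20 hunk take its `else echo "File not found"` branch on every run, and the same fallback exists in the 1.1.21 hunk at @@ -301 and in both cfg/rke-cis-1.24/node.yaml hunks. The `tests:` block uses `bin_op: or` but its `test_items:` lie outside the hunk; if one of them matches the fallback string, a mis-mounted or empty PKI directory would score as a pass rather than a failure, which is the wrong direction for a permissions check. Please confirm how that case is scored, and consider a comment above the audit such as `# "File not found" means the PKI directory is missing or not mounted; the test_items below must not treat it as compliant`.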
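Review bot: In the 1.1.21 hunk the rewritten audit still scans `-name '*.pem'`, which stats every PEM file in `/etc/kubernetes/ssl/`, while the check's title ("PKI key file permissions") and its own remediation a few lines down restrict themselves to `-name '*key.pem'`; since this line is being rewritten anyway, narrowing the audit to the same pattern would make 1.1.20 and 1.1.21 cover the disjoint sets of files their titles describe. The 1.1.21 line also escapes its fallback as `echo \"File not found\"` inside a `|` literal block scalar, where YAML performs no escape processing, so the shell prints the quote characters, whereas the 1.1.20 line in the previous hunk writes `echo "File not found"`; the two should agree. Proposed: `if test -n "$(find /etc/kubernetes/ssl/ -name '*key.pem')"; then find /etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi`. As a nit, the rewritten remediation's `-exec chmod -R 600 {} +` applies `-R` to regular files where it is a no-op; `-exec chmod 600 {} +` says what is meant.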
@@ -319,7 +319,7 @@ groups:
 remediation: |
 Run the below command (based on the file location on your system) on the control plane node.
 For example,
- find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} +
+ find /etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} +
 scored: true
 - id: 1.2
diff --git a/cfg/rke-cis-1.24/node.yaml b/cfg/rke-cis-1.24/node.yaml
index 653f1b754..90a173866 100644
--- a/cfg/rke-cis-1.24/node.yaml
+++ b/cfg/rke-cis-1.24/node.yaml
@@ -92,7 +92,7 @@ groups:
 - id: 4.1.7
 text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"
- audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
+ audit: '/bin/sh -c "if test -e /etc/kubernetes/ssl/kube-ca.pem; then stat -c permissions=%a /etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
 tests:
 bin_op: or
 test_items:
@@ -107,7 +107,7 @@ groups:
 scored: true
 - id: 4.1.8
 text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
- audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
+ audit: '/bin/sh -c "if test -e /etc/kubernetes/ssl/kube-ca.pem; then stat -c %U:%G /etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
 tests:
 bin_op: or
 test_items: