diff --git a/cfg/cis-1.3/node.yaml b/cfg/cis-1.3/node.yaml
index 4f72c808a4659d627331f8116af3e2a0077ea442..0cd83e862585220042d79beda4e8aea032516a6d 100644
--- a/cfg/cis-1.3/node.yaml
+++ b/cfg/cis-1.3/node.yaml
@@ -456,7 +456,12 @@ groups:
 
       - id: 2.2.8
         text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
+        audit: |
+          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+          if [[ -z $CAFILE ]]; then
+            CAFILE=$kubeletcafile
+          fi
+          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
         tests:
           test_items:
             - flag: root:root
diff --git a/cfg/cis-1.4/node.yaml b/cfg/cis-1.4/node.yaml
index dec01f7deaed0f9363259087146ded6f8045b9f9..8b7161b2fc565437ec78bcf9e971cb4fef131a6d 100644
--- a/cfg/cis-1.4/node.yaml
+++ b/cfg/cis-1.4/node.yaml
@@ -447,7 +447,12 @@ groups:
 
       - id: 2.2.8
         text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
+        audit: |
+          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+          if [[ -z $CAFILE ]]; then
+            CAFILE=$kubeletcafile
+          fi
+          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
         tests:
           test_items:
             - flag: root:root
diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml
index a2213f53955084f9d68366750667d0769c4a0277..1b787c368ce5ba182cad2d9af1dbcfaead2a1780 100644
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
@@ -107,7 +107,12 @@ groups:
 
       - id: 4.1.8
         text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-        audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
+        audit: |
+          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+          if [[ -z $CAFILE ]]; then
+            CAFILE=$kubeletcafile
+          fi
+          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
         tests:
           test_items:
             - flag: root:root