From 3e6a41af049006dbf0652d12d24d49624d3d0b47 Mon Sep 17 00:00:00 2001
From: Huang Huang <mozillazg101@gmail.com>
Date: Wed, 8 Jul 2020 15:22:49 +0800
Subject: [PATCH] Try to search the right ca file of kubelet (#633)

---
 cfg/cis-1.3/node.yaml | 7 ++++++-
 cfg/cis-1.4/node.yaml | 7 ++++++-
 cfg/cis-1.5/node.yaml | 7 ++++++-
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/cfg/cis-1.3/node.yaml b/cfg/cis-1.3/node.yaml
index 4f72c80..0cd83e8 100644
--- a/cfg/cis-1.3/node.yaml
+++ b/cfg/cis-1.3/node.yaml
@@ -456,7 +456,12 @@ groups:
 
       - id: 2.2.8
         text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
+        audit: |
+          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+          if [[ -z $CAFILE ]]; then
+            CAFILE=$kubeletcafile
+          fi
+          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
         tests:
           test_items:
             - flag: root:root
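Review bot: The new audit script uses `[[ -z $CAFILE ]]`, a bash/ksh construct, while the line it replaces ran explicitly under `/bin/sh -c`; if the harness still executes audits with `/bin/sh` (dash on Debian-family hosts), the `[[` line is a syntax error and the check errors out instead of reporting ownership. The same script is added verbatim to cfg/cis-1.4/node.yaml (2.2.8) and cfg/cis-1.5/node.yaml (4.1.8), so the point applies to all three hunks. `$CAFILE` is also unquoted in the `test -e` / `stat` line, so an empty result (no flag found and `$kubeletcafile` unset) makes `test -e` succeed with no operand and `stat` fails noisily; changing the two lines to `if [ -z "$CAFILE" ]; then` and `if test -e "$CAFILE"; then stat -c %U:%G "$CAFILE"; fi` keeps the script POSIX and handles the empty and spaces-in-path cases. Separately, the `awk '{print $1}'` extraction only recovers the `--client-ca-file=<path>` form and truncates at the first space, so a kubelet started with `--client-ca-file <path>` or configured via its config file presumably falls back to `$kubeletcafile` — worth a comment above the `CAFILE=` line so the fallback is understood. The enclosing check's remaining `test_items` continue outside the hunk.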
diff --git a/cfg/cis-1.4/node.yaml b/cfg/cis-1.4/node.yaml
index dec01f7..8b7161b 100644
--- a/cfg/cis-1.4/node.yaml
+++ b/cfg/cis-1.4/node.yaml
@@ -447,7 +447,12 @@ groups:
 
       - id: 2.2.8
         text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
+        audit: |
+          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+          if [[ -z $CAFILE ]]; then
+            CAFILE=$kubeletcafile
+          fi
+          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
         tests:
           test_items:
             - flag: root:root
diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml
index a2213f5..1b787c3 100644
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
@@ -107,7 +107,12 @@ groups:
 
       - id: 4.1.8
         text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-        audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
+        audit: |
+          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+          if [[ -z $CAFILE ]]; then
+            CAFILE=$kubeletcafile
+          fi
+          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
         tests:
           test_items:
             - flag: root:root
-- 
GitLab