aquasecurity · LaibaBareera · Dec 11, 2025 · Dec 11, 2025
diff --git a/cfg/rke2-cis-1.23/master.yaml b/cfg/rke2-cis-1.23/master.yaml
@@ -99,11 +99,13 @@ groups:
       - id: 1.1.7
         text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"
         audit: |
-          /bin/sh -c 'if [ -d "$etcdconf" ]; then
-            find "$etcdconf" -type f -name "*etcd*" -exec stat -c "permissions=%a" {} +
-          else
-            echo "Directory not found"
-          fi'
+          /bin/sh -c '
+            if [ -e "$etcdconf" ]; then
+              stat -c "permissions=%a %n" "$etcdconf"
+            else
+              echo "Directory not found"
+            fi
+          '
         use_multiple_values: true
         tests:
           bin_op: or
@@ -122,11 +124,13 @@ groups:
       - id: 1.1.8
         text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
         audit: |
-           /bin/sh -c 'if [ -d "$etcdconf" ]; then
-            find "$etcdconf" -type f -name "*etcd*" -exec stat -c "ownership=%U:%G %n" {} +
-           else
-            echo "Directory not found"
-           fi'
+          /bin/sh -c '
+            if [ -e $etcdconf ]; then
+              stat -c "ownership=%U:%G %n" $etcdconf
+            else
+              echo "Directory not found"
+            fi
+            '
         tests:
           bin_op: or
           test_items:

diff --git a/cfg/rke2-cis-1.24/master.yaml b/cfg/rke2-cis-1.24/master.yaml
@@ -99,11 +99,13 @@ groups:
       - id: 1.1.7
         text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"
         audit: |
-          /bin/sh -c 'if [ -d "$etcdconf" ]; then
-            find "$etcdconf" -type f -name "*etcd*" -exec stat -c "permissions=%a" {} +
-          else
-            echo "Directory not found"
-          fi'
+          /bin/sh -c '
+            if [ -e "$etcdconf" ]; then
+              stat -c "permissions=%a %n" "$etcdconf"
+            else
+              echo "Directory not found"
+            fi
+          '
         use_multiple_values: true
         tests:
           bin_op: or
@@ -122,11 +124,13 @@ groups:
       - id: 1.1.8
         text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
         audit: |
-          /bin/sh -c 'if [ -d "$etcdconf" ]; then
-           find "$etcdconf" -type f -name "*etcd*" -exec stat -c "ownership=%U:%G %n" {} +
-          else
-           echo "Directory not found"
-          fi'
+          /bin/sh -c '
+            if [ -e $etcdconf ]; then
+              stat -c "ownership=%U:%G %n" $etcdconf
+            else
+              echo "Directory not found"
+            fi
+          '
         tests:
           bin_op: or
           test_items:

diff --git a/cfg/rke2-cis-1.7/master.yaml b/cfg/rke2-cis-1.7/master.yaml
@@ -99,13 +99,13 @@ groups:
       - id: 1.1.7
         text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"
         audit: |
-          /bin/sh -c 'if [ -d "$etcdconf" ]; then
-             find "$etcdconf" -type f -name "*etcd*" \
-               -exec stat -c "permissions=%a %n" {} +
-           else
-             echo "Directory not found"
-           fi'
-        use_multiple_values: true
+          /bin/sh -c '
+            if [ -e "$etcdconf" ]; then
+              stat -c "permissions=%a %n" "$etcdconf"
+            else
+              echo "Directory not found"
+            fi
+          '
         tests:
           bin_op: or
           test_items:
@@ -125,11 +125,13 @@ groups:
       - id: 1.1.8
         text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
         audit: |
-          /bin/sh -c 'if [ -d "$etcdconf" ]; then
-            find "$etcdconf" -type f -name "*etcd*" -exec stat -c "ownership=%U:%G %n" {} +
-          else
-            echo "Directory not found"
-          fi'
+          /bin/sh -c '
+            if [ -e $etcdconf ]; then
+              stat -c "ownership=%U:%G %n" $etcdconf
+            else
+              echo "Directory not found"
+            fi
+          '
         tests:
           bin_op: or
           test_items:

diff --git a/cfg/rke2-cis-1.8/config.yaml b/cfg/rke2-cis-1.8/config.yaml
@@ -1,22 +1,2 @@
 ---
 ## Version-specific settings that override the values in cfg/config.yaml
-
-master:
-  components:
-    - apiserver
-    - kubelet
-    - scheduler
-    - controllermanager
-    - etcd
-    - policies
-  kubelet:
-    bins:
-      - kubelet
-node:
-  kubelet:
-    defaultkubeconfig: "/node/etc/kubernetes/ssl/kubecfg-kube-node.yaml"
-    defaultcafile: "/node/etc/kubernetes/ssl/kube-ca.pem"
-    bins:
-      - kubelet
-  proxy:
-    defaultkubeconfig: "/node/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml"
diff --git a/cfg/rke2-cis-1.8/controlplane.yaml b/cfg/rke2-cis-1.8/controlplane.yaml
@@ -1,6 +1,6 @@
 ---
 controls:
-version: "cis-1.8"
+version: "rke2-cis-1.8"
 id: 3
 text: "Control Plane Configuration"
 type: "controlplane"

diff --git a/cfg/rke2-cis-1.8/etcd.yaml b/cfg/rke2-cis-1.8/etcd.yaml
@@ -1,13 +1,10 @@
 ---
 controls:
-version: "cis-1.8"
+version: "rke2-cis-1.8"
 id: 2
 text: "Etcd Node Configuration"
 type: "etcd"
 groups:
-  - id: 1.1
-    text: "Control Plane Node Configuration Files"
-    checks:
   - id: 2
     text: "Etcd Node Configuration"
     checks:

diff --git a/cfg/rke2-cis-1.8/master.yaml b/cfg/rke2-cis-1.8/master.yaml
@@ -1,6 +1,6 @@
 ---
 controls:
-version: "cis-1.8"
+version: "rke2-cis-1.8"
 id: 1
 text: "Control Plane Security Configuration"
 type: "master"
@@ -98,15 +98,14 @@ groups:
 
       - id: 1.1.7
         text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"
-
         audit: |
-          /bin/sh -c 'if [ -e "$etcdconf" ]; then
-            find "$etcdconf" -type f -name "*etcd*" \
-              -exec stat -c "permissions=%a %n" {} +
+          /bin/sh -c '
+          if [ -e "$etcdconf" ]; then
+            stat -c "permissions=%a %n" "$etcdconf"
           else
             echo "Directory not found"
-          fi'
-        use_multiple_values: true
+          fi
+          '
         tests:
           bin_op: or
           test_items:
@@ -126,16 +125,21 @@ groups:
       - id: 1.1.8
         text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
         audit: |
-          /bin/sh -c 'if [ -e "$etcdconf" ]; then
-            find "$etcdconf" -type f -name "*etcd*" -exec stat -c "%U:%G %n" {} +
+          /bin/sh -c '
+          if [ -e $etcdconf ]; then
+            stat -c "ownership=%U:%G %n" $etcdconf
           else
             echo "Directory not found"
-          fi'
-        use_multiple_values: true
+          fi
+          '
         tests:
           bin_op: or
           test_items:
-            - flag: "root:root"
+            - flag: "ownership"
+              compare:
+                op: eq
+                value: "root:root"
+              set: true
             - flag: "Directory not found"
               set: true
         remediation: |
@@ -181,10 +185,10 @@ groups:
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
         audit: |
-          /bin/sh -c 'if [ -e "/node/var/lib/etcd" ]; then
-            stat -c "%a" "/node/var/lib/etcd"
+          /bin/sh -c 'if [ -e "/var/lib/rancher/rke2/server/db/etcd" ]; then
+            stat -c "%a" "/var/lib/rancher/rke2/server/db/etcd"
           else
-            echo "Directory not found: /node/var/lib/etcd"
+            echo "Directory not found: /var/lib/rancher/rke2/server/db/etcd"
           fi'
         tests:
           bin_op: or
@@ -194,7 +198,7 @@ groups:
                 op: eq
                 value: "700"
               set: true
-            - flag: "Directory not found: /node/var/lib/etcd"
+            - flag: "Directory not found: /var/lib/rancher/rke2/server/db/etcd"
         remediation: |
           On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
           from the command 'ps -ef | grep etcd'.
@@ -204,10 +208,10 @@ groups:
 
       - id: 1.1.12
         text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
-        audit: "stat -c %U:%G /node/var/lib/etcd"
+        audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd"
         tests:
           test_items:
-            - flag: "etcd:etcd"
+            - flag: "root:root"
               set: true
         remediation: |
           On the etcd server node, get the etcd data directory, passed as an argument --data-dir,

diff --git a/cfg/rke2-cis-1.8/node.yaml b/cfg/rke2-cis-1.8/node.yaml
@@ -1,6 +1,6 @@
 ---
 controls:
-version: "cis-1.8"
+version: "rke2-cis-1.8"
 id: 4
 text: "Worker Node Security Configuration"
 type: "node"

diff --git a/cfg/rke2-cis-1.8/policies.yaml b/cfg/rke2-cis-1.8/policies.yaml
@@ -1,6 +1,6 @@
 ---
 controls:
-version: "cis-1.8"
+version: "rke2-cis-1.8"
 id: 5
 text: "Kubernetes Policies"
 type: "policies"