From 27047dbd37f3ea3919dc288fb9cb8ad78958a8d9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 18 Jul 2023 13:20:09 +0200
Subject: [PATCH 1/3] CIS: Use the correct rule for 1.1.3
---
controls/cis_ocp_1_4_0/section-1.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_ocp_1_4_0/section-1.yml b/controls/cis_ocp_1_4_0/section-1.yml
index 5eb0f75c88d..92840abde9f 100644
--- a/controls/cis_ocp_1_4_0/section-1.yml
+++ b/controls/cis_ocp_1_4_0/section-1.yml
@@ -26,7 +26,7 @@ controls:
 title: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
 status: automated
 rules:
- - file_permissions_kube_apiserver
+ - file_permissions_kube_controller_manager
 levels:
 level_1
 - id: 1.1.4
 title: Ensure that the controller manager pod specification file ownership is set to root:root
From 80593601552950695012fb9c492ed077ce565e04 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 18 Jul 2023 13:21:13 +0200
Subject: [PATCH 2/3] CIS: Use the automated rule for checking kube scheduler permissions
---
controls/cis_ocp_1_4_0/section-1.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_ocp_1_4_0/section-1.yml b/controls/cis_ocp_1_4_0/section-1.yml
index 92840abde9f..e91978f30fd 100644
--- a/controls/cis_ocp_1_4_0/section-1.yml
+++ b/controls/cis_ocp_1_4_0/section-1.yml
@@ -39,7 +39,7 @@ controls:
 title: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
 status: automated
 rules:
- - file_permissions_kube_scheduler
+ - file_permissions_scheduler
 levels:
 level_1
 - id: 1.1.6
 title: Ensure that the scheduler pod specification file ownership is set to root:root
From ac6e08aab4fce1869b2965face1fb6af69dac98f Mon Sep 17 00:00:00 2001
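Review bot: The added `- file_permissions_kube_controller_manager` repairs the control-side mapping for 1.1.3, but nothing in this series touches the rule's own `references:` block, so the rule-side `cis@ocp4` value (presumably in applications/openshift/controller/file_permissions_kube_controller_manager/rule.yml, outside this diff) may still not list `1.1.3`; PATCH 3 makes exactly that kind of rule-side reference fix for two other rules, and the same treatment appears to be needed here. Before this hunk, control 1.1.3 was scored by the API-server manifest check, so a too-permissive controller-manager manifest would have gone unreported in any report built from this profile, which is worth stating in the commit message for anyone reconciling old scan results. Also confirm the referenced rule enforces the `600 or more restrictive` bound named in the control title rather than an older 644 bound.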
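Review bot: The new id `file_permissions_scheduler` drops the `kube_` infix that its siblings `file_permissions_kube_apiserver` and `file_permissions_kube_controller_manager` carry in the same file, which makes the three manifest-permission controls inconsistent to grep and invites the same kind of mis-reference this series is fixing; if the rule cannot be renamed, a one-line comment above it such as `# rule id has no kube_ infix, unlike the apiserver/controller-manager rules` would save the next reader a search. The subject says an automated rule is being substituted, which implies the previous reference pointed at a rule that did not exist or was not automated while the control already carried `status: automated`; confirm the rule's own `cis@ocp4` reference lists this control (its id is above the hunk, inferred to be 1.1.5 from the following 1.1.6) and that it checks the scheduler pod manifest at the 600 bound stated in the title.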
From: Jakub Hrozek
Date: Tue, 18 Jul 2023 13:21:57 +0200
Subject: [PATCH 3/3] CIS: Additional rules for already covered controls
---
.../controller_rotate_kubelet_server_certs/rule.yml | 2 +-
.../openshift/kubelet/kubelet_configure_tls_key/rule.yml | 2 +-
controls/cis_ocp_1_4_0/section-4.yml | 4 ++++
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
index d5cc09cb61e..e004fd64219 100644
--- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
+++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
@@ -63,7 +63,7 @@ warnings:
 of rotation yourself
 references:
- cis@ocp4: 1.3.6
+ cis@ocp4: 4.2.11
 nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
 nist: CM-6,CM-6(1),SC-8,SC-8(1)
 pcidss: Req-2.2
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
index fb81c46580d..fbb6a1a2e46 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
@@ -31,7 +31,7 @@ platforms:
 - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted
 references:
- cis@ocp4: 4.2.10
+ cis@ocp4: 4.2.9
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
 pcidss: Req-2.2,Req-2.2.3,Req-2.3
diff --git a/controls/cis_ocp_1_4_0/section-4.yml b/controls/cis_ocp_1_4_0/section-4.yml
index 6cb601e6b78..829caab8869 100644
--- a/controls/cis_ocp_1_4_0/section-4.yml
+++ b/controls/cis_ocp_1_4_0/section-4.yml
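Review bot: The reference is replaced rather than extended: `cis@ocp4: 1.3.6` is removed and only `4.2.11` remains, so if control 1.3.6 in controls/cis_ocp_1_4_0/section-1.yml still lists `controller_rotate_kubelet_server_certs` (section-1.yml is not among the three files in this patch's diffstat) the rule will stop reporting against it without any control-side change. The neighbouring `nerc-cip:` line shows these reference fields accept comma-separated values, so `cis@ocp4: 1.3.6,4.2.11` would preserve both mappings if this controller-manager rule is genuinely evidence for both controls; if 1.3.6 was simply a wrong mapping, the commit message should say so. The `warnings:` block this hunk sits in starts above the hunk and is not visible here.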
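Review bot: The `platforms:` entry directly above the changed line limits this rule to `ocp4.9` through `ocp4.13` and excludes `ocp4-on-hypershift-hosted`, so once PATCH 3 lists it under control 4.2.9 (the id is inferred from the new reference and the neighbouring 4.2.10) that control is checked only by `kubelet_configure_tls_cert` on hosted control planes and on any other version, and a reader of the control file will not see that gap. If `kubelet_configure_tls_cert` carries a different platform constraint the two halves of the control diverge silently; a short comment next to the `platforms:` entry stating why the TLS private-key check does not apply on hypershift-hosted clusters would document the intended coverage. The `platforms:` list itself begins above the hunk.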
@@ -47,6 +47,8 @@ controls:
 rules:
 - file_groupowner_kubelet_conf
 - file_owner_kubelet_conf
+ #- file_groupowner_kubelet
+ - file_owner_kubelet
 levels:
 level_1
 - id: 4.1.7
 title: Ensure that the certificate authorities file permissions are set to 644 or more restrictive
@@ -135,6 +137,7 @@ controls:
 status: automated
 rules:
 - kubelet_configure_tls_cert
+ - kubelet_configure_tls_key
 levels:
 level_1
 - id: 4.2.10
 title: Ensure that the --rotate-certificates argument is not set to false
@@ -148,6 +151,7 @@ controls:
 status: automated
 rules:
 - kubelet_enable_server_cert_rotation
+ - controller_rotate_kubelet_server_certs
 levels:
 level_1
 - id: 4.2.12
 title: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
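Review bot: The added `#- file_groupowner_kubelet` is a commented-out rule reference with no explanation, so a reader cannot tell whether the group-owner rule is missing, broken, or deliberately left out; either drop the line or replace it with the reason, e.g. `# file_groupowner_kubelet omitted: <reason>`, so the gap is tracked rather than silently carried. With only `file_owner_kubelet` listed, the new check verifies the user owner but not the group, so a file owned by root with some other group would satisfy the control even though the sibling pair `file_groupowner_kubelet_conf`/`file_owner_kubelet_conf` shows the intent is to check both halves of a root:root requirement. The control's id, title and `status:` line are above the hunk (the id is presumably 4.1.6 given the following 4.1.7); if it remains `automated`, that status now overstates coverage for the newly added path.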