github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/cis-1.24-microk8s/etcd.yaml

---
controls:
version: "cis-1.24"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration"
    checks:
      - id: 2.1
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--cert-file"
              env: "ETCD_CERT_FILE"
            - flag: "--key-file"
              env: "ETCD_KEY_FILE"
        remediation: |
          Not applicable. MicroK8s uses dqlite and the communication to this service is done through a
          local socket (/var/snap/microk8s/current/var/kubernetes/backend/kine.sock:12379) accessible
          to users with root permissions.
        scored: false

      - id: 2.2
        text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--client-cert-auth"
              env: "ETCD_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: true
        remediation: |
          Not applicable. MicroK8s uses dqlite and the communication to this service is done through a
          local socket (/var/snap/microk8s/current/var/kubernetes/backend/kine.sock:12379) accessible
          to users with root permissions.
        scored: false

      - id: 2.3
        text: "Ensure that the --auto-tls argument is not set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              set: false
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              compare:
                op: eq
                value: false
        remediation: |
          Not applicable. MicroK8s uses dqlite and the communication to this service is done through a
          local socket (/var/snap/microk8s/current/var/kubernetes/backend/kine.sock:12379) accessible
          to users with root permissions.
        scored: false

      - id: 2.4
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
        audit: "if test -e /var/snap/microk8s/current/var/kubernetes/backend/cluster.crt && test -e /var/snap/microk8s/current/var/kubernetes/backend/cluster.key; then echo 'certs-found'; fi"
        tests:
          test_items:
            - flag: "certs-found"
        remediation: |
          The certificate pair for dqlite and TLS peer communication is
          /var/snap/microk8s/current/var/kubernetes/backend/cluster.crt and
          /var/snap/microk8s/current/var/kubernetes/backend/cluster.key.
        scored: true

      - id: 2.5
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
        audit: "/bin/cat $etcdconf | /bin/grep enable-tls || true"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-tls"
              compare:
                op: eq
                value: true
            - flag: "--enable-tls"
              set: false
        remediation: |
          MicroK8s uses dqlite, and peer communication uses TLS if --enable-tls is set in
          /var/snap/microk8s/current/args/k8s-dqlite (set to true by default).
        scored: true

      - id: 2.6
        text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              set: false
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              compare:
                op: eq
                value: false
        remediation: |
          Not applicable. MicroK8s uses dqlite, and TLS peer communication uses the certificates
          created when the snap is created.
        scored: false

      - id: 2.7
        text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--trusted-ca-file"
              env: "ETCD_TRUSTED_CA_FILE"
        remediation: |
          Not applicable. MicroK8s uses dqlite, and TLS peer communication uses the certificates
          created when the snap is created.
        scored: false
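The checks above rely on a small set of test semantics (`flag` looked up in the audit output with an `env` fallback, `set: false` meaning "flag absent", `compare` with `op: eq`, and `bin_op` combining items). The following is an added example, not kube-bench's own code: a simplified, stdlib-only evaluator that applies those semantics to checks 2.3 and 2.5, transcribed from this file as Python dicts, against constructed `ps -ef` and `k8s-dqlite` argument output. The flag-matching rules (`--flag`, `--flag=value`, `--flag value`, bare flag treated as `true`) and the env fallback are my reading of the semantics, not a reproduction of kube-bench's implementation.

```python
"""Simplified evaluator for kube-bench style test_items (added example, not kube-bench code)."""
import os
import re
from typing import Optional, Tuple

# Checks 2.3 and 2.5 transcribed from cis-1.24-microk8s/etcd.yaml as plain dicts,
# so the example needs no YAML library.
CHECK_2_3 = {
    "id": "2.3",
    "tests": {
        "bin_op": "or",
        "test_items": [
            {"flag": "--auto-tls", "env": "ETCD_AUTO_TLS", "set": False},
            {"flag": "--auto-tls", "env": "ETCD_AUTO_TLS",
             "compare": {"op": "eq", "value": False}},
        ],
    },
}
CHECK_2_5 = {
    "id": "2.5",
    "tests": {
        "bin_op": "or",
        "test_items": [
            {"flag": "--enable-tls", "compare": {"op": "eq", "value": True}},
            {"flag": "--enable-tls", "set": False},
        ],
    },
}

# Constructed sample audit output (not captured from a real node).
ETCD_HARDENED = ("root 1234 1 0 10:00 ? 00:00:01 /usr/bin/etcd "
                 "--cert-file=/etc/etcd/server.crt --key-file=/etc/etcd/server.key "
                 "--client-cert-auth=true")
ETCD_WEAK = ("root 1234 1 0 10:00 ? 00:00:01 /usr/bin/etcd "
             "--auto-tls=true --peer-auto-tls")


def flag_value(output: str, flag: str) -> Tuple[bool, Optional[str]]:
    """Return (present, value) for `flag` in a command line or config dump.

    Matches `--flag`, `--flag=value` and `--flag value`; a bare flag yields value None.
    `--flag-other` is not a match for `--flag` (the flag must end at `=`, whitespace or EOL).
    """
    pat = re.compile(rf"(?:^|\s){re.escape(flag)}(?:=(\S+)|\s+(?!-)(\S+)|(?=\s|$))")
    m = pat.search(output)
    if not m:
        return False, None
    return True, m.group(1) or m.group(2)


def item_passes(item: dict, output: str, env: Optional[dict] = None) -> bool:
    """Evaluate one test_item: flag presence (with env fallback), `set`, and `compare`."""
    env = os.environ if env is None else env
    present, value = flag_value(output, item["flag"])
    if not present and item.get("env") and item["env"] in env:
        present, value = True, env[item["env"]]  # env var stands in for the flag
    if item.get("set", True) is False:
        return not present           # `set: false` passes only when the flag is absent
    if not present:
        return False
    cmp = item.get("compare")
    if cmp is None:
        return True                  # presence alone satisfies the item
    actual = "true" if value is None else str(value).lower()  # bare flag == true (assumption)
    expected = str(cmp["value"]).lower()
    if cmp["op"] == "eq":
        return actual == expected
    if cmp["op"] == "noteq":
        return actual != expected
    raise ValueError(f"unsupported compare op: {cmp['op']}")


def check_passes(check: dict, output: str, env: Optional[dict] = None) -> bool:
    """Combine test_items with bin_op (default `and`)."""
    tests = check["tests"]
    results = [item_passes(i, output, env) for i in tests["test_items"]]
    return any(results) if tests.get("bin_op", "and") == "or" else all(results)


if __name__ == "__main__":
    print("2.3 hardened:", check_passes(CHECK_2_3, ETCD_HARDENED, env={}))  # True
    print("2.3 weak:    ", check_passes(CHECK_2_3, ETCD_WEAK, env={}))      # False
    print("2.5 default: ", check_passes(CHECK_2_5, "--enable-tls=true", env={}))  # True
```

The `bin_op: or` pairing used by 2.3, 2.5 and 2.6 is what lets a check pass either when the dangerous flag is absent entirely or when it is explicitly set to `false`; the `env` fallback matters because etcd accepts `ETCD_AUTO_TLS`-style variables in place of flags, so a scanner that only reads the command line would miss a setting supplied through the environment.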