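---
# kube-bench control file: cfg/cis-1.5/etcd.yaml
# CIS Kubernetes Benchmark 1.5, section 2: etcd node configuration.
#
# Every audit below lists the etcd process and greps for $etcdbin, and the
# remediation text names the pod manifest as $etcdconf. Both are
# placeholders whose values are not defined in this file; they are
# presumably substituted by kube-bench from its own configuration.
#
# How the test_items are used in this file (reading of the field names as
# they appear here):
#   set: true             the flag must be present on the command line
#   set: false            the flag must be absent
#   compare: {op, value}  the flag must be present and its value must match
# bin_op combines several items (and / or). Checks 2.2, 2.5 and 2.7 have a
# single item and therefore omit it.
#
# `controls:` is a bare key (null value) followed by top-level keys; this is
# the layout every kube-bench control file uses, so it is kept unchanged.
controls:
version: "cis-1.5"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration Files"
    checks:
      # 2.1: client-facing TLS. Both the certificate and the key must be set.
      - id: "2.1"
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--cert-file"
              set: true
            - flag: "--key-file"
              set: true
        # Uses $etcdconf for the manifest path like every other check in
        # this file, instead of a hard-coded /etc/kubernetes/manifests path.
        remediation: |
          Follow the etcd service documentation and configure TLS encryption.
          Then, edit the etcd pod specification file $etcdconf
          on the master node and set the below parameters.
          --cert-file=</path/to/ca-file>
          --key-file=</path/to/key-file>
        scored: true

      # 2.2: clients must present a certificate; the flag has to be present
      # and equal to true.
      - id: "2.2"
        text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--client-cert-auth"
              compare:
                op: eq
                value: "true"
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --client-cert-auth="true"
        scored: true

      # 2.3: self-signed automatic TLS must not be enabled. Passes when the
      # flag is absent OR when it is explicitly false. The second item
      # carries an explicit `set: true`, matching the same pattern in 2.6.
      - id: "2.3"
        text: "Ensure that the --auto-tls argument is not set to true (Scored)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--auto-tls"
              set: false
            - flag: "--auto-tls"
              compare:
                op: eq
                value: "false"
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --auto-tls parameter or set it to false.
          --auto-tls=false
        scored: true

      # 2.4: peer (member-to-member) TLS. Both the certificate and the key
      # must be set.
      - id: "2.4"
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--peer-cert-file"
              set: true
            - flag: "--peer-key-file"
              set: true
        # The flag named in the remediation is --peer-cert-file, the same
        # flag the test item checks (the earlier text said
        # --peer-client-file, which is not what is audited).
        remediation: |
          Follow the etcd service documentation and configure peer TLS encryption as appropriate
          for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameters.
          --peer-cert-file=</path/to/peer-cert-file>
          --peer-key-file=</path/to/peer-key-file>
        scored: true

      # 2.5: peers must present a certificate; the flag has to be present
      # and equal to true.
      - id: "2.5"
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              compare:
                op: eq
                value: "true"
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --peer-client-cert-auth=true
        scored: true

      # 2.6: self-signed automatic peer TLS must not be enabled. Same
      # absent-or-false pattern as 2.3.
      - id: "2.6"
        text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-auto-tls"
              set: false
            - flag: "--peer-auto-tls"
              compare:
                op: eq
                value: "false"
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --peer-auto-tls parameter or set it to false.
          --peer-auto-tls=false
        scored: true

      # 2.7: a dedicated CA for etcd. Only the presence of --trusted-ca-file
      # can be checked automatically; whether the CA is actually unique to
      # etcd is a manual verification, hence Not Scored.
      - id: "2.7"
        text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--trusted-ca-file"
              set: true
        remediation: |
          [Manual test]
          Follow the etcd documentation and create a dedicated certificate authority setup for the
          etcd service.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameter.
          --trusted-ca-file=</path/to/ca-file>
        scored: false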