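# cfg/cis-1.6/etcd.yaml — kube-bench controls for CIS Kubernetes Benchmark 1.6, section 2 (etcd).
#
# Every audit below lists the running etcd process (`ps -ef | grep $etcdbin`) and each
# test_item matches either a command-line flag or its ETCD_* environment variable.
# NOTE(review): only flags and env vars are inspected; a setting supplied through an
# etcd configuration file would not be seen by these checks — confirm against your
# deployment before relying on a PASS here.
#
# Check ids are quoted so YAML never coerces them to floats (an unquoted 2.10 would
# silently become 2.1); compare values are quoted because kube-bench treats them as
# strings, not booleans.
---
# 'controls:' is an empty key kept for compatibility with kube-bench's existing
# control files; the fields below are intentionally NOT nested under it.
controls:
version: "cis-1.6"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration Files"
    checks:
      # 2.1 — client-facing TLS: both the serving certificate and its key must be set.
      - id: "2.1"
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--cert-file"
              env: "ETCD_CERT_FILE"
            - flag: "--key-file"
              env: "ETCD_KEY_FILE"
        # --cert-file is the etcd *server* certificate, not the CA (the CA goes in
        # --trusted-ca-file, see 2.7); the placeholder was previously mislabelled.
        remediation: |
          Follow the etcd service documentation and configure TLS encryption.
          Then, edit the etcd pod specification file $etcdconf
          on the master node and set the below parameters.
          --cert-file=</path/to/cert-file>
          --key-file=</path/to/key-file>
        scored: true

      # 2.2 — clients must present a certificate signed by the trusted CA.
      - id: "2.2"
        text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--client-cert-auth"
              env: "ETCD_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: "true"
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --client-cert-auth=true
        scored: true

      # 2.3 — self-signed auto-generated client certs must not be in use.
      # Benchmark wording is "not set to true", so an absent flag passes (first
      # item) as well as an explicit false (second item); hence bin_op: or.
      - id: "2.3"
        text: "Ensure that the --auto-tls argument is not set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              set: false
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              compare:
                op: eq
                value: "false"
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --auto-tls parameter or set it to false.
          --auto-tls=false
        scored: true

      # 2.4 — peer (member-to-member) TLS: both the peer certificate and its key must be set.
      - id: "2.4"
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--peer-cert-file"
              env: "ETCD_PEER_CERT_FILE"
            - flag: "--peer-key-file"
              env: "ETCD_PEER_KEY_FILE"
        # The remediation must name the flag the test looks for (--peer-cert-file);
        # the earlier text suggested a non-existent --peer-client-file.
        remediation: |
          Follow the etcd service documentation and configure peer TLS encryption as appropriate
          for your etcd cluster.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameters.
          --peer-cert-file=</path/to/peer-cert-file>
          --peer-key-file=</path/to/peer-key-file>
        scored: true

      # 2.5 — peers must present a certificate signed by the trusted peer CA.
      - id: "2.5"
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              env: "ETCD_PEER_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: "true"
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --peer-client-cert-auth=true
        scored: true

      # 2.6 — self-signed auto-generated peer certs must not be in use.
      # Same absent-or-false logic as 2.3.
      - id: "2.6"
        text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              set: false
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              compare:
                op: eq
                value: "false"
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --peer-auto-tls parameter or set it to false.
          --peer-auto-tls=false
        scored: true

      # 2.7 — dedicated etcd CA. The automated part can only confirm that a trusted
      # CA file is configured; it cannot tell whether that CA is distinct from the
      # Kubernetes cluster CA, which is why the check is Manual and unscored.
      - id: "2.7"
        text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--trusted-ca-file"
              env: "ETCD_TRUSTED_CA_FILE"
        remediation: |
          [Manual test]
          Follow the etcd documentation and create a dedicated certificate authority setup for the
          etcd service.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameter.
          --trusted-ca-file=</path/to/ca-file>
        scored: false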