github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/rke-cis-1.24/etcd.yaml

---
controls:
version: "rke-cis-1.24"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration"
    checks:
      - id: 2.1
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--cert-file"
              env: "ETCD_CERT_FILE"
              set: true
            - flag: "--key-file"
              env: "ETCD_KEY_FILE"
              set: true
        remediation: |
          Follow the etcd service documentation and configure TLS encryption.
          Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
          on the master node and set the below parameters.
          --cert-file=</path/to/ca-file>
          --key-file=</path/to/key-file>
        scored: true

      - id: 2.2
        text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--client-cert-auth"
              set: true
            - flag: "--client-cert-auth"
              env: "ETCD_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: true
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --client-cert-auth="true"
        scored: true

      - id: 2.3
        text: "Ensure that the --auto-tls argument is not set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              set: false
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --auto-tls parameter or set it to false.
            --auto-tls=false
        scored: true

      - id: 2.4
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
        set as appropriate (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--peer-cert-file"
              env: "ETCD_PEER_CERT_FILE"
              set: true
            - flag: "--peer-key-file"
              env: "ETCD_PEER_KEY_FILE"
              set: true
        remediation: |
          Follow the etcd service documentation and configure peer TLS encryption as appropriate
          for your etcd cluster.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameters.
          --peer-client-file=</path/to/peer-cert-file>
          --peer-key-file=</path/to/peer-key-file>
        scored: true

      - id: 2.5
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-client-cert-auth"
              set: true
            - flag: "--peer-client-cert-auth"
              env: "ETCD_PEER_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: true
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --peer-client-cert-auth=true
        scored: true

      - id: 2.6
        text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              set: false
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              compare:
                op: eq
                value: false
              set: false
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --peer-auto-tls parameter or set it to false.
          --peer-auto-tls=false
        scored: true

      - id: 2.7
        text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--trusted-ca-file"
              env: "ETCD_TRUSTED_CA_FILE"
              set: true
        remediation: |
          [Manual test]
          Follow the etcd documentation and create a dedicated certificate authority setup for the
          etcd service.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameter.
          --trusted-ca-file=</path/to/ca-file>
        scored: true