
---
# kube-bench control set for the etcd node role of an RKE cluster, following
# Rancher's CIS 1.7 benchmark profile. Every check below audits the running
# etcd process via `ps -ef | grep $etcdbin`; $etcdbin and $etcdconf are
# placeholders that kube-bench substitutes from its per-target configuration
# before the audit commands run.
#
# NOTE(review): the audit greps the whole process table for $etcdbin, so any
# other process whose command line contains that string (for example a
# kube-apiserver started with --etcd-servers=... on a combined control-plane /
# etcd node) is also matched. How selective the audit is therefore depends on
# the value configured for $etcdbin -- confirm it against the node layout.
# The bare `controls:` key appears to be a kube-bench file marker and is left
# intentionally empty.
controls:
version: "rke-cis-1.7"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration"
    checks:
    11        - id: 2.1
    12          text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
    13          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
    14          tests:
    15            bin_op: and
    16            test_items:
    17              - flag: "--cert-file"
    18                env: "ETCD_CERT_FILE"
    19              - flag: "--key-file"
    20                env: "ETCD_KEY_FILE"
    21          remediation: |
    22            Follow the etcd service documentation and configure TLS encryption.
    23            Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
    24            on the master node and set the below parameters.
    25            --cert-file=</path/to/ca-file>
    26            --key-file=</path/to/key-file>
    27          scored: true
    28  
      - id: 2.2
        text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
        # Requires etcd to demand a client certificate on its client port
        # (flag or ETCD_CLIENT_CERT_AUTH) with the value compared equal to
        # "true"; an absent flag fails the check.
        # NOTE(review): client-certificate auth only provides authentication
        # when the presented certificates are verified against a trusted CA
        # (--trusted-ca-file); that flag is covered by check 2.7, so read the
        # two results together.
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--client-cert-auth"
              env: "ETCD_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --client-cert-auth="true"
        scored: true
    44  
    45        - id: 2.3
    46          text: "Ensure that the --auto-tls argument is not set to true (Automated)"
    47          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
    48          tests:
    49            bin_op: or
    50            test_items:
    51              - flag: "--auto-tls"
    52                env: "ETCD_AUTO_TLS"
    53                set: false
    54              - flag: "--auto-tls"
    55                env: "ETCD_AUTO_TLS"
    56                compare:
    57                  op: eq
    58                  value: false
    59          remediation: |
    60            Edit the etcd pod specification file $etcdconf on the master
    61            node and either remove the --auto-tls parameter or set it to false.
    62              --auto-tls=false
    63          scored: true
    64  
    65        - id: 2.4
    66          text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
    67          set as appropriate (Automated)"
    68          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
    69          tests:
    70            bin_op: and
    71            test_items:
    72              - flag: "--peer-cert-file"
    73                env: "ETCD_PEER_CERT_FILE"
    74              - flag: "--peer-key-file"
    75                env: "ETCD_PEER_KEY_FILE"
    76          remediation: |
    77            Follow the etcd service documentation and configure peer TLS encryption as appropriate
    78            for your etcd cluster.
    79            Then, edit the etcd pod specification file $etcdconf on the
    80            master node and set the below parameters.
    81            --peer-client-file=</path/to/peer-cert-file>
    82            --peer-key-file=</path/to/peer-key-file>
    83          scored: true
    84  
      - id: 2.5
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
        # Peer-port counterpart of check 2.2: etcd must require a client
        # certificate from connecting peers (flag or ETCD_PEER_CLIENT_CERT_AUTH
        # compared equal to "true").
        # NOTE(review): peer certificate authentication is only as strong as
        # the CA the peers are verified against (--peer-trusted-ca-file). No
        # check in this file looks at that flag, so confirm it is set and
        # points at the dedicated etcd CA when reviewing this result.
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              env: "ETCD_PEER_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --peer-client-cert-auth=true
        scored: true
   100  
      - id: 2.6
        text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
        # Peer-port counterpart of check 2.3: self-generated peer certificates
        # would let any process that can reach the peer port join the TLS
        # handshake without a CA-issued identity. Passes when the flag/env is
        # absent (`set: false`) OR is explicitly false; otherwise fails.
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              set: false
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --peer-auto-tls parameter or set it to false.
          --peer-auto-tls=false
        scored: true
   120  
      - id: 2.7
        text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
        # NOTE(review): the automated test only confirms that --trusted-ca-file
        # (or ETCD_TRUSTED_CA_FILE) is set. It cannot tell whether that CA is
        # dedicated to etcd or shared with the Kubernetes API server, which is
        # what the control title actually asks for -- that still has to be
        # verified by hand by comparing the referenced CA with the API
        # server's CA material. The remediation below is tagged "[Manual test]"
        # while the check is marked Automated and scored; treat a PASS here as
        # necessary but not sufficient.
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--trusted-ca-file"
              env: "ETCD_TRUSTED_CA_FILE"
              set: true
        remediation: |
          [Manual test]
          Follow the etcd documentation and create a dedicated certificate authority setup for the
          etcd service.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameter.
          --trusted-ca-file=</path/to/ca-file>
        scored: true