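---
# CIS Kubernetes Benchmark section 2 (etcd node configuration), RKE2 profile,
# consumed by kube-bench.
#
# How kube-bench evaluates an entry here (see its check/test code for detail):
# - `audit` is the shell command whose output is inspected. `$etcdbin` and
#   `$etcdconf` are placeholders substituted from kube-bench's per-distribution
#   config — confirm they resolve to the RKE2 etcd binary and config paths.
# - Each `test_items` entry looks for `flag` on the command line or `env` in the
#   process environment (or `path` in the `audit_config` output); `compare` then
#   checks the captured value. `compare.value` is quoted so YAML keeps it as the
#   string kube-bench expects instead of retyping it as a boolean.
#   `set: false` asserts the flag/env is absent; an omitted `set` is treated as
#   `true` (verify against kube-bench's testItem defaults).
# - `bin_op` combines several test_items: `and` = all must pass, `or` = any.
# - `type: "skip"` makes kube-bench not run the audit at all, so a skipped check
#   says nothing about the node's real state. Several TLS checks below are
#   skipped; review that choice deliberately rather than reading them as passes.
controls:
  version: "rke2-cis-1.24"
  id: 2
  text: "Etcd Node Configuration"
  type: "etcd"
  groups:
    - id: 2
      text: "Etcd Node Configuration"
      checks:
        - id: 2.1
          text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          # Skipped on RKE2 (presumably because RKE2 provisions etcd's serving
          # certificate itself — confirm); the test_items are not evaluated.
          type: "skip"
          tests:
            bin_op: and
            test_items:
              - flag: "--cert-file"
                env: "ETCD_CERT_FILE"
              - flag: "--key-file"
                env: "ETCD_KEY_FILE"
          remediation: |
            Follow the etcd service documentation and configure TLS encryption.
            Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
            on the master node and set the below parameters.
            --cert-file=</path/to/ca-file>
            --key-file=</path/to/key-file>
          scored: true

        - id: 2.2
          text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          # Skipped on RKE2; the audit below is not evaluated.
          type: "skip"
          tests:
            test_items:
              - flag: "--client-cert-auth"
                env: "ETCD_CLIENT_CERT_AUTH"
                compare:
                  op: eq
                  value: "true"
          remediation: |
            Edit the etcd pod specification file $etcdconf on the master
            node and set the below parameter.
            --client-cert-auth="true"
          scored: true

        - id: 2.3
          text: "Ensure that the --auto-tls argument is not set to true (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          # Passes when the flag is absent or explicitly false — either form
          # satisfies the remediation below.
          tests:
            bin_op: or
            test_items:
              - flag: "--auto-tls"
                env: "ETCD_AUTO_TLS"
                set: false
              - flag: "--auto-tls"
                env: "ETCD_AUTO_TLS"
                compare:
                  op: eq
                  value: "false"
                set: true
          remediation: |
            Edit the etcd pod specification file $etcdconf on the master
            node and either remove the --auto-tls parameter or set it to false.
            --auto-tls=false
          scored: true

        - id: 2.4
          text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          # Skipped on RKE2 (presumably because RKE2 provisions etcd's peer
          # certificates itself — confirm); the test_items are not evaluated.
          type: "skip"
          tests:
            bin_op: and
            test_items:
              - flag: "--peer-cert-file"
                env: "ETCD_PEER_CERT_FILE"
                set: true
              - flag: "--peer-key-file"
                env: "ETCD_PEER_KEY_FILE"
                set: true
          # The remediation names the same flags the test_items check
          # (--peer-cert-file, not a non-existent --peer-client-file).
          remediation: |
            Follow the etcd service documentation and configure peer TLS encryption as appropriate
            for your etcd cluster.
            Then, edit the etcd pod specification file $etcdconf on the
            master node and set the below parameters.
            --peer-cert-file=</path/to/peer-cert-file>
            --peer-key-file=</path/to/peer-key-file>
          scored: true

        - id: 2.5
          text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          # Skipped on RKE2; the audit below is not evaluated.
          type: "skip"
          tests:
            test_items:
              - flag: "--peer-client-cert-auth"
                env: "ETCD_PEER_CLIENT_CERT_AUTH"
                compare:
                  op: eq
                  value: "true"
                set: true
          remediation: |
            Edit the etcd pod specification file $etcdconf on the master
            node and set the below parameter.
            --peer-client-cert-auth=true
          scored: true

        - id: 2.6
          text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          # Passes when the flag is absent or explicitly false — either form
          # satisfies the remediation below.
          tests:
            bin_op: or
            test_items:
              - flag: "--peer-auto-tls"
                env: "ETCD_PEER_AUTO_TLS"
                set: false
              - flag: "--peer-auto-tls"
                env: "ETCD_PEER_AUTO_TLS"
                compare:
                  op: eq
                  value: "false"
                set: true
          remediation: |
            Edit the etcd pod specification file $etcdconf on the master
            node and either remove the --peer-auto-tls parameter or set it to false.
            --peer-auto-tls=false
          scored: true

        - id: 2.7
          text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          # The RKE2 etcd config file is read so the peer trusted-ca-file can be
          # checked even when it is not passed as a command-line flag.
          audit_config: "cat /var/lib/rancher/rke2/server/db/etcd/config"
          # Passes if an explicit --trusted-ca-file is set, or if the config's
          # peer trusted CA is the RKE2-managed etcd peer CA below.
          tests:
            bin_op: or
            test_items:
              - flag: "--trusted-ca-file"
                env: "ETCD_TRUSTED_CA_FILE"
              - path: "{.peer-transport-security.trusted-ca-file}"
                compare:
                  op: eq
                  value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt"
                set: true
          remediation: |
            [Manual test]
            Follow the etcd documentation and create a dedicated certificate authority setup for the
            etcd service.
            Then, edit the etcd pod specification file $etcdconf on the
            master node and set the below parameter.
            --trusted-ca-file=</path/to/ca-file>
          scored: false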