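---
# CIS Kubernetes Benchmark v1.7, section 2 (etcd node), as applied to RKE2.
#
# Reviewer notes for this profile:
# - Every `audit` below greps the etcd process line for `$etcdbin`; a flag is
#   only observed if it is on the command line or in the matching `env`
#   variable (ETCD_*). Check 2.7 shows that at least etcd's peer TLS trust
#   settings live in /var/lib/rancher/rke2/server/db/etcd/config instead,
#   which is why several checks are `type: "skip"` (reported as INFO, never
#   PASS or FAIL).
# - A skipped check is NOT evidence that the control is satisfied. This file
#   gives no justification for the skips; presumably RKE2 provisions etcd
#   client/peer TLS itself -- confirm on the node before accepting the result.
controls:
  version: "rke2-cis-1.7"
  id: 2
  text: "Etcd Node Configuration"
  type: "etcd"
  groups:
    - id: 2
      text: "Etcd Node Configuration"
      checks:
        - id: 2.1
          text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
          # Skipped (see header note); the test items below are not evaluated.
          type: "skip"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          tests:
            # Both flags must be present (or set via ETCD_CERT_FILE / ETCD_KEY_FILE).
            bin_op: and
            test_items:
              - flag: "--cert-file"
                env: "ETCD_CERT_FILE"
                set: true
              - flag: "--key-file"
                env: "ETCD_KEY_FILE"
                set: true
          # Remediation uses $etcdconf like the other checks in this file; the
          # placeholder for --cert-file is the server certificate, not the CA.
          remediation: |
            Follow the etcd service documentation and configure TLS encryption.
            Then, edit the etcd pod specification file $etcdconf on the master
            node and set the below parameters.
            --cert-file=</path/to/cert-file>
            --key-file=</path/to/key-file>
            Not Applicable.
          scored: true

        - id: 2.2
          text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
          # Skipped (see header note); the test item below is not evaluated.
          type: "skip"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          tests:
            test_items:
              - flag: "--client-cert-auth"
                env: "ETCD_CLIENT_CERT_AUTH"
                compare:
                  op: eq
                  value: "true"
                set: true
          remediation: |
            Edit the etcd pod specification file $etcdconf on the master
            node and set the below parameter.
            --client-cert-auth="true"
            Not Applicable.
          scored: true

        - id: 2.3
          text: "Ensure that the --auto-tls argument is not set to true (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          tests:
            # Passes when the flag is absent, or present and explicitly false.
            # A self-signed auto-TLS cert would silently replace the CA-issued
            # one configured by 2.1, so either outcome here is acceptable.
            bin_op: or
            test_items:
              - flag: "--auto-tls"
                env: "ETCD_AUTO_TLS"
                set: false
              - flag: "--auto-tls"
                env: "ETCD_AUTO_TLS"
                compare:
                  op: eq
                  value: "false"
                set: true
          remediation: |
            Edit the etcd pod specification file $etcdconf on the master
            node and either remove the --auto-tls parameter or set it to false.
            --auto-tls=false
          scored: true

        - id: 2.4
          text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
          # Skipped (see header note); the test items below are not evaluated.
          type: "skip"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          tests:
            # Both peer flags must be present (or set via the ETCD_PEER_* env vars).
            bin_op: and
            test_items:
              - flag: "--peer-cert-file"
                env: "ETCD_PEER_CERT_FILE"
                set: true
              - flag: "--peer-key-file"
                env: "ETCD_PEER_KEY_FILE"
                set: true
          # The flag name in the remediation matches the flag the test looks
          # for (--peer-cert-file); etcd has no --peer-client-file option.
          remediation: |
            Follow the etcd service documentation and configure peer TLS encryption as appropriate
            for your etcd cluster.
            Then, edit the etcd pod specification file $etcdconf on the
            master node and set the below parameters.
            --peer-cert-file=</path/to/peer-cert-file>
            --peer-key-file=</path/to/peer-key-file>
            Not Applicable.
          scored: true

        - id: 2.5
          text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
          # Skipped (see header note); the test item below is not evaluated.
          type: "skip"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          tests:
            test_items:
              - flag: "--peer-client-cert-auth"
                env: "ETCD_PEER_CLIENT_CERT_AUTH"
                compare:
                  op: eq
                  value: "true"
                set: true
          remediation: |
            Edit the etcd pod specification file $etcdconf on the master
            node and set the below parameter.
            --peer-client-cert-auth=true
            Not Applicable.
          scored: true

        - id: 2.6
          text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          tests:
            # Same shape as 2.3: absent, or present and explicitly false.
            bin_op: or
            test_items:
              - flag: "--peer-auto-tls"
                env: "ETCD_PEER_AUTO_TLS"
                set: false
              - flag: "--peer-auto-tls"
                env: "ETCD_PEER_AUTO_TLS"
                compare:
                  op: eq
                  value: "false"
                set: true
          remediation: |
            Edit the etcd pod specification file $etcdconf on the master
            node and either remove the --peer-auto-tls parameter or set it to false.
            --peer-auto-tls=false
          scored: true

        - id: 2.7
          text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
          audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
          # Second source of evidence: RKE2's own etcd config file.
          audit_config: "cat /var/lib/rancher/rke2/server/db/etcd/config"
          # NOTE(review): the title says "(Automated)" and the check is scored,
          # yet the remediation is tagged "[Manual test]". Neither branch below
          # proves the CA is *unique*: the first only proves that some trusted
          # CA file is configured, the second only that the RKE2-generated peer
          # CA path is in use. A PASS here still needs a manual comparison of
          # the etcd CA against the CA used for the Kubernetes control plane.
          tests:
            bin_op: or
            test_items:
              - flag: "--trusted-ca-file"
                env: "ETCD_TRUSTED_CA_FILE"
                set: true
              # Read from the audit_config output, not the process line.
              - path: "{.peer-transport-security.trusted-ca-file}"
                compare:
                  op: eq
                  value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt"
                set: true
          remediation: |
            [Manual test]
            Follow the etcd documentation and create a dedicated certificate authority setup for the
            etcd service.
            Then, edit the etcd pod specification file $etcdconf on the
            master node and set the below parameter.
            --trusted-ca-file=</path/to/ca-file>
          scored: true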