--- controls: version: "k3s-cis-1.8" id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" audit_config: "cat $etcdconf" tests: bin_op: and test_items: - path: "{.client-transport-security.cert-file}" compare: op: eq value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" - path: "{.client-transport-security.key-file}" compare: op: eq value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key" remediation: | If running on with sqlite or a external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s generates cert and key files for etcd. These are located in /var/lib/rancher/k3s/server/tls/etcd/. If this check fails, ensure that the configuration file $etcdconf has not been modified to use custom cert and key files. scored: false - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" audit_config: "cat $etcdconf" tests: test_items: - path: "{.client-transport-security.client-cert-auth}" compare: op: eq value: true remediation: | If running on with sqlite or a external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s sets the --client-cert-auth parameter to true. If this check fails, ensure that the configuration file $etcdconf has not been modified to disable client certificate authentication. scored: false - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" audit_config: "cat $etcdconf" tests: bin_op: or test_items: - path: "{.client-transport-security.auto-tls}" compare: op: eq value: false - path: "{.client-transport-security.auto-tls}" set: false remediation: | If running on with sqlite or a external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s does not set the --auto-tls parameter. If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. client-transport-security: auto-tls: false scored: false - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" audit_config: "cat $etcdconf" tests: bin_op: and test_items: - path: "{.peer-transport-security.cert-file}" compare: op: eq value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt" - path: "{.peer-transport-security.key-file}" compare: op: eq value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key" remediation: | If running on with sqlite or a external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s generates peer cert and key files for etcd. These are located in /var/lib/rancher/k3s/server/tls/etcd/. If this check fails, ensure that the configuration file $etcdconf has not been modified to use custom peer cert and key files. scored: false - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" audit_config: "cat $etcdconf" tests: test_items: - path: "{.peer-transport-security.client-cert-auth}" compare: op: eq value: true remediation: | If running on with sqlite or a external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true. If this check fails, ensure that the configuration file $etcdconf has not been modified to disable peer client certificate authentication. scored: false - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" audit_config: "cat $etcdconf" tests: bin_op: or test_items: - path: "{.peer-transport-security.auto-tls}" compare: op: eq value: false - path: "{.peer-transport-security.auto-tls}" set: false remediation: | If running on with sqlite or a external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s does not set the --peer-auto-tls parameter. If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. peer-transport-security: auto-tls: false scored: false - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" audit_config: "cat $etcdconf" tests: test_items: - path: "{.peer-transport-security.trusted-ca-file}" compare: op: eq value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt" remediation: | If running on with sqlite or a external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s generates a unique certificate authority for etcd. This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. If this check fails, ensure that the configuration file $etcdconf has not been modified to use a shared certificate authority. scored: false