--- controls: version: "cis-1.24" id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: bin_op: and test_items: - flag: "--cert-file" env: "ETCD_CERT_FILE" - flag: "--key-file" env: "ETCD_KEY_FILE" remediation: | Not applicable. MicroK8s used dqlite and the communication to this service is done through a local socket (/var/snap/microk8s/current/var/kubernetes/backend/kine.sock:12379) accessible to users with root permissions. scored: false - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: test_items: - flag: "--client-cert-auth" env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true remediation: | Not applicable. MicroK8s used dqlite and the communication to this service is done through a local socket (/var/snap/microk8s/current/var/kubernetes/backend/kine.sock:12379) accessible to users with root permissions. scored: false - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: bin_op: or test_items: - flag: "--auto-tls" env: "ETCD_AUTO_TLS" set: false - flag: "--auto-tls" env: "ETCD_AUTO_TLS" compare: op: eq value: false remediation: | Not applicable. MicroK8s used dqlite and the communication to this service is done through a local socket (/var/snap/microk8s/current/var/kubernetes/backend/kine.sock:12379) accessible to users with root permissions. scored: false - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" audit: "if test -e /var/snap/microk8s/current/var/kubernetes/backend/cluster.crt && test -e /var/snap/microk8s/current/var/kubernetes/backend/cluster.key; then echo 'certs-found'; fi" tests: test_items: - flag: "certs-found" remediation: | The certificate pair for dqlite and tls peer communication is /var/snap/microk8s/current/var/kubernetes/backend/cluster.crt and /var/snap/microk8s/current/var/kubernetes/backend/cluster.key. scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" audit: "/bin/cat $etcdconf | /bin/grep enable-tls || true" tests: bin_op: or test_items: - flag: "--enable-tls" compare: op: eq value: true - flag: "--enable-tls" set: false remediation: | MicroK8s used dqlite and tls peer communication uses is TLS if the --enable-tls is set in /var/snap/microk8s/current/args/k8s-dqlite, set to true by default. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: bin_op: or test_items: - flag: "--peer-auto-tls" env: "ETCD_PEER_AUTO_TLS" set: false - flag: "--peer-auto-tls" env: "ETCD_PEER_AUTO_TLS" compare: op: eq value: false remediation: | Not applicable. MicroK8s used dqlite and tls peer communication uses the certificates created upon the snap creation. scored: false - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Manual)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: test_items: - flag: "--trusted-ca-file" env: "ETCD_TRUSTED_CA_FILE" remediation: | Not applicable. MicroK8s used dqlite and tls peer communication uses the certificates created upon the snap creation. scored: false