--- controls: version: "rke-cis-1.7" id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: bin_op: and test_items: - flag: "--cert-file" env: "ETCD_CERT_FILE" - flag: "--key-file" env: "ETCD_KEY_FILE" remediation: | Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters. --cert-file= --key-file= scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: test_items: - flag: "--client-cert-auth" env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true remediation: | Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --client-cert-auth="true" scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: bin_op: or test_items: - flag: "--auto-tls" env: "ETCD_AUTO_TLS" set: false - flag: "--auto-tls" env: "ETCD_AUTO_TLS" compare: op: eq value: false remediation: | Edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. --auto-tls=false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: bin_op: and test_items: - flag: "--peer-cert-file" env: "ETCD_PEER_CERT_FILE" - flag: "--peer-key-file" env: "ETCD_PEER_KEY_FILE" remediation: | Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameters. --peer-client-file= --peer-key-file= scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: test_items: - flag: "--peer-client-cert-auth" env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true remediation: | Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --peer-client-cert-auth=true scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: bin_op: or test_items: - flag: "--peer-auto-tls" env: "ETCD_PEER_AUTO_TLS" set: false - flag: "--peer-auto-tls" env: "ETCD_PEER_AUTO_TLS" compare: op: eq value: false remediation: | Edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. --peer-auto-tls=false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" tests: test_items: - flag: "--trusted-ca-file" env: "ETCD_TRUSTED_CA_FILE" set: true remediation: | [Manual test] Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --trusted-ca-file= scored: true