--- controls: version: "k3s-cis-1.24" id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'" tests: bin_op: and test_items: - flag: "cert-file" set: true - flag: "key-file" set: true remediation: | Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters. --cert-file= --key-file= scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" compare: op: eq value: true set: true remediation: | Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --client-cert-auth="true" scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi" tests: bin_op: or test_items: - flag: "--auto-tls" set: false - flag: "--auto-tls" compare: op: eq value: false remediation: | Edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. --auto-tls=false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'" tests: bin_op: and test_items: - flag: "cert-file" set: true - flag: "key-file" set: true remediation: | Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameters. --peer-client-file= --peer-key-file= scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" compare: op: eq value: true set: true remediation: | Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --peer-client-cert-auth=true scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi" tests: bin_op: or test_items: - flag: "--peer-auto-tls" set: false - flag: "--peer-auto-tls" compare: op: eq value: false set: true remediation: | Edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. --peer-auto-tls=false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi" tests: test_items: - flag: "trusted-ca-file" set: true remediation: | [Manual test] Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --trusted-ca-file= scored: false