Check: CNTR-K8-003120
Kubernetes STIG:
CNTR-K8-003120
(in versions v2 r2 through v1 r0.1)
Title
The Kubernetes component etcd must be owned by etcd. (Cat II impact)
Discussion
The Kubernetes etcd key-value store provides a way to store data to the Control Plane. If these files can be changed, data to API object and the Control Plane would be compromised. The scheduler will implement the changes immediately. Many of the security settings within the document are implemented through this file.
Check Content
Review the ownership of the Kubernetes etcd files by using the command: stat -c %U:%G /var/lib/etcd/* | grep -v etcd:etcd If the command returns any non etcd:etcd file permissions, this is a finding.
Fix Text
Change the ownership of the manifest files to etcd:etcd by executing the command: chown etcd:etcd /var/lib/etcd/*
Additional Identifiers
Rule ID: SV-242445r961863_rule
Vulnerability ID: V-242445
Group Title: SRG-APP-000516-CTR-001325
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |