Profile applicability: Level 1 - Master Node
Ensure that the etcd data directory has permissions of 700 or more restrictive.
etcd is a highly-available key-value store used by Kubernetes deployments for persistent
storage of all of its REST API objects. This data directory should be protected from
any
unauthorized reads or writes. It should not be readable or writable by any group members
or the
world.
 |
NoteBy default, etcd data directory has permissions of 755.
|
Audit
On the etcd server node, get the etcd data directory, passed as an argument
--data-dir, from the below command:ps -ef | grep etcd
Run the below command (based on the etcd data directory found above).
stat -c %a /var/lib/etcd
Verify that the permissions are 700 or more restrictive.
Remediation
On the etcd server node, get the etcd data directory, passed as an argument
--data-dir, from the below command:ps -ef | grep etcd
Run the below command (based on the etcd data directory found above).
chmod 700 /var/lib/etcd