CIS-1.1.11 - Ensure that the etcd data directory permissions are set to 700 or more restrictive

Ensure that the etcd data directory permissions are set to 700 or more restrictive

Note: to enable this control run Kubescape with host sensor (see here)

Framework

CIS

Severity

High

Description of the the issue

etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should not be readable or writable by any group members or the world.

Related resources

What does this control test

Ensure that the etcd data directory has permissions of 700 or more restrictive.

How to check it manually

On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command:

ps -ef | grep etcd

Run the below command (based on the etcd data directory found above). For example,

stat -c %a /var/lib/etcd

Verify that the permissions are 700 or more restrictive.

Remediation

On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command:

ps -ef | grep etcd

Run the below command (based on the etcd data directory found above). For example,

chmod 700 /var/lib/etcd

Impact Statement

None

Default Value

By default, etcd data directory has permissions of 755.

Example

No example