# SCAP Security Guide rule: etcd write-ahead-log files must be mode 0600.
# The `{{{ ... }}}` calls below are macros expanded when the content is built;
# the file path and mode they receive must stay in sync with the `template`
# section at the bottom (currently: /var/lib/etcd/member/wal/*, 0600).
documentation_complete: true


title: 'Verify Permissions on the Etcd Write-Ahead-Log Files'

# Prose for the rule body; the glob form of the path is used here, the anchored
# regex form under `template.vars.filepath` is what the check actually evaluates.
description: |-
    {{{ describe_file_permissions(file="/var/lib/etcd/member/wal/*", perms="0600") }}}

rationale: |-
    etcd is a highly-available key-value store used by Kubernetes deployments for persistent
    storage of all of its REST API objects. This data directory should be protected from any
    unauthorized reads or writes. It should not be readable or writable by any group members
    or the world.

severity: medium

identifiers:
    cce@ocp4: CCE-83382-2

# Compliance mappings; the CIS entry is the OpenShift (ocp4) benchmark item.
references:
    cis@ocp4: 1.1.11
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    srg: SRG-APP-000516-CTR-001325

# Manual-check text. The symbolic mode "-rw-------" is the ls(1) rendering of
# the numeric 0600 used in `description` and `template.vars.filemode`; change
# them together.
ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/lib/etcd/member/wal/*", perms="-rw-------") }}}'

ocil: |-
    {{{ ocil_file_permissions(file="/var/lib/etcd/member/wal/*", perms="-rw-------") }}}

# Limits evaluation to master nodes; see the dependency warning below.
platform: ocp4-master-node

warnings:
    - dependency: |-
        This rule is only applicable for nodes that run the Etcd service.
        The aforementioned service is only running on the nodes labeled
        "master" by default.

# Automated check. Only mode bits are verified here; file owner/group are not
# among the variables passed to the file_permissions template in this rule.
template:
    name: file_permissions
    vars:
        # Anchored regex: every path directly under the wal directory.
        filepath: ^/var/lib/etcd/member/wal/.*$
        # Quoted so the leading zero is not read as an octal integer by the YAML loader.
        filemode: '0600'
        # NOTE(review): kept as the string "true"; the template appears to expect the
        # string form rather than a YAML boolean — confirm before changing it.
        filepath_is_regex: "true"