Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Rancher Government Solutions RKE2 Security Technical Implementation Guide
SRG-APP-000133-CTR-000300
SRG-APP-000133-CTR-000300
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-APP-000133-CTR-000300
1 Rule
<GroupDescription></GroupDescription>
Configuration and authentication files for Rancher RKE2 must be protected.
Medium Severity
<VulnDiscussion>There are various configuration files, logs, access credentials, and other files stored on the host filesystem that contain sensitive information. These files could potentially put at risk, along with other specific workloads and components: - API server. - proxy. - scheduler. - controller. - etcd. - Kubernetes administrator account information. - audit log access, modification, and deletion. - application access, modification, and deletion. - container runtime files. If an attacker can gain access to these files, changes can be made to open vulnerabilities and bypass user authorizations inherent within Kubernetes with RBAC implemented. It is crucial to ensure user permissions are enforced down through to the operating system. Protecting file permissions will ensure that if a nonprivileged user gains access to the system they will still not be able to access protected information from the cluster API, cluster configuration, and sensitive cluster information. This control relies on the underlying operating system also having been properly configured to allow only least privileged access to perform required operations. Satisfies: SRG-APP-000133-CTR-000300, SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000305, SRG-APP-000133-CTR-000310</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>