Verify Permissions on the Etcd Write-Ahead-Log Files
An XCCDF Rule
Description
To properly set the permissions of /var/lib/etcd/member/wal/*, run the command:
$ sudo chmod 0600 /var/lib/etcd/member/wal/*
Dependency Warning: This rule is only applicable for nodes that run the Etcd service. The aforementioned service is only running on the nodes labeled "master" by default.
Rationale
etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should not be readable or writable by any group members or the world.
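The following script is an added example (not part of the XCCDF rule content or the SSG project) showing how an operator might audit the WAL files against this rule and apply the remediation above. It assumes GNU coreutils `stat -c '%a'` (Linux); the WAL_DIR override and the sandbox directory with its two constructed .wal file names exist only so the check can be exercised without touching a real etcd node.

```shell
#!/bin/sh
# Added example: audit and remediate permissions on etcd WAL files.
# WAL_DIR defaults to the directory named by the rule; override it to
# run the check against a sandbox instead of a live control-plane node.
WAL_DIR="${WAL_DIR:-/var/lib/etcd/member/wal}"

# Octal permission bits of a file, e.g. "600" (GNU stat; assumption).
file_mode() {
    stat -c '%a' "$1"
}

# Audit: report every regular file in the directory that has any group
# or world bit set (i.e. is more permissive than 0600, per the rationale).
# Returns 0 when every file complies, 1 otherwise.
check_wal_perms() {
    dir="${1:-$WAL_DIR}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        # Leading 0 makes the arithmetic treat the mode as octal.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL: $f has mode $mode (expected 0600)"
            rc=1
        fi
    done
    return $rc
}

# Remediate: apply the rule's chmod 0600 to each regular file.
fix_wal_perms() {
    dir="${1:-$WAL_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        chmod 0600 "$f"
    done
    return 0
}

# Constructed sandbox (not a real etcd data directory): two empty files
# named like WAL segments, one too permissive and one already compliant.
make_sandbox() {
    tmp=$(mktemp -d)
    : > "$tmp/0000000000000000-0000000000000000.wal"
    : > "$tmp/0000000000000001-0000000000001000.wal"
    chmod 0644 "$tmp/0000000000000000-0000000000000000.wal"
    chmod 0600 "$tmp/0000000000000001-0000000000001000.wal"
    echo "$tmp"
}

# Stand-alone run: audit the sandbox, remediate, audit again.
if [ "${1:-}" = "--demo" ]; then
    sb=$(make_sandbox)
    check_wal_perms "$sb" || echo "audit failed, remediating"
    fix_wal_perms "$sb"
    check_wal_perms "$sb" && echo "sandbox $sb now compliant"
fi
```

Run with `--demo` to see the audit fail on the 0644 file and pass after remediation; run without arguments on a control-plane node (as root) and call `check_wal_perms` to audit the real directory before deciding to apply `fix_wal_perms`.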
ID: xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_files
Severity: Medium
References:
Updated: