Verify Permissions on the Etcd PKI Certificate Files

An XCCDF Rule

Details
Profiles
Prose

Description

To properly set the permissions of /etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt, run the command:

$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt

warning alert: Dependency Warning

This rule is only applicable for nodes that run the Etcd service. The aforementioned service is only running on the nodes labeled "master" by default.

Rationale

OpenShift makes use of a number of certificate files as part of the operation of its components. The permissions on these files should be set to

or more restrictive to protect their integrity.

ID: xccdf_org.ssgproject.content_rule_file_permissions_etcd_pki_cert_files
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

SRG-APP-000516-CTR-001325

1.1.20

CCE-83362-4
Updated: about 1 year ago