
Disable etcd Peer Self-Signed Certificates

An XCCDF Rule

Description

To ensure the etcd service is not using self-signed certificates, run the following command:

$ oc get cm/etcd-pod -n openshift-etcd -o yaml
The etcd pod configuration contained in the configmap should not contain the --peer-auto-tls=true flag.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod{{end}} API endpoint, filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.items[0].spec.containers[0].command | join(" ")]{{else}}[.data."pod.yaml"]{{end}} and persist it to the local /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027 file.
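The following script is an added example, not part of this rule or of the ComplianceAsCode project's own OVAL content. It emulates the check described above offline: it reproduces both jq filters from the warning (the ConfigMap form and the HyperShift PodList form) in Python, then inspects the resulting etcd command line for --peer-auto-tls. The sample API dumps are constructed and abridged; the flag semantics assumed are those of etcd's Go flag parsing, where a bare --peer-auto-tls means true and true/t/1 (case-insensitive) are accepted as true values.

```python
"""Offline emulation of the etcd_peer_auto_tls check (added example).

Reproduces the two jq filters from the rule's warning and decides whether the
etcd command line enables --peer-auto-tls.  Assumes the dumps are ordinary
Kubernetes JSON objects (a ConfigMap, or a PodList for HyperShift) and that
boolean flags follow Go flag semantics (bare flag == true; true/t/1 accepted).
"""
import json
import re

# Match the flag as a whole token so "--peer-auto-tls-something" never counts,
# and stop the value at the first non-word character (space, quote, comma).
_FLAG_RE = re.compile(r"(?<![\w-])--peer-auto-tls(?:=(\w*))?(?![\w-])")
_TRUE_VALUES = {"true", "t", "1"}


def extract_etcd_command_text(api_dump: str, hypershift: bool = False) -> list:
    """Reproduce the rule's jq filter and return its one-element list.

    Non-HyperShift: [.data."pod.yaml"]  (the static-pod manifest as a string)
    HyperShift:     [.items[0].spec.containers[0].command | join(" ")]
    """
    doc = json.loads(api_dump)
    if hypershift:
        first_container = doc["items"][0]["spec"]["containers"][0]
        return [" ".join(first_container["command"])]
    return [doc["data"]["pod.yaml"]]


def peer_auto_tls_enabled(command_text: str) -> bool:
    """True when any --peer-auto-tls occurrence evaluates to true."""
    for match in _FLAG_RE.finditer(command_text):
        value = match.group(1)
        if value is None:          # bare flag: Go bool flags default to true
            return True
        if value.lower() in _TRUE_VALUES:
            return True
    return False


def check_rule(api_dump: str, hypershift: bool = False) -> dict:
    """Evaluate the rule: pass if the flag is absent or explicitly false."""
    text = extract_etcd_command_text(api_dump, hypershift)[0]
    enabled = peer_auto_tls_enabled(text)
    return {"result": "fail" if enabled else "pass", "peer_auto_tls": enabled}


# Constructed sample dumps (abridged; real manifests are much longer).
NONCOMPLIANT_CONFIGMAP = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "etcd-pod", "namespace": "openshift-etcd"},
    "data": {"pod.yaml": (
        "apiVersion: v1\nkind: Pod\nspec:\n  containers:\n  - name: etcd\n"
        "    command: [\"/bin/sh\", \"-c\", \"exec etcd --name=${ETCD_NAME} "
        "--peer-cert-file=/etc/kubernetes/static-pod-certs/peer.crt "
        "--peer-auto-tls=true --listen-peer-urls=https://0.0.0.0:2380\"]\n")},
})

# Same manifest with the offending flag swapped for an unrelated peer option.
COMPLIANT_CONFIGMAP = NONCOMPLIANT_CONFIGMAP.replace(
    " --peer-auto-tls=true", " --peer-client-cert-auth=true")

# HyperShift variant: the etcd pod's command is a JSON list, flag given bare.
HYPERSHIFT_PODLIST = json.dumps({
    "apiVersion": "v1", "kind": "PodList",
    "items": [{"spec": {"containers": [{
        "name": "etcd",
        "command": ["etcd", "--name=etcd-0", "--peer-auto-tls",
                    "--listen-peer-urls=https://0.0.0.0:2380"]}]}}],
})

if __name__ == "__main__":
    for label, dump, hs in [("configmap (noncompliant)", NONCOMPLIANT_CONFIGMAP, False),
                            ("configmap (compliant)", COMPLIANT_CONFIGMAP, False),
                            ("hypershift podlist", HYPERSHIFT_PODLIST, True)]:
        print(label, check_rule(dump, hypershift=hs))
```

Run against a real dump, feed the JSON returned by the API endpoint above into check_rule(); the same text-pattern approach is what makes a bare --peer-auto-tls (no =true) a finding as well, which a naive search for the literal string --peer-auto-tls=true would miss.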

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Using self-signed certificates means the peer certificates are never validated against a certificate authority, which could allow compromised or tampered data to go undetected.

ID
xccdf_org.ssgproject.content_rule_etcd_peer_auto_tls
Severity
Medium