1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd

Information

Ensure that the etcd data directory ownership is set to etcd:etcd.

Rationale:

etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by etcd:etcd.

NOTE: The only users that exist on an RHCOS OpenShift node are root and core. This is intentional, as regular management of the underlying RHCOS cluster nodes is designed to be performed via the OpenShift API itself. The core user is a member of the wheel group, which gives it permission to use sudo for running privileged commands. Adding additional users at the node level is highly discouraged.

Impact:

None

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

No remediation required; file ownership is managed by the operator.

Default Value:

By default, in OpenShift 4, etcd data directory ownership is set to root:root.

See Also

https://workbench.cisecurity.org/benchmarks/16094