The Kubernetes component etcd must be owned by etcd.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-242445 | CNTR-K8-003120 | SV-242445r961863_rule | CCI-000366 | medium |
| Description | ||||
| The Kubernetes etcd key-value store provides a way to store data to the Control Plane. If these files can be changed, data to API object and the Control Plane would be compromised. The scheduler will implement the changes immediately. Many of the security settings within the document are implemented through this file. | ||||
| STIG | Date | |||
| Kubernetes Security Technical Implementation Guide | 2025-05-16 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-242445r961863_chk)
Review the ownership of the Kubernetes etcd files by using the command:
stat -c %U:%G /var/lib/etcd/* | grep -v etcd:etcd
If the command returns any non etcd:etcd file permissions, this is a finding.
Fix Text (F-45678r712690_fix)
Change the ownership of the manifest files to etcd:etcd by executing the command:
chown etcd:etcd /var/lib/etcd/*