
V-254564

CAT II (Medium)

Configuration and authentication files for Rancher RKE2 must be protected.

Rule ID

SV-254564r1156618_rule

STIG

Rancher Government Solutions RKE2 Security Technical Implementation Guide

Version

V2R6

CCIs

CCI-001499

Discussion

There are various configuration files, logs, access credentials, and other files stored on the host filesystem that contain sensitive information. These files could potentially be put at risk, along with other specific workloads and components:
- API server.
- proxy.
- scheduler.
- controller.
- etcd.
- Kubernetes administrator account information.
- audit log access, modification, and deletion.
- application access, modification, and deletion.
- container runtime files.

If an attacker can gain access to these files, changes can be made to open vulnerabilities and bypass user authorizations inherent within Kubernetes with RBAC implemented. It is crucial to ensure user permissions are enforced down through to the operating system. Protecting file permissions will ensure that if a nonprivileged user gains access to the system, they will still not be able to access protected information from the cluster API, cluster configuration, and sensitive cluster information. This control relies on the underlying operating system also having been properly configured to allow only least privileged access to perform required operations.

Satisfies: SRG-APP-000133-CTR-000300, SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000305, SRG-APP-000133-CTR-000310

Check Content

File system permissions:
1. Verify correct permissions of the files in /etc/rancher/rke2.
cd /etc/rancher/rke2
ls -l

all owners are root:root
all permissions are 0600

2. Verify correct permissions of the files in /var/lib/rancher/rke2.
cd /var/lib/rancher/rke2
ls -l

all owners are root:root

3. Verify correct permissions of the files and directories in /var/lib/rancher/rke2/agent.
cd /var/lib/rancher/rke2/agent
ls -l

owners and group are root:root

File permissions set to at least 0640 for the following:
rke2controller.kubeconfig
kubelet.kubeconfig
kubeproxy.kubeconfig

Certificate file permissions set to 0600:
client-ca.crt
client-kubelet.crt
client-kube-proxy.crt
client-rke2-controller.crt
server-ca.crt
serving-kubelet.crt

Key file permissions set to 0600:
client-kubelet.key
serving-kubelet.key
client-rke2-controller.key
client-kube-proxy.key

Directory permissions set to 0700:
pod-manifests
etc

4. Verify correct permissions of the files in /var/lib/rancher/rke2/bin.
cd /var/lib/rancher/rke2/bin
ls -l

all owners are root:root
all files are 0750

5. Verify correct permissions of the directory /var/lib/rancher/rke2/data.
cd /var/lib/rancher/rke2
ls -l

owners are root:root
permissions are 0750

6. Verify correct permissions of each file in /var/lib/rancher/rke2/data.
cd /var/lib/rancher/rke2/data
ls -l

all owners are root:root
all files are 0750

7. Verify correct permissions of /var/lib/rancher/rke2/server.
cd /var/lib/rancher/rke2/server
ls -l

all owners are root:root

The following directories are set to 0700:
cred
db
tls

The following directories are set to 0750:
manifests
logs

The following file is set to 0600:
token

8. Verify the RKE2 Server configuration file on all RKE2 Server hosts contains the following:
(cat /etc/rancher/rke2/config.yaml)
write-kubeconfig-mode: "0600"

If any of the permissions specified above do not match the required level, this is a finding.

The Check Content above can be applied mechanically. The script below is an added example, not part of the STIG text: it walks the same paths with the same required modes and owner, reads the step 8 line from config.yaml, and prints one FINDING line per mismatch plus the total count. It treats each required mode as a maximum (a stricter mode is not flagged), skips paths that are absent on the host (for example server/ on an agent-only node), and assumes GNU stat; RKE2_ROOT and RKE2_OWNER are variables introduced here so the rules can be exercised against a constructed directory tree as a non-root user.

```shell
#!/bin/sh
# Added audit script for the V-254564 checks; not part of the STIG text.
# Assumes GNU stat. RKE2_ROOT prefixes every path (lets the rules run against a
# constructed tree), RKE2_OWNER overrides root:root, absent paths are skipped.
RKE2_ROOT="${RKE2_ROOT:-}"
RKE2_OWNER="${RKE2_OWNER:-root:root}"
# mode_ok ACTUAL MAX: true when octal ACTUAL grants no bit beyond MAX
# (600 passes a 640 maximum, 644 does not). Leading 0 makes the math octal.
mode_ok() { [ $(( 0$1 & ~0$2 )) -eq 0 ]; }
# check_path PATH MAX_MODE ("-" = owner only): findings to stderr, return 1 if any.
check_path() {
    p="$1"; want="$2"; rc=0
    [ -e "$p" ] || { echo "SKIP $p: not present" >&2; return 0; }
    set -- $(stat -c '%a %U:%G' "$p")
    [ "$want" = "-" ] || mode_ok "$1" "$want" ||
        { echo "FINDING $p: mode $1 exceeds $want" >&2; rc=1; }
    [ "$2" = "$RKE2_OWNER" ] ||
        { echo "FINDING $p: owner $2, expected $RKE2_OWNER" >&2; rc=1; }
    return $rc
}
# audit_rke2: apply the Check Content rules (glob pattern, maximum mode) and
# the step 8 config line; print the finding count and return 1 if it is nonzero.
audit_rke2() {
    n=0
    while read -r pattern mode; do
        for p in "$RKE2_ROOT"$pattern; do
            check_path "$p" "$mode" || n=$((n + 1))
        done
    done <<'EOF'
/etc/rancher/rke2/* 600
/var/lib/rancher/rke2/* -
/var/lib/rancher/rke2/agent/*.kubeconfig 640
/var/lib/rancher/rke2/agent/*.crt 600
/var/lib/rancher/rke2/agent/*.key 600
/var/lib/rancher/rke2/agent/pod-manifests 700
/var/lib/rancher/rke2/agent/etc 700
/var/lib/rancher/rke2/bin/* 750
/var/lib/rancher/rke2/data 750
/var/lib/rancher/rke2/data/* 750
/var/lib/rancher/rke2/server/cred 700
/var/lib/rancher/rke2/server/db 700
/var/lib/rancher/rke2/server/tls 700
/var/lib/rancher/rke2/server/manifests 750
/var/lib/rancher/rke2/server/logs 750
/var/lib/rancher/rke2/server/token 600
EOF
    cfg="$RKE2_ROOT/etc/rancher/rke2/config.yaml"
    [ ! -f "$cfg" ] || grep -q '^write-kubeconfig-mode: "0600"' "$cfg" ||
        { echo "FINDING $cfg: write-kubeconfig-mode is not \"0600\"" >&2; n=$((n + 1)); }
    echo "$n"; [ "$n" -eq 0 ]
}
```

On a real node, source the file as root and run audit_rke2 with RKE2_ROOT left empty; a nonzero count (and nonzero exit) means this rule is a finding.
<test>
set -e
T=$(mktemp -d)
mkdir -p "$T/etc/rancher/rke2" "$T/var/lib/rancher/rke2/agent" "$T/var/lib/rancher/rke2/server/tls"
printf 'write-kubeconfig-mode: "0600"\n' > "$T/etc/rancher/rke2/config.yaml"
chmod 600 "$T/etc/rancher/rke2/config.yaml"
touch "$T/var/lib/rancher/rke2/agent/kubelet.kubeconfig" "$T/var/lib/rancher/rke2/agent/client-kubelet.key" "$T/var/lib/rancher/rke2/server/token"
chmod 640 "$T/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
chmod 600 "$T/var/lib/rancher/rke2/agent/client-kubelet.key" "$T/var/lib/rancher/rke2/server/token"
chmod 700 "$T/var/lib/rancher/rke2/server/tls"
RKE2_ROOT="$T"
RKE2_OWNER=$(stat -c '%U:%G' "$T")
mode_ok 600 640 || exit 1
mode_ok 700 700 || exit 1
if mode_ok 644 640; then exit 1; fi
if mode_ok 750 700; then exit 1; fi
n=$(audit_rke2 2>/dev/null) || true
[ "$n" = "0" ] || exit 1
chmod 644 "$T/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
printf 'write-kubeconfig-mode: "0644"\n' > "$T/etc/rancher/rke2/config.yaml"
n=$(audit_rke2 2>/dev/null) || true
[ "$n" = "2" ] || exit 1
rm -rf "$T"
</test>

Fix Text

File system permissions:
1. Fix permissions of the files in /etc/rancher/rke2:
cd /etc/rancher/rke2
chmod 0600 ./*
chown root:root ./*
ls -l

2. Fix permissions of the files in /var/lib/rancher/rke2:
cd /var/lib/rancher/rke2
chown root:root ./*
ls -l

3. Fix permissions of the files and directories in /var/lib/rancher/rke2/agent:
cd /var/lib/rancher/rke2/agent
chown root:root ./*
chmod 0700 pod-manifests
chmod 0700 etc
find . -maxdepth 1 -type f -name "*.kubeconfig" -exec chmod 0640 {} \;
find . -maxdepth 1 -type f -name "*.crt" -exec chmod 0600 {} \;
find . -maxdepth 1 -type f -name "*.key" -exec chmod 0600 {} \;
ls -l

4. Fix permissions of the files in /var/lib/rancher/rke2/bin:
cd /var/lib/rancher/rke2/bin
chown root:root ./*
chmod 0750 ./*
ls -l

5. Fix permissions of the directory /var/lib/rancher/rke2/data:
cd /var/lib/rancher/rke2
chown root:root data
chmod 0750 data
ls -l

6. Fix permissions of files in /var/lib/rancher/rke2/data:
cd /var/lib/rancher/rke2/data
chown root:root ./*
chmod 0750 ./*
ls -l

7. Fix permissions in /var/lib/rancher/rke2/server:
cd /var/lib/rancher/rke2/server
chown root:root ./*
chmod 0700 cred
chmod 0700 db
chmod 0700 tls
chmod 0750 manifests
chmod 0750 logs
chmod 0600 token
ls -l

Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, to contain the following:

write-kubeconfig-mode: "0600"

Once the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server