
List of CIS Benchmark Explanations

CIS 1.1.12 - Explanation

CIS 1.1.12

ID: 1.1.12

Text: Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)

Remediation: On the etcd server node, get the etcd data directory, passed as the argument --data-dir, from the command 'ps -ef | grep etcd'. Run the below command (based on the etcd data directory found above). For example: chown etcd:etcd /var/lib/etcd

DKP Explanation

In DKP, the etcd files are owned by root. Creating a separate etcd user would add further attack vectors to manage. On previous STIGs, leaving ownership as root:root has been accepted.

CIS 1.2.5 - Explanation

CIS 1.2.5

ID: 1.2.5

Text: Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)

Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the --kubelet-certificate-authority parameter to the path of the certificate authority's cert file:
--kubelet-certificate-authority=<ca-string>

DKP Explanation

The --kubelet-certificate-authority flag needs to be set on each API Server only after the cluster has been fully provisioned; setting it earlier causes issues with creating and joining worker nodes via CAPI and kubeadm.
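As an added audit example (not DKP's own tooling and not part of the original page), the POSIX shell helpers below check both items above: the ownership of the etcd --data-dir taken from the running etcd process (1.1.12, with the expected owner as a parameter so the DKP root:root posture can be checked as well as the CIS etcd:etcd default), and whether the API server manifest sets --kubelet-certificate-authority (1.2.5). The manifest path /etc/kubernetes/manifests/kube-apiserver.yaml is an assumed kubeadm default standing in for $apiserverconf.

```shell
#!/bin/sh
# Added audit helpers for CIS 1.1.12 and 1.2.5 (example code, not DKP's).
# Assumes ps, ls, awk and grep are available and the manifest is readable.

# Print the value of --data-dir from an etcd command line.
# Handles both "--data-dir=/path" and "--data-dir /path"; prints nothing if absent.
etcd_data_dir_from_cmdline() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^--data-dir=/) { sub(/^--data-dir=/, "", $i); print $i; exit }
            if ($i == "--data-dir" && i < NF) { print $(i + 1); exit }
        }
    }'
}

# Print "pass" when PATH is owned by EXPECTED (user:group), else "fail:<actual>".
# Uses ls -ld so it works with both GNU and BSD userlands.
check_owner() {
    path=$1; expected=$2
    [ -e "$path" ] || { echo "fail:missing"; return 1; }
    actual=$(ls -ld "$path" | awk '{print $3 ":" $4}')
    if [ "$actual" = "$expected" ]; then echo pass; return 0; fi
    echo "fail:$actual"; return 1
}

# CIS 1.1.12: find the running etcd, extract --data-dir, check its owner.
# Default expectation is etcd:etcd (CIS); pass root:root for the DKP posture.
audit_etcd_data_dir() {
    expected=${1:-etcd:etcd}
    cmdline=$(ps -eo args | grep -E '(^|/)etcd( |$)' | head -n 1)
    [ -n "$cmdline" ] || { echo "fail:etcd-not-running"; return 1; }
    dir=$(etcd_data_dir_from_cmdline "$cmdline")
    [ -n "$dir" ] || { echo "fail:no-data-dir-flag"; return 1; }
    check_owner "$dir" "$expected"
}

# CIS 1.2.5: "pass" if the manifest sets --kubelet-certificate-authority
# to a non-empty value; the default path is the assumed kubeadm location.
apiserver_has_kubelet_ca() {
    manifest=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
    if grep -Eq -- '--kubelet-certificate-authority=[^[:space:]"]+' "$manifest" 2>/dev/null; then
        echo pass; return 0
    fi
    echo fail; return 1
}
```

Run audit_etcd_data_dir root:root on a DKP control plane node to confirm the posture described above, and apiserver_has_kubelet_ca after provisioning completes.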
