Profile Applicability:

  • Level 1

Description:

Ensure that the file permissions for the default administrative credential file are set to 600 (read and write for the owning user only, no access for group or others). This ensures that only the root user or authorized service accounts can read the file, preventing unauthorized access to sensitive administrative credentials.

Rationale:

Setting the file permissions to 600 ensures that the administrative credentials are protected from unauthorized access. Only authorized users (typically root or the designated service accounts) will have access to the file, preventing potential security breaches due to unauthorized credential exposure.

Impact:

Pros:

  • Protects administrative credentials by restricting access to only authorized users.

  • Reduces the risk of unauthorized access and potential privilege escalation.

Cons:

  • If file permissions are improperly configured, it may cause operational issues, especially during system updates or troubleshooting, if necessary access is not granted to legitimate processes.

Default Value:

By default, the default administrative credential file may not have restrictive file permissions. Manual configuration is required to ensure the file permissions are set to 600.

Pre-Requisites:

  • Access to the administrative credential file.

  • Sufficient privileges (root or administrator access) to modify file permissions.

  • A Kubernetes environment configured with secure management of credential files.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 service and locate the instances or nodes running the administrative service.

  3. Check the file permissions for the default administrative credential file to ensure it is set to 600.

  4. Verify that only authorized users (root or service accounts) have access to the file.

Using AWS CLI:

Use the following command to check the file permissions for the default administrative credential file:

kubectl debug node/<node-name> -it --image=busybox -- ls -l /host/etc/credentials/<admin-credential-file>

Ensure that the file permissions are set to 600 (the listing should show -rw-------). If not, run the following command on the node itself to set the permissions:

sudo chmod 600 /etc/credentials/<admin-credential-file>

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 and locate the instance or node storing the administrative credential file.

  3. Review the file permissions for the administrative credential file.

  4. If the permissions are not set to 600, modify the file permissions by accessing the instance and updating the permissions.

Using AWS CLI:

Identify the node where the credential file is located:

kubectl get nodes

Access the node and check the file permissions for the administrative credential file (kubectl debug mounts the node's root filesystem at /host inside the debug pod):

kubectl debug node/<node-name> -it --image=busybox -- ls -l /host/etc/credentials/<admin-credential-file>

If needed, change the file permissions on the node itself:

sudo chmod 600 /etc/credentials/<admin-credential-file>
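The check and remediation above can be scripted so that an auditor gets a PASS/FAIL line per file instead of reading ls output by eye. The following is an added example, not part of the benchmark text; it assumes GNU coreutils stat (as found on Linux nodes) and takes the credential file path as an argument because the page leaves <admin-credential-file> as a placeholder.

```shell
#!/bin/sh
# Audit a credential file for mode 600 and the expected owner, and
# optionally remediate. Added example; assumes GNU coreutils `stat -c`.

# check_cred_perms FILE [OWNER]
# Returns 0 when FILE is a regular file with mode exactly 600 owned by
# OWNER (default: root). Prints one finding line per failed check.
check_cred_perms() {
    file=$1
    owner=${2:-root}
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file: not a regular file or does not exist"
        return 1
    fi
    mode=$(stat -c '%a' "$file")        # octal mode, e.g. 600 or 644
    cur_owner=$(stat -c '%U' "$file")   # owning user name
    if [ "$mode" != "600" ]; then
        echo "FAIL: $file: mode is $mode, expected 600"
        rc=1
    fi
    if [ "$cur_owner" != "$owner" ]; then
        echo "FAIL: $file: owner is $cur_owner, expected $owner"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $file: mode 600, owner $owner"
    fi
    return "$rc"
}

# remediate_cred_perms FILE [OWNER]
# Applies chmod 600 (and chown OWNER when running as root), then re-checks
# so the caller sees the post-change state.
remediate_cred_perms() {
    file=$1
    owner=${2:-root}
    chmod 600 "$file" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$file" || return 1
    fi
    check_cred_perms "$file" "$owner"
}
```

Run it on the node as check_cred_perms /etc/credentials/<admin-credential-file> for the audit, and remediate_cred_perms with the same path to apply the fix.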

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Navigate to the instance or node where the administrative credential file is stored.

  3. Review the file permissions for the credential file.

  4. Modify the file permissions if necessary to ensure proper access control.

  5. Confirm that the permissions changes are applied successfully.

Using AWS CLI:

To revert the file permissions to a less restrictive setting, run the following command:

sudo chmod 644 /etc/credentials/<admin-credential-file>

References: