Profile Applicability:
Level 1
Description:
Ensure that the ownership of the default administrative credential file is set to root:root. This ensures that the root user and the root group have ownership and control over the file, preventing unauthorized users from accessing or modifying the file.
Rationale:
Setting the ownership of the default administrative credential file to root:root ensures that only the root user and group have ownership, reducing the risk of unauthorized access or modification. This is critical for maintaining the security of administrative credentials, which are sensitive and must be protected from tampering.
Impact:
Pros:
Restricts access to the administrative credential file to trusted administrators (root).
Prevents unauthorized access and modifications to sensitive credentials.
Cons:
If ownership is misconfigured, it could cause operational issues, especially if necessary access is restricted during system updates or troubleshooting.
Default Value:
By default, the ownership of the default administrative credential file is not set to root:root. Manual configuration is required.
Pre-Requisites:
Access to the administrative credential file.
Sufficient privileges (root or administrator access) to modify file ownership.
A system configured for secure management of credential files.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 and locate the instances or nodes storing the administrative credential file.
Check the ownership of the administrative credential file to ensure it is set to root:root.
Verify that only authorized users (root) have ownership of the file.
Using AWS CLI:
Use the following command to check the ownership of the default administrative credential file:
kubectl exec -it <node-name> -- ls -l /etc/credentials/<admin-credential-file>
Ensure that the file ownership is set to root:root. If not, run the following command to correct it:
sudo chown root:root /etc/credentials/<admin-credential-file>
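The ownership check above can also be scripted so that it returns a pass/fail status instead of relying on a visual read of the ls -l output. The following is an added example, not part of the original benchmark text; the function names, the EXPECTED_OWNER variable and the comparison against numeric ids 0:0 (uid and gid of root) are assumptions made for illustration, and the script is meant to run on the node that holds the file.

```shell
#!/bin/sh
# Added example: scripted ownership audit for a credential file.
# Function names and EXPECTED_OWNER are assumptions for illustration.

# Print "uid:gid" of FILE, following symlinks so the target is what gets judged.
# GNU stat syntax first, BSD stat syntax as a fallback.
owner_ids() {
    stat -L -c '%u:%g' "$1" 2>/dev/null || stat -L -f '%u:%g' "$1" 2>/dev/null
}

# audit_owner FILE [EXPECTED]
# EXPECTED defaults to 0:0 (root:root as numeric ids, independent of name lookups).
# Returns 0 = compliant, 1 = wrong owner or group, 2 = missing or unreadable.
audit_owner() {
    file=$1
    expected=${2:-${EXPECTED_OWNER:-0:0}}
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 2
    fi
    actual=$(owner_ids "$file") || { echo "ERROR $file"; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "PASS $file owner=$actual"
        return 0
    fi
    echo "FAIL $file owner=$actual expected=$expected"
    return 1
}

# audit_all FILE... : audit every file and return the worst status seen,
# so one non-compliant file fails the whole run.
audit_all() {
    worst=0
    for f in "$@"; do
        rc=0
        audit_owner "$f" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Usage on the node itself (path placeholder as in the text):
#   audit_all /etc/credentials/<admin-credential-file>
```

A non-zero exit status from audit_all can be used directly as the failure signal in a scheduled compliance job.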
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 and locate the instance or node storing the administrative credential file.
Review the ownership of the credential file.
If the ownership is not set to root:root, modify the ownership by accessing the instance and updating the ownership to root:root.
Using AWS CLI:
Identify the node where the credential file is located:
kubectl get nodes
Access the node and check the ownership of the administrative credential file:
kubectl exec -it <node-name> -- ls -l /etc/credentials/<admin-credential-file>
If needed, change the ownership:
sudo chown root:root /etc/credentials/<admin-credential-file>
Backout Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the instance or node where the administrative credential file is stored.
Review the ownership of the credential file.
Modify the file ownership to ensure it is correctly set to root:root.
Confirm that the ownership changes are applied successfully.
Using AWS CLI:
To revert the ownership to a less secure setting, run the following command:
sudo chown <user>:<group> /etc/credentials/<admin-credential-file>