1.5.8 Ensure that the --max-wals argument is set to 0

Information

Do not auto-rotate logs.

Rationale:

etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. You should avoid automatic log rotation and instead safeguard the logs in a centralized repository or through a separate log management system.

Solution

Edit the etcd environment file (for example, `/etc/etcd/etcd.conf`) on the etcd server node and set the `ETCD_MAX_WALS` parameter to `0`: `ETCD_MAX_WALS='0'`

Edit the etcd startup file (for example, `/etc/systemd/system/multi-user.target.wants/etcd.service`) and configure the startup parameter for `--max-wals` and set it to `'${ETCD_MAX_WALS}'`: `ExecStart=/bin/bash -c 'GOMAXPROCS=$(nproc) /usr/bin/etcd --name='${ETCD_NAME}' --data-dir='${ETCD_DATA_DIR}' --listen-client-urls='${ETCD_LISTEN_CLIENT_URLS}' --max-wals='${ETCD_MAX_WALS}''`

Based on your system, reload the daemon and restart the etcd service. For example: `systemctl daemon-reload` followed by `systemctl restart etcd.service`
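The following audit helper is an added example, not part of the CIS/Tenable control text. It resolves the `--max-wals` value etcd will actually use from the process command line and the `ETCD_MAX_WALS` environment-file value (the flag wins, and etcd's documented default of 5 applies when neither is set), so a reviewer can confirm the control passes after the edits above. The function names and the sample command lines are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the control's own code): audit the effective --max-wals
# value of an etcd invocation. Precedence mirrors etcd: command-line flag,
# then ETCD_MAX_WALS from the environment file, then the built-in default 5.

# effective_max_wals CMDLINE ENV_VALUE
#   CMDLINE   : etcd process arguments, e.g. from `ps -o args= -C etcd`
#   ENV_VALUE : value of ETCD_MAX_WALS read from the env file, may be empty
# Prints the value etcd will use.
effective_max_wals() {
    cmdline=$1
    env_value=$2
    # Accept --max-wals=N, --max-wals N, and quoted forms such as --max-wals='0'.
    flag=$(printf '%s\n' "$cmdline" |
        sed -n "s/.*--max-wals[= ]['\"]*\([0-9][0-9]*\).*/\1/p")
    if [ -n "$flag" ]; then
        printf '%s\n' "$flag"
    elif [ -n "$env_value" ]; then
        printf '%s\n' "$env_value"
    else
        printf '%s\n' 5
    fi
}

# check_max_wals CMDLINE ENV_VALUE
# Exit status 0 (PASS) only when WAL files are never auto-rotated (value 0).
check_max_wals() {
    [ "$(effective_max_wals "$1" "$2")" = "0" ]
}

# Live audit on an etcd node (constructed usage; env file path per the control):
#   env_val=$(sed -n 's/^ETCD_MAX_WALS=["'"'"']*\([0-9]*\).*/\1/p' /etc/etcd/etcd.conf)
#   check_max_wals "$(ps -o args= -C etcd)" "$env_val" && echo PASS || echo FAIL
```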

Impact:

You will have to manage log rotation and archiving.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9, CSCv6|6

Plugin: Unix

Control ID: cf6fc061c26eadd203dccd9bab36608da2a010a0f19b3df1f17cb051a0441cc4