Check: CNTR-K8-000700
Kubernetes STIG:
CNTR-K8-000700
(in versions v2 r2 through v1 r7)
Title
Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event. (Cat II impact)
Discussion
Within Kubernetes, audit data for all components is generated by the API server. This audit data is important when there are issues, to include security incidents that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to have the appropriate and required data logged. To fully understand the event, it is important to identify any users associated with the event. The API server policy file allows for the following levels of auditing: None - Do not log events that match the rule. Metadata - Log request metadata (requesting user, timestamp, resource, verb, etc.) but not request or response body. Request - Log event metadata and request body but not response body. RequestResponse - Log event metadata, request, and response bodies. Satisfies: SRGID:SRG-APP-000092-CTR-000165, SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000101-CTR-000205, SRG-APP-000100-CTR-000200, SRG-APP-000100-CTR-000195, SRG-APP-000099-CTR-000190, SRG-APP-000098-CTR-000185, SRG-APP-000095-CTR-000170, SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000507-CTR-001295, SRG-APP-000504-CTR-001280, SRG-APP-000503-CTR-001275, SRG-APP-000501-CTR-001265, SRG-APP-000500-CTR-001260, SRG-APP-000497-CTR-001245, SRG-APP-000496-CTR-001240, SRG-APP-000493-CTR-001225, SRG-APP-000492-CTR-001220, SRG-APP-000343-CTR-000780, SRG-APP-000381-CTR-000905
Check Content
Change to the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Run the command: grep -i audit-policy-file If the audit-policy-file is not set, this is a finding. The file given is the policy file and defines what is audited and what information is included with each event. The policy file must look like this: # Log all requests at the RequestResponse level. apiVersion: audit.k8s.io/vX (Where X is the latest apiVersion) kind: Policy rules: - level: RequestResponse If the audit policy file does not look like above, this is a finding.
Fix Text
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Set the value of "--audit-policy-file" to the path of a file with the following content: # Log all requests at the RequestResponse level. apiVersion: audit.k8s.io/vX (Where X is the latest apiVersion) kind: Policy rules: - level: RequestResponse Note: If the API server is running as a Pod, then the manifest will also need to be updated to mount the host system filesystem where the audit policy file resides.
Additional Identifiers
Rule ID: SV-242403r986135_rule
Vulnerability ID: V-242403
Group Title: SRG-APP-000026-CTR-000070
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000018 |
Automatically audit account creation actions. |
CCI-000130 |
Ensure that audit records contain information that establishes what type of event occurred. |
CCI-000131 |
Ensure that audit records containing information that establishes when the event occurred. |
CCI-000132 |
Ensure that audit records containing information that establishes where the event occurred. |
CCI-000133 |
Ensure that audit records containing information that establishes the source of the event. |
CCI-000134 |
Ensure that audit records containing information that establishes the outcome of the event. |
CCI-000135 |
Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
CCI-001403 |
Automatically audit account modification actions. |
CCI-001404 |
Automatically audit account disabling actions. |
CCI-001487 |
Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
CCI-001844 |
The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components. |
CCI-002264 |
Provide the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. |
Controls
Number | Title |
---|---|
AC-2(4) |
Automated Audit Actions |
AC-16 |
Security Attributes |
AU-3 |
Content of Audit Records |
AU-3(1) |
Additional Audit Information |
AU-3(2) |
Centralized Management of Planned Audit Record Content |
AU-12 |
Audit Generation |