Check: CNTR-MK-000220
Mirantis Kubernetes Engine STIG: CNTR-MK-000220 (in version v1 r1)
Title
Audit logging must be enabled on MKE. (Cat II impact)
Discussion
Enabling audit logging on MKE enhances security, supports compliance efforts, provides user accountability, and offers valuable insights for incident response and operational management. It is an essential component of maintaining a secure, compliant, and well-managed Kubernetes environment. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Check Content
Check auditing configuration level for MKE nodes and controller: Log in to the MKE web UI and navigate to admin >> Admin Settings >> Logs & Audit Logs. If "AUDIT LOG LEVEL" is not set to "Request", this is a finding. If "DEBUG LEVEL" is set to "ERROR", this is a finding.
Fix Text
Log in to the MKE web UI and navigate to admin >> Admin Settings >> Logs & Audit Logs. In the "Configure Audit Log Level" section, select "Request". In the "Configure Global Log Level" section, select "INFO" or "DEBUG". Note: The recommended setting is "INFO". Click "Save".
Additional Identifiers
Rule ID: SV-260914r966099_rule
Vulnerability ID: V-260914
Group Title: SRG-APP-000092-CTR-000165
CCIs
Number | Definition |
---|---|
CCI-000018 | The information system automatically audits account creation actions. |
CCI-000135 | The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
CCI-000169 | The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
CCI-000172 | The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
CCI-001403 | The information system automatically audits account modification actions. |
CCI-001404 | The information system automatically audits account disabling actions. |
CCI-001405 | The information system automatically audits account removal actions. |
CCI-001464 | The information system initiates session audits at system start-up. |
CCI-002234 | The information system audits the execution of privileged functions. |