An error occurred:

Check: CNTR-MK-000310

Mirantis Kubernetes Engine STIG: CNTR-MK-000310 (in versions v2 r1 through v1 r1)

Title

MKE must be configured to send audit data to a centralized log server. (Cat II impact)

Discussion

Sending audit data from MKE to a centralized log server enhances centralized monitoring, facilitates efficient incident response, scales effectively, provides redundancy, and helps organizations meet compliance requirements. This is the recommended best practice for managing Kubernetes environments, especially in enterprise settings.

Check Content

Check centralized log server configuration. Via CLI, execute the following commands as a trusted user on the host operating system: cat /etc/docker/daemon.json Verify that the "log-driver" property is set to one of the following: "syslog", "journald", or "<plugin>" (where <plugin> is the naming of a third-party Docker logging driver plugin). Work with the SIEM administrator to determine if an alert is configured when audit data is no longer received as expected. If "log-driver" is not set, or if alarms are not configured in the SIEM, then this is a finding.

Fix Text

Configure logging driver by setting the log-driver and log-opts keys to appropriate values in the daemon.json file. Refer to this link for extra assistance: https://docs.docker.com/config/containers/logging/syslog/. Via CLI: Linux: 1. As a trusted user on the host OS, open the /etc/docker/daemon.json file for editing. If the file does not exist, it must be created. 2. Set the "log-driver" property to one of the following: "syslog", "journald", or "<plugin>" (where <plugin> is the naming of a third-party MKE logging driver plugin). Note: Mirantis recommends the "journald" setting. The following example sets the log driver to journald: { "log-driver": "journald" } 3. Configure the "log-opts" object as required by the selected "log-driver". 4. Save the file. 5. Restart the Docker daemon by executing the following: sudo systemctl restart docker Configure rsyslog to send logs to the SEIM system. 1. Edit the /etc/rsyslog.conf file and add the IP address of remote server. Example: *.* @@loghost.example.com 2. Work with the SIEM administrator to configure an alert when no audit data is received from Mirantis.

Additional Identifiers

Rule ID: SV-260915r966102_rule

Vulnerability ID: V-260915

Group Title: SRG-APP-000109-CTR-000215

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000140

Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.
CCI-000154

Provide the capability to centrally review and analyze audit records from multiple components within the system.
CCI-001851

Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.
CCI-002702

Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-4(1)

Transfer to Alternate Storage
AU-5

Response to Audit Processing Failures
AU-6(4)

Central Review and Analysis
SI-6

Security Function Verification