Check: CNTR-R2-000320
Rancher Government Solutions RKE2 STIG:
CNTR-R2-000320
(in versions v2 r2 through v1 r1)
Title
All audit records must identify any containers associated with the event within Rancher RKE2. (Cat II impact)
Discussion
Ensure that the --audit-log-maxage argument is set to 30 or as appropriate. Retaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. Set your audit log retention period to 30 days or as per your business requirements. Result: Pass
Check Content
Ensure audit-log-maxage is set correctly. Run the below command on the RKE2 Control Plane: /bin/ps -ef | grep kube-apiserver | grep -v grep If --audit-log-maxage argument is not set to at least 30 or is not configured, this is a finding. (By default, RKE2 sets the --audit-log-maxage argument parameter to 30.)
Fix Text
Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following "kube-apiserver-arg" argument: - audit-log-maxage=30 Once the configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server
Additional Identifiers
Rule ID: SV-254563r960906_rule
Vulnerability ID: V-254563
Group Title: SRG-APP-000100-CTR-000200
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001487 |
Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
Controls
Number | Title |
---|---|
AU-3 |
Content of Audit Records |