All audit records must identify any containers associated with the event within Rancher RKE2.

An XCCDF Rule

Description

<VulnDiscussion>Ensure that the --audit-log-maxage argument is set to 30 or as appropriate. Retaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. Set your audit log retention period to 30 days or as per your business requirements. Result: Pass</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-254563r918257_rule
Severity: Medium
References: CCI-001487
Updated: 8 months ago

Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following "kube-apiserver-arg" argument:

- audit-log-maxage=30

Once the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server

All audit records must identify any containers associated with the event within Rancher RKE2.

Description

Remediation - Manual Procedure