OpenShift must generate audit rules to capture account related actions.
An XCCDF Rule
Description
<VulnDiscussion>Account management actions, such as creation, modification, disabling, removal, and enabling are important changes within the system. When management actions are modified, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to disable authorized accounts to disrupt services or prevent the implementation of countermeasures. In the event of a security incident or policy violation, having detailed audit logs for account creation, modification, disabling, removal, and enabling actions is crucial for incident response and forensic investigations. These logs provide a trail of activities that can be analyzed to determine the cause, impact, and scope of the incident, aiding in the investigation and remediation process. Satisfies: SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000509-CTR-001305</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-257511r921476_rule
- Severity
- Medium
- Updated
Remediation - Manual Procedure
Apply the machine config using the following command:
for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata: