Skip to content

OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

An XCCDF Rule

Description

<VulnDiscussion>Sending audit logs to a central enterprise repository allows for centralized log management. Instead of scattered logs across multiple OpenShift components, having a centralized repository simplifies log storage, retention, and retrieval. It provides a single source of truth for audit logs, making it easier to manage and analyze log data. Centralized audit logs are crucial for incident response and forensic investigations. When a security incident occurs, having audit logs in a central repository allows security teams to quickly access relevant log data for analysis. It facilitates incident reconstruction, root cause analysis, and the identification of the scope and impact of the incident. This is vital for effective incident response and minimizing the impact of security breaches. Satisfies: SRG-APP-000111-CTR-000220, SRG-APP-000092-CTR-000165, SRG-APP-000358-CTR-000805</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-257524r921515_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

To configure log forwarding, the OpenShift Cluster Logging operator first must be installed, and then the Cluster Log Forwarder is configured to forward logs to a centralized log aggregation service.

To install the OpenShift Cluster Logging operator, execute the following command to apply the subscription manifests to the cluster:

oc apply -f - << 'EOF'
---