Skip to content

Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.

An XCCDF Rule

Description

<VulnDiscussion>Audit logs must be enabled. Rancher MCM provides audit record generation capabilities. Audit logs capture what happened, when it happened, who initiated it, and what cluster it affected to ensure non-repudiation of actions taken. Audit logging at the platform level also needs to be enabled. This will need to be done through the Kubernetes engine and is not always configurable through the Rancher MCM application. Audit log verbosity can be set to one of the following levels: 0 - Disable audit log (default setting). 1 - Log event metadata. 2 - Log event metadata and request body. 3 - Log event metadata, request body, and response body. Each log transaction for a request/response pair uses the same auditID value. Cluster administrators with authorized access can view logs produced by the Rancher MCM server. Audit and normal application logs generated by Rancher MCM can be forwarded to a remote log aggregation system for use by authorized viewers as well. This system can in turn be configured for further log processing, monitoring, backup, and alerting. This aggregation also should include failover and buffering in the event that a logging subsystem fails. The logging mechanism of the individual server is independent and will kill the server process if this logging mechanism fails. To meet the requirements of this control, an administrator with access to the local cluster configuration must add the 'AUDIT_LOG' environment variable with a level of at least 2 in the Rancher MCM deployment configuration. This setting will persist between restarts of the application. Satisfies: SRG-APP-000026-CTR-000070, SRG-APP-000033-CTR-000100, SRG-APP-000089-CTR-000150, SRG-APP-000090-CTR-000155, SRG-APP-000091-CTR-000160, SRG-APP-000092-CTR-000165, SRG-APP-000095-CTR-000170, SRG-APP-000096-CTR-000175, SRG-APP-000109-CTR-000215, SRG-APP-000343-CTR-000780, SRG-APP-000358-CTR-000805, SRG-APP-000374-CTR-000865, SRG-APP-000375-CTR-000870</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>




Remediation - Manual Procedure

Ensure audit logging is enabled:

Navigate to Triple Bar Symbol(Global) >>  <local cluster> 
-From the drop down next to the cluster name, select 'cattle-system'.
-Click "deployments" under Workload menu item.
-Select "rancher" in the Deployments section.