All audit records must identify what type of event has occurred within OpenShift.

An XCCDF Rule

Description

<VulnDiscussion>Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues such as security incidents that must be investigated. Identifying the type of event in audit records helps classify and categorize different activities or actions within OpenShift. This classification allows for easier analysis, reporting, and filtering of audit logs based on specific event types. It helps distinguish between user actions, system events, policy violations, or security incidents, providing a clearer understanding of the activities occurring within the platform. Satisfies: SRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-257520r960891_rule
Severity: Medium
References: CCI-000130 CCI-000172 CCI-002884
Updated: 17 days ago

Apply the machine config setting auditd to active and enabled by executing the following:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:  name: 80-auditd-service-enable-$mcpool
  labels:
    machineconfiguration.openshift.io/role: $mcpool
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: auditd.service
        enabled: true
" | oc apply -f -
done

All audit records must identify what type of event has occurred within OpenShift.

Description

Remediation - Manual Procedure