OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.

An XCCDF Rule

Description

<VulnDiscussion>Pod log files may contain sensitive information such as application data, user credentials, or system configurations. Unauthorized access to these log files can expose sensitive data to malicious actors. By setting owner permissions, OpenShift ensures that only authorized users or processes with the necessary privileges can access the pod log files, preserving the confidentiality of the logged information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-257532r960930_rule
Severity: Medium
References: CCI-000162
Updated: 17 days ago

Change the permissions and ownership of files located under "/var/log/pods" to protect from unauthorized access.

1. Execute the following to set the output of pods readable only by the owner:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find /var/log/pods/ -type f \( -perm /022 -o -perm /044 \) | xargs -r chmod 600' 2>/dev/null; done
2. Execute the following to set the group and group-ownership to root for files that store the output of pods:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find /var/log/pods/ -type f \! -user 0 | xargs -r chown root:root' 2>/dev/null; done

OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.

Description

Remediation - Manual Procedure