OpenShift audit records must record user access start and end times.

An XCCDF Rule

Description

<VulnDiscussion>OpenShift must generate audit records showing start and end times for users and services acting on behalf of a user accessing the registry and keystore. These components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-257581r961830_rule
Severity: Medium
References: CCI-000172
Updated: 17 days ago

Apply the machine config for user access times by executing the following:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:  name: 75-session-start-end-time-$mcpool
  labels:
    machineconfiguration.openshift.io/role: $mcpool
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A
        mode: 0644
        path: /etc/audit/rules.d/75-var_log_btmp_write_events.rules
        overwrite: true
      - contents:
          source: data:,-w%20/var/log/utmp%20-p%20wa%20-k%20session%0A
        mode: 0644
        path: /etc/audit/rules.d/75-var_log_utmp_write_events.rules
        overwrite: true
" | oc apply -f -
done

OpenShift audit records must record user access start and end times.

Description

Remediation - Manual Procedure