Record Access Events to OpenShift Audit Log Directory

An XCCDF Rule

Description

The audit system should collect read access events to the OpenShift audit log directory. The following audit rule ensures that accesses to the audit log directory are collected.

-a always,exit -F dir=/var/log/openshift-apiserver/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rule to a file with the suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rule to the /etc/audit/audit.rules file.
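The rule above has several parts that all have to be present for the check to pass: an always,exit syscall rule, a dir filter on the audit log directory, perm=r so reads are captured, the two auid filters that restrict it to real logged-in users, and a key. The following is an added example (not the SSG content's own OVAL check) of a small compliance checker that parses audit rules in the auditctl syntax and reports whether some rule records reads of the directory; it also reads the rule sources named in the description (rules.d for augenrules, audit.rules for auditctl). The function names, the SyscallRule class and the two sample rule files are constructed for this example.

```python
"""Check whether audit rules record read access to the OpenShift audit log
directory. Added example; the sample rules.d contents below are constructed."""
import glob
import re
import shlex
from dataclasses import dataclass, field

AUDIT_DIR = "/var/log/openshift-apiserver/"
UNSET_AUID = {"unset", "-1", "4294967295"}   # spellings auditctl accepts for "no login uid"
_FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|&=|=|>|<|&)(.*)$")


@dataclass
class SyscallRule:
    action: str                                  # "always" or "never"
    lists: list = field(default_factory=list)    # e.g. ["exit"]
    filters: list = field(default_factory=list)  # (name, op, value) triples from -F
    key: str = ""                                # from -k or -F key=


def parse_rule(line: str):
    """Parse one '-a' syscall rule. Returns None for comments, blank lines,
    control options (-D, -b, ...) and '-w' watches, which use another syntax."""
    line = line.split("#", 1)[0].strip()
    if not line.startswith("-a"):
        return None
    toks = shlex.split(line)
    rule = SyscallRule(action="")
    i = 0
    while i < len(toks):
        flag = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else ""
        if flag == "-a":                         # auditctl accepts action,list or list,action
            parts = arg.split(",")
            rule.action = next((p for p in parts if p in ("always", "never")), "")
            rule.lists = [p for p in parts if p not in ("always", "never")]
        elif flag == "-F":
            m = _FIELD_RE.match(arg)
            if not m:
                raise ValueError(f"unparseable -F field: {arg!r}")
            name, op, value = m.groups()
            if name == "key":                    # -F key=X is equivalent to -k X
                rule.key = value
            else:
                rule.filters.append((name, op, value))
        elif flag == "-k":
            rule.key = arg
        i += 2                                   # -S/-C and others: skip flag and argument
    return rule


def records_dir_reads(rule: SyscallRule, directory: str = AUDIT_DIR) -> bool:
    """True when `rule` makes auditd log read access to `directory` by
    logged-in users, which is what the rule in the description achieves."""
    if rule.action != "always" or "exit" not in rule.lists or not rule.key:
        return False
    want = directory.rstrip("/")
    f = rule.filters
    watched_dir = any(n == "dir" and op == "=" and v.rstrip("/") == want for n, op, v in f)
    reads = any(n == "perm" and op == "=" and "r" in v for n, op, v in f)
    # a lower bound on auid that is no looser than 1000 (auid>=1000, auid>999, auid>=500 ...)
    real_users = any(n == "auid" and v.isdigit()
                     and ((op == ">=" and int(v) <= 1000) or (op == ">" and int(v) < 1000))
                     for n, op, v in f)
    not_unset = any(n == "auid" and op == "!=" and v in UNSET_AUID for n, op, v in f)
    return watched_dir and reads and real_users and not_unset


def check_rules_text(text: str, directory: str = AUDIT_DIR) -> bool:
    """True if at least one rule in `text` records reads of `directory`."""
    rules = (parse_rule(line) for line in text.splitlines())
    return any(records_dir_reads(r, directory) for r in rules if r is not None)


def load_rules(augenrules: bool = True) -> str:
    """Concatenate the files auditd loads at startup: /etc/audit/rules.d/*.rules
    when augenrules is in use (the default), else /etc/audit/audit.rules."""
    paths = sorted(glob.glob("/etc/audit/rules.d/*.rules")) if augenrules else ["/etc/audit/audit.rules"]
    return "\n".join(open(p).read() for p in paths)


# Constructed sample of a rules.d file that satisfies the requirement.
COMPLIANT_RULES = """\
## constructed /etc/audit/rules.d/30-ocp-audit.rules
-D
-b 8192
-w /etc/audit/ -p wa -k auditconfig
-a always,exit -F dir=/var/log/openshift-apiserver/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
"""

# Constructed sample that only records writes and appends, so reads go unrecorded.
WRITE_ONLY_RULES = """\
-a always,exit -F dir=/var/log/openshift-apiserver/ -F perm=wa -F auid>=1000 -F auid!=unset -k access-audit-trail
"""

if __name__ == "__main__":
    print("compliant sample:", check_rules_text(COMPLIANT_RULES))      # True
    print("write-only sample:", check_rules_text(WRITE_ONLY_RULES))    # False
```

On a live host, `check_rules_text(load_rules(augenrules=True))` evaluates the rules.d files; note that this checks the on-disk configuration only, and the loaded rule set (`auditctl -l`) can differ if the daemon has not been restarted or augenrules was not re-run.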

Rationale

Attempts to read the logs should be recorded; suspicious access to audit log files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

ID
xccdf_org.ssgproject.content_rule_directory_access_var_log_ocp_audit
Severity
Medium

Remediation - Kubernetes Patch

---
#

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec: