Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized deletion
An XCCDF Rule
Description
The ClusterLogging and ClusterLoggingForwarder Custom Resources provide a way to configure the logging forwarding subsystem, and delete access to it should be restricted to an as-needed basis. Remove delete permissions from any unauthorized user or group by performing one or more of the following commands:
* Remove role from user
  > oc adm policy remove-role-from-user ROLE USER -n openshift-logging
* Remove role from group
  > oc adm policy remove-role-from-group ROLE GROUP -n openshift-logging
* Remove cluster role from user
  > oc adm policy remove-cluster-role-from-user CLUSTER_ROLE USER -n openshift-logging
* Remove cluster role from group
  > oc adm policy remove-cluster-role-from-group CLUSTER_ROLE GROUP -n openshift-logging
Where ROLE/CLUSTER_ROLE is the role granting the user delete permission to resources in the openshift-logging namespace.
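To decide which ROLE/USER or ROLE/GROUP pairs the commands above apply to, the following added example (not part of the rule itself) resolves Role and ClusterRole bindings to the subjects that hold delete on the logging resources in openshift-logging. The API group `logging.openshift.io`, the plural resource names `clusterloggings` and `clusterlogforwarders`, the helper names and the sample objects are assumptions made for the illustration.

```python
NS = "openshift-logging"
GROUP = "logging.openshift.io"  # assumption: API group of the logging CRs
TARGETS = {"clusterloggings", "clusterlogforwarders", "*"}  # assumption: plural names
DELETE = {"delete", "deletecollection", "*"}

def in_scope(obj, ns):  # cluster-scoped objects carry no namespace
    return obj["metadata"].get("namespace") in (None, ns)

def grants_delete(role):
    """True if any rule lets the holder delete one of the logging resources."""
    return any(DELETE & set(r.get("verbs", []))
               and {GROUP, "*"} & set(r.get("apiGroups", []))
               and TARGETS & set(r.get("resources", []))
               for r in role.get("rules") or [])

def subjects_with_delete(items, ns=NS):
    """Sorted (subject kind, subject, role kind, role) tuples effective in ns."""
    risky = {(o["kind"], o["metadata"]["name"]) for o in items
             if o["kind"] in ("Role", "ClusterRole") and in_scope(o, ns) and grants_delete(o)}
    found = set()
    for o in items:
        if o["kind"] in ("RoleBinding", "ClusterRoleBinding") and in_scope(o, ns):
            ref = o["roleRef"]
            if (ref["kind"], ref["name"]) in risky:
                found |= {(s["kind"], s["name"], ref["kind"], ref["name"])
                          for s in o.get("subjects") or []}
    return sorted(found)

def removal_command(subj_kind, subj, role_kind, role, ns=NS):
    """Matching command from the rule text; None for subject kinds it does not list."""
    who = {"User": "user", "Group": "group"}.get(subj_kind)
    scope = "cluster-role" if role_kind == "ClusterRole" else "role"
    return who and f"oc adm policy remove-{scope}-from-{who} {role} {subj} -n {ns}"

def _obj(kind, name, ns=None, **body):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns}, **body}
def _rule(resources, verbs, groups=(GROUP,)):
    return {"apiGroups": list(groups), "resources": resources, "verbs": verbs}
def _bind(kind, name, ns, role_kind, role, subj_kind, subj):
    return _obj(kind, name, ns, roleRef={"kind": role_kind, "name": role},
                subjects=[{"kind": subj_kind, "name": subj}])

SAMPLE = [  # constructed objects, not taken from a real cluster
    _obj("Role", "logging-editor", NS, rules=[_rule(["clusterloggings"], ["get", "delete"])]),
    _obj("ClusterRole", "logging-viewer", rules=[_rule(["*"], ["get", "list"])]),
    _obj("ClusterRole", "wildcard-admin", rules=[_rule(["*"], ["*"], ["*"])]),
    _bind("RoleBinding", "rb1", NS, "Role", "logging-editor", "User", "alice"),
    _bind("RoleBinding", "rb2", NS, "ClusterRole", "logging-viewer", "Group", "auditors"),
    _bind("ClusterRoleBinding", "crb1", None, "ClusterRole", "wildcard-admin", "Group", "ops"),
]
```

On a cluster, `items` would be the combined `items` arrays from `oc get roles,rolebindings -n openshift-logging -o json` and `oc get clusterroles,clusterrolebindings -o json`; each reported subject still has to be checked against the list of users and groups authorized to delete these resources.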
Rationale
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.
- ID: xccdf_org.ssgproject.content_rule_rbac_logging_del
- Severity: Medium