Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Kubernetes Settings
Role-based Access Control
Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized deletion
Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized deletion
An XCCDF Rule
Details
Profiles
Prose
Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized deletion
Medium Severity
The ClusterLogging and ClusterLoggingForwarder Custom Resources provide a way to configure the logging forwarding subsystem and delete access to it should be restricted to as-needed basis. Remove delete permissions from any unauthorized user or group by performing one or more of the following commands: * Remove role from user > oc adm policy remove-role-from-user ROLE USER -n openshift-logging * Remove role from group > oc adm policy remove-role-from-group ROLE GROUP -n openshift-logging * Remove cluster role from user > oc adm policy remove-cluster-role-from-user CLUSTER_ROLE USER -n openshift-logging * Remove cluster role from group > oc adm policy remove-cluster-role-from-group CLUSTER_ROLE GROUP -n openshift-logging Where ROLE/CLUSTER_ROLE is the role granting user delete permission to resources in openshift-logging namespace.}