Ensure that API server audit logging is enabled
An XCCDF Rule
Description
OpenShift has the ability to audit API server requests. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system, whether by individual users, administrators, or other components of the system. Audit works at the API server level, logging all requests coming to the server. Verify that audit logging is enabled by checking that the API server audit log configuration is not set to `None`, which explicitly disables the functionality. For more information on how to configure the audit profile, please see the OpenShift documentation.
Warning
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the
/apis/config.openshift.io/v1/apiservers/cluster
API endpoint, and save its output to the local /apis/config.openshift.io/v1/apiservers/cluster
file.
Rationale
Logging is an important detective control for all systems, to detect potential unauthorised access.
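The check described above, implemented against a saved dump of the APIServer resource, as an added example (this is not the rule's own OVAL/YAML check and not code from the ComplianceAsCode project). It assumes the audit profile is stored at `spec.audit.profile` of the `APIServer` object served by the endpoint named in the warning, and that an absent field means the cluster runs the `Default` profile (both assumptions are stated in the code). The sample dumps are constructed for the example, not captured from a real cluster.

```python
import json

# Constructed sample dumps of the APIServer "cluster" resource, shaped like the
# object served at /apis/config.openshift.io/v1/apiservers/cluster.  They are
# hand-written for this example, not captured from a real cluster.
DISABLED_DUMP = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {"audit": {"profile": "None"}},
})
VERBOSE_DUMP = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {"audit": {"profile": "WriteRequestBodies"}},
})
UNSET_DUMP = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {},
})

# Assumed field path: the audit profile lives at spec.audit.profile of the
# APIServer custom resource.  When the field is absent we assume the API
# server falls back to the "Default" profile, i.e. auditing stays on.
DEFAULT_PROFILE = "Default"


def audit_profile(dump_text: str) -> str:
    """Return the configured audit profile from a JSON dump of the resource."""
    obj = json.loads(dump_text)
    if obj.get("kind") != "APIServer":
        raise ValueError(f"expected an APIServer object, got {obj.get('kind')!r}")
    spec = obj.get("spec") or {}
    audit = spec.get("audit") or {}
    return audit.get("profile") or DEFAULT_PROFILE


def audit_logging_enabled(dump_text: str) -> bool:
    """The rule passes unless the profile is explicitly set to "None"."""
    return audit_profile(dump_text) != "None"


def evaluate(dump_text: str) -> str:
    """One-line verdict in the style of a compliance scan result."""
    profile = audit_profile(dump_text)
    status = "PASS" if profile != "None" else "FAIL"
    return f"{status}: spec.audit.profile={profile}"


def evaluate_file(path: str) -> str:
    """Evaluate a dump saved to disk, for example with
    oc get --raw /apis/config.openshift.io/v1/apiservers/cluster > <file>."""
    with open(path, encoding="utf-8") as fh:
        return evaluate(fh.read())


if __name__ == "__main__":
    samples = (("disabled", DISABLED_DUMP), ("verbose", VERBOSE_DUMP), ("unset", UNSET_DUMP))
    for label, dump in samples:
        print(f"{label:8s} {evaluate(dump)}")
```

Run it as-is to see the three constructed cases, or call `evaluate_file()` on a dump you saved with `oc get --raw` against the endpoint from the warning. Only an explicit `None` fails the check; every other profile, including an unset one, keeps audit logging on.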
- ID: xccdf_org.ssgproject.content_rule_audit_logging_enabled
- Severity: Medium
- References:
- Updated: