Ensure that Audit Log Forwarding Is Enabled

An XCCDF Rule

Description

OpenShift audit works at the API server level, logging all requests coming to the server. Audit is on by default and the best practice is to ship audit logs off the cluster for retention. The cluster-logging-operator is able to do this with the

ClusterLogForwarders

resource. The forementioned resource can be configured to logs to different third party systems. For more information on this, please reference the official documentation: https://docs.openshift.com/container-platform/4.6/logging/cluster-logging-external.html

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance API endpoint to the local /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance file. true

Rationale

Retaining logs ensures the ability to go back in time to investigate or correlate any events. Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to tamper with the logs because of the logs being stored off-site.

ID: xccdf_org.ssgproject.content_rule_audit_log_forwarding_enabled
Severity: Medium
References: CIP-003-8 R5.2 CIP-004-6 R2.2.2 CIP-004-6 R2.2.3 CIP-004-6 R3.3 CIP-007-3 R.1.3 CIP-007-3 R5 CIP-007-3 R5.1.1 CIP-007-3 R5.2 CIP-007-3 R5.3.1 CIP-007-3 R5.3.2 CIP-007-3 R5.3.3 CIP-007-3 R6.5

AC-2(12) AU-11 AU-3(2) AU-4(1) AU-5(1) AU-6 AU-6(1) AU-6(3) AU-7 AU-7(1) AU-9(2) SI-4(16) SI-4(20)

Req-10.5.3 Req-10.5.4 Req-2.2

SRG-APP-000092-CTR-000165 SRG-APP-000111-CTR-000220 SRG-APP-000358-CTR-000805

1.2.21

CCE-84076-9
Updated: about 1 year ago