Ensure that Audit Log Webhook Is Configured

An XCCDF Rule

Description

Audit is on by default and the best practice is to ship audit logs off an cluster for retention. HyperShift is able to do this with the a audit webhook, which is configured in the HostedCluster custom resource. The forementioned resource can be configured to log to different third party systems. For more information on this, please reference the official documentation: https://hypershift-docs.netlify.app/reference/api/

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}} API endpoint, filter with with the jq utility using the following filter .spec and persist it to the local /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#916d614f6293c0b742a5e71ac156259606d6735ca783595a3548858d747aa053 file. true

Rationale

Retaining logs ensures the ability to go back in time to investigate or correlate any events. Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to tamper with the logs because of the logs being stored off-site.

ID: xccdf_org.ssgproject.content_rule_audit_log_forwarding_webhook
Severity: Medium
References: Req-10.5.3 Req-10.5.4 Req-2.2

1.2.21

CCE-86103-9
Updated: about 1 year ago