
Ensure that Audit Log Forwarding Uses TLS

An XCCDF Rule

Description

OpenShift audit works at the API server level, logging all requests coming to the server. Audit is on by default and the best practice is to ship audit logs off the cluster for retention using a secure protocol.

The cluster-logging-operator can do this with the ClusterLogForwarder resource, which can be configured to forward logs to different third-party systems. For more information, see the official documentation: https://docs.openshift.com/container-platform/latest/logging/cluster-logging-external.html

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • the /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance API endpoint, filtered with the jq utility using the filter try [.spec.outputs[].url] catch [] and persisted to the local file /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0
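The following script is an added example, not part of this XCCDF rule or the ComplianceAsCode project. It reproduces the check offline: it applies a Python equivalent of the jq filter try [.spec.outputs[].url] catch [] to a ClusterLogForwarder document and then verifies that every extracted URL uses a TLS scheme. The three ClusterLogForwarder documents are constructed inline so the script runs without cluster access; the accepted schemes (tls, https), the decision to fail when no outputs exist, and the decision to flag an output that has no url field are this example's assumptions, not the rule's published evaluation logic.

```python
"""Offline check: every ClusterLogForwarder output URL must use TLS.

Added example, not code from the XCCDF rule or ComplianceAsCode. In the real
check the document comes from the OCP API endpoint named above; here three
constructed ClusterLogForwarder documents stand in for the API response.
"""
import json
from urllib.parse import urlsplit

# Assumption of this example: URL schemes accepted as "uses TLS".
TLS_SCHEMES = {"tls", "https"}

# Constructed sample: both outputs use TLS schemes.
COMPLIANT = json.loads("""
{"apiVersion": "logging.openshift.io/v1", "kind": "ClusterLogForwarder",
 "metadata": {"name": "instance", "namespace": "openshift-logging"},
 "spec": {"outputs": [
   {"name": "remote-syslog", "type": "syslog", "url": "tls://rsyslog.example.com:6514"},
   {"name": "remote-es", "type": "elasticsearch", "url": "https://es.example.com:9200"}],
  "pipelines": [{"name": "audit-logs", "inputRefs": ["audit"],
                 "outputRefs": ["remote-syslog", "remote-es"]}]}}
""")

# Constructed sample: one cleartext syslog output and one output without a url.
CLEARTEXT = json.loads("""
{"apiVersion": "logging.openshift.io/v1", "kind": "ClusterLogForwarder",
 "metadata": {"name": "instance", "namespace": "openshift-logging"},
 "spec": {"outputs": [
   {"name": "remote-syslog", "type": "syslog", "url": "tcp://rsyslog.example.com:514"},
   {"name": "cw", "type": "cloudwatch"}],
  "pipelines": [{"name": "audit-logs", "inputRefs": ["audit"],
                 "outputRefs": ["remote-syslog", "cw"]}]}}
""")

# Constructed sample: no spec.outputs at all (jq's catch [] branch).
NO_OUTPUTS = json.loads("""
{"apiVersion": "logging.openshift.io/v1", "kind": "ClusterLogForwarder",
 "metadata": {"name": "instance", "namespace": "openshift-logging"},
 "spec": {"pipelines": [{"name": "audit-logs", "inputRefs": ["audit"],
                         "outputRefs": ["default"]}]}}
""")


def output_urls(clf):
    """Python equivalent of the jq filter `try [.spec.outputs[].url] catch []`.

    One entry per output; an output with no `url` key yields None, as jq's
    `.url` does. A structural error (missing spec.outputs, an output that is
    not an object) yields [] like the `catch []` branch.
    """
    try:
        outputs = (clf.get("spec") or {}).get("outputs")
        if outputs is None:
            raise TypeError("cannot iterate over null")
        # .get() raises AttributeError for a non-object output, as jq errors.
        return [output.get("url") for output in outputs]
    except (TypeError, AttributeError):
        return []


def uses_tls(url):
    """True when the URL scheme is one of the TLS schemes assumed above."""
    if not isinstance(url, str):
        return False
    return urlsplit(url).scheme.lower() in TLS_SCHEMES


def evaluate(clf):
    """Return (compliant, findings) for one ClusterLogForwarder document."""
    urls = output_urls(clf)
    if not urls:
        # Assumption: no outputs means audit logs are not forwarded at all.
        return False, ["no ClusterLogForwarder outputs found"]
    findings = [
        f"output {i}: url {url!r} does not use a TLS scheme"
        for i, url in enumerate(urls)
        if not uses_tls(url)
    ]
    return not findings, findings


if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT), ("cleartext", CLEARTEXT),
                       ("no-outputs", NO_OUTPUTS)):
        ok, findings = evaluate(doc)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

On a live cluster the same document is obtained with `oc get clusterlogforwarder instance -n openshift-logging -o json` and can be fed to evaluate() after json.load(); the jq-style extraction is kept separate from the TLS test so that the two halves of the rule's check can be verified independently.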

Rationale

Every configured output must use the TLS protocol so that the audit logs keep their confidentiality, integrity and authenticity while in transit to the remote collector; an output over a cleartext protocol exposes the logs to interception and tampering on the network.

ID
xccdf_org.ssgproject.content_rule_audit_log_forwarding_uses_tls
Severity
Medium
References
Updated