Ensure that the cluster's audit profile is properly set
An XCCDF Rule
Description
OpenShift can audit the details of requests made to the API server through the standard Kubernetes audit capabilities.
In OpenShift, auditing of the API server is on by default. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system, whether by individual users, administrators, or other components of the system. Audit works at the API server level, logging all requests coming to the server. Each audited request produces two log entries:
The request line containing:
- A unique ID that allows the matching response line to be found (see the response line below)
- The source IP of the request
- The HTTP method being invoked
- The original user invoking the operation
- The impersonated user for the operation (self meaning the original user)
- The impersonated group for the operation (lookup meaning the user's own group)
- The namespace of the request or none
- The URI as requested
The response line containing:
- The aforementioned unique ID
- The response code
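To make the two-entry layout concrete, here is an added example that is not part of the rule text or of the ComplianceAsCode project: a small Python script that reads audit events in the upstream audit.k8s.io/v1 JSON-lines format (the format the OpenShift API server writes), pairs each request entry with its response entry by auditID, and pulls out the fields listed above. The sample events are constructed, not captured from a cluster. The script also reports requests for which no response entry was seen; since the response line is what carries the status code, such gaps deserve a second look when reviewing a log.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not from a real cluster): three events in the upstream
# audit.k8s.io/v1 JSON-lines format. The first two are the request and response
# entries for one call, tied together by auditID; the third is a request whose
# response entry never made it into the log.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"aaaa-0001","stage":"RequestReceived","requestURI":"/api/v1/namespaces/demo/pods?limit=500","verb":"list","user":{"username":"alice","groups":["system:authenticated"]},"impersonatedUser":{"username":"deployer","groups":["deployers"]},"sourceIPs":["10.0.0.12"],"objectRef":{"resource":"pods","namespace":"demo","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"aaaa-0001","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/demo/pods?limit=500","verb":"list","user":{"username":"alice","groups":["system:authenticated"]},"impersonatedUser":{"username":"deployer","groups":["deployers"]},"sourceIPs":["10.0.0.12"],"objectRef":{"resource":"pods","namespace":"demo","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"aaaa-0002","stage":"RequestReceived","requestURI":"/apis/config.openshift.io/v1/apiservers/cluster","verb":"get","user":{"username":"system:admin","groups":["system:masters"]},"sourceIPs":["10.0.0.5"]}
"""


@dataclass
class AuditRecord:
    """One API call, assembled from its request and response entries."""
    audit_id: str
    source_ip: Optional[str] = None
    method: Optional[str] = None          # Kubernetes verb, the audited form of the HTTP method
    user: Optional[str] = None            # original (authenticating) user
    impersonated_user: Optional[str] = None
    impersonated_groups: List[str] = field(default_factory=list)
    namespace: Optional[str] = None       # None for cluster-scoped or non-resource URIs
    uri: Optional[str] = None
    response_code: Optional[int] = None   # stays None until the response entry is seen


def _fill_request_fields(rec: AuditRecord, ev: dict) -> None:
    # Both stages carry the request metadata, so either entry can populate it.
    rec.source_ip = (ev.get("sourceIPs") or [None])[0]
    rec.method = ev.get("verb")
    rec.user = (ev.get("user") or {}).get("username")
    imp = ev.get("impersonatedUser") or {}
    rec.impersonated_user = imp.get("username")
    rec.impersonated_groups = list(imp.get("groups") or [])
    rec.namespace = (ev.get("objectRef") or {}).get("namespace")
    rec.uri = ev.get("requestURI")


def pair_audit_events(log_text: str) -> Dict[str, AuditRecord]:
    """Group JSON-lines audit events by auditID into one record per API call."""
    records: Dict[str, AuditRecord] = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rec = records.setdefault(ev["auditID"], AuditRecord(audit_id=ev["auditID"]))
        _fill_request_fields(rec, ev)
        if ev.get("stage") == "ResponseComplete":
            rec.response_code = (ev.get("responseStatus") or {}).get("code")
    return records


def unmatched_requests(records: Dict[str, AuditRecord]) -> List[str]:
    """auditIDs with a request entry but no response entry. A complete log closes
    every request, so these are the records to look at first."""
    return sorted(aid for aid, rec in records.items() if rec.response_code is None)


if __name__ == "__main__":
    recs = pair_audit_events(SAMPLE_AUDIT_LOG)
    for rec in recs.values():
        print(rec)
    print("unmatched:", unmatched_requests(recs))
```

Run against a real file by replacing SAMPLE_AUDIT_LOG with the contents of an audit log; because both stages carry the request metadata, the pairing still works on clusters whose audit policy omits the RequestReceived stage.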
For more information on how to configure the audit profile, see the OpenShift documentation.
Warning
/apis/config.openshift.io/v1/apiservers/cluster API endpoint to the local /apis/config.openshift.io/v1/apiservers/cluster file.
Rationale
Logging is an important detective control for all systems, to detect potential unauthorised access.
ID: xccdf_org.ssgproject.content_rule_audit_profile_set
Severity: Medium
Remediation - Kubernetes Patch
---
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
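As an added example, not the rule's own check and not code from the ComplianceAsCode project: a Python snippet that evaluates a saved copy of the /apis/config.openshift.io/v1/apiservers/cluster object the way this check does. It reads spec.audit.profile, treats a missing value as the cluster's Default profile (which is what the API server applies when the field is unset), and flags the None profile, which disables API server audit logging, as a failure. Which profiles count as "properly set" is not stated on this page, so the accepted set below is an assumption; the sample dumps are constructed, not taken from a cluster. The last function builds the patch body that the Kubernetes Patch remediation above applies.

```python
import json
from typing import Dict, FrozenSet, Tuple

# Values accepted by spec.audit.profile on a config.openshift.io/v1 APIServer.
# "None" switches API server audit logging off and so can never be "properly set".
KNOWN_PROFILES = frozenset({"Default", "WriteRequestBodies", "AllRequestBodies", "None"})

# Assumption: the rule text does not say which profile is expected. This example
# treats the request-body-logging profiles as compliant; adjust to site policy.
ACCEPTABLE_PROFILES: FrozenSet[str] = frozenset({"WriteRequestBodies", "AllRequestBodies"})


def _dump(spec: dict) -> str:
    """Build a constructed JSON dump of the apiservers/cluster object (not from a real cluster)."""
    return json.dumps({"apiVersion": "config.openshift.io/v1", "kind": "APIServer",
                       "metadata": {"name": "cluster"}, "spec": spec})


DUMP_WRITE_BODIES = _dump({"audit": {"profile": "WriteRequestBodies"}})
DUMP_UNSET = _dump({})                                # no spec.audit at all
DUMP_DISABLED = _dump({"audit": {"profile": "None"}})  # auditing switched off


def effective_audit_profile(dump: str) -> str:
    """Return the profile the cluster actually runs with, given the dumped object."""
    obj = json.loads(dump)
    if obj.get("kind") != "APIServer" or (obj.get("metadata") or {}).get("name") != "cluster":
        raise ValueError("expected the APIServer object named 'cluster'")
    audit = (obj.get("spec") or {}).get("audit") or {}
    # When spec.audit.profile is unset the cluster applies the Default profile.
    profile = audit.get("profile") or "Default"
    if profile not in KNOWN_PROFILES:
        raise ValueError(f"unknown audit profile {profile!r}")
    return profile


def check_audit_profile(dump: str,
                        acceptable: FrozenSet[str] = ACCEPTABLE_PROFILES) -> Tuple[str, bool]:
    """Evaluate the dump: (effective profile, whether it satisfies the accepted set)."""
    profile = effective_audit_profile(dump)
    return profile, profile in acceptable


def remediation_patch(profile: str) -> Dict:
    """Merge-patch body for the APIServer object, mirroring the remediation above."""
    if profile not in KNOWN_PROFILES or profile == "None":
        raise ValueError(f"refusing to set audit profile {profile!r}")
    return {"spec": {"audit": {"profile": profile}}}


if __name__ == "__main__":
    for name, dump in [("write-bodies", DUMP_WRITE_BODIES),
                       ("unset", DUMP_UNSET), ("disabled", DUMP_DISABLED)]:
        profile, ok = check_audit_profile(dump)
        print(f"{name:12s} profile={profile:20s} {'PASS' if ok else 'FAIL'}")
    print(json.dumps(remediation_patch("WriteRequestBodies")))
```

To run it against a live cluster, save the object with `oc get apiserver cluster -o json` and pass the file contents to check_audit_profile; the patch body returned by remediation_patch is what a merge patch of the APIServer object would carry.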