Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
DISA Rule
SV-242403r712565_rule
Vulnerability Number
V-242403
Group Title
SRG-APP-000026-CTR-000070
Rule Version
CNTR-K8-000700
Severity
CAT II
CCI(s)
- CCI-000018 - The information system automatically audits account creation actions.
- CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
- CCI-000131 - The information system generates audit records containing information that establishes when an event occurred.
- CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.
- CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
- CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
- CCI-000135 - The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
- CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
- CCI-001403 - The information system automatically audits account modification actions.
- CCI-001404 - The information system automatically audits account disabling actions.
- CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
- CCI-001814 - The Information system supports auditing of the enforcement actions.
- CCI-002234 - The information system audits the execution of privileged functions.
Weight
10
Fix Recommendation
Edit the Kubernetes API Server audit policy and set it to look like the following:
# Log all requests at the RequestResponse level.
apiVersion: audit.k8s.io/vX  # where X is the latest apiVersion
kind: Policy
rules:
- level: RequestResponse
Check Contents
Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Run the command:
grep -i audit-policy-file *
If the audit-policy-file is not set, this is a finding.
The file given is the policy file and defines what is audited and what information is included with each event.
The policy file must look like this:
# Log all requests at the RequestResponse level.
apiVersion: audit.k8s.io/vX  # where X is the latest apiVersion
kind: Policy
rules:
- level: RequestResponse
If the audit policy file does not look like above, this is a finding.
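The check above can be automated. The script below is an added example, not part of the STIG text or any DISA tooling: it locates the --audit-policy-file flag in the kube-apiserver static pod manifest directory (the STIG's /etc/kubernetes/manifests, passed as an argument here), reads the referenced policy file, and reports a finding if the flag is absent or the policy does not log every request at RequestResponse. The sample manifest and policy it builds under a temporary directory are constructed fixtures, and the sample policy assumes apiVersion audit.k8s.io/v1 in place of the page's vX placeholder; the helper names (audit_policy_path, check_audit_policy, make_fixture) are this example's own.

```shell
#!/bin/sh
# Added example (not from the STIG): automate the V-242403 check.
# Assumes the kube-apiserver static pod manifest lives in the directory
# given as the argument and that the policy path is carried by the
# --audit-policy-file=<path> flag.

# Print the value of --audit-policy-file found in the manifest directory,
# or nothing if the flag is not set anywhere in it.
audit_policy_path() {
    grep -rhi -- '--audit-policy-file' "$1" 2>/dev/null \
        | head -n 1 \
        | sed -n 's/.*--audit-policy-file=\([^" ]*\).*/\1/p'
}

# Return 0 (pass) when the flag is set and the referenced policy logs all
# requests at RequestResponse; return 1 (finding) otherwise.
check_audit_policy() {
    manifests="$1"
    policy=$(audit_policy_path "$manifests")
    if [ -z "$policy" ]; then
        echo "FINDING: --audit-policy-file is not set in $manifests"
        return 1
    fi
    if [ ! -r "$policy" ]; then
        echo "FINDING: policy file $policy is missing or unreadable"
        return 1
    fi
    if ! grep -q '^kind: Policy' "$policy"; then
        echo "FINDING: $policy is not a kind: Policy document"
        return 1
    fi
    if ! grep -q '^ *- *level: *RequestResponse' "$policy"; then
        echo "FINDING: $policy does not log at RequestResponse"
        return 1
    fi
    # Any rule at a lower level (None, Metadata, Request) drops request or
    # response bodies for the requests it matches, so it is a finding too.
    if grep -Eq '^ *- *level: *(None|Metadata|Request)$' "$policy"; then
        echo "FINDING: $policy contains rules below RequestResponse"
        return 1
    fi
    echo "PASS: $policy logs all requests at RequestResponse"
    return 0
}

# Build a constructed manifest directory for demonstration. "$1" is
# "good" (flag present, compliant policy) or "bad" (flag missing).
# Prints the manifest directory path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/manifests"
    cat > "$dir/audit-policy.yaml" <<'EOF'
# Log all requests at the RequestResponse level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
EOF
    if [ "$1" = good ]; then
        flag="    - --audit-policy-file=$dir/audit-policy.yaml"
    else
        flag="    - --audit-log-maxage=30"
    fi
    cat > "$dir/manifests/kube-apiserver.yaml" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
$flag
EOF
    echo "$dir/manifests"
}

# Usage on a real control plane node: sh check-audit.sh /etc/kubernetes/manifests
if [ -n "${1:-}" ]; then
    check_audit_policy "$1"
fi
```

Run it against a manifest directory to get a PASS or FINDING line and a matching exit status, which makes it easy to wire into a compliance job. The pattern matching is deliberately strict: a policy that adds a Metadata or None rule for some requests would pass a looser grep for the RequestResponse line yet still omit the event content this rule requires.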
Vulnerability Number
V-242403
Documentable
False
Rule Version
CNTR-K8-000700
Severity Override Guidance
Check Content Reference
M
Target Key
5376
Comments