C-0161 - Ensure that the audit policy covers key security concerns
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
Security audit logs should cover access and modification of key resources in the cluster, to enable them to form an effective part of a security environment.
Related resources
APIServerInfo
What does this control test
Ensure that the audit policy created for the cluster covers key security concerns.
How to check it manually
Review the audit policy provided for the cluster and ensure that it covers at least the following areas :-
- Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data.
- Modification of
podanddeploymentobjects. - Use of
pods/exec,pods/portforward,pods/proxyandservices/proxy.
For most requests, minimally logging at the Metadata level is recommended (the most basic level of logging).
Remediation
Consider modification of the audit policy in use on the cluster to include these items, at a minimum.
Impact Statement
Increasing audit logging will consume resources on the nodes or other log destination.
Default Value
By default Kubernetes clusters do not log audit information.
Example
No example
Updated about 1 month ago