documentation_complete: true


title: 'Configure the Kubernetes API Server Maximum Retained Audit Logs'

# Jinja2 preprocessing (project-specific delimiters): the standard
# kube-apiserver configmap path/filter and the HyperShift kas-config variants.
# The if/else text embedded in custom_api_path / custom_jqfilter is not Jinja;
# it is left in the rendered string and presumably evaluated later as a Go
# template (".hypershift_cluster" syntax) -- confirm against the consumer.
# Only default_api_path / default_jqfilter feed the template's filepath below;
# the HyperShift variants reach only dump_path, i.e. the warnings macro.
{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

# Remediation guidance shown to the reader. Note the example shows the
# integer list [10], while the automated check below pattern-matches the
# string '10' (type: string); the template presumably compares the textual
# form of each list element -- confirm if the check ever misfires.
description: |-
    To configure how many rotations of audit logs are retained,
    edit the <tt>openshift-kube-apiserver</tt> configmap
    and set the <tt>audit-log-maxbackup</tt> parameter to
    <tt>10</tt> or to an organizationally appropriate value:
    <pre>
    "apiServerArguments":{
      ...
      "audit-log-maxbackup": [10],
      ...
    </pre>

# Why retained audit-log rotations matter for investigation/correlation.
rationale: |-
    OpenShift automatically rotates the log files. Retaining old log files ensures
    OpenShift Operators will have sufficient log data available for carrying out
    any investigation or correlation. For example, if the audit log size is set to
    100 MB and the number of retained log files is set to 10, OpenShift Operators
    would have approximately 1 GB of log data to use during analysis.

identifiers:
  cce@ocp4: CCE-83739-3


severity: low

# Control mappings (CIS OCP4, NERC CIP, NIST 800-53, PCI DSS, SRG).
references:
    cis@ocp4: 1.2.22
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2
    srg: SRG-APP-000516-CTR-001325

# Applicability: the rule is excluded on HyperShift hosted clusters, which is
# consistent with filepath below reading only the default (non-HyperShift)
# configmap.
platform: not ocp4-on-hypershift-hosted

ocil_clause: '<tt>audit-log-maxbackup</tt> is set to <tt>10</tt> or as appropriate'

# Manual check procedure for an assessor; mirrors the automated yamlpath
# below but inspects only element [0] of the list.
ocil: |-
    Run the following command:
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["audit-log-maxbackup"][0]'</pre>
    The output should return a value of <pre>10</pre> or as appropriate.

# Rendered warning built from dump_path (default path, default filter, and the
# runtime-selected filter); presumably tells the assessor which API resources
# to collect for offline evaluation -- the macro body is not visible here.
warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

# Automated check. Template inputs are string-typed (quoted), not bare
# booleans/ints.
template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    entity_check: "at least one"
    # Reads the dump of the default configmap only (see platform above).
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    # "[:]" selects every element of the audit-log-maxbackup list.
    yamlpath: '.apiServerArguments["audit-log-maxbackup"][:]'
    # NOTE(review): "pattern match" is a regex comparison; if the
    # yamlfile_value template does not anchor it, the pattern '10' also
    # matches values such as 100 or 210 -- confirm against the template or
    # anchor the value if an exact match is intended.
    values:
    - value: '10'
      operation: "pattern match"
      type: "string"
      # Passes when at least one list element matches the pattern.
      entity_check: "at least one"