File: shared.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (108 lines) | stat: -rw-r--r-- 3,345 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
checktext: |-
  List the cluster log forwarders defined:

  > oc get clusterlogforwarder -n openshift-logging

  If there are no clusterlogforwarders defined, this is a finding.

  For each cluster log forwarder listed above, view the configuration details:

  > oc describe clusterlogforwarder/<CLF_NAME> -n openshift-logging

  Review the details of the cluster log forwarder. If the configuration is
  not set to forward logs the organization's centralized logging service,
  this is a finding.

fixtext: |-
  After the OpenShift Logging operator has been installed, you can
  create a ClusterLogForwarder instance to forward cluster logs to a log
  aggregator. A basic configuration that would forward OpenShift audit,
  application, and infrastructure logs to an rsyslog server that you manage
  separately, and is configured for mTLS authentication over TCP when
  sending Audit logs but traditional UDP access for other types of logs,
  can be provided by editing the appropriate values in the Secret resource
  below and changing the "url" parameters in the "outputs" section of the
  "spec" below, then running the command to apply it like this: 

  oc apply -f - << 'EOF' 
  --- 
  apiVersion: v1 
  kind: Secret 
  metadata:
    name: rsyslog-tls-secret 
    namespace: openshift-logging
  data:
    tls.crt: <base64 encoded client certificate> 
    tls.key: <base64 encoded client key> 
    ca-bundle.crt: <base64 encoded CA bundle that signed the
    certificate of your rsyslog server>
  ...  
  --- 
  apiVersion: logging.openshift.io/v1 
  kind: ClusterLogForwarder
  metadata:
    name: instance 
    namespace: openshift-logging
  spec:
    outputs: 
    - name: rsyslog-audit
      type: syslog 
      syslog:
        facility: security 
        rfc: RFC5424 
        severity: Informational
        appName: openshift 
        msgID: audit 
        procID: audit
      url: 'tls://rsyslogserver.example.com:514' 
      secret:
        name: rsyslog-tls-secret
    - name: rsyslog-apps
      type: syslog 
      syslog:
        facility: user 
        rfc: RFC5424 
        severity: Informational 
        appName: openshift 
        msgID: apps 
        procID: apps
      url: 'udp://rsyslogserver.example.com:514'
    - name: rsyslog-infra
      type: syslog 
      syslog:
        facility: local0 
        rfc: RFC5424 
        severity: Informational 
        appName: openshift 
        msgID: infra 
        procID: infra
      url: 'udp://rsyslogserver.example.com:514'
    pipelines: 
    - name: audit-logs
      inputRefs:
        - audit
      outputRefs:
        - rsyslog-audit
    - name: apps-logs
      inputRefs:
        - application
      outputRefs:
        - rsyslog-apps
    - name: infrastructure-logs
      inputRefs:
        - infrastructure
      outputRefs:
        - rsyslog-infra
  ...  
  EOF

  Please note that many log forwarding destinations are
  supported, and the fix does not require that you forward your
  audit logs to rsyslog over mTLS. To better understand how to
  configure the ClusterLogForwarder for your infrastructure and
  environment, please consult the OpenShift Logging documentation:
  https://docs.openshift.com/container-platform/latest/logging/cluster-logging-external.html

srg_requirement: |-
  The container platform must initiate session auditing upon startup.