File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (47 lines) | stat: -rw-r--r-- 2,129 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
 

title: Ensure that Audit Log Webhook Is Configured

{{% set default_jqfilter = '.spec' %}}
{{% set default_api_path = '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' %}}

{{% set v6_default_jqfilter = '.items[].spec' %}}
{{% set v6_default_api_path = '/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders' %}}

{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}' %}}

{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ default_jqfilter %}}
{{% set v6_dump_path = v6_default_api_path ~ ',' ~ v6_default_jqfilter ~ ',' ~ v6_default_jqfilter %}}

description: |-
  Audit is on by default and the best practice is to ship audit logs off an cluster for retention.
  HyperShift is able to do this with the a audit webhook, which is configured in the HostedCluster
  custom resource. The forementioned resource can be configured to log to different third party systems.
  For more information on this, please reference the official documentation:
  {{{ weblink(link="https://hypershift-docs.netlify.app/reference/api/") }}}

rationale: |-
  Retaining logs ensures the ability to go back in time to investigate or correlate any events.
  Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to
  tamper with the logs because of the logs being stored off-site.

severity: medium

identifiers:
  cce@ocp4: CCE-86103-9

references:
  cis@ocp4: 1.2.21
  pcidss: Req-2.2,Req-10.5.3,Req-10.5.4

platform: ocp4-on-hypershift

ocil_clause: 'Audit Webhook not configured'

ocil: |-
    Run the following command to verify that the audit webhook is configured:
    <pre>oc get hostedclusters {{.hypershift_cluster}} -n clusters -ojson | jq -r '.items[].spec.auditWebhook'</pre>
    The output should contain a properly configured webhook.

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting_suppressed({hypershift_path: dump_path, hypershift_path: v6_dump_path}) | indent(4) }}}