File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (80 lines) | stat: -rw-r--r-- 2,966 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
 
documentation_complete: true


title: 'Configure the Audit Log Path'

{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    To enable auditing on the OpenShift API Server, the audit log path must be set.
    Edit the <tt>openshift-apiserver</tt> configmap
    and set the <tt>audit-log-path</tt> to a suitable path and file
    where audit logs should be written. For example:
    <pre>
    "apiServerArguments":{
      ...
      "audit-log-path":"/var/log/openshift-apiserver/audit.log",
      ...
    </pre>

rationale: |-
    Auditing of the API Server is not enabled by default. Auditing the API Server
    provides a security-relevant chronological set of records documenting the sequence
    of activities that have affected the system by users, administrators, or other
    system components.

identifiers:
  cce@ocp4: CCE-83547-0


severity: high

references:
    cis@ocp4: 1.2.20
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2
    srg: SRG-APP-000516-CTR-001325

platform: not ocp4-on-hypershift-hosted

ocil_clause: '<tt>audit-log-path</tt> does not contain a valid audit file path'

ocil: |-
    Run the following command:
    <pre>$ oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["audit-log-path"]'</pre>
    The output should return a valid audit log path.

warnings:
    - general: |-
        {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-apiserver/configmaps/config") | indent(8) }}}

template:
    name: yamlfile_value
    vars:
        ocp_data: "true"
        filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
        yamlpath: '.data["config.yaml"]'
        check_existence: "at_least_one_exists"
        values:
            - value: '\"audit-log-path\"\s*:\s*\[\s*\".+\"\s*\]'
              type: "string"
              operation: "pattern match"
template:
    name: yamlfile_value
    vars:
        ocp_data: "true"
        filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
        yamlpath: '.apiServerArguments[:]'
        check_existence: "none_exist"
        values:
            - key: 'basic-auth-file'
              type: "string"
              operation: "pattern match"