File: rule.yml

# scap-security-guide rule definition: verifies that the OpenShift
# kube-apiserver caps the size of each audit log file (audit-log-maxsize)
# so that logs are rotated rather than growing unbounded.
documentation_complete: true


title: 'Configure Kubernetes API Server Maximum Audit Log Size'

# Jinja block: assemble the API resource path and jq filter used to read the
# kube-apiserver configuration. The default reads the "config" configmap in
# the openshift-kube-apiserver namespace (config.yaml key); the HyperShift
# variant reads a per-cluster "kas-config" configmap (config.json key).
# custom_api_path / custom_jqfilter wrap both in a Go-template conditional on
# .hypershift_cluster, which is resolved at scan time, not at build time.
{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
# dump_path is a comma-separated triple (default path, default filter,
# conditional filter) consumed only by the warnings macro further down.
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    To rotate audit logs upon reaching a maximum size,
    edit the <tt>openshift-kube-apiserver</tt> configmap
    and set the <tt>audit-log-maxsize</tt> parameter to
    an appropriate size in MB. For example, to set it to 100 MB:
    <pre>
    "apiServerArguments":{
      ...
      "audit-log-maxsize": ["100"],
      ...
    </pre>

rationale: |-
    OpenShift automatically rotates log files. Retaining old log files ensures that
    OpenShift Operators have sufficient log data available for carrying out any
    investigation or correlation. If you have set file size of 100 MB and the number of
    old log files to keep as 10, there would be approximately 1 GB of log data
    available for use in analysis.

identifiers:
  cce@ocp4: CCE-83607-2


severity: medium

references:
    cis@ocp4: 1.2.23
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2
    srg: SRG-APP-000516-CTR-001325

# The rule is excluded on HyperShift hosted clusters. NOTE(review): the
# hypershift_* variables above are nevertheless still folded into dump_path for
# the warning text below - confirm that this is intended for the non-hosted case.
platform: not ocp4-on-hypershift-hosted

ocil_clause: '<tt>audit-log-maxsize</tt> is set to <tt>100</tt> or as appropriate'

# Manual check. It reads the default (non-HyperShift) configmap directly; the
# expected output is ["100"], whereas the automated template below accepts any
# integer value of 100 or more.
ocil: |-
    Run the following command:
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["audit-log-maxsize"]'</pre>
    The output should return a value of <pre>["100"]</pre> or as appropriate.

# Rendered warning describing the cluster resource the check reads; the macro
# receives a one-entry mapping of the conditional API path to dump_path.
warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

# Automated check: yamlfile_value over the filtered kube-apiserver config.
# yamlpath expands every element of apiServerArguments["audit-log-maxsize"];
# the rule passes when at least one element is an int >= 100. Only the default
# (non-HyperShift) path/filter is used for filepath here.
template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    entity_check: "at least one"
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    yamlpath: '.apiServerArguments["audit-log-maxsize"][:]'
    values:
    - value: 100
      operation: "greater than or equal"
      type: "int"
      entity_check: "at least one"