1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Retain 10 or an appropriate number of old log files.

Rationale:

Kubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value.

--audit-log-maxbackup=10

Impact:

None

Default Value:

By default, auditing is not enabled.

References:

https://kubernetes.io/docs/admin/kube-apiserver/

https://kubernetes.io/docs/concepts/cluster-administration/audit/

https://github.com/kubernetes/features/issues/22

See Also

https://workbench.cisecurity.org/files/2662

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv6|6.3, CSCv7|6.4

Plugin: Unix

Control ID: 1b2a48712f3521bf43556390d2de28ef57eb0495cc96cd5d3537210694f82779