1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Rotate log files on reaching 100 MB or as appropriate.

Rationale:

Kubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB. For example, to set it as 100 MB:

--audit-log-maxsize=100

Impact:

None

Default Value:

By default, auditing is not enabled.

References:

https://kubernetes.io/docs/admin/kube-apiserver/

https://kubernetes.io/docs/concepts/cluster-administration/audit/

https://github.com/kubernetes/features/issues/22

See Also

https://workbench.cisecurity.org/files/2662

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv6|6.3, CSCv7|6.4

Plugin: Unix

Control ID: 777a94ed50844e8e81875c4cd566aba10fe5fd48f304a8a2e5cc315db44fff37