CNTR-K8-000600 - The Kubernetes API Server must have an audit policy set.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

When Kubernetes is started, components and user services are started. For auditing startup events, and events for components and services, it is important that auditing begin on startup. Within Kubernetes, audit data for all components is generated by the API server. To enable auditing to begin, an audit policy must be defined for the events and the information to be stored with each event. It is also necessary to give a secure location where the audit logs are to be stored. If an audit log path is not specified, all audit data is sent to studio.

Solution

Edit the Kubernetes API Server manifest and set '--audit-policy-file' to the audit policy file.

Note: If the API server is running as a Pod, then the manifest will also need to be updated to mount the host system filesystem where the audit policy file resides.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R8_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001464, Rule-ID|SV-242401r863977_rule, STIG-ID|CNTR-K8-000600, Vuln-ID|V-242401

Plugin: Unix

Control ID: 83b9cc1d61f795ad79ec58582153270b2a4833eb2a5d6f79d2710443e3a4c524