Detections
Analytics
CNTR-R2-000060 - Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application when accounts are created. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.Within Rancher RKE2, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know where within the container platform the event occurred.
To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.
Satisfies: SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000092-CTR-000165, SRG-APP-000095-CTR-000170, SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000101-CTR-000205, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000343-CTR-000780, SRG-APP-000358-CTR-000805, SRG-APP-000374-CTR-000865, SRG-APP-000375-CTR-000870, SRG-APP-000381-CTR-000905, SRG-APP-000409-CTR-000990, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, SRG-APP-000503-CTR-001275, SRG-APP-000504-CTR-001280, SRG-APP-000505-CTR-001285, SRG-APP-000506-CTR-001290, SRG-APP-000507-CTR-001295, SRG-APP-000508-CTR-001300, SRG-APP-000509-CTR-001305, SRG-APP-000510-CTR-001310, SRG-APP-000516-CTR-000790, SRG-APP-00516-CTR-001325
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Audit logging and policies:Edit the /etc/rancher/rke2/config.yaml file, and enable the audit policy:
audit-policy-file: /etc/rancher/rke2/audit-policy.yaml
1. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains required configuration.
--audit-policy-file= Path to the file that defines the audit policy configuration. (Example: /etc/rancher/rke2/audit-policy.yaml)
--audit-log-mode=blocking-strict
If configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server
2. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains required configuration.
If using RKE2 v1.24 or older, set:
profile: cis-1.6
If using RKE2 v1.25 or newer, set:
profile: cis-1.23
Available with October 2023 releases (v1.25.15+rke2r1, v1.26.10+rke2r1, v1.27.7+rke2r1, v1.28.3+rke2r1), use the generic profile "cis".
If configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server
3. Edit the audit policy file, by default located at /etc/rancher/rke2/audit-policy.yaml to look like below:
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
name: rke2-audit-policy
rules:
- level: Metadata
resources:
- group: ""
resources: ["secrets"]
- level: RequestResponse
resources:
- group: ""
resources: ["*"]
If configuration files are updated on a host, restart the RKE2 Service. Run the command "systemctl restart rke2-server" for server hosts and "systemctl restart rke2-agent" for agent hosts.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RGS_RKE2_V2R4_STIG.zip
Item Details
Audit Name: DISA Rancher Government Solutions RKE2 STIG v2r4
References: CAT|II, CCI|CCI-000018, CCI|CCI-000130, CCI|CCI-000131, CCI|CCI-000132, CCI|CCI-000133, CCI|CCI-000134, CCI|CCI-000135, CCI|CCI-000172, CCI|CCI-000366, CCI|CCI-001403, CCI|CCI-001404, CCI|CCI-001464, CCI|CCI-001487, CCI|CCI-001851, CCI|CCI-001889, CCI|CCI-001890, CCI|CCI-002130, CCI|CCI-002234, CCI|CCI-002884, CCI|CCI-003938, Rule-ID|SV-254555r1056186_rule, STIG-ID|CNTR-R2-000060, Vuln-ID|V-254555
Plugin: Unix
Control ID: c7c170f33b478efdb72e0e6cc5dac2457a765979645b5f3d43922cae7ff61fba