MKE must be configured to send audit data to a centralized log server.


Overview

Finding ID: V-260915
Version: CNTR-MK-000310
Rule ID: SV-260915r966102_rule
IA Controls: (none listed)
Severity: Medium
Description
Sending audit data from MKE to a centralized log server enhances centralized monitoring, facilitates efficient incident response, scales effectively, provides redundancy, and helps organizations meet compliance requirements. This is the recommended best practice for managing Kubernetes environments, especially in enterprise settings.
STIG: Mirantis Kubernetes Engine Security Technical Implementation Guide
Date: 2024-04-10

Details

Check Text (C-64644r966100_chk)
Check centralized log server configuration.

Via CLI, execute the following commands as a trusted user on the host operating system:

cat /etc/docker/daemon.json

Verify that the "log-driver" property is set to one of the following: "syslog", "journald", or "" (where is the naming of a third-party Docker logging driver plugin).

Work with the SIEM administrator to determine if an alert is configured when audit data is no longer received as expected.

If "log-driver" is not set, or if alarms are not configured in the SIEM, then this is a finding.
Fix Text (F-64552r966101_fix)
Configure the logging driver by setting the "log-driver" and "log-opts" keys to appropriate values in the daemon.json file. Refer to this link for extra assistance: https://docs.docker.com/config/containers/logging/syslog/.

Via CLI:
Linux:
1. As a trusted user on the host OS, open the /etc/docker/daemon.json file for editing. If the file does not exist, it must be created.

2. Set the "log-driver" property to one of the following:
"syslog", "journald", or "" (where is the naming of a third-party MKE logging driver plugin).
Note: Mirantis recommends the "journald" setting.

The following example sets the log driver to journald:

{
"log-driver": "journald"
}


3. Configure the "log-opts" object as required by the selected "log-driver".

4. Save the file.

5. Restart the Docker daemon by executing the following:

sudo systemctl restart docker

Configure rsyslog to send logs to the SIEM system.

1. Edit the /etc/rsyslog.conf file and add a forwarding rule with the IP address or hostname of the remote server.
Example: *.* @@loghost.example.com

2. Work with the SIEM administrator to configure an alert when no audit data is received from Mirantis.
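The check text above (the "log-driver" test on /etc/docker/daemon.json) and the rsyslog forwarding step can both be automated on the host. The following Python script is an added example written for this page; it is not part of the STIG, Mirantis, or Docker. It reads the two files as text (sample contents are constructed inline so it runs offline), evaluates "log-driver" the way the check describes, and extracts any legacy-syntax remote forwarding rules ("@host" for UDP, "@@host" for TCP) from rsyslog.conf. The treatment of Docker's built-in host-local drivers ("json-file", "local", "none") as findings, and of any other unlisted driver as a presumed third-party plugin, is this script's assumption, not wording from the rule. The SIEM alert requirement cannot be verified from the host and is left to the SIEM administrator.

```python
import json
import re

# Drivers the check text names explicitly.
ACCEPTED_DRIVERS = {"syslog", "journald"}

# Assumption for this example: Docker's built-in drivers that keep logs on the
# host and forward nothing are treated as findings, since the rule's purpose is
# delivery to a centralized log server.
LOCAL_ONLY_DRIVERS = {"json-file", "local", "none"}

# Legacy rsyslog forwarding rule:  <selector>  @host[:port]  or  @@host[:port]
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<proto>@@?)(?P<host>[^\s:]+)(?::(?P<port>\d+))?$"
)


def check_log_driver(daemon_json_text):
    """Evaluate the "log-driver" property of daemon.json.

    Returns (is_finding, reason). Missing key, empty value or unparseable JSON
    is a finding, as is a host-local driver. "syslog" and "journald" pass; any
    other non-empty value is assumed to be a third-party logging driver plugin.
    """
    try:
        cfg = json.loads(daemon_json_text)
    except json.JSONDecodeError as exc:
        return True, f"daemon.json is not valid JSON: {exc}"
    driver = cfg.get("log-driver")
    if not driver:
        return True, '"log-driver" is not set'
    if driver in LOCAL_ONLY_DRIVERS:
        return True, f'log-driver is "{driver}": logs stay on the local host'
    if driver in ACCEPTED_DRIVERS:
        return False, f'log-driver is "{driver}"'
    return False, f'log-driver is assumed third-party plugin "{driver}"'


def find_forwarding_targets(rsyslog_conf_text):
    """Return the remote forwarding rules found in an rsyslog.conf.

    Comments and blank lines are skipped. Each result records the selector,
    the protocol ("tcp" for "@@", "udp" for "@"), the host and the port
    (514 when none is given).
    """
    targets = []
    for line in rsyslog_conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = FORWARD_RE.match(stripped)
        if not m:
            continue
        targets.append({
            "selector": m.group("selector"),
            "protocol": "tcp" if m.group("proto") == "@@" else "udp",
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else 514,
        })
    return targets


def assess(daemon_json_text, rsyslog_conf_text):
    """Combine both host-side checks; returns a list of finding descriptions.

    An empty list means the host-side configuration passes; the SIEM alert
    check still has to be confirmed with the SIEM administrator.
    """
    findings = []
    is_finding, reason = check_log_driver(daemon_json_text)
    if is_finding:
        findings.append(reason)
    if not find_forwarding_targets(rsyslog_conf_text):
        findings.append("rsyslog.conf contains no remote forwarding rule")
    return findings


# Constructed sample inputs (not taken from a real host).
NONCOMPLIANT_DAEMON_JSON = '{"log-driver": "json-file", "log-opts": {"max-size": "10m"}}'
COMPLIANT_DAEMON_JSON = json.dumps(
    {"log-driver": "journald", "log-opts": {"tag": "{{.Name}}/{{.ID}}"}}, indent=2
)
SAMPLE_RSYSLOG_CONF = """# constructed sample rsyslog.conf
module(load="imuxsock")
*.info;mail.none /var/log/messages
*.* @@loghost.example.com:514
"""

if __name__ == "__main__":
    for label, cfg in (("noncompliant", NONCOMPLIANT_DAEMON_JSON),
                       ("compliant", COMPLIANT_DAEMON_JSON)):
        problems = assess(cfg, SAMPLE_RSYSLOG_CONF)
        print(f"{label}: {'no host-side findings' if not problems else problems}")
```

On a real host, replace the constructed strings with the contents of /etc/docker/daemon.json and /etc/rsyslog.conf; the forwarding parser only understands the legacy "@host" syntax shown in the fix text, so rules written with the newer omfwd action() syntax would need a separate check.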