Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-260915 | CNTR-MK-000310 | SV-260915r966102_rule | | Medium |
Description |
---|
Sending audit data from MKE to a centralized log server enhances centralized monitoring, facilitates efficient incident response, scales effectively, provides redundancy, and helps organizations meet compliance requirements. This is the recommended best practice for managing Kubernetes environments, especially in enterprise settings. |
STIG | Date |
---|---|
Mirantis Kubernetes Engine Security Technical Implementation Guide | 2024-06-17 |
Check Text (C-64644r966100_chk)

Check the centralized log server configuration. Via CLI, execute the following command as a trusted user on the host operating system:

cat /etc/docker/daemon.json

Verify that the "log-driver" property is set to one of the following: "syslog", "journald", or "

Work with the SIEM administrator to determine if an alert is configured when audit data is no longer received as expected.

If "log-driver" is not set, or if alarms are not configured in the SIEM, then this is a finding.
Fix Text (F-64552r966101_fix)

Configure the logging driver by setting the "log-driver" and "log-opts" keys to appropriate values in the daemon.json file. Refer to this link for extra assistance: https://docs.docker.com/config/containers/logging/syslog/.

Via CLI (Linux):

1. As a trusted user on the host OS, open the /etc/docker/daemon.json file for editing. If the file does not exist, it must be created.
2. Set the "log-driver" property to one of the following: "syslog", "journald", or "
   Note: Mirantis recommends the "journald" setting. The following example sets the log driver to journald: { "log-driver": "journald" }
3. Configure the "log-opts" object as required by the selected "log-driver".
4. Save the file.
5. Restart the Docker daemon by executing the following: sudo systemctl restart docker

Configure rsyslog to send logs to the SIEM system:

1. Edit the /etc/rsyslog.conf file and add the IP address of the remote server. Example: *.* @@loghost.example.com
2. Work with the SIEM administrator to configure an alert when no audit data is received from Mirantis.