Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-254555 | CNTR-R2-000060 | SV-254555r870265_rule | Medium |
Description |
---|
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application when accounts are created. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. Within Rancher RKE2, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know where within the container platform the event occurred. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality. Satisfies: SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000092-CTR-000165, SRG-APP-000095-CTR-000170, SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000101-CTR-000205, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000343-CTR-000780, SRG-APP-000358-CTR-000805, SRG-APP-000374-CTR-000865, SRG-APP-000375-CTR-000870, SRG-APP-000381-CTR-000905, SRG-APP-000409-CTR-000990, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, SRG-APP-000503-CTR-001275, SRG-APP-000504-CTR-001280, SRG-APP-000505-CTR-001285, SRG-APP-000506-CTR-001290, SRG-APP-000507-CTR-001295, SRG-APP-000508-CTR-001300, SRG-APP-000509-CTR-001305, SRG-APP-000510-CTR-001310, SRG-APP-000516-CTR-000790, SRG-APP-00516-CTR-001325 |
STIG | Date |
---|---|
Rancher Government Solutions RKE2 Security Technical Implementation Guide | 2022-10-13 |
Check Text ( C-58039r870264_chk ) |
---|
Audit logging and policies: 1. On all hosts running RKE2 Server, run the command: kubectl get po -n kube-system -l component=kube-apiserver -o=jsonpath="{.items[*].spec.containers[*].command}" If --audit-policy-file is not set, this is a finding. If --audit-log-mode is not set or = "blocking-strict", this is a finding. 2. Ensure the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc./rancher/rke2/config.yaml, contains CIS profile setting. Run the following command: cat /etc./rancher/rke2/config.yaml If a value for profile is not found, this is a finding. (Example: "profile: cis-1.6" ) 3. Check the contents of the audit-policy file. By default RKE2 expects the audit-policy file to be located at /etc./rancher/rke2/audit-policy.yaml; however, this location can be overridden in the /etc./rancher/rke2/config.yaml file with argument 'kube-apiserver-arg: "audit-policy-file=/etc./rancher/rke2/audit-policy.yaml"'. If the audit policy file does not exist or does not look like the following, this is a finding. # Log all requests at the RequestResponse level. apiVersion: audit.k8s.io/vX (Where X is the latest apiVersion) kind: Policy rules: - level: RequestResponse |
Fix Text (F-57988r859234_fix) |
---|
Audit logging and policies: Edit the /etc./rancher/rke2/config.yaml file, and enable the audit policy: audit-policy-file: /etc./rancher/rke2/audit-policy.yaml 1. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc./rancher/rke2/config.yaml, so that it contains required configuration. --audit-policy-file= Path to the file that defines the audit policy configuration. (Example: /etc./rancher/rke2/audit-policy.yaml) --audit-log-mode=blocking-strict If configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server 2. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc./rancher/rke2/config.yaml, so that it contains required configuration. For example: profile: cis-1.6 If configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server 3. Edit the audit policy file, by default located at /etc./rancher/rke2/audit-policy.yaml to look like below: # Log all requests at the RequestResponse level. apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: RequestResponse If configuration files are updated on a host, restart the RKE2 Service. Run the command: 'systemctl restart rke2-server' for server hosts and 'systemctl restart rke2-agent' for agent hosts. |