Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-257517 | CNTR-OS-000150 | SV-257517r921494_rule | Medium |
Description |
---|
The OpenShift Platform supports three audit levels: Default, WriteRequestBodies, and AllRequestBodies. The identities of the users are logged for all three audit levels log level. The WriteRequestBodies will log the metadata and the request body for any create, update, or patch request. The AllRequestBodies will log the metadata and the request body for all read and write requests. As this generates a significant number of logs, this level is only to be used as needed. To capture sufficient data to investigate an issue, it is required to set the audit level to WriteRequestBodies. For more detailed documentation on what is being logged, refer to https://docs.openshift.com/container-platform/4.8/security/audit-log-view.html. Satisfies: SRG-APP-000089-CTR-000150, SRG-APP-000090-CTR-000155, SRG-APP-000101-CTR-000205, SRG-APP-000510-CTR-001310, SRG-APP-000516-CTR-000790 |
STIG | Date |
---|---|
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide | 2023-08-28 |
Check Text ( C-61252r921492_chk ) |
---|
To determine at what level the OpenShift audit policy logging verbosity is configured, as a cluster-administrator:execute the following command: oc get apiserver.config.openshift.io/cluster -ojsonpath='{.spec.audit.profile}' If the output from the options does not return WriteRequestBodies or AllRequestBodies, this is a finding. |
Fix Text (F-61176r921493_fix) |
---|
As the cluster administrator, update the APIServer.config.openshift.io/cluster object to set the profile to the defined level of detail. For example, to configure the profile to WriteRequestBodies, meaning that all write requests to any API server object are logged in their entirety, by executing the following: oc patch apiserver.config.openshift.io/cluster --type=merge -p '{"spec": {"audit": {"profile": "WriteRequestBodies"}}}' |