-
Notifications
You must be signed in to change notification settings - Fork 710
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CMP-2375: Implement a new rule for checking audit logging is enabled
We already have a rule that checks that audit logging is configured to a specific level called audit_profile_set. While this works, it was being used for CIS OpenShift controls 3.2.1 and 3.2.2. CIS 3.2.1 is really just checking if audit logging is enabled, or that the profile isn't set to `None`. CIS 3.2.2 is checking that the audit profile is set to `WriteRequestBodies`. Using the same rule for both controls was causing confusion because control 3.2.1 should be satisfied by default with OpenShift using the `Default` audit profile. Control 3.2.2 is a level 2 control that requires users to make a change to the api server configuration to remediate the finding. This commit breaks the rule into two separate rules so that its easier to see that one rule is clearly for CIS 3.2.1 and the other is for CIS 3.2.2.
- Loading branch information
Showing
5 changed files
with
60 additions
and
3 deletions.
There are no files selected for viewing
56 changes: 56 additions & 0 deletions
56
applications/openshift/logging/audit_logging_enabled/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
|
|
||
| title: Ensure that API server audit logging is enabled | ||
|
|
||
| description: |- | ||
| OpenShift has the ability to audit API server requests. Audit provides a | ||
| security-relevant chronological set of records documenting the sequence of | ||
| activities that have affected system by individual users, administrators, or | ||
| other components of the system. Audit works at the API server level, logging | ||
| all requests coming to the server. | ||
| Verify that audit logging is enabled by checking that the API server audit | ||
| log configuration is not set to `None`, which explicitly disables the | ||
| functionality. | ||
| For more information on how to configure the audit profile, please visit | ||
| {{{ weblink(link="https://docs.openshift.com/container-platform/latest/security/audit-log-policy-config.html", | ||
| text="the documentation") }}} | ||
| rationale: |- | ||
| Logging is an important detective control for all systems, to detect potential | ||
| unauthorised access. | ||
| identifiers: | ||
| cce@ocp4: CCE-90619-8 | ||
|
|
||
| references: | ||
| cis@ocp4: 3.2.1 | ||
| nerc-cip: CIP-003-8 R4,CIP-003-8 R4.1,CIP-003-8 R4.2,CIP-003-8 R5.2,CIP-003-8 R6,CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-004-6 R3.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5 | ||
| nist: AU-2,AU-3,AU-3(1),AU-6,AU-6(1),AU-7,AU-7(1),AU-8,AU-8(1),AU-9,AU-12,AU-12(1),AU-12(3),CM-5(1),SI-11,SI-12,SI-4(20),SI-4(23) | ||
| pcidss: Req-2.2,Req-12.5.5 | ||
| srg: SRG-APP-000089-CTR-000150,SRG-APP-000090-CTR-000155,SRG-APP-000101-CTR-000205 | ||
|
|
||
| ocil_clause: 'Audit logging is not enabled' | ||
|
|
||
| ocil: |- | ||
| Run the following command to retrieve the current audit profile: | ||
| <pre>$ oc get apiservers cluster -ojsonpath='{.spec.audit.profile}'</pre> | ||
| Make sure the value is not set to `None`. | ||
| severity: medium | ||
|
|
||
| warnings: | ||
| - general: |- | ||
| {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(4) }}} | ||
| template: | ||
| name: yamlfile_value | ||
| vars: | ||
| ocp_data: "true" | ||
| filepath: /apis/config.openshift.io/v1/apiservers/cluster | ||
| yamlpath: "spec.audit.profile" | ||
| values: | ||
| - value: "None" | ||
| type: "string" | ||
| operation: "not equal" |
2 changes: 2 additions & 0 deletions
2
applications/openshift/logging/audit_logging_enabled/tests/ocp4/e2e.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| --- | ||
| default_result: PASS |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3581,7 +3581,6 @@ CCE-90614-9 | |
| CCE-90616-4 | ||
| CCE-90617-2 | ||
| CCE-90618-0 | ||
| CCE-90619-8 | ||
| CCE-90620-6 | ||
| CCE-90621-4 | ||
| CCE-90622-2 | ||
|
|
||