OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.
Overview
Finding ID
Version
Rule ID
IA Controls
Severity
V-257517
CNTR-OS-000150
SV-257517r960879_rule
Medium
Description
The OpenShift Platform supports three audit levels: Default, WriteRequestBodies, and AllRequestBodies. The identities of the users are logged for all three audit levels log level. The WriteRequestBodies will log the metadata and the request body for any create, update, or patch request. The AllRequestBodies will log the metadata and the request body for all read and write requests. As this generates a significant number of logs, this level is only to be used as needed. To capture sufficient data to investigate an issue, it is required to set the audit level to WriteRequestBodies.
For more detailed documentation on what is being logged, refer to https://docs.openshift.com/container-platform/4.8/security/audit-log-view.html.
Satisfies: SRG-APP-000089-CTR-000150, SRG-APP-000090-CTR-000155, SRG-APP-000101-CTR-000205, SRG-APP-000510-CTR-001310, SRG-APP-000516-CTR-000790
To determine at what level the OpenShift audit policy logging verbosity is configured, as a cluster-administrator:execute the following command:
oc get apiserver.config.openshift.io/cluster -ojsonpath='{.spec.audit.profile}'
If the output from the options does not return WriteRequestBodies or AllRequestBodies, this is a finding.
Fix Text (F-61176r921493_fix)
As the cluster administrator, update the APIServer.config.openshift.io/cluster object to set the profile to the defined level of detail. For example, to configure the profile to WriteRequestBodies, meaning that all write requests to any API server object are logged in their entirety, by executing the following: