diff --git a/applications/openshift/logging/audit_profile_set/rule.yml b/applications/openshift/logging/audit_profile_set/rule.yml
new file mode 100644
index 000000000000..438c12eeef23
--- /dev/null
+++ b/applications/openshift/logging/audit_profile_set/rule.yml
@@ -0,0 +1,71 @@
+prodtype: ocp4
+
+title: Ensure that the cluster's audit profile is properly set
+
+description: |-
+
+ OpenShift can audit the details of requests made to the API server through + the standard Kubernetes audit capabilities. +
+ ++ In OpenShift, auditing of the API Server is on by default. Audit provides a + security-relevant chronological set of records documenting the sequence of + activities that have affected system by individual users, administrators, or + other components of the system. Audit works at the API server level, logging + all requests coming to the server. Each audit log contains two entries: +
+ ++ The request line containing: +
+ ++ The response line containing: +
+ ++ For more information on how to configure the audit profile, please visit + {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/security/audit-log-policy-config.html", + text="the documentation") }}} +
+
+rationale: |-
+ Logging is an important detective control for all systems, to detect potential
+ unauthorised access.
+
+identifiers:
+ cce@ocp4: CCE-83577-7
+
+references:
+ cis: 3.2.1,3.2.2
+
+severity: medium
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: /apis/config.openshift.io/v1/apiservers/cluster
+ yamlpath: "spec.audit.profile"
+ xccdf_variable: var_openshift_audit_profile
\ No newline at end of file
diff --git a/applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml b/applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..b49fd368b988
--- /dev/null
+++ b/applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/applications/openshift/logging/group.yml b/applications/openshift/logging/group.yml
new file mode 100644
index 000000000000..927585a469ba
--- /dev/null
+++ b/applications/openshift/logging/group.yml
@@ -0,0 +1,8 @@
+documentation_complete: true
+
+prodtype: ocp4
+
+title: 'OpenShift - Logging Settings'
+
+description: |-
+ Contains evaluations for the cluster's logging configuration settings.
diff --git a/applications/openshift/logging/var_openshift_audit_profile.var b/applications/openshift/logging/var_openshift_audit_profile.var
new file mode 100644
index 000000000000..7e6743ce881f
--- /dev/null
+++ b/applications/openshift/logging/var_openshift_audit_profile.var
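Review bot: The `template` block at the end of the rule.yml hunk compares `spec.audit.profile` against `var_openshift_audit_profile`, whose declared default is `Default`, so on an unmodified cluster this rule passes without any audit hardening having been chosen (the e2e test expecting PASS with no setup suggests `Default` is the stock value); the description should say so, because the profile comment this rule is selected under reads "3.2.2 Ensure that the audit policy covers key security concerns", not merely "a profile is set". Since the variable is declared `operator: equals`, a cluster configured with a more verbose profile than the tailored value would presumably also FAIL this check, which auditors could misread as "audit disabled". Suggested sentence for the description: `This rule checks that the profile equals var_openshift_audit_profile (default: Default); to require body-level auditing, set the variable to WriteRequestBodies or AllRequestBodies in a tailoring file, and note the comparison is exact.` As rendered here, "The request line containing:" and "The response line containing:" are followed by no items; if the bullet lists were dropped in the source rather than in this rendering, they should be restored.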
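Review bot: `default_result: PASS` is the only expectation in e2e.yml, so the test exercises just the stock-cluster path with the variable at its default `Default`; nothing checks that a cluster set to a different profile fails, or that tailoring the variable to `WriteRequestBodies` is honored. If the e2e harness supports a setup manifest next to the expected result (not visible from this hunk), add a second scenario that patches `spec.audit.profile` on `apiservers/cluster` and expects FAIL, so a regression in the `yamlpath` or variable wiring cannot pass silently.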
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'Configure the OpenShift Audit Profile'
+
+description: |-
+ Audit log profiles define how to log requests that come to the OpenShift
+ API server, the Kubernetes API server, and the OAuth API server.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "Default"
+ Default: "Default"
+ WriteRequestBodies: "WriteRequestBodies"
+ AllRequestBodies: "AllRequestBodies"
\ No newline at end of file
diff --git a/ocp4/profiles/cis.profile b/ocp4/profiles/cis.profile
index b9b2b9ce574b..bd15e8b53e55 100644
--- a/ocp4/profiles/cis.profile
+++ b/ocp4/profiles/cis.profile
@@ -158,6 +158,7 @@ selections:
#### 3.2 Logging # 3.2.1 Ensure that a minimal audit policy is created # 3.2.2 Ensure that the audit policy covers key security concerns + - audit_profile_set ### 4 Worker Nodes ###
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index e0562485625c..a39b145df02b 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -98,7 +98,6 @@ CCE-83568-6
CCE-83569-4
CCE-83570-2
CCE-83575-1
-CCE-83577-7
CCE-83579-3
CCE-83581-9
CCE-83583-5
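Review bot: The variable's `description` explains what a profile is but not what choosing `WriteRequestBodies` or `AllRequestBodies` implies: as the option names say, request bodies are written to the audit log, so the payloads of API write requests (presumably including Secret contents when those objects are created or updated; confirm against the linked profile documentation) land in audit log storage and any log-forwarding pipeline, and log volume grows accordingly. That is a security trade-off the person setting the variable needs next to the options, since it turns the audit log itself into a sensitive data store. Suggested extra sentence for `description`: `Profiles that record request bodies place the content of API requests, potentially including sensitive data, in the audit log; restrict access to and size audit log storage accordingly.`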