ocp4/CIS: Address 3.2

applications/openshift/logging/audit_profile_set/rule.yml

@@ -0,0 +1,71 @@
+prodtype: ocp4
+
+title: Ensure that the cluster's audit profile is properly set
+
+description: |-
+  <p>
+  OpenShift can audit the details of requests made to the API server through
+  the standard Kubernetes audit capabilities. 
+  </p>
+
+  <p>
+  In OpenShift, auditing of the API Server is on by default. Audit provides a
+  security-relevant chronological set of records documenting the sequence of
+  activities that have affected system by individual users, administrators, or
+  other components of the system. Audit works at the API server level, logging
+  all requests coming to the server. Each audit log contains two entries:
+  </p>
+
+  <p>
+  The request line containing:
+  </p>
+
+  <ul>
+    <li>A Unique ID allowing to match the response line (see #2)</li>
+    <li>The source IP of the request</li>
+    <li>The HTTP method being invoked</li>
+    <li>The original user invoking the operation</li>
+    <li>The impersonated user for the operation (self meaning himself)</li>
+    <li>The impersonated group for the operation (lookup meaning user's group)</li>
+    <li>The namespace of the request or none</li>
+    <li>The URI as requested</li>
+  </ul>
+
+  <p>
+  The response line containing:
+  </p>
+
+  <ul>
+    <li>The aforementioned unique ID</li>
+    <li>The response code</li>
+  </ul>
+
+  <p>
+  For more information on how to configure the audit profile, please visit 
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/security/audit-log-policy-config.html",
+              text="the documentation") }}}
+  </p>
+
+rationale: |-
+  Logging is an important detective control for all systems, to detect potential
+  unauthorised access.
+
+identifiers:
+  cce@ocp4: CCE-83577-7
+
+references:
+  cis: 3.2.1,3.2.2
+
+severity: medium
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /apis/config.openshift.io/v1/apiservers/cluster
+    yamlpath: "spec.audit.profile"
+    xccdf_variable: var_openshift_audit_profile

applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: PASS

applications/openshift/logging/group.yml

@@ -0,0 +1,8 @@
+documentation_complete: true
+
+prodtype: ocp4
+
+title: 'OpenShift - Logging Settings'
+
+description: |-
+    Contains evaluations for the cluster's logging configuration settings.

applications/openshift/logging/var_openshift_audit_profile.var

@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'Configure the OpenShift Audit Profile'
+
+description: |-
+  Audit log profiles define how to log requests that come to the OpenShift
+  API server, the Kubernetes API server, and the OAuth API server.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: "Default"
+  Default: "Default"
+  WriteRequestBodies: "WriteRequestBodies"
+  AllRequestBodies: "AllRequestBodies"

ocp4/profiles/cis.profile

@@ -158,6 +158,7 @@ selections:
   #### 3.2 Logging
   # 3.2.1 Ensure that a minimal audit policy is created
   # 3.2.2 Ensure that the audit policy covers key security concerns
+    - audit_profile_set
 
   ### 4 Worker Nodes
   ###

shared/references/cce-redhat-avail.txt

@@ -98,7 +98,6 @@ CCE-83568-6
 CCE-83569-4
 CCE-83570-2
 CCE-83575-1
-CCE-83577-7
 CCE-83579-3
 CCE-83581-9
 CCE-83583-5