C-0254 - Enable audit Logs

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-aks-t1.2.0

Severity

Medium

Description of the the issue

Exporting logs and metrics to a dedicated, persistent datastore ensures availability of audit data following a cluster security event, and provides a central location for analysis of log and metric data collated from multiple sources.

Related resources

What does this control test

With Azure Kubernetes Service (AKS), the control plane components such as the kube-apiserver and kube-controller-manager are provided as a managed service. You create and manage the nodes that run the kubelet and container runtime, and deploy your applications through the managed Kubernetes API server. To help troubleshoot your application and services, you may need to view the logs generated by these control plane components.

To help collect and review data from multiple sources, Azure Monitor logs provides a query language and analytics engine that provides insights to your environment. A workspace is used to collate and analyze the data, and can integrate with other Azure services such as Application Insights and Security Center.

How to check it manually

Remediation

Azure audit logs are enabled and managed in the Azure portal. To enable log collection for the Kubernetes master components in your AKS cluster, open the Azure portal in a web browser and complete the following steps:

  1. Select the resource group for your AKS cluster, such as myResourceGroup. Don't select the resource group that contains your individual AKS cluster resources, such as MC_myResourceGroup_myAKSCluster_eastus.
  2. On the left-hand side, choose Diagnostic settings.
  3. Select your AKS cluster, such as myAKSCluster, then choose to Add diagnostic setting.
  4. Enter a name, such as myAKSClusterLogs, then select the option to Send to Log Analytics.
  5. Select an existing workspace or create a new one. If you create a workspace, provide a workspace name, a resource group, and a location.
  6. In the list of available logs, select the logs you wish to enable. For this example, enable the kube-audit and kube-audit-admin logs. Common logs include the kube-apiserver, kube-controller-manager, and kube-scheduler. You can return and change the collected logs once Log Analytics workspaces are enabled.
  7. When ready, select Save to enable collection of the selected logs.

Impact Statement

What is collected from Kubernetes clusters
Container insights includes a predefined set of metrics and inventory items collected that are written as log data in your Log Analytics workspace. All metrics listed below are collected by default every one minute.

Node metrics collected
The following list is the 24 metrics per node that are collected:

cpuUsageNanoCores
cpuCapacityNanoCores
cpuAllocatableNanoCores
memoryRssBytes
memoryWorkingSetBytes
memoryCapacityBytes
memoryAllocatableBytes
restartTimeEpoch
used (disk)
free (disk)
used_percent (disk)
io_time (diskio)
writes (diskio)
reads (diskio)
write_bytes (diskio)
write_time (diskio)
iops_in_progress (diskio)
read_bytes (diskio)
read_time (diskio)
err_in (net)
err_out (net)
bytes_recv (net)
bytes_sent (net)
Kubelet_docker_operations (kubelet)
Container metrics
The following list is the eight metrics per container collected:

cpuUsageNanoCores
cpuRequestNanoCores
cpuLimitNanoCores
memoryRssBytes
memoryWorkingSetBytes
memoryRequestBytes
memoryLimitBytes
restartTimeEpoch
Cluster inventory
The following list is the cluster inventory data collected by default:

KubePodInventory – 1 per minute per container
KubeNodeInventory – 1 per node per minute
KubeServices – 1 per service per minute
ContainerInventory – 1 per container per minute

Default Value

By default, cluster control plane logs aren't sent to be Logged.

Example

No example