CIS-3.2.2 - Ensure that the audit policy covers key security concerns

Ensure that the audit policy covers key security concerns

Note: to enable this control run Kubescape with host sensor (see here)

Framework

CIS

Severity

Medium

Description of the the issue

Security audit logs should cover access and modification of key resources in the cluster, to enable them to form an effective part of a security environment.

Related resources

APIServerInfo

What does this control test

Ensure that the audit policy created for the cluster covers key security concerns.

How to check it manually

Review the audit policy provided for the cluster and ensure that it covers at least the following areas :-

  • Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data.
  • Modification of pod and deployment objects.
  • Use of pods/exec, pods/portforward, pods/proxy and services/proxy.

For most requests, minimally logging at the Metadata level is recommended (the most basic level of logging).

Remediation

Consider modification of the audit policy in use on the cluster to include these items, at a minimum.

Impact Statement

Increasing audit logging will consume resources on the nodes or other log destination.

Default Value

By default Kubernetes clusters do not log audit information.

Example

No example