The --audit-policy-file flag should be set for Kubernetes logging to be enabled

문서 > Datadog 보안 > OOTB Rules > The --audit-policy-file flag should be set for Kubernetes logging to be enabled

Classification:

compliance

Framework:

cis-kubernetes

Control:

3.2.1

Set up the kubernetes integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

Kubernetes can audit the details of requests made to the API server. The --audit-policy-file flag must be set for this logging to be enabled.

Rationale

Logging is an important detective control for all systems, to detect potential unauthorised access.

Audit

Run the following command on one of the cluster master nodes:

ps -ef | grep kube-apiserver

Verify that the --audit-policy-file is set. Review the contents of the file specified and ensure that it contains a valid audit policy.

Remediation

Create an audit policy file for your cluster.

Impact

Audit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.

Default value

Unless the --audit-policy-file flag is specified, no auditing will be carried out.

References

https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

CIS controls

Version 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.