Audit policy covers key security concerns
Description
Ensure that the audit policy created for the cluster covers key security concerns.
Rationale
Security audit logs should cover access and modification of key resources in the cluster, to enable them to form an effective part of a security environment.
Audit
Review the audit policy provided for the cluster and ensure that it covers at least the following areas:
- Access to Secrets managed by the cluster. Log only metadata for requests to Secrets, ConfigMaps, and TokenReviews, so that the audit log does not itself capture sensitive request or response bodies.
- Modification of pod and deployment objects.
- Use of pods/exec, pods/portforward, pods/proxy and services/proxy.
For most requests, logging at the Metadata level (the most basic level) is the recommended minimum.
Modify the audit policy in use on the cluster so that it includes at least these items.
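The policy below is an added example, not from this page or from any of the referenced projects; it shows one way to express the three areas above as a Kubernetes audit policy. The resource and group names are the standard core and apps API names; the chosen levels, the omitted RequestReceived stage and the rule order are assumptions for illustration. Rules are matched in order and the first match wins, so the Metadata-only rule for Secrets, ConfigMaps and TokenReviews is placed first to guarantee that no later, more verbose rule ever records their contents.

```yaml
# Example audit policy (added illustration, not a project-supplied file).
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage to avoid a duplicate entry per request.
omitStages:
  - "RequestReceived"
rules:
  # 1. Sensitive objects: record who touched them, never the payload.
  #    Listed first so it wins over every rule below.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]

  # 2. Modification of pod and deployment objects: keep the full request
  #    and response so the change itself can be reconstructed later.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods"]
      - group: "apps"
        resources: ["deployments", "replicasets"]

  # 3. Interactive / tunnelling subresources: these give a caller a
  #    shell, port or proxy path into the cluster, so record them fully.
  - level: RequestResponse
    resources:
      - group: ""
        resources:
          - "pods/exec"
          - "pods/portforward"
          - "pods/proxy"
          - "services/proxy"

  # 4. Everything else: the recommended baseline of Metadata only.
  - level: Metadata
```

To apply it, point the API server at the file with --audit-policy-file and give the log a destination with --audit-log-path (or an --audit-webhook-config-file); after a restart, a kubectl exec into any pod should appear in the log as a RequestResponse entry for pods/exec, while a kubectl get secret appears only as a Metadata entry with no object body.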
Impact
Increasing audit logging will consume resources on the nodes or other log destination.
Default value
By default Kubernetes clusters do not log audit information.
References
- https://github.com/k8scop/k8s-security-dashboard/blob/master/configs/kubernetes/adv-audit.yaml
- https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy
- https://github.com/falcosecurity/falco/blob/master/examples/k8s_audit_config/audit-policy.yaml
- https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L735
CIS controls
Version 6, 14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.
Version 7, 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).