OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.

STIG ID: CNTR-OS-000150  |  SRG: SRG-APP-000089-CTR-000150 |  Severity: medium |  CCI: CCI-000135,CCI-000169,CCI-000171,CCI-000172,CCI-000366 |  Vulnerability Id: V-257517 | 

Vulnerability Discussion

The OpenShift Platform supports three audit levels: Default, WriteRequestBodies, and AllRequestBodies. The identities of the users are logged for all three audit levels log level. The WriteRequestBodies will log the metadata and the request body for any create, update, or patch request. The AllRequestBodies will log the metadata and the request body for all read and write requests. As this generates a significant number of logs, this level is only to be used as needed. To capture sufficient data to investigate an issue, it is required to set the audit level to WriteRequestBodies.

For more detailed documentation on what is being logged, refer to https://docs.openshift.com/container-platform/4.8/security/audit-log-view.html.

Satisfies: SRG-APP-000089-CTR-000150, SRG-APP-000090-CTR-000155, SRG-APP-000101-CTR-000205, SRG-APP-000510-CTR-001310, SRG-APP-000516-CTR-000790

Check

To determine at what level the OpenShift audit policy logging verbosity is configured, as a cluster-administrator:execute the following command:

oc get apiserver.config.openshift.io/cluster -ojsonpath='{.spec.audit.profile}'

If the output from the options does not return WriteRequestBodies or AllRequestBodies, this is a finding.

Fix

As the cluster administrator, update the APIServer.config.openshift.io/cluster object to set the profile to the defined level of detail. For example, to configure the profile to WriteRequestBodies, meaning that all write requests to any API server object are logged in their entirety, by executing the following:

oc patch apiserver.config.openshift.io/cluster --type=merge -p '{"spec": {"audit": {"profile": "WriteRequestBodies"}}}'