1.1.37 Ensure that the AdvancedAuditing argument is not set to false - audit-policy-file

Information

Do not disable advanced auditing.

Rationale:

'AdvancedAuditing' enables a much more general API auditing pipeline, which includes support for pluggable output backends and an audit policy specifying how different requests should be audited. Additionally, this enables auditing of failed authentication, authorization and login attempts which could prove crucial for protecting your production clusters. It is thus recommended not to disable advanced auditing.

Solution

Follow the Kubernetes documentation and set the desired audit policy in the '/etc/kubernetes/audit-policy.yaml' file.

Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' and set the below parameters.

--audit-policy-file=/etc/kubernetes/audit-policy.yaml

In the same API server pod specification file ensure that if the '--feature-gates' argument is present, it does not include AdvancedAuditing=false.

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CSCv6|14.6, CSCv7|14.9

Plugin: Unix

Control ID: 0539ace7d3b2f828d980dcb932a56e3ab223302d090e5cc191fc0ea079acb435