Information
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application when accounts are created. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Within Rancher RKE2, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know where within the container platform the event occurred.
To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.
Satisfies: SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000092-CTR-000165, SRG-APP-000095-CTR-000170, SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000101-CTR-000205, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000343-CTR-000780, SRG-APP-000358-CTR-000805, SRG-APP-000374-CTR-000865, SRG-APP-000375-CTR-000870, SRG-APP-000381-CTR-000905, SRG-APP-000409-CTR-000990, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, SRG-APP-000503-CTR-001275, SRG-APP-000504-CTR-001280, SRG-APP-000505-CTR-001285, SRG-APP-000506-CTR-001290, SRG-APP-000507-CTR-001295, SRG-APP-000508-CTR-001300, SRG-APP-000509-CTR-001305, SRG-APP-000510-CTR-001310, SRG-APP-000516-CTR-000790, SRG-APP-00516-CTR-001325
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Audit logging and policies:
Edit the /etc/rancher/rke2/config.yaml file, and enable the audit policy:
    audit-policy-file: /etc/rancher/rke2/audit-policy.yaml
1. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains the required configuration:
    --audit-policy-file=    Path to the file that defines the audit policy configuration. (Example: /etc/rancher/rke2/audit-policy.yaml)
    --audit-log-mode=blocking-strict
If the configuration file is updated, restart the RKE2 Server. Run the command:
    systemctl restart rke2-server
2. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains the required configuration.
If using RKE2 v1.24 or older, set:
    profile: cis-1.6
If using RKE2 v1.25 or newer, set:
    profile: cis-1.23
Starting with the October 2023 releases (v1.25.15+rke2r1, v1.26.10+rke2r1, v1.27.7+rke2r1, v1.28.3+rke2r1), use the generic profile "cis".
If the configuration file is updated, restart the RKE2 Server. Run the command:
    systemctl restart rke2-server
3. Edit the audit policy file, by default located at /etc/rancher/rke2/audit-policy.yaml, so that it looks like the following:
    apiVersion: audit.k8s.io/v1
    kind: Policy
    metadata:
      name: rke2-audit-policy
    rules:
      - level: Metadata
        resources:
          - group: ""
            resources: ["secrets"]
      - level: RequestResponse
        resources:
          - group: ""
            resources: ["*"]
If configuration files are updated on a host, restart the RKE2 Service. Run the command "systemctl restart rke2-server" for server hosts and "systemctl restart rke2-agent" for agent hosts.
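The following script is an added example, not part of the STIG text or of RKE2 itself. It does two things with the settings from steps 1 to 3: it checks a config.yaml body for the audit-policy-file key, an allowed profile value and the blocking-strict audit log mode, and it evaluates the step 3 audit policy the way kube-apiserver does (rules are tried in order, the first match sets the level, and a request that matches no rule is not logged). The config sample is constructed, and placing audit-log-mode under kube-apiserver-arg is an assumption about how RKE2 passes the flag through; the page only shows the flag itself. Running the evaluator makes a consequence of the policy visible: requests for resources outside the core API group (for example apps/deployments) match neither rule, so a deployment would need a trailing catch-all rule to be logged.

```python
import re

# Constructed sample of /etc/rancher/rke2/config.yaml with the settings from the
# steps above. Putting audit-log-mode under kube-apiserver-arg is an assumption
# about how the flag is passed through RKE2; the page shows it only as a flag.
SAMPLE_CONFIG = """\
profile: cis
audit-policy-file: /etc/rancher/rke2/audit-policy.yaml
kube-apiserver-arg:
  - audit-log-mode=blocking-strict
"""

# Profile values named in step 2.
ALLOWED_PROFILES = {"cis-1.6", "cis-1.23", "cis"}


def check_config(text):
    """Return a list of findings for a config.yaml body; an empty list means compliant."""
    findings = []
    # Top-level "key: value" lines only; indented list items are not captured here.
    keys = dict(re.findall(r"^([\w-]+):[ \t]*(\S*)[ \t]*$", text, re.M))
    if not keys.get("audit-policy-file"):
        findings.append("audit-policy-file is not set")
    if keys.get("profile") not in ALLOWED_PROFILES:
        findings.append("profile is %r, expected one of %s"
                        % (keys.get("profile"), sorted(ALLOWED_PROFILES)))
    # Accept the argument with or without quotes around it.
    if not re.search(r'^\s*-\s*"?audit-log-mode=blocking-strict"?\s*$', text, re.M):
        findings.append("kube-apiserver-arg lacks audit-log-mode=blocking-strict")
    return findings


# The audit policy from step 3, transcribed as Python literals so no YAML parser is needed.
POLICY_RULES = [
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["secrets"]}]},
    {"level": "RequestResponse",
     "resources": [{"group": "", "resources": ["*"]}]},
]


def _group_resource_matches(rule_res, group, resource):
    """Match one entry of a rule's resources list against a request's API group/resource."""
    if rule_res.get("group", "") != group:
        return False
    wanted = rule_res.get("resources") or []
    # An empty resource list means every resource in the group; "*" is the wildcard.
    return not wanted or "*" in wanted or resource in wanted


def audit_level(rules, group, resource):
    """Audit level the apiserver assigns to a resource request: the first matching
    rule wins, and a request matching no rule gets level None (not logged)."""
    for rule in rules:
        entries = rule.get("resources")
        # A rule without a resources field matches every request.
        if entries is None or any(_group_resource_matches(e, group, resource) for e in entries):
            return rule["level"]
    return "None"


if __name__ == "__main__":
    print("config findings:", check_config(SAMPLE_CONFIG) or "none")
    requests = [("", "secrets"), ("", "pods"), ("apps", "deployments"),
                ("rbac.authorization.k8s.io", "clusterrolebindings")]
    for grp, res in requests:
        name = (grp or "core") + "/" + res
        print("%-45s -> %s" % (name, audit_level(POLICY_RULES, grp, res)))
```

The secrets rule sits first so that secret request and response bodies never reach the log at RequestResponse level; only metadata about them is recorded. The second rule's group "" restricts the catch-all to the core API group, which is why the evaluator reports level None for apps/deployments and RBAC objects.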
Item Details
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE
References: 800-53|AC-2(4), 800-53|AC-6(9), 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-4(1), 800-53|AU-8b., 800-53|AU-12c., 800-53|AU-14(1), 800-53|CM-6b., 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000018, CCI|CCI-000130, CCI|CCI-000131, CCI|CCI-000132, CCI|CCI-000133, CCI|CCI-000134, CCI|CCI-000135, CCI|CCI-000172, CCI|CCI-000366, CCI|CCI-001403, CCI|CCI-001404, CCI|CCI-001464, CCI|CCI-001487, CCI|CCI-001851, CCI|CCI-001889, CCI|CCI-001890, CCI|CCI-002130, CCI|CCI-002234, CCI|CCI-002884, CCI|CCI-003938, Rule-ID|SV-254555r1028345_rule, STIG-ID|CNTR-R2-000060, Vuln-ID|V-254555
Control ID: 2232074253dd6c7b1dd25d6b3a24e41198affaa7a09cb3902142538437b5f969