OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257524	CNTR-OS-000220	SV-257524r921515_rule		Medium

Description
Sending audit logs to a central enterprise repository allows for centralized log management. Instead of scattered logs across multiple OpenShift components, having a centralized repository simplifies log storage, retention, and retrieval. It provides a single source of truth for audit logs, making it easier to manage and analyze log data. Centralized audit logs are crucial for incident response and forensic investigations. When a security incident occurs, having audit logs in a central repository allows security teams to quickly access relevant log data for analysis. It facilitates incident reconstruction, root cause analysis, and the identification of the scope and impact of the incident. This is vital for effective incident response and minimizing the impact of security breaches. Satisfies: SRG-APP-000111-CTR-000220, SRG-APP-000092-CTR-000165, SRG-APP-000358-CTR-000805

Description

Sending audit logs to a central enterprise repository allows for centralized log management. Instead of scattered logs across multiple OpenShift components, having a centralized repository simplifies log storage, retention, and retrieval. It provides a single source of truth for audit logs, making it easier to manage and analyze log data. Centralized audit logs are crucial for incident response and forensic investigations. When a security incident occurs, having audit logs in a central repository allows security teams to quickly access relevant log data for analysis. It facilitates incident reconstruction, root cause analysis, and the identification of the scope and impact of the incident. This is vital for effective incident response and minimizing the impact of security breaches. Satisfies: SRG-APP-000111-CTR-000220, SRG-APP-000092-CTR-000165, SRG-APP-000358-CTR-000805

STIG	Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide	2023-08-28

Details

Check Text ( C-61259r921513_chk )
Determine if cluster log forwarding is configured. 1. Verify the cluster-logging operator is installed by executing the following: oc get subscription/cluster-logging -n openshift-logging (Example Output: NAME PACKAGE SOURCE CHANNEL cluster-logging cluster-logging redhat-operators stable ) If the cluster-logging operator is not present, this is a finding. 2. List the cluster log forwarders defined by executing the following: oc get clusterlogforwarder -n openshift-logging If there are no clusterlogforwarders defined, this is a finding. 3. For each cluster log forwarder listed above, view the configuration details by executing the following: oc describe clusterlogforwarder/ -n openshift-logging Review the details of the cluster log forwarder. If the configuration is not set to forward logs the organization's centralized logging service, this is a finding.

Check Text ( C-61259r921513_chk )

Determine if cluster log forwarding is configured.

1. Verify the cluster-logging operator is installed by executing the following:

oc get subscription/cluster-logging -n openshift-logging
(Example Output:
NAME PACKAGE SOURCE CHANNEL
cluster-logging cluster-logging redhat-operators stable
)

If the cluster-logging operator is not present, this is a finding.

2. List the cluster log forwarders defined by executing the following:

oc get clusterlogforwarder -n openshift-logging

If there are no clusterlogforwarders defined, this is a finding.

3. For each cluster log forwarder listed above, view the configuration details by executing the following:

oc describe clusterlogforwarder/ -n openshift-logging

Review the details of the cluster log forwarder.

If the configuration is not set to forward logs the organization's centralized logging service, this is a finding.

Fix Text (F-61183r921514_fix)
To configure log forwarding, the OpenShift Cluster Logging operator first must be installed, and then the Cluster Log Forwarder is configured to forward logs to a centralized log aggregation service. To install the OpenShift Cluster Logging operator, execute the following command to apply the subscription manifests to the cluster: oc apply -f - << 'EOF' --- apiVersion: project.openshift.io/v1 kind: Project metadata: labels: kubernetes.io/metadata.name: openshift-logging openshift.io/cluster-monitoring: "true" name: openshift-logging spec: {} ... --- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: openshift-logging namespace: openshift-logging spec: targetNamespaces: - openshift-logging ... --- apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: labels: operators.coreos.com/cluster-logging.openshift-logging: "" name: cluster-logging namespace: openshift-logging spec: channel: stable installPlanApproval: Automatic name: cluster-logging source: redhat-operators sourceNamespace: openshift-marketplace ... EOF After the OpenShift Logging operator has finished installing, a ClusterLogForwarder instance can be created to forward cluster logs to a log aggregator. A basic configuration that would forward OpenShift audit, application, and infrastructure logs to an rsyslog server that is managed separately and is configured for mTLS authentication over TCP when sending audit logs, but traditional UDP access for other types of logs, can be provided by editing the appropriate values in the Secret resource below and changing the "url" parameters in the "outputs" section of the "spec" below, then running the command to apply (Example): oc apply -f - << 'EOF' --- apiVersion: v1 kind: Secret metadata: name: rsyslog-tls-secret namespace: openshift-logging data: tls.crt: tls.key: ca-bundle.crt: ... --- apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: outputs: - name: rsyslog-audit type: syslog syslog: facility: security rfc: RFC5424 severity: Informational appName: openshift msgID: audit procID: audit url: 'tls://rsyslogserver.example.com:514' secret: name: rsyslog-tls-secret - name: rsyslog-apps type: syslog syslog: facility: user rfc: RFC5424 severity: Informational appName: openshift msgID: apps procID: apps url: 'udp://rsyslogserver.example.com:514' - name: rsyslog-infra type: syslog syslog: facility: local0 rfc: RFC5424 severity: Informational appName: openshift msgID: infra procID: infra url: 'udp://rsyslogserver.example.com:514' pipelines: - name: audit-logs inputRefs: - audit outputRefs: - rsyslog-audit - name: apps-logs inputRefs: - application outputRefs: - rsyslog-apps - name: infrastructure-logs inputRefs: - infrastructure outputRefs: - rsyslog-infra ... EOF Note that many log forwarding destinations are supported, and the fix does not require that users forward audit logs to rsyslog over mTLS. To better understand how to configure the ClusterLogForwarder, consult the OpenShift Logging documentation: https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-external.html

Fix Text (F-61183r921514_fix)

To configure log forwarding, the OpenShift Cluster Logging operator first must be installed, and then the Cluster Log Forwarder is configured to forward logs to a centralized log aggregation service.

To install the OpenShift Cluster Logging operator, execute the following command to apply the subscription manifests to the cluster:

oc apply -f - << 'EOF'
---
apiVersion: project.openshift.io/v1
kind: Project
metadata:
labels:
kubernetes.io/metadata.name: openshift-logging
openshift.io/cluster-monitoring: "true"
name: openshift-logging
spec: {}
...
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: openshift-logging
namespace: openshift-logging
spec:
targetNamespaces:
- openshift-logging
...
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
labels:
operators.coreos.com/cluster-logging.openshift-logging: ""
name: cluster-logging
namespace: openshift-logging
spec:
channel: stable
installPlanApproval: Automatic
name: cluster-logging
source: redhat-operators
sourceNamespace: openshift-marketplace
...
EOF

After the OpenShift Logging operator has finished installing, a ClusterLogForwarder instance can be created to forward cluster logs to a log aggregator. A basic configuration that would forward OpenShift audit, application, and infrastructure logs to an rsyslog server that is managed separately and is configured for mTLS authentication over TCP when sending audit logs, but traditional UDP access for other types of logs, can be provided by editing the appropriate values in the Secret resource below and changing the "url" parameters in the "outputs" section of the "spec" below, then running the command to apply (Example):

oc apply -f - << 'EOF'
---
apiVersion: v1
kind: Secret
metadata:
name: rsyslog-tls-secret
namespace: openshift-logging
data:
tls.crt:
tls.key:
ca-bundle.crt:
...
---
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
name: instance
namespace: openshift-logging
spec:
outputs:
- name: rsyslog-audit
type: syslog
syslog:
facility: security
rfc: RFC5424
severity: Informational
appName: openshift
msgID: audit
procID: audit
url: 'tls://rsyslogserver.example.com:514'
secret:
name: rsyslog-tls-secret
- name: rsyslog-apps
type: syslog
syslog:
facility: user
rfc: RFC5424
severity: Informational
appName: openshift
msgID: apps
procID: apps
url: 'udp://rsyslogserver.example.com:514'
- name: rsyslog-infra
type: syslog
syslog:
facility: local0
rfc: RFC5424
severity: Informational
appName: openshift
msgID: infra
procID: infra
url: 'udp://rsyslogserver.example.com:514'
pipelines:
- name: audit-logs
inputRefs:
- audit
outputRefs:
- rsyslog-audit
- name: apps-logs
inputRefs:
- application
outputRefs:
- rsyslog-apps
- name: infrastructure-logs
inputRefs:
- infrastructure
outputRefs:
- rsyslog-infra
...
EOF

Note that many log forwarding destinations are supported, and the fix does not require that users forward audit logs to rsyslog over mTLS. To better understand how to configure the ClusterLogForwarder, consult the OpenShift Logging documentation:
https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-external.html