OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257536	CNTR-OS-000340	SV-257536r921551_rule		Medium

Description
To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data protections. Without integrity protections, unauthorized changes may be made to the audit files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. Although digital signatures are one example of protecting integrity, this control is not intended to cause a new cryptographic hash to be generated every time a record is added to a log file. Integrity protections can also be implemented by using cryptographic techniques for security function isolation and file system protections to protect against unauthorized changes.

Description

To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data protections. Without integrity protections, unauthorized changes may be made to the audit files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. Although digital signatures are one example of protecting integrity, this control is not intended to cause a new cryptographic hash to be generated every time a record is added to a log file. Integrity protections can also be implemented by using cryptographic techniques for security function isolation and file system protections to protect against unauthorized changes.

STIG	Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide	2023-08-28

Details

Check Text ( C-61271r921549_chk )
Verify the Cluster Log Forwarder is using an encrypted transport by executing the following: oc get clusterlogforwarder -n openshift-logging For each Cluster Log Forwarder, run the following command to display the configuration. oc describe clusterlogforwarder -n openshift-logging Review the configuration and determine if the transport is secure, such as tls:// or https://. If there are any transports configured that are not secured by TLS, this is a finding.

Check Text ( C-61271r921549_chk )

Verify the Cluster Log Forwarder is using an encrypted transport by executing the following:

oc get clusterlogforwarder -n openshift-logging

For each Cluster Log Forwarder, run the following command to display the configuration.

oc describe clusterlogforwarder -n openshift-logging

Review the configuration and determine if the transport is secure, such as tls:// or https://. If there are any transports configured that are not secured by TLS, this is a finding.

Fix Text (F-61195r921550_fix)
Edit the Cluster Log Forwarder configuration to configure TLS on the transport by executing the following: oc edit clusterlogforwarder -n openshift-logging For any output->url value that is not using a secure transport, edit the url to use a secure (https:// or tls://) transport. For detailed information regarding configuration of the Cluster Log Forwarder, refer to https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-external.html.

Fix Text (F-61195r921550_fix)

Edit the Cluster Log Forwarder configuration to configure TLS on the transport by executing the following:

oc edit clusterlogforwarder -n openshift-logging

For any output->url value that is not using a secure transport, edit the url to use a secure (https:// or tls://) transport.

For detailed information regarding configuration of the Cluster Log Forwarder, refer to https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-external.html.