Kubernetes DynamicAuditing must not be enabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242398	CNTR-K8-000450	SV-242398r918161_rule		Medium

Description
Protecting the audit data from change or deletion is important when an attack occurs. One way an attacker can cover their tracks is to change or delete audit records. This will either make the attack unnoticeable or make it more difficult to investigate how the attack took place and what changes were made. The audit data can be protected through audit log file protections and user authorization. One way for an attacker to thwart these measures is to send the audit logs to another source and filter the audited results before sending them on to the original target. This can be done in Kubernetes through the configuration of dynamic audit webhooks through the DynamicAuditing flag.

Description

Protecting the audit data from change or deletion is important when an attack occurs. One way an attacker can cover their tracks is to change or delete audit records. This will either make the attack unnoticeable or make it more difficult to investigate how the attack took place and what changes were made. The audit data can be protected through audit log file protections and user authorization. One way for an attacker to thwart these measures is to send the audit logs to another source and filter the audited results before sending them on to the original target. This can be done in Kubernetes through the configuration of dynamic audit webhooks through the DynamicAuditing flag.

STIG	Date
Kubernetes Security Technical Implementation Guide	2023-08-29

Details

Check Text ( C-45673r918159_chk )
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command: grep -i feature-gates * Review the feature-gates setting, if one is returned. If the feature-gates setting is available and contains the DynamicAuditing flag set to "true", this is a finding. On each Control Plane and Worker node, run the command: ps -ef \| grep kubelet If the "--feature-gates" option exists, this is a finding. Note the path to the config file (identified by: --config). Inspect the content of the config file: If the "featureGates" setting is present and has the "DynamicAuditing" flag set to "true", this is a finding.

Check Text ( C-45673r918159_chk )

On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:
grep -i feature-gates *

Review the feature-gates setting, if one is returned.

If the feature-gates setting is available and contains the DynamicAuditing flag set to "true", this is a finding.

On each Control Plane and Worker node, run the command:
ps -ef | grep kubelet

If the "--feature-gates" option exists, this is a finding.

Note the path to the config file (identified by: --config).

Inspect the content of the config file:
If the "featureGates" setting is present and has the "DynamicAuditing" flag set to "true", this is a finding.

Fix Text (F-45631r918160_fix)
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command: grep -i feature-gates * If any "--feature-gates" setting is available and contains the "DynamicAuditing" flag, remove the flag or set it to false. On the each Control Plane and Worker Node, run the command: ps -ef \| grep kubelet Remove the "--feature-gates option" if present. Note the path to the config file (identified by: --config). Edit the Kubernetes Kubelet config file: If the "featureGates" setting is present, remove the "DynamicAuditing" flag or set the flag to false. Restart the kubelet service using the following command: service kubelet restart

Fix Text (F-45631r918160_fix)

On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:
grep -i feature-gates *

If any "--feature-gates" setting is available and contains the "DynamicAuditing" flag, remove the flag or set it to false.

On the each Control Plane and Worker Node, run the command:
ps -ef | grep kubelet

Remove the "--feature-gates option" if present.

Note the path to the config file (identified by: --config).

Edit the Kubernetes Kubelet config file:
If the "featureGates" setting is present, remove the "DynamicAuditing" flag or set the flag to false.

Restart the kubelet service using the following command:
service kubelet restart