Traceability Loss - Kubernetes
Description
The kubernetes configuration does not set a logging property, which prevents log files from being created. These files are useful for identifying and tracking malicious actions or anomalous behavior. Alternatively, log files do not have sufficient level of detail.
Impact
Perform harmful actions without raising an alert.
Recommendation
Enable auditing on the Kubernetes API Server and set the desired audit log path.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⌚ minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: H
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code madurity: P
- Remediation level: O
- Report confidence: C
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
- Score:
- Base: 2.2
- Temporal: 2.0
- Severity:
- Base: Low
- Temporal: Low
Compliant code
The Kubernetes configuration includes the desired log path
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
+ - kube-apiserver
+ - --audit-log-path=/path/to/log
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
...
Non compliant code
The Kubernetes configuration does not set a log file configuration
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
+ - kube-apiserver
Requirements
- 075.Record exceptional events in logs
- 376.Register severity level
- 377.Store logs based on valid regulation
- 378.Use of log management system
Fixes
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.