Skip to main content

Traceability Loss - Kubernetes

Description

The kubernetes configuration does not set a logging property, which prevents log files from being created. These files are useful for identifying and tracking malicious actions or anomalous behavior. Alternatively, log files do not have sufficient level of detail.

Impact

Perform harmful actions without raising an alert.

Recommendation

Enable auditing on the Kubernetes API Server and set the desired audit log path.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: H
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 2.2
    • Temporal: 2.0
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The Kubernetes configuration includes the desired log path

apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
+ - kube-apiserver
+ - --audit-log-path=/path/to/log
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
...

Non compliant code

The Kubernetes configuration does not set a log file configuration

apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
+ - kube-apiserver

Requirements