
Ensure that the AdvancedAuditing argument is not set to false – audit-policy-file parameter

Details

Do not disable advanced auditing.

Rationale:

‘AdvancedAuditing’ enables a much more general API auditing pipeline, which includes support for pluggable output backends and an audit policy specifying how different requests should be audited. Additionally, this enables auditing of failed authentication, authorization and login attempts which could prove crucial for protecting your production clusters. It is thus recommended not to disable advanced auditing.

Solution

Follow the Kubernetes documentation and set the desired audit policy in the ‘/etc/kubernetes/audit-policy.yaml’ file.

Then, edit the API server pod specification file ‘/etc/kubernetes/manifests/kube-apiserver.yaml’ and set the parameter below.

--audit-policy-file=/etc/kubernetes/audit-policy.yaml
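
One way to verify the result on a control-plane node, as an added example that is not part of the benchmark text: the hypothetical helper check_audit_flags reads the API server manifest and fails if AdvancedAuditing=false appears in --feature-gates or if no active --audit-policy-file flag is present. The sample manifest fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the benchmark. check_audit_flags is a
# hypothetical helper name; pass it the kube-apiserver manifest path.

# check_audit_flags MANIFEST -> exit status 0 when compliant, 1 otherwise.
check_audit_flags() {
    manifest=$1
    rc=0
    # Only active YAML list items count; commented-out flags are ignored.
    item='^[[:space:]]*-[[:space:]]*"?'

    # Fail if AdvancedAuditing is switched off anywhere in the gate list.
    if grep -Eiq -e "${item}--feature-gates=.*AdvancedAuditing=false" "$manifest"; then
        echo "FAIL: AdvancedAuditing=false set in --feature-gates"
        rc=1
    fi

    # Extract the policy path, dropping an optional closing quote.
    policy=$(sed -n -E "s/${item}--audit-policy-file=([^\"[:space:]]*).*/\1/p" "$manifest" | tail -n 1)
    if [ -z "$policy" ]; then
        echo "FAIL: --audit-policy-file is not set"
        rc=1
    else
        echo "INFO: --audit-policy-file=$policy"
    fi

    [ "$rc" -eq 0 ] && echo "PASS: advanced auditing is enabled with a policy file"
    return "$rc"
}

# Constructed sample manifest fragment (not taken from a real cluster).
sample=$(mktemp)
cat > "$sample" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --feature-gates=AdvancedAuditing=false
    # - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
EOF
check_audit_flags "$sample" || echo "manifest needs remediation"
rm -f "$sample"
```

On a node, run it as check_audit_flags /etc/kubernetes/manifests/kube-apiserver.yaml and treat a non-zero exit status as a finding.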

Impact:

You would need to rotate logs and log them centrally to avoid filling up disk space.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: Unix.


Updated on July 16, 2022