feat(query): implements "Beta - AKS Without Audit Logs" #7883
+292
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
KICS version: v2.1.17
|
github-actions
bot
added
terraform
…21538_84_enable_audit_logs
…21538_84_enable_audit_logs
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reason for Proposed Changes
Currently there is no query to ensure that resources of type "azurerm_kubernetes_cluster" has proper audit logging enabled.
Quoting CIS_Azure_Kubernetes_Service_(AKS)_Benchmark_V1.8.0 page 17: "
2.1.1 Enable audit Logs (Manual)...Exporting logs and metrics to a dedicated, persistent datastore ensures availability of audit data following a cluster security event, and provides a central location for analysis of log and metric data collated from multiple sources.".Proposed Changes
Implemented the missing query.
To ensure audit logging is enabled the cluster must be associated with a "azurerm_monitor_diagnostic_setting" resource that includes either the "
kube-audit" and/or "kube-audit-admin" categories.The association is set through the target_resource_id, the log categories included must be set with the "enabled_log" blocks. Support for legacy "log" blocks was also included. The
enabled_log/logblocks should include the audit category in their "category" field.In the case of a "
azurerm_kubernetes_cluster" being associated with a "azurerm_monitor_diagnostic_setting" where the legacy "log" blocks are used with the right category/ies but set "enabled" tofalsethe query will point to the lines where enabled is set and point out it should be set totrueto fix the issue.NOTE this is my own interpretation given the CIS Benchmark and the entry's name. In truth the "Remediation" from the Benchmark is not particularly explicit/restrictive with which particular categories must be included. All there is to go off is the following remediation step (6) :
In the list of available logs, select the logs you wish to enable. For this example, enable the kube-audit and kube-audit-admin logs. Common logs include the kube-apiserver, kube-controller-manager, and kube-scheduler. You can return and change the collected logs once Log Analytics workspaces are enabled.; additionally it is suggested that not every single cluster must have these logs enabled but it seems like a manual decision that has to be done based on real world use context and cannot be done through static analysis.The official documentation puts extra emphasis on the
kube-apiserver,kube-auditandkube-audit-admincategories over thekube-controller-managerandkube-scheduler. It could be argued if thekube-apiserverflag being included should be enough to prevent the query from flagging.I submit this contribution under the Apache-2.0 license.