Reino: Security Features

La seguridad de un software no es un software de seguridad. Nos preocupamos de cuestiones como la autenticación, el control de acceso, la confidencialidad, la criptografía y la gestión de privilegios.

Kubernetes Misconfiguration: Insufficient Cloud Log Rotation

YAML

Abstract

El número de registros de auditoría retenido es insuficiente.

Explanation

El servidor API de Kubernetes rota automáticamente los archivos de registro. Para facilitar el análisis posterior al incidente y la detección de amenazas, así como para cumplir con los requisitos de cumplimiento, debe conservar una cantidad suficiente de datos de registro. La marca --audit-log-maxbackup define el número máximo de archivos de registro que se deben retener. O esta marca no está presente en el comando para iniciar un servidor API de Kubernetes o la cantidad máxima de archivos de registro para retener es inferior a 10.

Ejemplo 1: El siguiente comando inicia un servidor API de Kubernetes y establece la marca --audit-log-maxbackup en 2, que conserva solo dos archivos de registro, lo que es insuficiente.


...
kind: Pod
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --audit-log-maxbackup=2
    ...

References

[1] Kubernetes API Server The Kubernetes Authors

[2] Audit Policy The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.20

[4] Standards Mapping - Common Weakness Enumeration CWE ID 778

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[6] Standards Mapping - FIPS200 CM

[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_insufficient_cloud_log_rotation.base