계: Environment
이 섹션에는 소스 코드 외부에 있지만 제작 중인 제품의 보안에는 여전히 중요한 내용이 모두 포함되어 있습니다. 이 섹션에서 다루는 문제들은 소스 코드와 직접적으로 관련이 없기 때문에 나머지 섹션과 분리했습니다.
Kubernetes Misconfiguration: Unconfigured API Server Logging
Abstract
Kubernetes API 서버가 감사 이벤트를 기록하는 정책을 정의하지 않고 시작됩니다.
Explanation
감사 정책 파일이 지정되지 않은 경우 Kubernetes API 서버는 이벤트를 기록하지 않습니다. 이벤트 로그에는 보안 사고를 식별하고 정책 위반을 모니터링하며 거부 없음 제어를 지원하는 데 사용되는 중요한 데이터가 포함됩니다.
예제 1: 다음 구성은
예제 1: 다음 구성은
--audit-policy-file 플래그 없이 Kubernetes API 서버를 시작합니다.
...
spec:
containers:
- command:
- kube-apiserver
- --audit-log-path=<the log file path>
image: example.domain/kube-apiserver-amd64:v1.6.0
...
References
[1] Audit Policy The Kubernetes Authors
[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 3.2.1
[3] Standards Mapping - Common Weakness Enumeration CWE ID 778
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[16] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.yaml.kubernetes_misconfiguration_unconfigured_api_server_logging.base