argument is set to false (Automated) 1.2.22 Ensure that the --audit-log-path argument is set (Automated) 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated) CIS 1 83 83 83 85 85 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated) 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated) --tls-cert-file=/etc/kubernetes/ssl/kube- apiserver.pem --authorization-mode=Node,RBAC --audit-log- maxsize=100 --audit-log-format=json --requestheader-allowed- names=kube-apiserver-proxy-client --cloud-provider=

secret is the 32-byte base64-encoded string generated in the first step. 1.1.3 - Install the audit log configuration on all control plane nodes. Profile Applicability Level 1 Description Place the configuration that the --audit-log-path argument is set as appropriate (Scored) 1.1.16 - Ensure that the --audit-log-maxage argument is as appropriate (Scored) 1.1.17 - Ensure that the --audit-log-maxbackup argument argument is set as appropriate (Scored) 1.1.18 - Ensure that the --audit-log-maxsize argument is set as appropriate (Scored) 1.1.37 - Ensure that the AdvancedAuditing argument is not set to false (Scored)

1. 15 - E n s u r e t h at t h e --audit-log-path ar gu m e n t i s s e t as ap p r op r i at e ( S c or e d ) • 1. 1. 16 - E n s u r e t h at t h e --audit-log-maxage ar gu m e n t i s s e t as ap p r 17 - E n s u r e t h at t h e --audit-log-maxbackup ar gu m e n t i s s e t as ap - p r op r i at e ( S c or e d ) • 1. 1. 18 - E n s u r e t h at t h e --audit-log-maxsize ar gu m e n t i s s e t as ap tc/kubernetes/admission.yaml --audit-log-path=/var/log/kube-audit/audit-log.json --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-format=json --audit-policy-file=/etc

--audit-log-path argument is set as appropriate (Scored) Notes This path is the path inside of the container. It's combined with the RKE cluster.yml extra- binds: option to map the audit log to the match("--audit-log-path=/var/log/kube-audit/audit-log.json").string' Returned Value: --audit-log-log=/var/log/kube-audit/audit-log.json Result: Pass 1.1.16 - Ensure that the --audit-log-maxage argument kube-apiserver | jq -e '.[0].Args[] | match("--audit-log-maxage=\\d+").string' Returned Value: --audit-log-maxage=5 Result: Pass 1.1.17 - Ensure that the --audit-log-maxbackup argument is set to 10 or as

Rancher Self-Assessment Guide - v2.4 22 'false' is equal to 'false' 1.2.22 Ensure that the --audit-log-path argument is set (Scored) Result: PASS Remediation: Edit the API server pod specification file node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log Audit: /bin/ps -ef | grep grep kube-apiserver | grep -v grep Expected result: '--audit-log-path' is present 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored) Result: PASS Remediation:

Self-Assessment Guide - Rancher v2.5 22 'false' is equal to 'false' 1.2.22 Ensure that the --audit-log-path argument is set (Scored) Result: PASS Remediation: Edit the API server pod specification file node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log Audit: /bin/ps -ef | grep grep kube-apiserver | grep -v grep Expected result: '--audit-log-path' is present 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored) Result: PASS Remediation:

..................................................................................... 7 1.3.10 Log Management ....................................................................................... visualization. 1.3.10 Log Management Fetching and analyzing log data is critical to understanding what is happening with a given cluster. Internal Kubernetes components use log library to log data; kubectl kubectl (the command line interface) can be used to fetch log data from containers. This data can be fed to an ELK (Elasticsearch, Logstash and Kibana) stack or Google Cloud logging for further analysis and

Solutions 3 4 2 4 Advanced Monitoring 4 4 3 2 Alerts and Notifications 4 4 3 2 External Log Shipping 4 4 2 3 Windows Container Support 4 4 1 2 Integrated Service Mesh Support 4 supports the standard API logging available from Kubernetes. 3.1.9.2 OpenShift OpenShift can log all interactions with the OCP API, including request and response body and metadata. OpenShift collect Prometheus solution with its Alert Manager. This is a standard pattern for Kubernetes. 3.3.6 External Log Shipping • SUSE Rancher: 4 • OpenShift: 4 • Tanzu: 2 • Anthos: 3 3.3.6.1 SUSE Rancher

multi-tenant and multi-dimensional log retrieval system that supports on-disk log collection and provides flexibility to integrate multiple external log receivers Third-party ELK required for

preventing the node from reaching the Juniper Networks repository. Here is an example of a DNS problem. Log in to each node having a problem and check name resolution for enterprise-hub.juniper.net. For example: preventing the node from reaching the Juniper Networks repository. Here is an example of a DNS problem. Log in to each node having a problem and check name resolution for enterprise-hub.juniper.net. For example: credentials in your manifests. 1. Install docker if you don't already have docker installed. 2. Log in to the Juniper Networks repository where you pull the container images. docker login enterprise-hub