software – no vendor lock-in • More than just subscriptions • FREE online training that helps MSPs get ahead • Compliant route to market for Service providers who work with end customers • Free test and dev

Solutions 3 4 2 4 Advanced Monitoring 4 4 3 2 Alerts and Notifications 4 4 3 2 External Log Shipping 4 4 2 3 Windows Container Support 4 4 1 2 Integrated Service Mesh Support 4 supports the standard API logging available from Kubernetes. 3.1.9.2 OpenShift OpenShift can log all interactions with the OCP API, including request and response body and metadata. OpenShift collect Rancher server require manual configuration of the RKE cluster to perform backups. These can also write to local storage or an S3-compatible endpoint. Restoring an HA cluster requires deploying a new

..................................................................................... 7 1.3.10 Log Management ....................................................................................... visualization. 1.3.10 Log Management Fetching and analyzing log data is critical to understanding what is happening with a given cluster. Internal Kubernetes components use log library to log data; kubectl kubectl (the command line interface) can be used to fetch log data from containers. This data can be fed to an ELK (Elasticsearch, Logstash and Kibana) stack or Google Cloud logging for further analysis and

1. 15 - E n s u r e t h at t h e --audit-log-path ar gu m e n t i s s e t as ap p r op r i at e ( S c or e d ) • 1. 1. 16 - E n s u r e t h at t h e --audit-log-maxage ar gu m e n t i s s e t as ap p r 17 - E n s u r e t h at t h e --audit-log-maxbackup ar gu m e n t i s s e t as ap - p r op r i at e ( S c or e d ) • 1. 1. 18 - E n s u r e t h at t h e --audit-log-maxsize ar gu m e n t i s s e t as ap tc/kubernetes/admission.yaml --audit-log-path=/var/log/kube-audit/audit-log.json --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-format=json --audit-policy-file=/etc

kube-api: pod_security_policy: true secrets_encryption_config: enabled: true audit_log: enabled: true admission_configuration: event_rate_limit: enabled: true snapshot: false uid: 52034 kube_api: always_pull_images: false audit_log: enabled: true event_rate_limit: enabled: true pod_security_policy: addgroup --gid 52034 etcd - useradd --comment "etcd service account" --uid 52034 -- gid 52034 etcd write_files: - path: /etc/sysctl.d/kubelet.conf owner: root:root permissions: "0644" content:

kube-api: pod_security_policy: true secrets_encryption_config: enabled: true audit_log: enabled: true admission_configuration: event_rate_limit: enabled: true snapshot: false uid: 52034 kube_api: always_pull_images: false audit_log: enabled: true event_rate_limit: enabled: true pod_security_policy: addgroup --gid 52034 etcd - useradd --comment "etcd service account" --uid 52034 -- gid 52034 etcd write_files: - path: /etc/sysctl.d/kubelet.conf owner: root:root permissions: "0644" content:

argument is set to false (Automated) 1.2.22 Ensure that the --audit-log-path argument is set (Automated) 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated) CIS 1 83 83 83 85 85 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated) 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated) --tls-cert-file=/etc/kubernetes/ssl/kube- apiserver.pem --authorization-mode=Node,RBAC --audit-log- maxsize=100 --audit-log-format=json --requestheader-allowed- names=kube-apiserver-proxy-client --cloud-provider=

secret is the 32-byte base64-encoded string generated in the first step. 1.1.3 - Install the audit log configuration on all control plane nodes. Profile Applicability Level 1 Description Place the configuration that the --audit-log-path argument is set as appropriate (Scored) 1.1.16 - Ensure that the --audit-log-maxage argument is as appropriate (Scored) 1.1.17 - Ensure that the --audit-log-maxbackup argument argument is set as appropriate (Scored) 1.1.18 - Ensure that the --audit-log-maxsize argument is set as appropriate (Scored) 1.1.37 - Ensure that the AdvancedAuditing argument is not set to false (Scored)

--audit-log-path argument is set as appropriate (Scored) Notes This path is the path inside of the container. It's combined with the RKE cluster.yml extra- binds: option to map the audit log to the match("--audit-log-path=/var/log/kube-audit/audit-log.json").string' Returned Value: --audit-log-log=/var/log/kube-audit/audit-log.json Result: Pass 1.1.16 - Ensure that the --audit-log-maxage argument kube-apiserver | jq -e '.[0].Args[] | match("--audit-log-maxage=\\d+").string' Returned Value: --audit-log-maxage=5 Result: Pass 1.1.17 - Ensure that the --audit-log-maxbackup argument is set to 10 or as

Rancher Self-Assessment Guide - v2.4 22 'false' is equal to 'false' 1.2.22 Ensure that the --audit-log-path argument is set (Scored) Result: PASS Remediation: Edit the API server pod specification file node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log Audit: /bin/ps -ef | grep grep kube-apiserver | grep -v grep Expected result: '--audit-log-path' is present 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored) Result: PASS Remediation: