Description

The kubernetes configuration does not set a logging property, which prevents log files from being created. These files are useful for identifying and tracking malicious actions or anomalous behavior. Alternatively, log files do not have sufficient level of detail.

Impact

Perform harmful actions without raising an alert.

Recommendation

Enable auditing on the Kubernetes API Server and set the desired audit log path.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

• Attack vector: N
• Attack complexity: H
• Privileges required: H
• User interaction: N
• Scope: U
• Confidentiality: N
• Integrity: L
• Availability: N

Temporal

• Exploit code maturity: P
• Remediation level: O
• Report confidence: C

Result

• Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
• Score:
• Base: 2.2
• Temporal: 2.0
• Severity:
• Base: Low
• Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: H
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Result 4.0

• Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
• Score:
• CVSS-BT: 1.2
• Severity:
• CVSS-BT: Low

Compliant code

The Kubernetes configuration includes the desired log path

                apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
- command:
+
- kube-apiserver
+
- --audit-log-path=/path/to/log
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...

            

Non compliant code

The Kubernetes configuration does not set a log file configuration

                apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
- command:
+
- kube-apiserver

            

Requirements

• 075.Record exceptional events in logs
• 376.Register severity level
• 377.Store logs based on valid regulation
• 378.Use of log management system

Fixes

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.