Audit Policy Not Cover Key Security Concerns
- Query id: 1828a670-5957-4bc5-9974-47da228f75e2
- Query name: Audit Policy Not Cover Key Security Concerns
- Platform: Kubernetes
- Severity: Low
- Category: Observability
- URL: Github
Description
The audit policy should address the key security concerns around sensitive data in Kubernetes audit logs: the audit level applied to secrets, configmaps and tokenreviews, and the level applied to the privileged pod exec, port-forward and proxy subresources. A policy with no rules, or one that records the full content of secret-bearing resources while leaving the privileged subresources unlogged, does not meet this expectation.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
```
Positive test num. 2 - yaml file
```yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
rules:
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["secrets","configmaps","tokenreviews"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods","deployments"]
  - level: None
    resources:
    - group: ""
      resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]
```
Positive test num. 3 - yaml file
```yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets","configmaps","tokenreviews"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods"]
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets","configmaps","tokenreviews"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods","deployments"]
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]
```
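To make the expectation behind the samples concrete, here is an added stdlib-only checker (not KICS's own query code) that resolves the audit level the kube-apiserver would apply to each resource of interest, using first-match rule evaluation with level None as the default for unmatched requests, and reports the same deviations the positive tests above exhibit. It works on a Policy already parsed into a dict (for example via yaml.safe_load); the two inline policies mirror positive test 2 and negative test 1 and are constructed for this example.

```python
# Added example, not KICS's own code: re-implements this query's checks over
# an audit Policy dict. Rules are tried in order, first match wins, and an
# unmatched request gets level None (the apiserver default).

# Bodies of these core-group resources carry secret material: metadata only.
SENSITIVE_METADATA_ONLY = ("secrets", "configmaps", "tokenreviews")
# Privileged subresources: capture the full request and response.
PRIVILEGED_FULL = ("pods/exec", "pods/portforward", "pods/proxy", "services/proxy")

def effective_level(policy, resource, group=""):
    """Audit level applied to `resource` in API `group` (core group is "")."""
    for rule in policy.get("rules") or []:
        targets = rule.get("resources")
        if not targets:  # no resource filter: the rule matches every request
            return rule["level"]
        for target in targets:
            if target.get("group", "") != group:
                continue
            names = target.get("resources") or []
            # Empty list or "*" covers every resource in the group; a bare
            # "pods" entry does not cover subresources such as "pods/exec".
            if not names or "*" in names or resource in names:
                return rule["level"]
    return "None"

def audit_policy_findings(policy):
    """Problems this query would report; an empty list means the policy is clean."""
    if not policy.get("rules"):
        return ["policy has no rules, so no request is audited"]
    findings = []
    for res in SENSITIVE_METADATA_ONLY:
        level = effective_level(policy, res)
        if level != "Metadata":
            findings.append(f"{res}: level {level}, expected Metadata")
    for res in PRIVILEGED_FULL:
        level = effective_level(policy, res)
        if level != "RequestResponse":
            findings.append(f"{res}: level {level}, expected RequestResponse")
    return findings

def core(*names):  # helper: one core-group resource selector
    return [{"group": "", "resources": list(names)}]

# Constructed inputs mirroring positive test 2 and negative test 1 above.
POSITIVE_2 = {"kind": "Policy", "rules": [
    {"level": "RequestResponse", "resources": core(*SENSITIVE_METADATA_ONLY)},
    {"level": "Metadata", "resources": core("pods", "deployments")},
    {"level": "None", "resources": core(*PRIVILEGED_FULL)}]}
NEGATIVE_1 = {"kind": "Policy", "rules": [
    {"level": "Metadata", "resources": core(*SENSITIVE_METADATA_ONLY)},
    {"level": "Metadata", "resources": core("pods", "deployments")},
    {"level": "RequestResponse", "resources": core(*PRIVILEGED_FULL)}]}
```

Running `audit_policy_findings` on POSITIVE_2 yields seven findings (three secret-bearing resources logged at RequestResponse, four privileged subresources not logged at all), while NEGATIVE_1 yields none.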