Beta - AKS Without Audit Logs
- Query id: 0493b840-50e8-430c-93bc-d794d72931a9
- Query name: Beta - AKS Without Audit Logs
- Platform: Terraform
- Severity: Medium
- Category: Observability
- CWE: 778
- Risk score: 3.0
- URL: Github
Description
Kubernetes clusters should register 'audit logs' so that security events can be analysed after the fact
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive test num. 1: a diagnostic setting IS attached to the cluster, but the only
# category it enables is "kube-controller-manager". Neither "kube-audit" nor
# "kube-audit-admin" is enabled, so API-server audit events are never exported
# to the workspace and the cluster is flagged.
resource "azurerm_kubernetes_cluster" "positive1_1" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
# Targets the cluster above via target_resource_id; only a non-audit category is enabled.
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_pos1_1" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.positive1_1.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.positive1_1.id
enabled_log {
category = "kube-controller-manager"
}
}
# Second case: several enabled_log blocks, still none of them an audit category.
resource "azurerm_kubernetes_cluster" "positive1_2" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_pos1_2" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.positive1_2.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.positive1_2.id
enabled_log {
category = "kube-controller-manager"
}
# "kube-apiserver" is the API-server operational log, not the audit log — it does
# not record who performed which request and does not satisfy this check.
enabled_log {
category = "kube-apiserver"
}
}
Positive test num. 2 - tf file
# legacy "log" field
# Positive test num. 2: same shape as test 1 but using the older `log { ... enabled = ... }`
# schema (superseded by `enabled_log` in newer azurerm provider versions). The query
# must evaluate both schemas; here `enabled = true` is set, but only on non-audit categories.
resource "azurerm_kubernetes_cluster" "positive2_1" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_pos2_1" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.positive2_1.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.positive2_1.id
# Enabled, but not an audit category -> still flagged.
log {
category = "kube-controller-manager"
enabled = true
}
}
resource "azurerm_kubernetes_cluster" "positive2_2" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_pos2_2" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.positive2_2.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.positive2_2.id
log {
category = "kube-controller-manager"
enabled = true
}
# "kube-apiserver" (operational log) is not "kube-audit"; no audit trail is produced.
log {
category = "kube-apiserver"
enabled = true
}
}
Positive test num. 3 - tf file
# legacy "log" fields - enabled set to "false"
# Positive test num. 3: the audit categories ARE declared, but with `enabled = false`.
# Merely naming "kube-audit" / "kube-audit-admin" in a log block is not sufficient; a
# scanner that only checks for the category string would miss this case, so the
# query must also check the `enabled` attribute.
resource "azurerm_kubernetes_cluster" "positive3_1" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_pos3_1" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.positive3_1.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.positive3_1.id
# Audit category present but explicitly disabled -> flagged.
log {
category = "kube-audit"
enabled = false
}
}
resource "azurerm_kubernetes_cluster" "positive3_2" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_pos3_2" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.positive3_2.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.positive3_2.id
# Both audit categories declared, both disabled -> flagged.
log {
category = "kube-audit"
enabled = false
}
log {
category = "kube-audit-admin"
enabled = false
}
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative test num. 1: compliant. A diagnostic setting targets the cluster and enables
# an audit category via the current `enabled_log` schema (no `enabled` attribute is
# needed — an enabled_log block is enabled by definition).
resource "azurerm_kubernetes_cluster" "negative1_1" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_neg_1_1" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.negative1_1.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.negative1_1.id
# Full API-server audit log: every request, including reads.
enabled_log {
category = "kube-audit"
}
}
resource "azurerm_kubernetes_cluster" "negative1_2" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_neg_1_2" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.negative1_2.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.negative1_2.id
# "kube-audit-admin" alone also satisfies the query. NOTE(review): per Azure's category
# description this stream omits get/list events, so read-only access to secrets and
# configmaps is not captured; teams that need that visibility should enable "kube-audit".
enabled_log {
category = "kube-audit-admin"
}
}
Negative test num. 2 - tf file
# legacy "log" fields
# Negative test num. 2: compliant using the older `log` schema — the audit category is
# declared AND `enabled = true`. Contrast with positive test 3, where the same
# categories appear with `enabled = false`.
resource "azurerm_kubernetes_cluster" "negative2_1" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_neg2_1" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.negative2_1.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.negative2_1.id
log {
category = "kube-audit"
enabled = true
}
}
resource "azurerm_kubernetes_cluster" "negative2_2" {
name = "myAKSCluster"
location = "eastus"
resource_group_name = "myResourceGroup"
dns_prefix = "myakscluster"
}
resource "azurerm_monitor_diagnostic_setting" "aks_diagnostics_neg2_2" {
name = "myAKSClusterLogs"
target_resource_id = azurerm_kubernetes_cluster.negative2_2.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.negative2_2.id
# Admin-only audit stream, enabled — accepted by the query (see negative test 1 for
# the coverage caveat on this category).
log {
category = "kube-audit-admin"
enabled = true
}
}