  1. OpenShift Request For Enhancement
  2. RFE-6513

Integrity of audit logs (system and operation logs) should be protected by restricting them as "append only"


    • Feature Request
    • Resolution: Unresolved
    • openshift-4.14
    • Logging

      Issue:

      There is no append-only log file attribute for any of the audit logs.

       

      Below is my testing result:

      ~~~

      $ oc debug node/master-0.416securecluster.lab.upshift.rdu2.redhat.com
      Temporary namespace openshift-debug-c9svd is created for debugging node...
      Starting pod/master-0416secureclusterlabupshiftrdu2redhatcom-debug-vrm7p ...
      To use host binaries, run `chroot /host`
      Pod IP: 10.0.88.34
      If you don't see a command prompt, try pressing enter.
      sh-5.1# chroot /host

      sh-5.1# ls -altr  /var/log/audit/audit.log
      rw------. 1 root root 428626 Oct  4 02:14 /var/log/audit/audit.log
      sh-5.1# lsattr  /var/log/audit/audit.log
      ---------------------- /var/log/audit/audit.log

      ~~~

      There is no append-only log file attribute in the test output.

       

      Expectation:

      The below output for the audit logs is expected.

      ~~~
      $ lsattr /var/log/audit/audit.log
      ----a------e------ /var/log/audit/audit.log
      ~~~

       

      Security Implications:
      There is a risk of log tampering and a lack of auditability and traceability.

       

              jamparke@redhat.com Jamie Parker
              sasakshi@redhat.com Sakshi sakshi
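
A check for the attribute discussed in this request, as an added example that is not part of the original report or of OpenShift: it parses `lsattr` output and lists audit log files that lack the append-only (`a`) flag. The function names and the `audit.log*` glob are assumptions, and the sample input is constructed from the two flag strings shown in the report.

```shell
#!/bin/sh
# Added example (not from the report): find audit logs lacking append-only.

# Reads lsattr output ("<flags> <path>" per line) on stdin and prints every
# path whose flag field has no lowercase 'a' (append-only).
# Returns 0 if all files have it, 1 if any lack it, 2 if no input was seen
# (for example lsattr failed or the glob matched nothing).
missing_append_only() {
    rc=0
    seen=0
    while read -r flags path; do
        [ -n "$path" ] || continue      # skip blank or malformed lines
        seen=1
        case "$flags" in
            *a*) ;;                     # 'A' (no atime) does not match
            *)   printf '%s\n' "$path"; rc=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || return 2
    return "$rc"
}

# Assumption: logs live in /var/log/audit and match audit.log*.
check_audit_dir() {
    lsattr "${1:-/var/log/audit}"/audit.log* 2>/dev/null | missing_append_only
}

# Constructed sample built from the two lsattr flag strings in the report.
sample_lsattr() {
    printf '%s\n' \
        '---------------------- /var/log/audit/audit.log' \
        '----a------e------ /var/log/audit/audit.log.1'
}

sample_lsattr | missing_append_only || echo "append-only missing (status $?)"
```

On a node, `check_audit_dir` is meant to be run inside the `chroot /host` debug shell used in the test above.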