Skip to content
Nuclei Templates

Ensure audit-log-path set

ID: audit-log-path-set

Severity: medium

Author: princechaddha

Tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security

Description

Section titled “Description”

Checks if the audit-log-path argument is properly set in the Kubernetes API server configuration, which is essential for maintaining a reliable audit trail.

YAML Source

Section titled “YAML Source”
id: audit-log-path-set


info:
  name: Ensure audit-log-path set
  author: princechaddha
  severity: medium
  description: Checks if the audit-log-path argument is properly set in the Kubernetes API server configuration, which is essential for maintaining a reliable audit trail.
  impact: |
    Without the audit-log-path argument, Kubernetes does not record API server audit logs, reducing the visibility into operations and making it harder to detect and respond to malicious activities.
  remediation: |
    Configure the Kubernetes API server to include the audit-log-path argument pointing to a secure, writeable directory where audit logs will be stored. Ensure that this directory is properly secured and regularly monitored.
  reference:
    - https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
  tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security


variables:
  argument: "audit-log-path"


self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"


    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'kube-apiserver'


      - type: word
        words:
          - "audit-log-path"
        negative: true


    extractors:
      - type: dsl
        dsl:
          - '"API server configuration is missing the " + argument + " argument."'
# digest: 4a0a00473045022100e1b50502c2e2de455c7c71383104eba2e2a2a1f4ceeb94e47ac0de8c9c2e5706022062b56c1260112007885e0db54e7fe0fa25f490378366d214b425f7afff07df2b:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml"

View on Github