You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/en/blog/_posts/2021-10-05-nsa-cisa-hardening.md
+7-13Lines changed: 7 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -221,8 +221,8 @@ As discussed here and in the guidance, many features and tooling exist in and ar
221
221
Kubernetes that can enhance the isolation boundaries between
222
222
pods. Based on relevant threats and risk posture, you should pick and choose
223
223
between them, instead of trying to apply all the recommendations. Having said that, cluster
224
-
level isolation remains the strictest workload isolation mechanism, in spite of
225
-
improvements mentioned earlier here and in the guide.
224
+
level isolation i.e. running workloads in dedicated clusters, remains the strictest workload
225
+
isolation mechanism, in spite of improvements mentioned earlier here and in the guide.
226
226
227
227
## Network Separation and Hardening
228
228
@@ -313,17 +313,12 @@ responsible, and who's accountable, for each layer of logging.
313
313
314
314
One area that deserves more focus is what exactly should alert or be logged. The
315
315
document outlines a sample policy in [Appendix L: Audit Policy](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF#page=55) that logs all
316
-
RequestResponse's including metadata and request / response bodies. While
317
-
helpful for a demo, it may not be practical for production.
316
+
RequestResponse's including metadata and request / response bodies. While helpful for a demo, it may not be practical for production.
318
317
319
318
Each organization needs to evaluate their
320
-
own threat model and build an
321
-
audit policy that complements or helps troubleshooting incident response. Think
322
-
about how someone would attack your organization and what audit trail could
323
-
identify it. Review more advanced options for tuning audit logs in
324
-
the official [audit logging documentation](/docs/tasks/debug-application-cluster/audit/#audit-policy).
325
-
It's crucial to tune your audit logs to only include events that meet your
326
-
threat model.
319
+
own threat model and build an audit policy that complements or helps troubleshooting incident response. Think
320
+
about how someone would attack your organization and what audit trail could identify it. Review more advanced options for tuning audit logs in the official [audit logging documentation](/docs/tasks/debug-application-cluster/audit/#audit-policy).
321
+
It's crucial to tune your audit logs to only include events that meet your threat model. A minimal audit policy that logs everything at `metadata` level can also be a good starting point.
327
322
328
323
Audit logging configurations can also be tested with
329
324
kind following these [instructions](https://kind.sigs.k8s.io/docs/user/auditing).
@@ -383,8 +378,7 @@ easier cluster upgrades.
383
378
384
379
Additionally, it's worth reiterating from the guidance that periodic
385
380
vulnerability scans and penetration tests can be performed on the various system
386
-
components to proactively look for insecure configurations and
387
-
zero-day vulnerabilities.
381
+
components to proactively look for insecure configurations and vulnerabilities.
0 commit comments