Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate
| Property | |
|---|---|
| Language | |
| Severity | |
Description
The Kubernetes API server is not configured with the --audit-log-maxbackup parameter, or it is set too low, causing insufficient retention of audit log backup files. This can lead to old audit logs being overwritten or deleted too soon, reducing log history for security and troubleshooting.
Impact
Insufficient audit log retention can hinder the ability to investigate security incidents or unauthorized activities, making it easier for attackers to cover their tracks and reducing compliance with auditing requirements.
Resolution
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value.
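
One way to check a manifest against this rule, as an added example that is not part of the original page or of any tool it describes. The function names, the sample manifest and its log path are constructed for illustration, and only the `--flag=value` form is recognised.

```shell
# Added example (not from the original page): checks --audit-log-maxbackup in a
# kube-apiserver static pod manifest. Only the --flag=value form is recognised,
# and the value is compared numerically against the minimum, nothing more.

# check_maxbackup MANIFEST [MINIMUM]
# Prints one finding; returns 0 = pass, 1 = fail, 2 = manifest unreadable.
check_maxbackup() {
    manifest=$1
    minimum=${2:-10}    # 10 is the value named in the rule; adjust as appropriate
    [ -r "$manifest" ] || { echo "ERROR: cannot read $manifest"; return 2; }
    # Match only YAML list items ("- --flag=value"), so commented-out lines are
    # ignored. If the flag is repeated, this check uses the last occurrence.
    value=$(sed -n "s/^[[:space:]]*-[[:space:]]*[\"']\{0,1\}--audit-log-maxbackup=\([^\"'[:space:]]*\).*/\1/p" "$manifest" | tail -n 1)

    [ -n "$value" ] || { echo "FAIL: --audit-log-maxbackup is not set"; return 1; }
    case $value in
        *[!0-9]*) echo "FAIL: --audit-log-maxbackup=$value is not a whole number"
                  return 1 ;;
    esac
    if [ "$value" -lt "$minimum" ]; then
        echo "FAIL: --audit-log-maxbackup=$value is below $minimum"
        return 1
    fi
    echo "PASS: --audit-log-maxbackup=$value"
}

# write_sample_manifest FILE [FLAG_LINE]: constructed sample input, trimmed to
# the fields this check reads. It is not a complete kube-apiserver manifest.
write_sample_manifest() {
    {
        echo "spec:"
        echo "  containers:"
        echo "  - command:"
        echo "    - kube-apiserver"
        echo "    - --audit-log-path=/var/log/apiserver/audit.log"
        [ -z "$2" ] || echo "    $2"
    } > "$1"
}

# Demo on constructed manifests; on a Control Plane node, pass
# /etc/kubernetes/manifests/kube-apiserver.yaml instead.
tmp=$(mktemp -d)
write_sample_manifest "$tmp/good.yaml" "- --audit-log-maxbackup=10"
write_sample_manifest "$tmp/low.yaml" "- --audit-log-maxbackup=2"
check_maxbackup "$tmp/good.yaml" || true
check_maxbackup "$tmp/low.yaml" || true
rm -rf "$tmp"
```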