STIGhub

V-260915

CAT II (Medium)

MKE must be configured to send audit data to a centralized log server.

Rule ID

SV-260915r966102_rule

STIG

Mirantis Kubernetes Engine Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-000140, CCI-000154, CCI-001851, CCI-002702

Discussion

Sending audit data from MKE to a centralized log server enhances centralized monitoring, facilitates efficient incident response, scales effectively, provides redundancy, and helps organizations meet compliance requirements. This is the recommended best practice for managing Kubernetes environments, especially in enterprise settings.

Check Content

Check centralized log server configuration.

Via CLI, execute the following commands as a trusted user on the host operating system:

cat /etc/docker/daemon.json

Verify that the "log-driver" property is set to one of the following: "syslog", "journald", or "<plugin>" (where <plugin> is the naming of a third-party Docker logging driver plugin).

Work with the SIEM administrator to determine if an alert is configured when audit data is no longer received as expected.

If "log-driver" is not set, or if alarms are not configured in the SIEM, then this is a finding.

Fix Text

Configure the logging driver by setting the log-driver and log-opts keys to appropriate values in the daemon.json file. Refer to this link for extra assistance: https://docs.docker.com/config/containers/logging/syslog/.

Via CLI:
Linux:
1. As a trusted user on the host OS, open the /etc/docker/daemon.json file for editing. If the file does not exist, it must be created.

2. Set the "log-driver" property to one of the following: 
"syslog", "journald", or "<plugin>" (where <plugin> is the naming of a third-party MKE logging driver plugin).
Note: Mirantis recommends the "journald" setting.

The following example sets the log driver to journald:

{
  "log-driver": "journald"
}


3. Configure the "log-opts" object as required by the selected "log-driver".

4. Save the file.

5. Restart the Docker daemon by executing the following:

sudo systemctl restart docker

Configure rsyslog to send logs to the SIEM system.

1. Edit the /etc/rsyslog.conf file and add the IP address of the remote server.
Example: *.* @@loghost.example.com

2. Work with the SIEM administrator to configure an alert when no audit data is received from Mirantis.
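
The host-side parts of the check and fix above can be scripted. The following is an added example, not part of the STIG or of Mirantis tooling: it classifies the contents of daemon.json and lists legacy-syntax forwarding targets in rsyslog.conf. Treating "json-file", "local" and "none" as findings and any other unrecognized driver name as needing manual review is an assumption of this example; the SIEM alert still has to be confirmed with the SIEM administrator.

```python
import json
import re

# Drivers the check text names explicitly.
NAMED_DRIVERS = {"syslog", "journald"}
# Assumption of this example: built-in drivers that keep logs only on the
# host, or discard them, cannot satisfy the rule.
LOCAL_ONLY_DRIVERS = {"json-file", "local", "none"}
# Legacy rsyslog forwarding action: "<selector> @host" (UDP) or "@@host" (TCP).
FORWARD_RE = re.compile(r"^\s*\S+\s+@{1,2}([^\s@#]+)")


def check_daemon_json(text):
    """Return (status, reason) for the contents of /etc/docker/daemon.json."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return "FINDING", f"daemon.json is not valid JSON: {exc.msg}"
    if not isinstance(config, dict):
        return "FINDING", "daemon.json is not a JSON object"
    driver = config.get("log-driver")
    if not isinstance(driver, str) or not driver.strip():
        return "FINDING", '"log-driver" is not set'
    if driver in NAMED_DRIVERS:
        return "PASS", f'"log-driver" is "{driver}"'
    if driver in LOCAL_ONLY_DRIVERS:
        return "FINDING", f'"{driver}" does not send logs off the host'
    return "REVIEW", f'confirm "{driver}" is an approved logging plugin'


def rsyslog_forward_targets(text):
    """List remote targets from legacy forwarding lines in rsyslog.conf."""
    targets = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out rules do not forward anything
        match = FORWARD_RE.match(line)
        if match:
            targets.append(match.group(1))
    return targets


if __name__ == "__main__":
    # Constructed samples; on a host, pass in the contents of
    # /etc/docker/daemon.json and /etc/rsyslog.conf instead.
    print(check_daemon_json('{"log-driver": "journald"}'))
    print(rsyslog_forward_targets("*.* @@loghost.example.com\n"))
```

An empty list from rsyslog_forward_targets does not prove forwarding is absent: rules written in the newer action(type="omfwd" ...) syntax or placed in files under /etc/rsyslog.d/ are not covered by this example.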