Profile Applicability:
Level 1

Description:
All modifications to deployment configuration files—such as Infrastructure as Code (IaC) templates, Kubernetes manifests, and deployment scripts—must be logged and auditable. This includes tracking who made changes, what was changed, when the change occurred, and why it was made. Auditing changes enhances accountability and supports compliance and security monitoring.

Rationale:
Auditing deployment configuration changes helps detect unauthorized or unintended modifications that could introduce security vulnerabilities, cause service disruptions, or violate compliance requirements. A complete trail (author, timestamp, changed files, justification) lets investigators tie a bad deployment back to the exact revision that introduced it and revert to a known-good state, and it gives reviewers evidence that the change process is actually being followed.

Impact:
Pros:

  • Improves accountability and traceability of configuration changes.

  • Enables detection of unauthorized or risky modifications.

  • Supports compliance with regulatory and organizational policies.

  • Facilitates forensic analysis and troubleshooting.

Cons:

  • Requires appropriate logging and monitoring infrastructure.

  • May increase storage and management overhead for audit logs.

Default value:
No audit trail is guaranteed by default: configuration files may be edited and deployed without a recorded author, timestamp or justification. Even where a version control system is used, commit author and date fields are self-asserted by the client and can be set to arbitrary values unless commits are signed or the hosting platform enforces server-side attribution.

Audit:
Verify that every change to deployment configuration files (IaC templates, Kubernetes manifests, deployment scripts, pipeline definitions) is recorded in the version control system with an author, a timestamp, the set of changed files, and a justification such as a commit message that references a change ticket. Confirm that author metadata is trustworthy: commits on protected branches should be signed, or the platform should record the authenticated identity that pushed or merged them. Check repository and CI/CD access logs to confirm that deployments are driven from recorded revisions rather than out-of-band edits, and that the audit logs are retained and reviewed on a defined schedule.

Remediation:
Store all deployment configuration in a version control system and protect the relevant branches so that changes land only through reviewed merges. Require signed commits, or rely on the platform's server-side record of the authenticated pusher, so that author metadata cannot be forged. Configure CI/CD pipelines to log which revision was deployed, by whom and when, and forward those records together with the repository's audit logs to central, tamper-evident log storage with retention that meets policy. Establish policies requiring regular review of these logs and define incident response procedures for changes that lack the required metadata or were not authorized.
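As an added worked example (not part of this benchmark and not a CIS tool) of the Audit and Remediation steps above, the following Python script parses `git log` output restricted to deployment-configuration paths and flags every commit that is missing the "who" (author identity and a good signature), the "what" (changed paths), the "when" (a parseable author date) or the "why" (a commit message citing a change ticket). The `git log` format string, the path filters `deploy/ k8s/ terraform/`, and the ticket-reference rule are assumptions to adapt to your repository; the sample log is constructed, not taken from a real repository. Such a check can run in a CI job or a scheduled review against the protected branch.

```python
"""Audit git history for deployment-configuration changes lacking who/what/when/why.

Feed it the output of (added example; the path filters are an assumption):
  git log --name-only --format='%x1e%H%x1f%an%x1f%ae%x1f%aI%x1f%G?%x1f%s' -- deploy/ k8s/ terraform/
%x1e starts each commit record, %x1f separates its fields, and --name-only
appends the changed paths after a blank line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

RECORD_SEP = "\x1e"
FIELD_SEP = "\x1f"

# Assumed policy: the "why" must cite a change ticket such as OPS-123.
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")

# Meaning of git's %G? signature status codes.
SIGNATURE_STATUS = {
    "G": "good signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "B": "bad signature",
    "E": "signature cannot be checked",
    "N": "no signature",
}


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    date: str
    sig_status: str
    subject: str
    paths: list[str]


def parse_log(text: str) -> list[Commit]:
    """Split the raw git log into Commit records."""
    commits = []
    for record in text.split(RECORD_SEP):
        record = record.strip("\n")
        if not record:
            continue
        header, _, body = record.partition("\n")
        fields = header.split(FIELD_SEP)
        if len(fields) != 6:
            raise ValueError(f"malformed record: {header!r}")
        paths = [p for p in body.splitlines() if p.strip()]
        commits.append(Commit(*fields, paths))
    return commits


def audit_commit(c: Commit) -> list[str]:
    """Return the list of policy findings for one commit (empty means it passes)."""
    findings = []
    if not c.author or not c.email:                       # who
        findings.append("missing author identity")
    if c.sig_status != "G":                               # who, cryptographically
        findings.append(f"signature: {SIGNATURE_STATUS.get(c.sig_status, 'unknown status')}")
    try:                                                  # when
        datetime.fromisoformat(c.date)
    except ValueError:
        findings.append("unparseable author date")
    if not c.paths:                                       # what
        findings.append("no changed paths recorded")
    if not c.subject.strip():                             # why
        findings.append("empty commit message")
    elif not TICKET_RE.search(c.subject):
        findings.append("no change-ticket reference in message")
    return findings


def audit_log(text: str) -> dict[str, list[str]]:
    """Map each commit SHA to its findings."""
    return {c.sha: audit_commit(c) for c in parse_log(text)}


# Constructed sample in the format above (not from a real repository).
SAMPLE_LOG = (
    RECORD_SEP + FIELD_SEP.join(["a1b2c3", "Dana Ops", "dana@example.com",
        "2024-05-02T10:15:00+02:00", "G", "OPS-123: raise api replicas to 3"])
    + "\n\nk8s/api/deployment.yaml\n"
    + RECORD_SEP + FIELD_SEP.join(["d4e5f6", "ci-bot", "ci@example.com",
        "2024-05-03T01:02:03+00:00", "N", "fix"])
    + "\n\nterraform/prod/main.tf\n"
    + RECORD_SEP + FIELD_SEP.join(["789abc", "Lee Dev", "lee@example.com",
        "2024-05-04T09:00:00+00:00", "B", "OPS-200: rotate db secret reference"])
    + "\n\nk8s/api/secret-ref.yaml\n"
)

if __name__ == "__main__":
    for sha, findings in audit_log(SAMPLE_LOG).items():
        status = "PASS" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{sha} {status}")
```

On the constructed sample the first commit passes, the unsigned "fix" commit fails for both a missing ticket reference and a missing signature, and the third fails on a bad signature despite a well-formed message. Treating anything other than a good signature as a finding is deliberate: without it, the author and date fields prove nothing about who actually made the change.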

References:

  1. NIST SP 800-53 – Audit and Accountability: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

  2. CIS Controls v8, Control 8 – Audit Log Management: https://www.cisecurity.org/controls/audit-log-management/

  3. OWASP Secure Configuration Guide: https://owasp.org/www-project-secure-configuration-guide/