For CIS 1.6 3.2.2 what are the key security concerns that need to be covered by the security-policy ?

[jorgegutierrez2077]

Using benchmark cis-1.6 with kube-bench-0.5.0-1

Finding WARN with the 3.2.2 check, however it is not clear on the suggested remediation what are the expected key security concerns that need to be covered.

kube-bench --benchmark cis-1.6 --nosummary --check 3.2.2

[INFO] 1 Master Node Security Configuration

[INFO] 2 Etcd Node Configuration

[INFO] 3 Control Plane Configuration
[INFO] 3.2 Logging
[WARN] 3.2.2 Ensure that the audit policy covers key security concerns (Manual)

== Remediations controlplane ==
3.2.2 Consider modification of the audit policy in use on the cluster to include these items, at a
minimum.

[INFO] 4 Worker Node Security Configuration

[INFO] 5 Kubernetes Policies

== Summary total ==
0 checks PASS
0 checks FAIL
1 checks WARN
0 checks INFO.

At a very least would be needed a reference of where to list those key security concerns

[mozillazg]

For detail remediation please download the benchmark PDF from CIS: https://www.cisecurity.org/benchmark/kubernetes/

[yoavrotems]

Thanks to @mozillazg, as @mozillazg mentioned really for more information you should go to CIS and check out the full book (for free).
In kube-bench aspect if you are asking why it outcome with WARN state it because the test is a "manual test" which means the is a manually user interfering need.
In this specific case we can't predict the desired output so we can't automate it

Audit:
Review the audit policy provided for the cluster and ensure that it covers at least the following areas :-
• Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data.
• Modification of pod and deployment objects.
• Use of pods/exec, pods/portforward, pods/proxy and services/proxy.
For most requests, minimally logging at the Metadata level is recommended (the most basic level of logging).