Authentication and authorization audit logs
Your product generates authentication and authorization audit logs. The auth-idp service generates authentication audit events and auth-pdp service generates authorization audit logs.
The Platform UI (Zen) service also generates some authorization audit logs. To view these audit logs, you must create the zen-audit-config configmap.
The audit logs contain the following fields.
| Field name | Data saved | Description | Example |
|---|---|---|---|
| initiator.id | Source of an action | ID of the source that initiated the action | LDAP ID; ID of an API key |
| initiator.typeURI | URI of the source | URI of the source of action | service; user |
| initiator.credential.type | Type of ID | Type of ID of the source of action | token; API key |
| target.name | Target of an action | The endpoint on which the action is initiated. | service; resource |
| target.id | ID of the target | Cloud Resource Name (CRN) value of the service or resource | crn:v1:icp:private:platform-service:::core:service:metering-service |
| target.typeURI | URI of the target | URI of the target on which the action is initiated. | resource; API key; secret |
| action | Action that is requested | The action that triggers an event. | create; update; delete; deploy; authenticate |
| outcome | Result of the action | success; pending; failure | |
| reason.reasonCode | HTTP response code | The response code of the result. | 200 for success |
| severity | Severity level | The severity level of the event. | critical; normal |
| eventTime | Timestamp | The time, date, and time zone of the event. | 2018-04-20 20:15:00.32 +0000 UTC |
All create, read, update, and delete operations that are related to a directory, user, user group, and team are logged.
Each service that generates audit data writes audit records to a /var/log/audit/<service_name>-audit.log file inside the audit sidecar container in the respective pod. For example:
- Authentication logs are saved to the
/var/log/audit/platform-identity-management-audit.logfile. - Authorization logs are saved to the
/app/logs/audit/pdp-audit.logfile.
The /var/log/audit directory is shared with the audit container, which is a sidecar container. An emptyDir volume is used for sharing the /var/log/audit directory between the two containers. The audit container
(also known as auto agent) sends the data to systemd journal.
You can use a security information and event management (SIEM) tool of your choice to view these logs.
zen-audit-config configmap
You can publish the audit logs to the zen-audit pod stdout logs on your cluster.
Create a custom configmap to export your audit records to the zen-audit pod stdout logs on the cluster. Complete these steps from your cluster node.
- Log in to the cluster by using the
oc logincommand. -
Change to the project where your IBM Cloud Pak is installed.
oc project <IBM Cloud Pak-namespace}}> -
Create the configmap. You can use a custom name for the configmap. The default
zen-audit-configname is used in the following steps. {: #create-cm}cat <<EOF | oc apply -f - apiVersion: v1 kind: ConfigMap metadata: name: zen-audit-config namespace: <IBM Cloud Pak-namespace}}> data: fluent.conf: |- <match export export.** records records.** syslog syslog.**> @type copy <store> @type stdout </store> </match> EOF -
Patch the
zenServicecustom resource to specify the custom configmap.oc patch zenService lite-cr \ -n <IBM Cloud Pak-namespace}}> \ --type="json: \ --patch '[{"op": "replace", "path":"/spec/zen_audit_config_custom", "value": 'zen-audit-config' }]' -
Delete all
zen-auditpods to force a restart to pick up changes. {: #delete-pods}-
Get the names of all
zen-auditpods.oc get pods | grep zen-audit -
Delete the
zen-auditpods. Repeat the command for eachzen-auditpod.oc delete pod <zen-audit-pod-name>
You can now see the audit events in the
zen-auditpod stdout logs. -