Configuring IBM Cloud Private services to generate audit logs

You can configure your IBM Cloud Private to generate audit logs.

IBM Cloud Private provides two types of audit logs: icp-audit, generated by IBM Cloud Private platform services, and kube-audit, generated by Kubernetes. During installation of your cluster you can enable or disable only kube-audit, by updating the config.yaml file. After installation you can enable or disable both types of audit logs. By default, platform services do not generate any audit logs; you must enable audit logging for each service for which you need the logs.

IBM Cloud Private generates icp-audit logs for all create, read, update, and delete operations. You cannot configure the log level for icp-audit logs, but you can configure the log level for kube-audit logs by updating the audit-policy.yaml file.
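The page does not show the contents of audit-policy.yaml. The following is an added example of a Kubernetes audit policy, not a file shipped with IBM Cloud Private, that illustrates how the log level is chosen per rule: each rule carries one of the standard levels None, Metadata, Request, or RequestResponse, and the first matching rule wins. The apiVersion you need depends on the Kubernetes version in your cluster (audit.k8s.io/v1beta1 on older releases), and the resource groups used below are assumptions about what you consider sensitive.

```yaml
# Added example audit policy (not from the page). Rules are evaluated in
# order; the first rule that matches a request decides its logging level.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request produces one event, not two.
omitStages:
  - RequestReceived
rules:
  # Health and version probes are noise: do not log them at all.
  - level: None
    nonResourceURLs: ["/healthz*", "/version"]
  # Secrets and ConfigMaps may carry credentials: record who touched them
  # (Metadata), but never the request or response body.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # RBAC changes are security-relevant: keep the full request and response.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
  # Everything else: metadata only (user, verb, resource, response code).
  - level: Metadata
```

The file is read by kube-apiserver through the --audit-policy-file flag that the "Enabling Kubernetes auditing" procedure later in this page adds to master.json; the apiserver must be restarted for policy changes to take effect.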

Note: Audit logging depends on the logging service; the audit-logging-fluentd-ds-* pods run only when the logging service is deployed. Deployment of the audit-logging chart is enabled by default at installation time. If you disabled logging at install time by adding logging: disabled to the config.yaml file, you must also add audit-logging: disabled to the management_services section of the config.yaml file. The following is a sample management_services section:

management_services:
  logging: disabled
  audit-logging: disabled
  istio: disabled
  vulnerability-advisor: disabled
  storage-glusterfs: disabled
  storage-minio: disabled

Enabling and disabling audit logging for various IBM Cloud Private services

  1. Navigate to ConfigMap: Navigation Menu > Configuration > ConfigMap.
  2. Search for the ConfigMap of the service for which you want to enable or disable audit logging.
  3. Click Edit.
  4. Set the key related to auditing to true or false to enable or disable audit logging for that service.
  5. Click Submit.
  6. Delete all the pods that belong to that service. The pods are re-created with auditing enabled or disabled. The services are listed under DaemonSets (Navigation Menu > Workload > DaemonSets) or Deployments (Navigation Menu > Workload > Deployments).

The following table lists the IBM Cloud Private services and the ConfigMaps where the audit-related keys are set.

Table 1. IBM Cloud Private services and the ConfigMaps where the audit-related keys are set.

| Service name | ConfigMap | Key | Pod location |
| --- | --- | --- | --- |
| auth-idp | platform-auth-idp | AUDIT_ENABLED_IDMGMT | Navigation Menu > Workload > DaemonSets > auth-idp |
| auth-idp | platform-auth-idp | AUDIT_ENABLED_IDPROVIDER | Navigation Menu > Workload > DaemonSets > auth-idp |
| auth-pdp | auth-pdp | AUDIT_ENABLED | Navigation Menu > Workload > DaemonSets > auth-pdp |
| platform-api | platform-api | AUDIT_ENABLED | Navigation Menu > Workload > Deployments > platform-api |
| helm-api | helm-api | AUDIT_ENABLED | Navigation Menu > Workload > Deployments > helm-api |
| helm-repo | helm-repo | AUDIT_ENABLED | Navigation Menu > Workload > Deployments > helm-repo |
| vulnerability-advisor-ma-file-annotator | vulnerability-advisor-audit-config | MUTATION_ADVISOR_AUDIT_ENABLED | Navigation Menu > Workload > Deployments > vulnerability-advisor-ma-file-annotator |
| vulnerability-advisor-ma-file-annotator | vulnerability-advisor-audit-config | SAS_API_SERVER_AUDIT_ENABLED | Navigation Menu > Workload > Deployments > vulnerability-advisor-ma-file-annotator |
| key-management-lifecycle | lifecycle-config | AUDIT_ENABLED | Navigation Menu > Workload > Deployments > key-management-lifecycle |

Note: Some IBM Cloud Private services, such as platform-auth-service and platform-identity-provider, can generate more detailed audit data. To enable it, set the AUDIT_DETAIL key to true in the platform-auth-idp ConfigMap.
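The console procedure above can also be scripted with kubectl, which is useful when auditing has to be switched on for several services consistently or from an automation pipeline. The following Python script is an added example, not IBM's own tooling: it takes the ConfigMap and key names from Table 1, patches the keys, and deletes the service's pods so they are re-created with the new setting (steps 4 to 6). Two details are assumptions the page does not state: that the ConfigMaps live in the kube-system namespace, and that each service's pods carry an app=<service name> label.

```python
"""Toggle icp-audit logging for one IBM Cloud Private platform service.

Added example, not IBM's own tooling. Assumptions not stated on the page:
the ConfigMaps live in the kube-system namespace and the pods of a
service carry an app=<service name> label.
"""
import json
import subprocess
import sys

NAMESPACE = "kube-system"  # assumption: platform services run here

# service name -> (ConfigMap, audit keys, workload kind), taken from Table 1
SERVICES = {
    "auth-idp": ("platform-auth-idp",
                 ["AUDIT_ENABLED_IDMGMT", "AUDIT_ENABLED_IDPROVIDER"], "DaemonSet"),
    "auth-pdp": ("auth-pdp", ["AUDIT_ENABLED"], "DaemonSet"),
    "platform-api": ("platform-api", ["AUDIT_ENABLED"], "Deployment"),
    "helm-api": ("helm-api", ["AUDIT_ENABLED"], "Deployment"),
    "helm-repo": ("helm-repo", ["AUDIT_ENABLED"], "Deployment"),
    "vulnerability-advisor-ma-file-annotator": (
        "vulnerability-advisor-audit-config",
        ["MUTATION_ADVISOR_AUDIT_ENABLED", "SAS_API_SERVER_AUDIT_ENABLED"],
        "Deployment"),
    "key-management-lifecycle": ("lifecycle-config", ["AUDIT_ENABLED"], "Deployment"),
}


def audit_patch(service, enabled, detail=None):
    """Return the ConfigMap data fields to set for `service`.

    `detail` (True/False) additionally sets AUDIT_DETAIL, which only the
    platform-auth-idp ConfigMap supports (see the note above).
    """
    if service not in SERVICES:
        raise KeyError(f"unknown service {service!r}; see Table 1")
    configmap, keys, _kind = SERVICES[service]
    data = {key: "true" if enabled else "false" for key in keys}
    if detail is not None:
        if configmap != "platform-auth-idp":
            raise ValueError("AUDIT_DETAIL is only supported in platform-auth-idp")
        data["AUDIT_DETAIL"] = "true" if detail else "false"
    return data


def audit_commands(service, enabled, detail=None):
    """Return the kubectl argv lists that carry out steps 4 to 6."""
    data = audit_patch(service, enabled, detail)  # raises on unknown service
    configmap = SERVICES[service][0]
    patch = json.dumps({"data": data}, sort_keys=True)
    return [
        # steps 4 and 5: set the audit key(s) in the ConfigMap
        ["kubectl", "-n", NAMESPACE, "patch", "configmap", configmap,
         "--type=merge", "-p", patch],
        # step 6: delete the pods so they are re-created with the new setting
        # (assumed label selector)
        ["kubectl", "-n", NAMESPACE, "delete", "pod", "-l", f"app={service}"],
    ]


def apply(service, enabled, detail=None, run=subprocess.run):
    """Run the commands in order; `run` is injectable for dry runs and tests."""
    cmds = audit_commands(service, enabled, detail)
    for argv in cmds:
        run(argv, check=True)
    return cmds


if __name__ == "__main__":
    # usage: python toggle_audit.py <service> true|false [--detail]
    svc, state = sys.argv[1], sys.argv[2].lower() == "true"
    apply(svc, state, detail=True if "--detail" in sys.argv[3:] else None)
```

After the pods have restarted, confirm the setting took effect by checking the ConfigMap (for example, kubectl -n kube-system get configmap platform-api -o yaml) and by verifying that the audit-logging-fluentd-ds-* pods are forwarding the new service's entries.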

Enabling Kubernetes auditing

Kubernetes auditing can be enabled by updating the master.json file.

  1. SSH to the master node as a root user.

  2. Copy the master.json file to a temporary location:

    cp /etc/cfc/pods/master.json /tmp/

  3. Edit the copied master.json file with any editor:

    vim /tmp/master.json

  4. In the apiserver config section, add the audit policy file path and the audit log file path to the command list, after its last element:

    "--audit-policy-file=/etc/cfc/conf/audit-policy.yaml",
    "--audit-log-path=/var/log/k8saudit/audit.log",
    "--audit-log-maxage=3",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=10"

    Note: Put a comma "," after the existing last element of the command list before adding the preceding fields, so that the file remains valid JSON.

  5. Replace the original master.json with the updated copy:

    cp /tmp/master.json /etc/cfc/pods/master.json

  6. The master pod picks up the change, and kube-apiserver restarts with auditing enabled.
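Editing master.json by hand is error-prone: a missing comma (the note in step 4) or a duplicated flag leaves the apiserver manifest invalid, and the master pod then fails to restart. The following Python script is an added example, not an IBM tool, that performs steps 2 to 5 with the json module so the result is always well-formed, and it is idempotent: a flag that is already present is updated rather than appended a second time. It assumes a layout the page does not show, namely that master.json is a Pod manifest whose spec.containers list holds a container named "apiserver" with a "command" list; the SAMPLE_MANIFEST below is a constructed stand-in used for the dry run.

```python
"""Add the kube-apiserver audit flags to master.json (added example).

Not IBM's own tooling. Assumption about the file layout (not shown on
the page): master.json is a Pod manifest with a spec.containers entry
named "apiserver" whose "command" list holds the apiserver flags.
"""
import json
import shutil
import sys

# Flags and values exactly as given in step 4 of the procedure.
AUDIT_FLAGS = {
    "--audit-policy-file": "/etc/cfc/conf/audit-policy.yaml",
    "--audit-log-path": "/var/log/k8saudit/audit.log",
    "--audit-log-maxage": "3",
    "--audit-log-maxbackup": "10",
    "--audit-log-maxsize": "10",
}

# Constructed minimal stand-in for the real file, used by --demo and tests.
SAMPLE_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "master"},
    "spec": {"containers": [
        {"name": "apiserver",
         "command": ["/hyperkube", "apiserver", "--secure-port=8001"]},
        {"name": "controller-manager",
         "command": ["/hyperkube", "controller-manager"]},
    ]},
}


def add_audit_flags(manifest, container="apiserver", flags=AUDIT_FLAGS):
    """Return a deep copy of `manifest` with the audit flags appended.

    Existing occurrences of a flag are replaced in place instead of being
    duplicated; new flags go after the last element of the command list.
    The input manifest is left untouched.
    """
    doc = json.loads(json.dumps(manifest))  # deep copy via round-trip
    for c in doc["spec"]["containers"]:
        if c.get("name") == container:
            break
    else:
        raise ValueError(f"no container named {container!r} in manifest")
    command = c.setdefault("command", [])
    for flag, value in flags.items():
        entry = f"{flag}={value}"
        present = [i for i, arg in enumerate(command)
                   if arg.split("=", 1)[0] == flag]
        if present:
            command[present[0]] = entry   # update, do not duplicate
        else:
            command.append(entry)         # after the last element
    return doc


def enable_kube_audit(src="/etc/cfc/pods/master.json", tmp="/tmp/master.json"):
    """Steps 2 to 5: copy, edit, and put the updated file back in place."""
    with open(src) as f:
        manifest = json.load(f)
    updated = add_audit_flags(manifest)
    with open(tmp, "w") as f:
        json.dump(updated, f, indent=2)
        f.write("\n")
    shutil.copy(src, src + ".bak")  # keep the original (added safeguard)
    shutil.copy(tmp, src)           # the master pod picks up the change
    return updated


if __name__ == "__main__":
    if "--demo" in sys.argv[1:]:
        print(json.dumps(add_audit_flags(SAMPLE_MANIFEST), indent=2))
    else:
        enable_kube_audit()
```

Run it with --demo to see the effect on the constructed sample without touching /etc/cfc/pods; run it without arguments, as root on the master node, to perform the real edit. After the apiserver restarts, new entries should appear in /var/log/k8saudit/audit.log.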

Note: For more information, see Auditing.