Configuring IBM Cloud Private services to generate audit logs
You can configure your IBM Cloud Private cluster to generate audit logs.
IBM Cloud Private provides two types of audit logs: icp-audit, generated by IBM Cloud Private platform services, and kube-audit, generated by Kubernetes. During installation of your cluster you can enable or disable only kube-audit, by updating the config.yaml file. After installation you can enable or disable both types of audit logs. By default, platform services do not generate any audit logs. You must enable audit logging for each service for which you need the logs.
IBM Cloud Private generates icp-audit logs for all create, read, update, and delete operations. You cannot configure the log level for icp-audit logs. However, you can configure the log level for kube-audit logs by updating the audit-policy.yaml file.
Note: Audit logging has a dependency on the logging service. Therefore, audit-logging-fluentd-ds-* pods run only when the logging service is deployed. Audit-logging chart deployment is enabled by default at installation time. If you disabled logging at install time by adding logging: disabled in the config.yaml file, you must also add audit-logging: disabled in the management_services section of the config.yaml file. The following is a sample of the management_services section:

```yaml
management_services:
  logging: disabled
  audit-logging: disabled
  istio: disabled
  vulnerability-advisor: disabled
  storage-glusterfs: disabled
  storage-minio: disabled
```
Enabling and disabling audit logging for various IBM Cloud Private services
- Navigate to ConfigMap: Navigation Menu > Configuration > ConfigMap.
- Search for the ConfigMap of the service for which audit logging needs to be enabled.
- Click Edit.
- Set the key related to auditing to true or false to enable or disable audit logging for that service.
- Click Submit.
- Remove all the pods that belong to that service. The pods are re-created with auditing enabled or disabled. Services can be found in DaemonSets (Navigation Menu > Workload > DaemonSets) or Deployments (Navigation Menu > Workload > Deployments).
The following table lists the IBM Cloud Private services and the ConfigMaps where the audit-related keys are set.

Service name | ConfigMap | Key | Pod location |
---|---|---|---|
auth-idp | platform-auth-idp | AUDIT_ENABLED_IDMGMT | Navigation Menu > Workload > DaemonSets > auth-idp |
auth-idp | platform-auth-idp | AUDIT_ENABLED_IDPROVIDER | Navigation Menu > Workload > DaemonSets > auth-idp |
auth-pdp | auth-pdp | AUDIT_ENABLED | Navigation Menu > Workload > DaemonSets > auth-pdp |
platform-api | platform-api | AUDIT_ENABLED | Navigation Menu > Workload > Deployments > platform-api |
helm-api | helm-api | AUDIT_ENABLED | Navigation Menu > Workload > Deployments > helm-api |
helm-repo | helm-repo | AUDIT_ENABLED | Navigation Menu > Workload > Deployments > helm-repo |
vulnerability-advisor-ma-file-annotator | vulnerability-advisor-audit-config | MUTATION_ADVISOR_AUDIT_ENABLED | Navigation Menu > Workload > Deployments > vulnerability-advisor-ma-file-annotator |
vulnerability-advisor-ma-file-annotator | vulnerability-advisor-audit-config | SAS_API_SERVER_AUDIT_ENABLED | Navigation Menu > Workload > Deployments > vulnerability-advisor-ma-file-annotator |
key-management-lifecycle | lifecycle-config | AUDIT_ENABLED | Navigation Menu > Workload > Deployments > key-management-lifecycle |
Note: Some IBM Cloud Private services, such as platform-auth-service and platform-identity-provider, can generate more detailed audit data. You can enable this by setting the AUDIT_DETAIL key to true in the platform-auth-idp ConfigMap.
Enabling Kubernetes auditing
Kubernetes auditing can be enabled by updating the master.json file.
- SSH to the master node as the root user.
- Copy the master.json file to a temporary location: `cp /etc/cfc/pods/master.json /tmp/`
- Edit the copied master.json file by using any editor: `vim /tmp/master.json`
- Add the audit policy file path and the audit log file path under the apiserver config section, in the command list after the last element: `"--audit-policy-file=/etc/cfc/conf/audit-policy.yaml", "--audit-log-path=/var/log/k8saudit/audit.log", "--audit-log-maxage=3", "--audit-log-maxbackup=10", "--audit-log-maxsize=10"`
  Note: Put a comma "," after the existing last element of the command list before adding the new fields, so that the file remains valid JSON.
- Replace the original master.json with the updated one by using the following command: `cp /tmp/master.json /etc/cfc/pods/master.json`
- The master pod picks up the changes and the kube-apiserver is restarted with auditing enabled.
Note: For more information, see Auditing.
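The hand edit in the procedure above appends elements to a JSON array, which is where the missing-comma mistake happens. The following Python script is an added example, not part of the IBM documentation, that applies the same flags programmatically and idempotently; it assumes master.json is a Kubernetes Pod manifest whose kube-apiserver container is named apiserver, and SAMPLE_MASTER is a constructed stand-in rather than the real file.

```python
import json

# Flags from the procedure above (values as given on the page).
AUDIT_FLAGS = [
    "--audit-policy-file=/etc/cfc/conf/audit-policy.yaml",
    "--audit-log-path=/var/log/k8saudit/audit.log",
    "--audit-log-maxage=3",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=10",
]

def add_audit_flags(manifest, container_name="apiserver"):
    """Return a deep copy of the Pod manifest with AUDIT_FLAGS appended to the named
    container's command list. Idempotent: a flag already present by name is kept as-is."""
    manifest = json.loads(json.dumps(manifest))  # deep copy; caller's object is untouched
    containers = manifest.get("spec", {}).get("containers", [])
    target = next((c for c in containers if c.get("name") == container_name), None)
    if target is None:
        raise ValueError("no container named %r in manifest" % container_name)
    command = target.setdefault("command", [])
    present = {arg.split("=", 1)[0] for arg in command if arg.startswith("--")}
    for flag in AUDIT_FLAGS:
        name = flag.split("=", 1)[0]
        if name not in present:
            command.append(flag)
            present.add(name)
    return manifest

def patch_master_json(src_path, dst_path, container_name="apiserver"):
    """Read src_path, add the flags, write dst_path as valid JSON, which rules out the
    missing-comma mistake that a hand edit of the command list can introduce."""
    with open(src_path) as f:
        manifest = json.load(f)
    patched = add_audit_flags(manifest, container_name)
    with open(dst_path, "w") as f:
        json.dump(patched, f, indent=2)
    return patched

# Constructed minimal stand-in for /etc/cfc/pods/master.json (hypothetical content;
# the container name "apiserver" is an assumption, not taken from the page).
SAMPLE_MASTER = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "k8s-master"},
    "spec": {"containers": [
        {"name": "apiserver", "command": ["/hyperkube", "apiserver", "--secure-port=8001"]},
        {"name": "controller-manager", "command": ["/hyperkube", "controller-manager"]},
    ]},
}

if __name__ == "__main__":  # on a master node: patch_master_json("/tmp/master.json", "/tmp/master.json")
    print(json.dumps(add_audit_flags(SAMPLE_MASTER)["spec"]["containers"][0]["command"], indent=2))
```

Running the script twice against the same file leaves it unchanged, which makes it safe to re-run after a rollback or when the flags were partially added by hand.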