Audit logs are used to monitor the system and search for suspicious behavior. Host and Kubernetes API audit logging can be enabled to produce additional audit records for analysis. Enabling audit logging is optional; when enabled, it adds some processing load and log data on the non-compute nodes (NCNs).
By default, neither host nor Kubernetes API audit logging is enabled. The two settings are independent: either one can be enabled or disabled without the other.
Host audit logs are stored in the /var/log/audit/HostOS directory on each NCN. With the log rotation settings in effect, host audit logging uses a maximum of 60GB on each NCN. The log rotation settings take effect after the CSI settings are edited and the NCNs are rebooted.
The Kubernetes API audit logs are stored in the /var/log/audit/kl8s/apiserver directory on each master NCN. With the log rotation settings in effect, Kubernetes API audit logging uses a maximum of 1GB on each master NCN.
The method for updating the audit log settings depends on the state of the system. Select the option below that matches the installation status of the system. For each option, enable only the desired level of audit logging; it is not required to enable both.
NOTE: During the install, this step must happen at the same time that csi config init is normally run, because the audit settings are part of the CSI configuration that command consumes.
To update the audit log settings during the installation, use one of the following options:
Option 1: csi tool
During the installation, audit logging is enabled or disabled by modifying the CSI settings. Use the following flags with the csi config init command. For more information on the available flags, run csi config init -h.
Host audit logging: set --ncn-mgmt-node-auditing-enabled to true to enable host logging or to false to disable it.
pit# csi config init --ncn-mgmt-node-auditing-enabled=true [other config init options]
Kubernetes API audit logging: set --k8s-api-auditing-enabled to true to enable Kubernetes API logging or to false to disable it.
pit# csi config init --k8s-api-auditing-enabled=true [other config init options]
Option 2: system_config.yaml
Adjust the audit log settings by editing the system_config.yaml file. View the current settings with the following commands:
pit# cd /var/www/ephemeral/prep
pit# grep audit system_config.yaml
Example output:
k8s-api-auditing-enabled: false
ncn-mgmt-node-auditing-enabled: false
To update the audit log settings after the installation, choose either of the following options:
Option 1: csi tool from ncn-m001
Enable audit logging using the csi tool on ncn-m001.
Install the csi tool on ncn-m001, if it is not already installed. If the csi command is not present on ncn-m001, locate the cray-site-init RPM and install it (the find pattern is quoted so the shell does not expand it against the current directory):
ncn-m001# find /mnt/pitdata -name 'cray-site-init*'
ncn-m001# rpm -Uvh --force <rpm file path>
It is also possible to enable audit logging without csi. See Modify BSS from a Kubernetes NCN.
Enable audit logging. Each command first obtains a Keycloak access token for the admin-client and passes it to csi in the TOKEN environment variable of that single command; the --limit flag selects the target node by xname. Note that -k makes curl skip TLS certificate verification of the API gateway.
Host audit logging
ncn-m001# TOKEN=$(curl -k -s -S -d grant_type=client_credentials -d client_id=admin-client \
    -d client_secret="$(kubectl get secrets admin-client-auth -o jsonpath='{.data.client-secret}' | base64 -d)" \
    https://api-gw-service-nmn.local/keycloak/realms/shasta/protocol/openid-connect/token | jq -r '.access_token') \
    csi handoff bss-update-param --limit <mgmt-node-xname> --set ncn-mgmt-node-auditing-enabled=true
Kubernetes API audit logging
ncn-m001# TOKEN=$(curl -k -s -S -d grant_type=client_credentials -d client_id=admin-client \
    -d client_secret="$(kubectl get secrets admin-client-auth -o jsonpath='{.data.client-secret}' | base64 -d)" \
    https://api-gw-service-nmn.local/keycloak/realms/shasta/protocol/openid-connect/token | jq -r '.access_token') \
    csi handoff bss-update-param --limit <mgmt-node-xname> --set k8s-api-auditing-enabled=true
Option 2: Boot Script Service (BSS) parameters
Enable audit logging by editing the node's BSS boot parameters directly.
Configure the Cray CLI, if it is not already configured.
Enable audit logging. The following commands read the node's current kernel parameter string from BSS, append the audit flag, and write the result back. Inspect the current value of PARAMS before updating: if the key is already present, appending a second assignment leaves two conflicting values in the string.
Host audit logging
ncn-mw# XNAME=<node_xname>
ncn-mw# PARAMS=$(cray bss bootparameters list --hosts "${XNAME}" --format json | jq -r '.[].params')
ncn-mw# PARAMS="$PARAMS ncn-mgmt-node-auditing-enabled=true"
ncn-mw# cray bss bootparameters update --hosts "${XNAME}" --params "${PARAMS}"
Kubernetes API audit logging
ncn-mw# XNAME=<node_xname>
ncn-mw# PARAMS=$(cray bss bootparameters list --hosts "${XNAME}" --format json | jq -r '.[].params')
ncn-mw# PARAMS="$PARAMS k8s-api-auditing-enabled=true"
ncn-mw# cray bss bootparameters update --hosts "${XNAME}" --params "${PARAMS}"
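The BSS commands above append the flag to whatever parameter string the node already has. If the key is already present (for example, set to false by an earlier change), appending produces two assignments of the same key. The helpers below are an added example, not part of CSM or the cray and csi tooling: they replace an existing assignment in place and append only when the key is missing. The function names, the constructed sample parameter string, and the apply_audit_setting wrapper are assumptions; only the cray bss bootparameters list and update commands come from the procedure above.

```shell
#!/usr/bin/env bash
# Added example (not CSM's own tooling): set a BSS kernel parameter
# idempotently instead of blindly appending "key=value" to the string.

# set_bss_param PARAMS KEY VALUE -> prints the updated params string.
# An existing KEY=... token is rewritten in place; otherwise KEY=VALUE is
# appended once at the end.
set_bss_param() {
    local params="$1" key="$2" value="$3"
    local out="" tok found=0
    # BSS params are one space-separated string of key=value tokens
    for tok in $params; do
        case "$tok" in
            "${key}="*) tok="${key}=${value}"; found=1 ;;
        esac
        out="${out:+$out }$tok"
    done
    if [ "$found" -eq 0 ]; then
        out="${out:+$out }${key}=${value}"
    fi
    printf '%s\n' "$out"
}

# get_bss_param PARAMS KEY -> prints KEY's value, or returns 1 if absent.
get_bss_param() {
    local tok
    for tok in $1; do
        case "$tok" in
            "$2="*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# apply_audit_setting XNAME KEY VALUE: read, rewrite and push the params for
# one node. Hypothetical wrapper; it needs a configured Cray CLI and network
# access, so it is defined but not called here.
apply_audit_setting() {
    local xname="$1" key="$2" value="$3" cur new
    cur=$(cray bss bootparameters list --hosts "$xname" --format json | jq -r '.[].params')
    new=$(set_bss_param "$cur" "$key" "$value")
    if [ "$new" = "$cur" ]; then
        echo "$xname: $key is already $value, nothing to update" >&2
        return 0
    fi
    cray bss bootparameters update --hosts "$xname" --params "$new"
}

# Constructed sample of what BSS might return for an NCN (not captured from a
# real system); both audit keys are present and set to false.
SAMPLE_PARAMS='console=tty0 console=ttyS0,115200 ncn-mgmt-node-auditing-enabled=false k8s-api-auditing-enabled=false'

# Offline walk-through: flip host auditing, then Kubernetes API auditing.
demo() {
    local p
    p=$(set_bss_param "$SAMPLE_PARAMS" ncn-mgmt-node-auditing-enabled true)
    echo "$p"
    p=$(set_bss_param "$p" k8s-api-auditing-enabled true)
    echo "$p"
}
demo
```

On a live system, replace the demo call with apply_audit_setting <node_xname> ncn-mgmt-node-auditing-enabled true (and the k8s-api-auditing-enabled equivalent on the master NCNs); the early return keeps repeated runs from issuing a no-op BSS update.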
Changes made post-install are not reflected until the NCN is rebooted. Verify the configured setting on an NCN with craysys, which reads the value from the node's BSS metadata:
Host audit logging
ncn# craysys metadata get ncn-mgmt-node-auditing-enabled
Kubernetes API audit logging
ncn# craysys metadata get k8s-api-auditing-enabled
This section is only necessary if the audit logging settings were changed after the CSM install. If the desired audit logging settings were applied as part of the CSM install, skip this section.
Reboot each NCN whose setting was changed so that the new CSI or BSS setting takes effect. Follow the Reboot NCNs procedure.