aks-auditd provides you with an easy and highly configurable way to gain visibility into your AKS worker node and container kernel level activity. If you are running a multi-tenant cluster, having visibility into your AKS worker node activity is critical and the Kubernetes API server logs aren't always be enough. auditd provides a good solution to this.
By default, aks-auditd configures your auditd logging, using syslog as the default event forwarder to send auditd logs to your Log Analytics workspace. It uses a lightweight container deployed as a Daemonset, to setup and configure your auditd and oms rules. This container has two primary functions:
- Install
auditdonto the VMSS. - Configure audit rules and apply any changes made to your audit configuration. Each type of audit configuration (
omsandauditd) has it's ownConfigMap.
At a high-level, aks-auditd enables and configures the following pipeline:
Before deploying the DaemonSet, you must first enable the OMSAgent (auoms) on your AKS cluster to ensure the OMSAgent sends the telemetry to your Log Analytics workspace.
az vmss extension set --resource-group MC_aks-simuland_aks-simuland_northeurope --vmss-name aks-agentpool-49591645-vmss --name OmsAgentForLinux --publisher Microsoft.EnterpriseCloud.Monitoring --protected-settings '{\"workspaceKey\":\"...\"}' --settings '{\"workspaceId\":\"d421160f-40fa-4fbf-a198-780c7c881408\",\"skipDockerProviderInstall\":true}'
Update the LOG_ANALYTICS_WORKSPACE_ID environment variable within daemonset.yaml to specify your Log Analytics workspace ID.
Update the following ConfigMaps to update your auditd and oms configuration.
These correspond to audisp/plugins.d/ files and are intended to be used to send audit logs to remote systems. By default, we use Syslog as the event forwarder.
These configuration files are placed in your worker node's /etc/audit/rules.d/ and determine what the audit daemon will record and send to your remote server (Syslog by default). By default, aks-auditd creates a ruleset for auditing process execution on your VMSS and pods (10-procmon.rules).
These configuration files are placed in your /etc/opt/microsoft/omsagent//conf/omsagent.d/ and are used to configure the collection of events by the OMS agent on your host. By default teh OMS agent comes configured with syslog support. Available configurations can be found at https://github.com/microsoft/OMS-Agent-for-Linux/tree/master/installer/conf/omsagent.d.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.