Configuring IBM Cloud Private services to generate audit logs

You can configure your IBM® Cloud Private to generate audit logs.

IBM Cloud Private provides two types of audit logs:

icp-audit is generated by IBM Cloud Private platform services
kube-audit is generated by Kubernetes

You can enable or disable only kube-audit during installation of your cluster by updating the config.yaml file. You can enable or disable both types of audit logs after installation. By default, platform services do not generate any audit logs. You must enable audit logging for each service for which you need the logs.

IBM Cloud Private generates icp-audit logs for all create, read, update, and delete operations. You cannot configure log level for icp-audit logs. However, you can configure log level for kube-audit logs by updating the audit-policy.yaml file.

Enabling and disabling audit logging for various IBM Cloud Private services

Navigate to the ConfigMap. Click Navigation Menu > Configuration > ConfigMap.
Search for the ConfigMap of the service for which audit logging needs to be enabled.
From the options menu, click Edit.
Set the key that is related to auditing to true or false to enable or disable audit logging for that service.
Click Submit.
Remove all the pods that belong to that service. The pods are re-created with auditing enabled or disabled. Find your service.
- Services are found in DaemonSets. Click Navigation Menu > Workload > DaemonSets.
- Services are also found in Deployments. Click Navigation Menu > Workload > Deployments.

The following table lists the IBM Cloud Private services and the ConfigMaps where the audit-related keys are set.

Table 1. IBM Cloud Private services and the ConfigMaps where the audit-related keys are set.
Service name	ConfigMap	Key	Pod location
`auth-idp` (Authentication audit logs)	`platform-auth-idp`	`AUDIT_ENABLED_IDMGMT`, `AUDIT_ENABLED_IDPROVIDER`	`Navigation Menu > Workload > DaemonSets > auth-idp`
`auth-pdp` (Authorization audit logs)	`auth-pdp`	`AUDIT_ENABLED`	`Navigation Menu > Workload > DaemonSets > auth-pdp`
`auth-pap` (Policy administration point audit logs)	`auth-pap`	`AUDIT_ENABLED`	`Navigation Menu > Workload > DaemonSets > auth-pap`
`platform-api`	`platform-api`	`AUDIT_ENABLED`	`Navigation Menu > Workload > Deployments > platform-api`
`helm-api`	`helm-api`	`AUDIT_ENABLED`	`Navigation Menu > Workload > Deployments > helm-api`
`helm-repo`	`helm-repo`	`AUDIT_ENABLED`	`Navigation Menu > Workload > Deployments > helm-repo`
`vulnerability-advisor-ma-file-annotator`	`vulnerability-advisor-audit-config`	`MUTATION_ADVISOR_AUDIT_ENABLED`, `SAS_API_SERVER_AUDIT_ENABLED`	`Navigation Menu > Workload > Deployments > vulnerability-advisor-ma-file-annotator`
`vulnerability-advisor-ma-process-annotator`	`vulnerability-advisor-audit-config`	`MUTATION_ADVISOR_AUDIT_ENABLED`, `SAS_API_SERVER_AUDIT_ENABLED`	`Navigation Menu > Workload > Deployments > vulnerability-advisor-ma-process-annotator`
`key-management-lifecycle`	`lifecycle-config`	`AUDIT_ENABLED`	`Navigation Menu > Workload > Deployments > key-management-lifecycle`

Note: Some IBM Cloud Private services such as auth-idp, auth-pdp, and auth-pap can generate more detailed audit data. This detailed logging can be enabled by setting the AUDIT_DETAIL key to true in the respective ConfigMap.

Enabling Kubernetes auditing

Kubernetes auditing (kube-audit) can be enabled by updating the master.json file.

Use Secure Shell (SSH) to connect to the master node as a root user.
Copy master.json file to tmp location.
```
cp /etc/cfc/pods/master.json /tmp/
```
Edit copied master.json file by using any editor.
```
vim /tmp/master.json
```
Add audit policy file path and audit log file path under apiserver config section in the command list after the last element.
```
"--audit-policy-file=/etc/cfc/conf/audit-policy.yaml",
"--audit-log-path=/var/log/k8saudit/audit.log",
"--audit-log-maxage=3",
"--audit-log-maxbackup=10",
"--audit-log-maxsize=10"
```
Note: Put a comma , after the last element of the command list before you add the previous two fields.
Replace original master.json with the updated one.
```
cp /tmp/master.json /etc/cfc/pods/master.json
```
The master pod picks up the changes and the kube-apiserver is restarted with auditing enabled.

For more information, see Auditing Opens in a new tab .

Disabling Kubernetes auditing

Kubernetes auditing (kube-audit) can be disabled by updating the master.json file.

Use SSH to connect to the master node as a root user.
Copy master.json file to tmp location.
```
cp /etc/cfc/pods/master.json /tmp/
```
Edit copied master.json file by using any editor.
```
vim /tmp/master.json
```
Remove "--audit-policy-file=/etc/cfc/conf/audit-policy.yaml" from the apiserver config section.
Note: To re-enable kube-audit, follow all the steps in Enabling Kubernetes auditing section.

Replace original master.json with an updated one.

cp /tmp/master.json /etc/cfc/pods/master.json

The master pod picks up the changes and the kube-apiserver is restarted with auditing disabled.

For more information, see Audit Policy Opens in a new tab .