Auditing IM service

Identity Management (IM) uses an HTTP ingest endpoint to send IM-related audit records to the Audit logging service of the foundational services. IM sends the audit logs to zen-audit-svc when you enable the auditing service for IM.

By default, audit logging is disabled in IM. You can enable the auditing service in IM with either of the following methods:

Prerequisites

  • Ensure that the audit logging service (zen-audit) is running in your cluster:

    $ oc get pods | grep zen-audit

    zen-audit-789bfdc9d4-2hkmn                                      1/1     Running     0          3h25m

  • If zen-audit is not installed in your cluster, IM writes the audit logs to the docker logs of the container instead.

    The following is a sample platform-auth-idp configmap:

    apiVersion: v1
    data:
     AUDIT_ENABLED_IDMGMT: "true"
     AUDIT_ENABLED_IDPROVIDER: "true"
     BASE_AUTH_URL: /v1
     BASE_OIDC_URL: https://127.0.0.1:8443/idauth/oidc/endpoint/OP
     CLUSTER_NAME: mycluster
     HTTP_ONLY: "true"
     MASTER_HOST: mycluster.icp
     NODE_ENV: production
     OAUTH2DB_DB_PORT: "3306"
     OIDC_ISSUER_URL: https://mycluster.icp:8443/oidc/endpoint/OP
     SESSION_TIMEOUT: "43200"
      .
      .
      .
    

Enabling auditing service with oc command

To enable auditing in IM with the oc command, complete the following steps:

  1. Edit the platform-auth-idp configmap in the foundational-services namespace:

    oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    
  2. Set the following attribute values to true:

    • AUDIT_ENABLED_IDPROVIDER: 'true'
    • AUDIT_ENABLED_IDMGMT: 'true'
  3. Save the configmap.

  4. Delete the platform-auth-service, platform-identity-provider, and platform-identity-management pods so that they restart with the new configmap values:

    oc -n <your-foundational-services-namespace> delete pods <pod_name>
    
  5. To check whether the audit logs are generated, view the zen-audit pod logs. Run the following command to find the zen-audit pod name. Replace the <common-services-namespace> variable with the namespace in which foundational services is installed.

    oc get pods -n <common-services-namespace> | grep zen-audit  
    
  6. To follow the pod logs, enter the following command. Replace the <zen-audit-pod-name> variable with the zen-audit pod name from the previous step.

    oc -n <common-services-namespace> logs -f <zen-audit-pod-name>
    

After you complete these steps, the audit logs are forwarded to the security information and event management (SIEM) tool that is configured within the foundational-services namespace.
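The oc procedure above, scripted as an added example (not part of the IBM documentation): a check that both audit flags are set in a platform-auth-idp configmap dump, a lookup of the running zen-audit pod in `oc get pods` output, and a helper that applies the two settings with a merge patch and deletes the three IM pods. The pod listing is constructed sample data, and the namespace argument is a placeholder for your cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the IBM documentation: helpers for enabling IM
# auditing with oc. SAMPLE_PODS is constructed data for the offline checks.
set -u

CM_NAME="platform-auth-idp"
IM_PODS='platform-auth-service|platform-identity-provider|platform-identity-management'

# Return 0 when both audit flags in the configmap YAML on stdin are true
# (quoted or unquoted), 1 otherwise. Use with:
#   oc -n <ns> get configmap platform-auth-idp -o yaml | im_audit_enabled
im_audit_enabled() {
  awk '
    /^[[:space:]]*AUDIT_ENABLED_(IDPROVIDER|IDMGMT):/ {
      key = $1; sub(/:$/, "", key)
      val = $2; gsub(/[^A-Za-z]/, "", val)   # strip the YAML quotes
      flag[key] = val
    }
    END {
      ok = (flag["AUDIT_ENABLED_IDPROVIDER"] == "true" &&
            flag["AUDIT_ENABLED_IDMGMT"] == "true")
      exit ok ? 0 : 1
    }'
}

# Print the name of the Running zen-audit pod from "oc get pods" output on
# stdin; print nothing and return 1 if none is running (the audit records
# then only reach the IM container logs).
zen_audit_pod() {
  awk '$1 ~ /^zen-audit-/ && $3 == "Running" { print $1; found = 1 }
       END { exit found ? 0 : 1 }'
}

# Set both flags with a merge patch (no hand editing in `oc edit`) and
# delete the three IM pods so they restart with the new values.
enable_im_audit() {
  ns="$1"
  oc -n "$ns" patch configmap "$CM_NAME" --type merge \
    -p '{"data":{"AUDIT_ENABLED_IDPROVIDER":"true","AUDIT_ENABLED_IDMGMT":"true"}}'
  for p in $(oc -n "$ns" get pods -o name | grep -E "$IM_PODS"); do
    oc -n "$ns" delete "$p"
  done
}

# Constructed sample output of `oc get pods` for the offline check.
SAMPLE_PODS='NAME                        READY   STATUS    RESTARTS   AGE
zen-audit-789bfdc9d4-2hkmn  1/1     Running   0          3h25m
platform-auth-service-1     1/1     Running   0          3h'
```

Run `enable_im_audit <your-foundational-services-namespace>` only after confirming with `oc get pods | zen_audit_pod` that the audit service is running, otherwise the records stay in the container logs.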

Enabling auditing service with console

  1. Log in to the Red Hat® OpenShift® Container Platform console.

  2. From the navigation menu, click Workloads > Config Maps.

  3. Search for platform-auth-idp.

  4. Click ... > Edit Config Map.

  5. Set the following attribute values to true:

    • AUDIT_ENABLED_IDPROVIDER: 'true'
    • AUDIT_ENABLED_IDMGMT: 'true'

    Note: The warning message "A resource is managed by example-authentication and any modifications may be overwritten" is displayed. You can ignore this message.

  6. Click Save.

  7. From the navigation menu, click Workloads > Deployments.

  8. Locate platform-auth-service pods.

  9. Click ... > Edit Deployment. An edit window opens.

  10. Click Save without making any change. This step reloads the platform-auth-service pods with the latest ConfigMap values.

  11. Click platform-auth-service.

  12. Wait a few moments, then check the status of the platform-auth-service pods in the Pods pane. The Ready column must show 1/1 for each pod.

  13. To check whether the audit logs are generated, view the zen-audit pod logs.

  14. Repeat steps 8 through 13 for the platform-identity-provider and platform-identity-management deployments.

To forward audit records to a SIEM solution such as Splunk, Mezmo, or QRadar, see Exporting Cloud Pak for Data audit records to a security information and event management solution.