Auditing IM service

Identity Management (IM) uses HTTP ingest endpoint to send the IM related audit records to the Audit logging service of the foundational services.

If Zen is installed, IM sends the audit logs to zen-audit-svc when you enable auditing service for IM. If Zen is not installed, but you installed Fluentd in version 4.6.16 or a later 4.6.x version, you can enable the auditing service.

By default, the audit logs are disabled in IM. You can enable the auditing service in IM with the following methods:

After you enable the auditing service, successful login events are included in the logs. However, third-party login failures are not reported.

Prerequisites

  • If Zen is installed: Ensure that the audit logging service (zen-audit) is running in your cluster.
$ oc get pods |grep zen-audit

zen-audit-789bfdc9d4-2hkmn                                      1/1     Running     0          3h25m

  • If Zen is not installed: If Zen and zen-audit is not installed in your cluster, IM sends the audit logs to the docker logs in the container.

    The following is the sample platform-auth-idp configmap:

    apiVersion: v1
data:
 AUDIT_ENABLED_IDMGMT: "true"
 AUDIT_ENABLED_IDPROVIDER: "true"
 BASE_AUTH_URL: /v1
 BASE_OIDC_URL: https://127.0.0.1:8443/idauth/oidc/endpoint/OP
 CLUSTER_NAME: mycluster
 HTTP_ONLY: "true"
 MASTER_HOST: mycluster.icp
 NODE_ENV: production
 OAUTH2DB_DB_PORT: "3306"
 OIDC_ISSUER_URL: https://mycluster.icp:8443/oidc/endpoint/OP
 SESSION_TIMEOUT: "43200"
  .
  .
  .

Enabling auditing service with oc command

If Zen is installed

To enable the auditing in the IM with the oc command, complete the following steps:

  1. Edit the platform-auth-idp configmap in the foundational-services namespace:

    oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp

  2. Set the following attribute values to true:

    • AUDIT_ENABLED_IDPROVIDER: 'true'
    • AUDIT_ENABLED_IDMGMT: 'true'

  3. Save the configmap.

  4. Delete the platform-auth-service, platform-identity-provider, and platform-identity-management pods.

    oc -n <your-foundational-services-namespace> delete pods <pod_name>

  5. If Zen is installed: To check whether the audit logs are generated, set the type value to "stdout" in the zen-audit-secret secret as shown in the following steps.

    1. Edit the zen-audit-secret secret by using the oc edit secret zen-audit-secret -n <namespace> command. Replace the <namespace> value with the namespace in which foundational services is installed.

    2. Then, go to the fluent.conf file key settings and uncomment the following section. The fluent.conf file key setting is Base64 encoded, so you can't update it in the secret YAML file.

        &lt;store&gt;
    @type "stdout"
  &lt;/store&gt;

  6. If Zen is installed: To check whether the audit logs are generated, go to the zen-audit pod logs. Run the following command to see the zen-audit pod name. Replace the <your-foundational-services-namespace> value with the namespace in which foundational services is installed.

    oc get pods -n &lt;your-foundational-services-namespace&gt; | grep zen-audit

  7. To see the pod logs, enter the following command. Replace the <zen-audit-pod-name> value with the zen-audit pod name.

    oc logs -f <zen-audit-pod-name>

After you complete these steps, the audit logs are forwarded to the appropriate security information and event management SIEM tool that is configured within the foundational-services namespace.

If Fluentd is installed in version 4.6.16 or a later 4.6.x version

To enable the auditing in the IM with the oc command, complete the following steps:

  1. Check that the following items exist in the same namespace where foundational services exists:

    1. To check if the common-audit-logging service is present, run the oc get svc | grep common-audit command.
    2. To check if the audit-tls audit secret exists, run the oc get secret | grep audit command.
    3. To check if the audit-fluentd pod is present, run the oc get pods | grep audit-fluentd command.

  2. Edit the platform-auth-idp configmap in the foundational-services namespace:

    oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp

  3. Make the following updates in the platform-auth-idp configmap:

    • Specify the AUDIT_URL, AUDIT_ENABLED_IDMGMT, and AUDIT_ENABLED_IDPROVIDER values. The following example shows the values of these parameters under the data section:
    data:
  AUDIT_ENABLED_IDMGMT: "true"
  AUDIT_ENABLED_IDPROVIDER: "true"
  AUDIT_URL: 'https://common-audit-logging:9880/icp-audit.http'
    • Add the AUDIT_SECRET parameter under the data section. Set the value to audit-tls.
    AUDIT_SECRET: 'audit-tls'

    All these values are mandatory.

  4. Save the configmap.

If Fluentd is configured with SIEM systems, such as QRadar, you can check the IM audit events directly in QRadar, or other SIEM systems.

Enabling auditing service with console

If Zen is installed

  1. Log in to the Red Hat® OpenShift® Container Platform console.

  2. From the navigation menu, click Workloads > Config Maps.

  3. Search for platform-auth-idp.

  4. Click ... > Edit Config Map.

  5. Set the following attribute values to true:

    • AUDIT_ENABLED_IDPROVIDER: 'true'
    • AUDIT_ENABLED_IDMGMT: 'true'

    Note: A resource is managed by example-authentication and any modifications may be overwritten warning message is displayed. You can ignore this message.

  6. Click Save.

  7. Delete the platform-auth-service, platform-identity-provider, and platform-identity-management pods.

    oc -n <your-foundational-services-namespace> delete pods <pod_name>

  8. To check whether the audit logs are generated, select Actions > Edit configmap. In the zen-audit-config configmap YAML file, set the type value to stdout.

      <store> 
    @type stdout
  </store>

  9. Restart the zen-audit pod and check the zen-audit pod logs.

To forward audit records to a SIEM solution such as Splunk, Mezmo, or QRadar, see Exporting Cloud Pak for Data audit records to a security information and event management solution.

If Zen is not installed in version 4.6.16 or a later 4.6.x version

  1. Log in to the Red Hat® OpenShift® Container Platform console.

  2. From the navigation menu, click Workloads > Config Maps.

  3. Search for platform-auth-idp.

  4. Click ... > Edit Config Map.

  5. Make the following updates in the platform-auth-idp configmap:

    • Specify the AUDIT_URL, AUDIT_ENABLED_IDMGMT, and AUDIT_ENABLED_IDPROVIDER values. The following example shows the values of these parameters under the data section:

      data:
  AUDIT_ENABLED_IDMGMT: "true"
  AUDIT_ENABLED_IDPROVIDER: "true"
  AUDIT_URL: 'https://common-audit-logging:9880/icp-audit.http'

    • Add the AUDIT_SECRET parameter under the data section. Set the value to audit-tls.

      AUDIT_SECRET: 'audit-tls'

      All these values are mandatory.

      Note: A resource is managed by example-authentication and any modifications may be overwritten warning message is displayed. You can ignore this message.

  6. Click Save.

Recorded information

The following information is recorded in the audit trail.

  • The event type is captured from the request that was started and the API that was called, such as /token for an authentication event.
  • When the event occurred is captured from the HTTP request timestamp.
  • Where the event occurred is captured with the container details by using Red Hat® OpenShift® Container Platform environment variables and Docker variables.
  • The source and destination address of the event are captured from HTTP request details and HTTP headers.
  • The outcome of the event is captured from the HTTP response code.
  • The identities of individuals, subjects, objects, or entities that are associated with the event are captured from HTTP payloads.