Auditing IM service

IM uses an HTTP ingest endpoint to send IM-related audit records to the Audit logging service of the foundational services.

By default, audit logging is disabled in IM. You can enable the auditing service in IM with either of the following methods:

Prerequisites

Ensure that the audit logging service (zen-audit) is running in IBM Cloud Pak for Data. The audit logging service is automatically installed when you install an instance of Cloud Pak for Data.

Enabling auditing service with oc command

To enable auditing in IM with the oc command, complete the following steps:

  1. Edit the platform-auth-idp configmap in the <foundational-services> namespace:

    oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    
  2. Set the following attribute values to true:

    • AUDIT_ENABLED_IDPROVIDER: 'true'
    • AUDIT_ENABLED_IDMGMT: 'true'
  3. Save the configmap.

  4. Delete the platform-auth-service, platform-identity-provider, and platform-identity-management pods so that they restart with the new ConfigMap values:

    oc -n <your-foundational-services-namespace> delete pods <pod_name>
    
  5. To check whether the audit logs are generated, go to the zen-audit pod logs. If Zen is not installed, check whether the /var/log/audit/ log files are generated in the icp-audit-service container of the platform-identity-provider pod.

    oc exec -it <platform-auth-service-pod-name> -c icp-audit-service -- bash
    

After you complete these steps, the audit logs are forwarded to the security information and event management (SIEM) tool that is configured within the <foundational-services> namespace.
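The same procedure scripted with oc, as an added example that is not part of the IBM documentation: it patches both audit flags, verifies the ConfigMap before restarting anything, restarts the three deployments (the equivalent of deleting their pods, or of the console "Edit Deployment > Save" steps), and then lists the audit files in the icp-audit-service container. The default NAMESPACE value and the pod label selector app=platform-auth-service are assumptions; adjust them to your cluster.

```shell
#!/usr/bin/env bash
# Added example, not IBM's code. Assumes oc is logged in with rights to edit
# the foundational-services namespace. NAMESPACE default is an assumption.
set -eu

NAMESPACE="${NAMESPACE:-ibm-common-services}"
CONFIGMAP="platform-auth-idp"
DEPLOYMENTS="platform-auth-service platform-identity-provider platform-identity-management"

# JSON merge patch that sets both audit flags; values are strings, as in the ConfigMap.
audit_patch_json() {
  printf '{"data":{"AUDIT_ENABLED_IDPROVIDER":"true","AUDIT_ENABLED_IDMGMT":"true"}}'
}

# Takes the ConfigMap data as KEY=VALUE lines and returns 0 only when both
# audit flags read "true". Lets the script fail early if the operator reverted the edit.
audit_flags_enabled() {
  local data="$1" idp="" mgmt=""
  idp=$(printf '%s\n' "$data" | awk -F= '$1=="AUDIT_ENABLED_IDPROVIDER"{print $2}')
  mgmt=$(printf '%s\n' "$data" | awk -F= '$1=="AUDIT_ENABLED_IDMGMT"{print $2}')
  [ "$idp" = "true" ] && [ "$mgmt" = "true" ]
}

# Dumps the ConfigMap's data section as KEY=VALUE lines.
configmap_data() {
  oc -n "$NAMESPACE" get configmap "$CONFIGMAP" \
    -o go-template='{{range $k,$v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}'
}

enable_im_audit() {
  # Steps 1-3: set the two flags without opening an editor.
  oc -n "$NAMESPACE" patch configmap "$CONFIGMAP" --type merge -p "$(audit_patch_json)"
  audit_flags_enabled "$(configmap_data)" || { echo "audit flags not set in $CONFIGMAP" >&2; return 1; }
  # Step 4: a rollout restart recreates the pods without naming them one by one.
  for d in $DEPLOYMENTS; do
    oc -n "$NAMESPACE" rollout restart "deployment/$d"
    oc -n "$NAMESPACE" rollout status "deployment/$d" --timeout=300s
  done
  # Step 5: confirm that audit files exist in the icp-audit-service container.
  local pod
  pod=$(oc -n "$NAMESPACE" get pods -l app=platform-auth-service \
        -o jsonpath='{.items[0].metadata.name}')   # label selector is an assumption
  oc -n "$NAMESPACE" exec "$pod" -c icp-audit-service -- ls -l /var/log/audit/
}
```

Run it with NAMESPACE=<your-foundational-services-namespace> ./enable-im-audit.sh after adding a final line that calls enable_im_audit.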

Enabling auditing service with console

  1. Log in to the OpenShift Container Platform console.
  2. From the navigation menu, click Workloads > Config Maps.
  3. Search for platform-auth-idp.
  4. Click ... > Edit Config Map.
  5. Set the following attribute values to true:

    • AUDIT_ENABLED_IDPROVIDER: 'true'
    • AUDIT_ENABLED_IDMGMT: 'true'

    Note: A warning message "A resource is managed by example-authentication and any modifications may be overwritten" is displayed. You can ignore this message.

  6. Click Save.

  7. From the navigation menu, click Workloads > Deployments.

  8. Locate the platform-auth-service deployment.

  9. Click ... > Edit Deployment. A window for editing displays.

  10. Click Save without making any change. This step reloads the platform-auth-service pods with the latest ConfigMap values.

  11. Click platform-auth-service.

  12. Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of the pods must show as 1/1 in the Ready column.

  13. To check whether the audit logs are generated, go to the zen-audit pod logs. If Zen is not installed, check whether the /var/log/audit/ log files are generated in the icp-audit-service container of the platform-auth-service pod.

  14. Repeat steps 8 through 13 for the platform-identity-provider and platform-identity-management deployments.

To forward audit records to a SIEM solution such as Splunk, Mezmo, or QRadar, see Exporting Cloud Pak for Data audit records to a security information and event management solution.