Audit logs

Audit logs track and record all activities related to remote access and the actions taken during a remote support session.

Audit logs in a remote support connection provide a detailed record of activities, mainly related to security, system operations, and system actions. They track all the activities performed by the IBM support representative and the customer. The audit logs mainly consist of the service node, OpenShift® Container Platform, and node audit details.

Service node audit

The service node audit uses utilities such as Rsyslog, Auditd (Audit Daemon), and Logrotate, which come by default in RHEL.
Rsyslog
Rsyslog is used as a logging utility to generate log files only for the commands that the IBM support representative executes directly in the shell.
For example:
$ ls /var/log/fusion/
Example output:
audit.log  audit.log.1  audit.log-20241013

The latest logs are stored in the audit.log file. Only users with sudo access to the service node can read these files.

Auditd (Audit Daemon)
Auditd is configured to track all system calls that users execute. It provides detailed audits and tracks the ones that may not be run directly from the command line. This detailed audit captures even the implicit commands that the SSR might run from a script. For ease of use, a wrapper script, fusion-audit, is provided. The utility asks for the start and end date and time as parameters, lists the output, and saves the detailed output to a file.
For example:
[kni@tc11gen2001svcnode ~]$ fusion-audit
***********************************************************************
Welcome to IBM Fusion - Audit Daemon
This utility facilitates the generation of an audit report actions
performed by IBM support during the specified time filter.
***********************************************************************

Your current date in locale-specific format is as follows:
10/15/2024

Enter start date (in above format) and time, eg: DATE<space>HH:MM:SS
10/11/2024

Enter End date and time in similar format. Leave it blank for current time.

Current time is taken for end time filter

COMMAND: sudo ausearch -sc execve -ts 10/11/2024 -te now -ga ibmsupport -i

***********************************************************************
Output Summary from 10/11/2024 to now
***********************************************************************
type=PROCTITLE msg=audit(10/11/2024 18:09:45.548:10668) : proctitle=bash
type=PROCTITLE msg=audit(10/11/2024 18:09:45.634:10684) : proctitle=basename /usr/bin/bash
type=PROCTITLE msg=audit(10/11/2024 18:10:40.713:10694) : proctitle=oc get pods
type=PROCTITLE msg=audit(10/11/2024 18:10:43.984:10697) : proctitle=ls --color=auto
type=PROCTITLE msg=audit(10/11/2024 18:10:48.146:10702) : proctitle=ssh
***********************************************************************
Detailed Ausearch output saved as AuditReport_2024-10-15_05-45-04.log
[kni@tc11gen2001svcnode ~]$
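One way to review the summary offline, as an added example that is not part of the IBM documentation or the fusion-audit script: it parses the interpreted PROCTITLE lines shown above into a timeline and lists the commands a reviewer may want to look at first. The sample lines, the REVIEW_BINARIES set, and the MM/DD/YYYY date format are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the fusion-audit summary shown above.
SAMPLE = """\
type=PROCTITLE msg=audit(10/11/2024 18:09:45.548:10668) : proctitle=bash
type=PROCTITLE msg=audit(10/11/2024 18:09:45.634:10684) : proctitle=basename /usr/bin/bash
type=PROCTITLE msg=audit(10/11/2024 18:10:40.713:10694) : proctitle=oc get pods
type=PROCTITLE msg=audit(10/11/2024 18:10:43.984:10697) : proctitle=ls --color=auto
type=PROCTITLE msg=audit(10/11/2024 18:10:48.146:10702) : proctitle=ssh
***********************************************************************
"""
# Timestamp and event ID sit inside audit(...); the ID follows the last colon.
LINE_RE = re.compile(
    r"^type=PROCTITLE msg=audit\((?P<ts>[^)]+):(?P<event_id>\d+)\) : "
    r"proctitle=(?P<cmd>.*)$"
)
# Assumption: binaries to surface first for review; adjust to local policy.
REVIEW_BINARIES = {"ssh", "scp", "sudo", "oc", "kubectl"}


def parse_summary(text, date_format="%m/%d/%Y %H:%M:%S.%f"):
    """Return one dict per PROCTITLE line; banners and blank lines are skipped.
    date_format must match the locale that ausearch -i printed the dates in."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        argv = m["cmd"].split()
        events.append({
            "time": datetime.strptime(m["ts"], date_format),
            "event_id": int(m["event_id"]),
            "command": m["cmd"],
            # Compare on the executable name so /usr/bin/ssh and ssh match.
            "binary": argv[0].rsplit("/", 1)[-1] if argv else "",
        })
    return sorted(events, key=lambda e: (e["time"], e["event_id"]))


def review_report(events):
    """Return per-binary counts and the events whose binary needs review."""
    counts = Counter(e["binary"] for e in events)
    flagged = [e for e in events if e["binary"] in REVIEW_BINARIES]
    return counts, flagged

if __name__ == "__main__":
    for e in review_report(parse_summary(SAMPLE))[1]:
        print(e["time"].isoformat(), e["event_id"], e["command"])
```

The event ID printed for each flagged command can be used to locate the full record in the saved AuditReport file.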
Logrotate
Multiple files are available in the /var/log/fusion/ folder because a log rotation rule is applied to the audit.log file. By default, weekly rotation is configured. If you want to change it, see the Linux man page documentation.
For example:
$ cat /etc/logrotate.d/fusion
/var/log/fusion/audit.log {
    weekly
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    postrotate
        /bin/systemctl reload rsyslog > /dev/null
    endscript
}

OpenShift Container Platform audit

OpenShift Container Platform provides various logging profiles based on your needs. For more details on the profiles and the level of content that gets logged, refer to Configuring the audit log policy.

For more information on how these logs can be queried based on filters, see Viewing audit logs.

Node audit

Node audit logs of the compute hardware contain the record of actions performed by the user or services on the hardware. They help you ensure accountability, traceability, and regulatory compliance for data access, modification, and security within the IBM Fusion HCI System.

Follow the steps to download the node audit logs:
  1. Go to Events in the IBM Fusion HCI System.
  2. Enter the text CEUSER in the search description.

    It lists all the alerts raised for the actions performed by the IBM support representative.

  3. Click Download.
  4. For any further auditing of actions performed on the node, collect system health check logs and contact IBM Support. For the steps to download logs, see Collecting log packages for IBM Fusion HCI System.