Audit logs
Audit logs track and record all activities related to remote access and the actions taken during a remote support session.
Audit logs in a remote support connection provide a detailed record of activities, mainly related to security, system operations, and system actions. They track all the activities performed by the IBM support representative and the customer. The audit logs mainly consist of the service node, OpenShift® Container Platform, and node audit details.
Service node audit
Rsyslog, Auditd (Audit Daemon), and Logrotate are used, which come by default in RHEL.
Rsyslog
- Rsyslog is used as a logging utility to generate log files for only the commands that the IBM support representative executes directly in the shell. For example:
      $ ls /var/log/fusion/
  Example output:
      audit.log audit.log.1 audit.log-20241013
  The latest logs are stored in the audit.log file. Only users with sudo access to the service node can read these files.
Auditd (Audit Daemon)
- Auditd is configured to track all system calls that users execute. It provides detailed audits and tracks the ones that may not be run directly via the command line. This detailed audit captures even the implicit commands that the SSR might run from a script. For ease of use, a wrapper script, fusion-audit, is provided. The utility asks for the start and end date and time as parameters, lists the output, and saves the detailed output to a file. For example:
      [kni@tc11gen2001svcnode ~]$ fusion-audit
      ***********************************************************************
      Welcome to IBM Fusion - Audit Daemon
      This utility facilitates the generation of an audit report actions performed by IBM support during the specified time filter.
      ***********************************************************************
      Your current date in locale-specific format is as follows: 10/15/2024
      Enter start date (in above format) and time, eg: DATE<space>HH:MM:SS
      10/11/2024
      Enter End date and time in similar format. Leave it blank for current time.

      Current time is taken for end time filter
      COMMAND: sudo ausearch -sc execve -ts 10/11/2024 -te now -ga ibmsupport -i
      ***********************************************************************
      Output Summary from 10/11/2024 to now
      ***********************************************************************
      type=PROCTITLE msg=audit(10/11/2024 18:09:45.548:10668) : proctitle=bash
      type=PROCTITLE msg=audit(10/11/2024 18:09:45.634:10684) : proctitle=basename /usr/bin/bash
      type=PROCTITLE msg=audit(10/11/2024 18:10:40.713:10694) : proctitle=oc get pods
      type=PROCTITLE msg=audit(10/11/2024 18:10:43.984:10697) : proctitle=ls --color=auto
      type=PROCTITLE msg=audit(10/11/2024 18:10:48.146:10702) : proctitle=ssh
      ***********************************************************************
      Detailed Ausearch output saved as AuditReport_2024-10-15_05-45-04.log
      [kni@tc11gen2001svcnode ~]$
Logrotate
- Multiple files are available in this folder because a log rotation rule is applied to this file. By default, weekly rotation is configured. If you want to change it, see the Linux man page documentation. For example:
      $ cat /etc/logrotate.d/fusion
      /var/log/fusion/audit.log {
          weekly
          rotate 7
          compress
          delaycompress
          missingok
          notifempty
          create 0640 root adm
          postrotate
              /bin/systemctl reload rsyslog > /dev/null
          endscript
      }
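The following is an added example, not IBM code: a Python sketch that parses the PROCTITLE summary lines that fusion-audit prints (as in the Auditd output above) and lists commands whose executable is outside a set the reviewer expects. The function names and the EXPECTED set are assumptions, and the default date format assumes the month/day/year form seen in the sample.

```python
import re
from collections import Counter
from datetime import datetime

# Summary lines copied from the fusion-audit output on this page, plus one
# banner line to show that non-event lines are skipped.
SAMPLE = """\
Output Summary from 10/11/2024 to now
type=PROCTITLE msg=audit(10/11/2024 18:09:45.548:10668) : proctitle=bash
type=PROCTITLE msg=audit(10/11/2024 18:09:45.634:10684) : proctitle=basename /usr/bin/bash
type=PROCTITLE msg=audit(10/11/2024 18:10:40.713:10694) : proctitle=oc get pods
type=PROCTITLE msg=audit(10/11/2024 18:10:43.984:10697) : proctitle=ls --color=auto
type=PROCTITLE msg=audit(10/11/2024 18:10:48.146:10702) : proctitle=ssh
"""

# Matches interpreted (-i) PROCTITLE records as printed in the summary.
LINE_RE = re.compile(
    r"type=PROCTITLE msg=audit\((?P<ts>.+?)\.\d+:(?P<id>\d+)\)"
    r" : proctitle=(?P<cmd>.*)$"
)

# Assumption: executables this reviewer expects in a routine session.
EXPECTED = {"bash", "basename", "ls", "oc"}

def parse_summary(text, date_format="%m/%d/%Y %H:%M:%S"):
    """Return one dict per PROCTITLE line; the date format is locale-specific."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, prompt, or blank line
        cmd = m["cmd"].strip()
        exe = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        events.append({"time": datetime.strptime(m["ts"], date_format),
                       "event_id": int(m["id"]), "exe": exe, "cmd": cmd})
    return events

def review(events, expected=EXPECTED):
    """Count commands per executable and list events outside the expected set."""
    counts = Counter(e["exe"] for e in events)
    unexpected = [e for e in events if e["exe"] not in expected]
    return counts, unexpected

if __name__ == "__main__":
    counts, unexpected = review(parse_summary(SAMPLE))
    for e in unexpected:
        print(f"{e['time']} event {e['event_id']}: {e['cmd']}")
```

The event ID of a flagged line can be used to locate the full record in the detailed report file that fusion-audit saves.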
OpenShift Container Platform audit
OpenShift Container Platform provides various logging profiles based on your needs. For more details on the profiles and the level of content that gets logged, see Configuring the audit log policy.
For more information on how these logs can be queried based on filters, see Viewing audit logs.
Node audit
Node audit logs of compute hardware contain the record of actions performed by the user or services on the hardware. They help you ensure accountability, traceability, and regulatory compliance for data access, modification, and security within the IBM Fusion HCI System.
- Go to IBM Fusion HCI System. in the
- Enter the text CEUSER in the search description. It lists all the alerts raised for the actions performed by the IBM support representative.
- Click Download.
- For any further auditing of actions performed on the node, collect system health check logs and contact IBM Support. For the steps to download logs, see Collecting log packages for IBM Fusion HCI System.