# Linux audit.log setup & RKE2 audit log setup & Rancher audit log setup

* SLES: check the service

```
$ sudo systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2023-10-06 12:10:16 CST; 2 weeks 2 days ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 737 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 742 (auditd)
    Tasks: 2
   CGroup: /system.slice/auditd.service
           └─ 742 /sbin/auditd

Oct 19 02:24:11 client auditd[742]: Audit daemon rotating log files with keep option
Oct 22 00:22:49 client auditd[742]: Audit daemon rotating log files with keep option
Notice: journal has been rotated since unit was started, output may be incomplete.
```

* Rules can be configured per service (one rules file per service under `rules.d`)

```
$ ls -l /etc/audit/rules.d
total 8
-rw-r----- 1 root root  284 May  8  2022 audit.rules
-rw-r----- 1 root root 1269 Jan 21  2022 docker.rules
```

```
$ cat /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = audit
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
......
```

* Use the `ausearch` command to inspect events

```
# List all events generated by the sshd service
$ ausearch -c sshd
# List all events generated by the root user
$ ausearch -ui 0
# List all access events for the /etc/passwd file
$ ausearch -m file -f /etc/passwd
```

* `/var/log/audit/audit.log` is where the log is stored

```
$ cat /var/log/audit/audit.log
```

## RKE2 audit log setup

* Configure config.yaml

```
$ echo "audit-policy-file: /etc/rancher/rke2/audit-policy.yaml" | sudo tee -a /etc/rancher/rke2/config.yaml
$ sudo cat /etc/rancher/rke2/config.yaml
node-name:
- "rms"
token: my-shared-secret
audit-policy-file: /etc/rancher/rke2/audit-policy.yaml
```

* The amount of detail logged is adjusted through the policy level

```
$ sudo vim /etc/rancher/rke2/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  creationTimestamp: null
rules:
- level: Metadata
```

* Restart RKE2

```
$ sudo systemctl restart rke2-server.service
```

* Log messages are written to `/var/lib/rancher/rke2/server/logs/audit.log`

```
$ sudo less /var/lib/rancher/rke2/server/logs/audit.log
```

## Enabling the Rancher audit log

* The RKE2 cluster that Rancher runs on must have audit logging enabled first

```
$ helm get values rancher -n cattle-system -o yaml > values.yaml
```

* Add the audit log settings
* Level 3 is the most verbose; the minimum is 0

![image.png](https://hackmd.io/_uploads/BJ3O_YwQa.png)

```
$ vim values.yaml
global:
  cattle:
    psp:
      enabled: false
hostname: bigred.cooloo9871.com
auditLog:
  destination: sidecar
  hostPath: /var/log/rancher/audit/
  level: 3
  maxAge: 3
  maxBackup: 1
  maxSize: 100
```

```
$ helm upgrade rancher rancher-prime/rancher \
  --namespace cattle-system \
  -f values.yaml
```

* The Rancher pod collects the log through a sidecar container

```
$ kubectl -n cattle-system get po
NAME                              READY   STATUS      RESTARTS   AGE
helm-operation-2vh7p              0/2     Completed   0          59s
rancher-bd9b97b8b-rw57m           2/2     Running     0          3m
rancher-webhook-d884846bf-qtjkd   1/1     Running     0          12d
```

* View the log

```
$ kubectl -n cattle-system logs rancher-bd9b97b8b-rw57m -c rancher-audit-log
```

* If `auditLog.destination: hostPath` is set, RKE2 itself does not need audit logging enabled; Rancher can enable its audit log on its own

```
$ vim values.yaml
global:
  cattle:
    psp:
      enabled: false
hostname: 172.20.0.69.nip.io
replicas: 1
auditLog:
  destination: hostPath
  hostPath: /var/log/rancher/audit/
  level: 3
  maxAge: 3
  maxBackup: 1
  maxSize: 100
```

* Once the audit log is enabled this way, Rancher mounts the directory directly through a hostPath volume, so there is no sidecar.

```
$ kubectl -n cattle-system get po
NAME                               READY   STATUS    RESTARTS      AGE
rancher-565ffc6d96-hvs8g           1/1     Running   0             35s
rancher-webhook-584d789cb4-t5mcw   1/1     Running   1 (6d5h ago)  31d

$ kubectl -n cattle-system get deploy rancher -o yaml | grep -A4 volumes:
      volumes:
      - hostPath:
          path: /var/log/rancher/audit/
          type: DirectoryOrCreate
        name: audit-log

$ ls -l /var/log/rancher/audit/
total 2136
-rw------- 1 root root 2185981 Nov 18 14:30 rancher-api-audit.log
```

## GC Rancher: storing the log in MySQL

* MySQL must be installed first, with a user that can log in from any host (the grant below gives `bigred` all privileges on every database from any host for convenience; in practice, scope it to the `rancher` database and to the audit-log server's address)
* Create the rancher database

```
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'bigred'@'%' IDENTIFIED BY 'bigred' WITH GRANT OPTION;

MariaDB [(none)]> SELECT user,host FROM mysql.user;
+-------------+-----------+
| User        | Host      |
+-------------+-----------+
| PUBLIC      |           |
| bigred      | %         |
| mariadb.sys | localhost |
| mysql       | localhost |
| root        | localhost |
+-------------+-----------+
5 rows in set (0.002 sec)

MariaDB [(none)]> create database rancher;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| rancher            |
| sys                |
+--------------------+
5 rows in set (0.001 sec)
```

* Configure Rancher

```
$ helm get values rancher -n cattle-system -o yaml > values.yaml
```

* Add the following auditLog settings and the MySQL location

```
$ nano values.yaml
.....
auditLog:
  destination: "server"
  level: 3
auditLogServer:
  replicas: "1"
  serverPort: "9000"
  DBHost: "192.168.11.150"
  DBPort: "3306"
  DBUser: "bigred"
  DBPassword: "bigred"
  DBName: "rancher"
```

* Run the Rancher upgrade again

```
$ helm upgrade rancher rancher-prime/rancher \
  --namespace cattle-system \
  -f values.yaml
```

* After Rancher is deployed, confirm that data is arriving in MySQL

```
MariaDB [(none)]> use rancher;

MariaDB [rancher]> show tables;
+----------------------+
| Tables_in_rancher    |
+----------------------+
| audit_archivelog     |
| audit_log_origin     |
| audit_log_parsed     |
| audit_log_resources  |
| k8s_audit_archivelog |
| schema_migrations    |
+----------------------+
6 rows in set (0.001 sec)

MariaDB [rancher]> select * from audit_log_resources;
+-------------------------------+----------------+
| resourceType                  | resourceAction |
+-------------------------------+----------------+
| clusterrolebindings           | Create         |
| clusterrolebindings           | Delete         |
| clusterrolebindings           | Update         |
| clusterroles                  | Create         |
| clusterroles                  | Delete         |
| clusterroles                  | Update         |
.......
```

### UI setup

* Under Cluster Management -> Audit Log, enter `http://rancher-auditlog-server.cattle-system:9000`

![image](https://hackmd.io/_uploads/S1yCDp5oR.png)

* The log can then be viewed in the Rancher UI

![image](https://hackmd.io/_uploads/HJ2gFaqiC.png)

## RKE2 downstream cluster audit log setup

* Edit the RKE2 cluster YAML and add the following parameters

![image](https://hackmd.io/_uploads/HkniRK9SJx.png)

```
apiVersion: provisioning.cattle.io/v1
kind: Cluster
spec:
  rkeConfig:
    machineGlobalConfig:
      audit-policy-file: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
        - level: Metadata
```

* The log is written to the following location on the master node

```
$ ls -l /var/lib/rancher/rke2/server/logs/audit.log
-rw------- 1 root root 6466103 Dec 26 16:08 /var/lib/rancher/rke2/server/logs/audit.log
```

#### Related links

https://ee.docs.rancher.cn/v2.6/docs/logging/audit/installation/#%E9%AB%98%E5%8F%AF%E7%94%A8%E9%83%A8%E7%BD%B2

https://gmcloud.notion.site/Rancher-Version-a01cf9e1754145c0a1d8078721704514
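As an added example (not code from this page, Rancher or RKE2), the Python script below triages the JSON-lines audit events that kube-apiserver writes to `/var/lib/rancher/rke2/server/logs/audit.log` under a `level: Metadata` policy like the ones above, where each record has user, verb, resource and HTTP status but no request body. The sample lines are constructed, and the sensitive-resource and write-verb sets are the author's assumptions; it also shows two details the page does not cover: each request appears once per stage, so only `ResponseComplete` records are counted, and a line truncated by log rotation is skipped rather than aborting the run.

```python
"""Triage helper for Kubernetes audit events (audit.k8s.io/v1, one JSON object per line),
the format kube-apiserver writes to audit.log under the Metadata-level policy used on this page."""
import json
from collections import Counter

# Constructed sample lines, not real RKE2 output; only fields a Metadata-level policy records.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "get", "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "rke2-serving"}, "responseStatus": {"code": 200}},
    {"auditID": "a2", "stage": "RequestReceived", "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "clusterrolebindings", "name": "alice-admin"}},  # same request as below, earlier stage
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "clusterrolebindings", "name": "alice-admin"}, "responseStatus": {"code": 201}},
    {"auditID": "a3", "stage": "ResponseComplete", "verb": "list", "user": {"username": "bob"},
     "objectRef": {"resource": "secrets", "namespace": "default"}, "responseStatus": {"code": 403}},
]) + '\n{"auditID": "a4", "stage": "Respo'  # truncated line, as a rotation cut can leave behind

SENSITIVE_RESOURCES = {"secrets", "clusterroles", "clusterrolebindings", "roles", "rolebindings"}  # assumed set
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def parse_events(text):
    """Keep stage == ResponseComplete (one record per request) and skip truncated lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def summarize(events):
    """Requests per (user, verb, resource): a quick who-did-what overview."""
    return Counter((e["user"]["username"], e["verb"], e.get("objectRef", {}).get("resource", "-"))
                   for e in events)


def flag_sensitive(events):
    """Non-system users on secrets/RBAC: successful writes and denied (403) reads both deserve a look."""
    hits = []
    for e in events:
        user, res = e["user"]["username"], e.get("objectRef", {}).get("resource")
        code = e.get("responseStatus", {}).get("code", 0)
        if user.startswith("system:") or res not in SENSITIVE_RESOURCES:
            continue
        if e["verb"] in WRITE_VERBS or code == 403:
            hits.append((e["auditID"], user, e["verb"], res, code))
    return hits
```

To run it against a real file, replace `SAMPLE_AUDIT_LOG` with the contents of the RKE2 `audit.log` read as text; note that kube-apiserver rotates that file under its own `audit-log-*` settings, so a triage job should read the rotated files too.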