diff --git a/modules/gathering-data-audit-logs.adoc b/modules/gathering-data-audit-logs.adoc
index c14b7b3c7638..8cad571812e2 100644
--- a/modules/gathering-data-audit-logs.adoc
+++ b/modules/gathering-data-audit-logs.adoc
@@ -29,7 +29,7 @@ endif::viewing[] .Procedure -. Run the `oc adm must-gather` command with the `-- /usr/bin/gather_audit_logs` flag: +. Run the `oc adm must-gather` command with `-- /usr/bin/gather_audit_logs`: + [source,terminal] ----
diff --git a/modules/nodes-nodes-audit-config-about.adoc b/modules/nodes-nodes-audit-config-about.adoc
index e34877c3fc48..4fc2c3a453bd 100644
--- a/modules/nodes-nodes-audit-config-about.adoc
+++ b/modules/nodes-nodes-audit-config-about.adoc
@@ -6,7 +6,7 @@ [id="about-audit-log-profiles_{context}"] = About audit log policy profiles -Audit log profiles define how to log requests that come to the OpenShift API server, the Kubernetes API server, and the OAuth API server. +Audit log profiles define how to log requests that come to the OpenShift API server, Kubernetes API server, OpenShift OAuth API server, and OpenShift OAuth server. {product-title} provides the following predefined audit policy profiles:
@@ -35,7 +35,7 @@ It is not recommended to disable audit logging by using the `None` profile unles |=== [.small] -- -1. Sensitive resources, such as `Secret`, `Route`, and `OAuthClient` objects, are never logged past the metadata level. +1. Sensitive resources, such as `Secret`, `Route`, and `OAuthClient` objects, are only ever logged at the metadata level. OpenShift OAuth server events are only ever logged at the metadata level. -- By default, {product-title} uses the `Default` audit log profile. You can use another audit policy profile that also logs request bodies, but be aware of the increased resource usage (CPU, memory, and I/O).
diff --git a/modules/nodes-nodes-audit-log-basic-viewing.adoc b/modules/nodes-nodes-audit-log-basic-viewing.adoc
index 52b4b07ac268..8d62dbf17fd0 100644
--- a/modules/nodes-nodes-audit-log-basic-viewing.adoc
+++ b/modules/nodes-nodes-audit-log-basic-viewing.adoc
@@ -6,15 +6,15 @@ [id="nodes-nodes-audit-log-basic-viewing_{context}"] = Viewing the audit logs -You can view the logs for the OpenShift API server, Kubernetes API server, and OpenShift OAuth API server for each control plane node. +You can view the logs for the OpenShift API server, Kubernetes API server, OpenShift OAuth API server, and OpenShift OAuth server for each control plane node. .Procedure To view the audit logs: -* View the OpenShift API server logs: +* View the OpenShift API server audit logs: -.. List the OpenShift API server logs that are available for each control plane node: +.. List the OpenShift API server audit logs that are available for each control plane node: + [source,terminal] ----
@@ -32,7 +32,7 @@ ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T00-13-00.128.log ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log ---- -.. View a specific OpenShift API server log by providing the node name and the log name: +.. View a specific OpenShift API server audit log by providing the node name and the log name: + [source,terminal] ----
@@ -52,9 +52,9 @@ $ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=openshift-apiserver {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"381acf6d-5f30-4c7d-8175-c9c317ae5893","stage":"ResponseComplete","requestURI":"/metrics","verb":"get","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s","uid":"825b60a0-3976-4861-a342-3b2b561e8f82","groups":["system:serviceaccounts","system:serviceaccounts:openshift-monitoring","system:authenticated"]},"sourceIPs":["10.129.2.6"],"userAgent":"Prometheus/2.23.0","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T18:02:04.086545Z","stageTimestamp":"2021-03-08T18:02:04.107102Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"prometheus-k8s\" of ClusterRole \"prometheus-k8s\" to ServiceAccount \"prometheus-k8s/openshift-monitoring\""}} ---- -* View the Kubernetes API server logs: +* View the Kubernetes API server audit logs: -.. List the Kubernetes API server logs that are available for each control plane node: +.. List the Kubernetes API server audit logs that are available for each control plane node: + [source,terminal] ----
@@ -72,7 +72,7 @@ ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T18-37-07.511.log ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log ---- -.. View a specific Kubernetes API server log by providing the node name and the log name: +.. View a specific Kubernetes API server audit log by providing the node name and the log name: + [source,terminal] ----
@@ -92,9 +92,9 @@ $ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=kube-apiserver/audi {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"cfce8a0b-b5f5-4365-8c9f-79c1227d10f9","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-kube-scheduler/serviceaccounts/openshift-kube-scheduler-sa","verb":"get","user":{"username":"system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator","uid":"2574b041-f3c8-44e6-a057-baef7aa81516","groups":["system:serviceaccounts","system:serviceaccounts:openshift-kube-scheduler-operator","system:authenticated"]},"sourceIPs":["10.128.0.8"],"userAgent":"cluster-kube-scheduler-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"serviceaccounts","namespace":"openshift-kube-scheduler","name":"openshift-kube-scheduler-sa","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T18:06:42.512619Z","stageTimestamp":"2021-03-08T18:06:42.516145Z","annotations":{"authentication.k8s.io/legacy-token":"system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:operator:cluster-kube-scheduler-operator\" of ClusterRole \"cluster-admin\" to ServiceAccount \"openshift-kube-scheduler-operator/openshift-kube-scheduler-operator\""}} ---- -* View the OpenShift OAuth API server logs: +* View the OpenShift OAuth API server audit logs: -.. List the OpenShift OAuth API server logs that are available for each control plane node: +.. List the OpenShift OAuth API server audit logs that are available for each control plane node: + [source,terminal] ---- 
@@ -112,7 +112,7 @@ ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T17-36-06.510.log ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log ---- -.. View a specific OpenShift OAuth API server log by providing the node name and the log name: +.. View a specific OpenShift OAuth API server audit log by providing the node name and the log name: + [source,terminal] ---- 
@@ -131,3 +131,45 @@ $ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=oauth-apiserver/aud ---- {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"dd4c44e2-3ea1-4830-9ab7-c91a5f1388d6","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/users/~","verb":"get","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s","groups":["system:serviceaccounts","system:serviceaccounts:openshift-monitoring","system:authenticated"]},"sourceIPs":["10.0.32.4","10.128.0.1"],"userAgent":"dockerregistry/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"users","name":"~","apiGroup":"user.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T17:47:43.653187Z","stageTimestamp":"2021-03-08T17:47:43.660187Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"basic-users\" of ClusterRole \"basic-user\" to Group \"system:authenticated\""}} ---- + +* View the OpenShift OAuth server audit logs: + +.. List the OpenShift OAuth server audit logs that are available for each control plane node: ++ +[source,terminal] +---- +$ oc adm node-logs --role=master --path=oauth-server/ +---- ++ +.Example output +[source,terminal] +---- +ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit-2022-05-11T18-57-32.395.log +ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit.log +ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit-2022-05-11T19-07-07.021.log +ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit.log +ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2022-05-11T19-06-51.844.log +ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log +---- + +.. 
View a specific OpenShift OAuth server audit log by providing the node name and the log name: ++ +[source,terminal] +---- +$ oc adm node-logs --path=oauth-server/ +---- ++ +For example: ++ +[source,terminal] +---- +$ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=oauth-server/audit-2022-05-11T18-57-32.395.log +---- ++ +.Example output +[source,terminal] +---- +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"13c20345-f33b-4b7d-b3b6-e7793f805621","stage":"ResponseComplete","requestURI":"/login","verb":"post","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["10.128.2.6"],"userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0","responseStatus":{"metadata":{},"code":302},"requestReceivedTimestamp":"2022-05-11T17:31:16.280155Z","stageTimestamp":"2022-05-11T17:31:16.297083Z","annotations":{"authentication.openshift.io/decision":"error","authentication.openshift.io/username":"kubeadmin","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}} +---- ++ +The possible values for the `authentication.openshift.io/decision` annotation are `allow`, `deny`, or `error`.
diff --git a/modules/security-audit-log-filtering.adoc b/modules/security-audit-log-filtering.adoc
index 17004f039759..0333612374f7 100644
--- a/modules/security-audit-log-filtering.adoc
+++ b/modules/security-audit-log-filtering.adoc
@@ -57,3 +57,12 @@ $ oc adm node-logs node-1.example.com \ --path=oauth-apiserver/audit.log \ | jq 'select(.verb != "get")' ---- + +* Filter OpenShift OAuth server audit logs by events that identified a username and failed with an error: ++ +[source,terminal] +---- +$ oc adm node-logs node-1.example.com \ + --path=oauth-server/audit.log \ + | jq 'select(.annotations["authentication.openshift.io/username"] != null and .annotations["authentication.openshift.io/decision"] == "error")' +----