openshift · bergerhoffer · Jul 18, 2022 · May 17, 2022
diff --git a/modules/gathering-data-audit-logs.adoc b/modules/gathering-data-audit-logs.adoc
@@ -29,7 +29,7 @@ endif::viewing[]
 
 .Procedure
 
-. Run the `oc adm must-gather` command with the `-- /usr/bin/gather_audit_logs` flag:
+. Run the `oc adm must-gather` command with `-- /usr/bin/gather_audit_logs`:
 +
 [source,terminal]
 ----

diff --git a/modules/nodes-nodes-audit-config-about.adoc b/modules/nodes-nodes-audit-config-about.adoc
@@ -6,7 +6,7 @@
 [id="about-audit-log-profiles_{context}"]
 = About audit log policy profiles
 
-Audit log profiles define how to log requests that come to the OpenShift API server, the Kubernetes API server, and the OAuth API server.
+Audit log profiles define how to log requests that come to the OpenShift API server, Kubernetes API server, OpenShift OAuth API server, and OpenShift OAuth server.
 
 {product-title} provides the following predefined audit policy profiles:
 
@@ -35,7 +35,7 @@ It is not recommended to disable audit logging by using the `None` profile unles
 |===
 [.small]
 --
-1. Sensitive resources, such as `Secret`, `Route`, and `OAuthClient` objects, are never logged past the metadata level.
+1. Sensitive resources, such as `Secret`, `Route`, and `OAuthClient` objects, are only ever logged at the metadata level. OpenShift OAuth server events are only ever logged at the metadata level.
 --
 
 By default, {product-title} uses the `Default` audit log profile. You can use another audit policy profile that also logs request bodies, but be aware of the increased resource usage (CPU, memory, and I/O).
diff --git a/modules/nodes-nodes-audit-log-basic-viewing.adoc b/modules/nodes-nodes-audit-log-basic-viewing.adoc
@@ -6,15 +6,15 @@
 [id="nodes-nodes-audit-log-basic-viewing_{context}"]
 = Viewing the audit logs
 
-You can view the logs for the OpenShift API server, Kubernetes API server, and OpenShift OAuth API server for each control plane node.
+You can view the logs for the OpenShift API server, Kubernetes API server, OpenShift OAuth API server, and OpenShift OAuth server for each control plane node.
 
 .Procedure
 
 To view the audit logs:
 
-* View the OpenShift API server logs:
+* View the OpenShift API server audit logs:
 
-.. List the OpenShift API server logs that are available for each control plane node:
+.. List the OpenShift API server audit logs that are available for each control plane node:
 +
 [source,terminal]
 ----
@@ -32,7 +32,7 @@ ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T00-13-00.128.log
 ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log
 ----
 
-.. View a specific OpenShift API server log by providing the node name and the log name:
+.. View a specific OpenShift API server audit log by providing the node name and the log name:
 +
 [source,terminal]
 ----
@@ -52,9 +52,9 @@ $ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=openshift-apiserver
 {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"381acf6d-5f30-4c7d-8175-c9c317ae5893","stage":"ResponseComplete","requestURI":"/metrics","verb":"get","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s","uid":"825b60a0-3976-4861-a342-3b2b561e8f82","groups":["system:serviceaccounts","system:serviceaccounts:openshift-monitoring","system:authenticated"]},"sourceIPs":["10.129.2.6"],"userAgent":"Prometheus/2.23.0","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T18:02:04.086545Z","stageTimestamp":"2021-03-08T18:02:04.107102Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"prometheus-k8s\" of ClusterRole \"prometheus-k8s\" to ServiceAccount \"prometheus-k8s/openshift-monitoring\""}}
 ----
 
-* View the Kubernetes API server logs:
+* View the Kubernetes API server audit logs:
 
-.. List the Kubernetes API server logs that are available for each control plane node:
+.. List the Kubernetes API server audit logs that are available for each control plane node:
 +
 [source,terminal]
 ----
@@ -72,7 +72,7 @@ ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T18-37-07.511.log
 ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log
 ----
 
-.. View a specific Kubernetes API server log by providing the node name and the log name:
+.. View a specific Kubernetes API server audit log by providing the node name and the log name:
 +
 [source,terminal]
 ----
@@ -92,9 +92,9 @@ $ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=kube-apiserver/audi
 {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"cfce8a0b-b5f5-4365-8c9f-79c1227d10f9","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-kube-scheduler/serviceaccounts/openshift-kube-scheduler-sa","verb":"get","user":{"username":"system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator","uid":"2574b041-f3c8-44e6-a057-baef7aa81516","groups":["system:serviceaccounts","system:serviceaccounts:openshift-kube-scheduler-operator","system:authenticated"]},"sourceIPs":["10.128.0.8"],"userAgent":"cluster-kube-scheduler-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"serviceaccounts","namespace":"openshift-kube-scheduler","name":"openshift-kube-scheduler-sa","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T18:06:42.512619Z","stageTimestamp":"2021-03-08T18:06:42.516145Z","annotations":{"authentication.k8s.io/legacy-token":"system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:operator:cluster-kube-scheduler-operator\" of ClusterRole \"cluster-admin\" to ServiceAccount \"openshift-kube-scheduler-operator/openshift-kube-scheduler-operator\""}}
 ----
 
-* View the OpenShift OAuth API server logs:
+* View the OpenShift OAuth API server audit logs:
 
-.. List the OpenShift OAuth API server logs that are available for each control plane node:
+.. List the OpenShift OAuth API server audit logs that are available for each control plane node:
 +
 [source,terminal]
 ----
@@ -112,7 +112,7 @@ ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T17-36-06.510.log
 ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log
 ----
 
-.. View a specific OpenShift OAuth API server log by providing the node name and the log name:
+.. View a specific OpenShift OAuth API server audit log by providing the node name and the log name:
 +
 [source,terminal]
 ----
@@ -131,3 +131,45 @@ $ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=oauth-apiserver/aud
 ----
 {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"dd4c44e2-3ea1-4830-9ab7-c91a5f1388d6","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/users/~","verb":"get","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s","groups":["system:serviceaccounts","system:serviceaccounts:openshift-monitoring","system:authenticated"]},"sourceIPs":["10.0.32.4","10.128.0.1"],"userAgent":"dockerregistry/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"users","name":"~","apiGroup":"user.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T17:47:43.653187Z","stageTimestamp":"2021-03-08T17:47:43.660187Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"basic-users\" of ClusterRole \"basic-user\" to Group \"system:authenticated\""}}
 ----
+
+* View the OpenShift OAuth server audit logs:
+
+.. List the OpenShift OAuth server audit logs that are available for each control plane node:
++
+[source,terminal]
+----
+$ oc adm node-logs --role=master --path=oauth-server/
+----
++
+.Example output
+[source,terminal]
+----
+ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit-2022-05-11T18-57-32.395.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit-2022-05-11T19-07-07.021.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2022-05-11T19-06-51.844.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log
+----
+
+.. View a specific OpenShift OAuth server audit log by providing the node name and the log name:
++
+[source,terminal]
+----
+$ oc adm node-logs <node_name> --path=oauth-server/<log_name>
+----
++
+For example:
++
+[source,terminal]
+----
+$ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=oauth-server/audit-2022-05-11T18-57-32.395.log
+----
++
+.Example output
+[source,terminal]
+----
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"13c20345-f33b-4b7d-b3b6-e7793f805621","stage":"ResponseComplete","requestURI":"/login","verb":"post","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["10.128.2.6"],"userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0","responseStatus":{"metadata":{},"code":302},"requestReceivedTimestamp":"2022-05-11T17:31:16.280155Z","stageTimestamp":"2022-05-11T17:31:16.297083Z","annotations":{"authentication.openshift.io/decision":"error","authentication.openshift.io/username":"kubeadmin","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
+----
++
+The possible values for the `authentication.openshift.io/decision` annotation are `allow`, `deny`, or `error`.
diff --git a/modules/security-audit-log-filtering.adoc b/modules/security-audit-log-filtering.adoc
@@ -57,3 +57,12 @@ $ oc adm node-logs node-1.example.com  \
   --path=oauth-apiserver/audit.log \
   | jq 'select(.verb != "get")'
 ----
+
+* Filter OpenShift OAuth server audit logs by events that identified a username and failed with an error:
++
+[source,terminal]
+----
+$ oc adm node-logs node-1.example.com  \
+  --path=oauth-server/audit.log \
+  | jq 'select(.annotations["authentication.openshift.io/username"] != null and .annotations["authentication.openshift.io/decision"] == "error")'
+----