Configuring custom auditd logs for GKE

Overview

This project is a quick example of how to bootstrap GKE worker nodes so that auditd is configured with custom rules and the resulting events are streamed to Google Cloud Logging via fluentd.

Auditd on Ubuntu vs ChromiumOS

To highlight what is different about auditd on ChromiumOS, the distribution that the Container-Optimized OS (COS) images used by GKE are based on, the table below compares the standard auditd components shipped with Ubuntu against what is available on COS.

| Component | Description |
|---|---|
| kauditd (kernel space) | kernel-space audit daemon, writes to syslog |
| auditd (user space) | user-space audit daemon, writes log files |
| auditctl | configures audit rules (in kauditd) |
| aureport | creates audit reports |
| ausearch | searches auditd logs |

Solution

Because the auditd daemon is excluded from the COS image, the standard configuration files under /etc/audit are not used and no log is written to the standard /var/log/audit/audit.log location. Instead, auditctl loads the rules into the kauditd kernel daemon, which then emits events via syslog; on COS these are captured by the systemd journal and can be read with journalctl.

This sample project performs the following:

  1. Defines a set of custom auditd rules exposed as a ConfigMap
  2. Defines a custom configuration for the Stackdriver fluentd logging agent, exposed as a ConfigMap
  3. Defines a DaemonSet that bootstraps [1] every worker node running a COS image, configuring auditd and the fluentd logging agent on it.
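As an added illustration of steps 1 and 3 (not taken from this project's manifests): a ConfigMap carrying a constructed rule set, and a DaemonSet whose init container loads it into kauditd with `auditctl` on COS nodes only. The resource names, the rules and the `example.invalid/audit-tools` image are assumptions; the fluentd ConfigMap of step 2 is not shown.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: auditd-rules
  namespace: kube-system
data:
  audit.rules: |
    # Drop rules already loaded, then raise the kernel backlog
    -D
    -b 8192
    # Watch identity files for writes and attribute changes
    -w /etc/passwd -p wa -k identity
    -w /etc/sudoers -p wa -k sudo_policy
    # Record every execve on the 64-bit ABI
    -a always,exit -F arch=b64 -S execve -k exec
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: auditd-bootstrap
  namespace: kube-system
spec:
  selector:
    matchLabels: {app: auditd-bootstrap}
  template:
    metadata:
      labels: {app: auditd-bootstrap}
    spec:
      nodeSelector:             # GKE sets this label; Ubuntu nodes are skipped
        cloud.google.com/gke-os-distribution: cos
      initContainers:
      - name: load-rules
        image: example.invalid/audit-tools:latest   # assumed: any image shipping auditctl
        command: ["auditctl", "-R", "/etc/audit-rules/audit.rules"]
        securityContext:
          capabilities:
            add: ["AUDIT_CONTROL"]   # all auditctl needs; no privileged container
        volumeMounts:
        - name: rules
          mountPath: /etc/audit-rules
          readOnly: true
      containers:
      - name: pause
        image: registry.k8s.io/pause:3.9
      volumes:
      - name: rules
        configMap:
          name: auditd-rules
```

The init container talks to the host kernel's audit subsystem directly, so the rules apply to every process on the node; the pause container only keeps the pod (and thus the DaemonSet) resident, and a pod restart re-applies the rules.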

Usage

  1. Set the default project and region in the gcloud CLI: `gcloud config set project <project-name> && gcloud config set compute/region us-east1`
  2. Run `./init.sh` to set up a test cluster and deploy the sample resources
  3. Observe the auditd logs in Cloud Logging with the following query filter: `logName="projects/<project-name>/logs/linux-auditd-customized"`
  4. Run `./destroy.sh` to clean up the test cluster

Supporting Documentation: