auditing audispd vs kubernetes daemonsets
Steve Grubb
sgrubb at redhat.com
Mon Apr 13 13:57:58 UTC 2020
On Friday, April 10, 2020 4:39:37 PM EDT Gabriel Alford wrote:
> In the midst of discussing sending audit logs from a Red Hat CoreOS node to
> some central audit collection and evaluation tool, the question came up
> about using audispd instead of Daemonsets. Daemonsets are what is planned
> for OpenShift. As I understand it, the general principle is to allow
> auditing to flow through the subsystem, but does it need to flow through
> the entire auditing workflow?
I'd say that if you ask 10 people on this list, you may find 10 different ways
they are doing it. It really depends on your requirements. Some places care
that you don't mix security officer and system admin roles. (Security Officer may
have a system admin under investigation.) In that case, you have to keep the
logs separate and this is likely to a MLS system. Other, less demanding
sites, don't care because they are one in the same. They send audit logs into
syslog and then pick it apart later. And then there are some tools that have
their own audisp plugin and transport the logs themselves.
> Can a Daemonset be used instead of audispd, or are there reasons audispd
> should be used over a Daemonset that some of us just aren't aware of?
Entirely up to the system architect and their security requirements.
-Steve
More information about the Linux-audit
mailing list