add a daemonset yaml for disabling auditd logging #67
This YAML was tested on a sample cluster; audit logs stopped coming after the DS was deployed.

It may benefit from some README notes updates. @wangzhen127, you've been one of the authors of the DS a long time ago. Interested to review?
| name: cleanup-auditd | ||
| spec: | ||
| hostPID: true | ||
| containers: |
From a security perspective it is better to have an init container, so the high-priv container executes and shuts down instead of hanging around, giving the possibility to hack into it.
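One way to lay out the disabler along the lines of this suggestion, as an added example rather than the manifest from this PR: the one-shot privileged `systemctl` call runs in an init container that exits, and the only long-lived container is a pause image with every privilege dropped. The namespace, labels, node selector, the `/host` hostPath mount, the `privileged: true` setting on the init container, and the exact units disabled (`cloud-audit-setup.service` and `audit-rules.service`, mirroring the enabler's `enable --now`) are assumptions; the images are the gke.gcr.io ones mentioned in this thread.

```yaml
# Added example (not this PR's manifest): privileged host change in an init
# container, unprivileged pause container as the DaemonSet's resident process.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cleanup-auditd
  namespace: cos-auditd            # assumption: same namespace as the enabler
  labels:
    app: cleanup-auditd
spec:
  selector:
    matchLabels:
      app: cleanup-auditd
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: cleanup-auditd
    spec:
      hostPID: true                # systemctl through the chroot needs the host's PID 1 visible
      nodeSelector:
        cloud.google.com/gke-os-distribution: cos   # assumption: target only COS nodes
      tolerations:
        - operator: Exists         # reach every node, including tainted ones
      initContainers:
        - name: auditd-disabler
          image: gke.gcr.io/gke-distroless/bash
          command:
            - /bin/bash
            - -c
            - |
              set -euo pipefail
              # assumption: these two units are what the enabler turned on
              chroot /host systemctl disable --now cloud-audit-setup.service audit-rules.service
          securityContext:
            privileged: true       # assumption: required to reach the host's systemd from the chroot
          volumeMounts:
            - name: host-root
              mountPath: /host
      containers:
        - name: pause
          image: gke.gcr.io/pause:3.8
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 65534
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 10m
              memory: 8Mi
            limits:
              memory: 16Mi
      volumes:
        - name: host-root
          hostPath:
            path: /
```

Because the init container must succeed before the pod becomes Ready, `kubectl rollout status daemonset/cleanup-auditd -n cos-auditd` returning cleanly means the disable command ran on every node; after that the DaemonSet can be deleted, leaving nothing privileged behind.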
| hostPID: true | ||
| containers: | ||
| - name: auditd-disabler | ||
| image: busybox |
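Review bot: `image: busybox` carries neither a registry nor a tag or digest, so whatever Docker Hub currently serves for that name becomes the binary running with `hostPID: true` on every node; besides moving to an internal registry, pin the image by digest (`image: <registry>/<name>@sha256:<digest>`) so a moved tag cannot change what executes here.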
don't use images from Docker Hub
switched to GKE-specific gke.gcr.io/gke-distroless/bash (init) and gke.gcr.io/pause:3.8 (main)
I've also replaced 'ubuntu' in the "auditd enabler" yaml with gke.gcr.io/gke-distroless/bash for consistency
1b31363 to 2ec55bf
| command: | ||
| - /bin/bash | ||
| - -c | ||
| - "chroot /host systemctl enable --now cloud-audit-setup.service" |
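Review bot: `chroot /host systemctl enable --now cloud-audit-setup.service` depends on the host root filesystem being mounted read-write at `/host` (the `enable` writes unit symlinks under the host's `/etc/systemd/system`), and that `hostPath` volume and its mount are not in this hunk; confirm they exist in the spec, and since this is a single shell line, a failing `systemctl` already exits non-zero and will surface as a failed init container, which is the behaviour you want.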
I like the improvement. Have you tested it manually?

Yes, the updated "installer" and "disabler".

Do you think you can throw some minimal instructions in a README before the official docs are updated? Other than that it looks good.
2ec55bf to 09bc8db

The README was updated, PTAL.
| - `cos-auditd-logging.yaml`: A DaemonSet that enables and starts the `cloud-audit-setup` and `audit-rules` services on the host. | ||
| - `cos-auditd-logging-disable.yaml`: A DaemonSet that disables these services to revert changes and restore the default node logging state. No newline at end of file |
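Review bot: the README entry names the file `cos-auditd-logging-disable.yaml`, but the DaemonSet object it creates is `cleanup-auditd` (see the `name:` line in the spec above), and a reader who later has to `kubectl delete daemonset` needs the object name, not the file name; state both here, and add the missing trailing newline flagged by "No newline at end of file".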
| - `cos-auditd-logging-disable.yaml`: A DaemonSet that disables these services to revert changes and restore the default node logging state. | |
| - `cos-auditd-logging-disable.yaml`: A DaemonSet that disables these services to revert changes and restore the default node logging state. | |
| - | |
| After logging was enabled, remove the daemonset `cos-auditd-logging`, wait for all Pods deleted. Than ensure that the second DaemonSet is fully rolled out and succeeded on all nodes. After this, the `cleanup-auditd` daemonset can be deleted. |
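Review bot: in the suggested paragraph, "Than ensure" should read "Then ensure", and "wait for all Pods deleted" would be clearer with the observable condition the operator should check (no pods from the `cos-auditd-logging` DaemonSet remaining) before the second DaemonSet is applied; the ordering itself (remove the enabler, roll out the disabler fully, then delete `cleanup-auditd`) is the right one.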
Thanks. I added some more details to make it more autonomous.

09bc8db to 696cc01
fixes: #66