From: Steve Grubb
To: linux-audit@redhat.com
Cc: Gabriel Alford, Juan Osorio Robles
Subject: Re: auditing audispd vs kubernetes daemonsets
Date: Mon, 13 Apr 2020 09:57:58 -0400
Message-ID: <4644525.9UYIb4EAcv@x2>
Organization: Red Hat

On Friday, April 10, 2020 4:39:37 PM EDT Gabriel Alford wrote:
> In the midst of discussing sending audit logs from a Red Hat CoreOS node to
> some central audit collection and evaluation tool, the question came up
> about using audispd instead of Daemonsets. Daemonsets are what is planned
> for OpenShift. As I understand it, the general principle is to allow
> auditing to flow through the subsystem, but does it need to flow through
> the entire auditing workflow?

I'd say that if you ask 10 people on this list, you may find 10 different
ways they are doing it. It really depends on your requirements. Some places
care that you don't mix security officer and system admin roles. (The Security
Officer may have a system admin under investigation.) In that case, you have to
keep the logs separate, and this is likely to be an MLS system. Other, less
demanding sites don't care because they are one and the same. They send audit
logs into syslog and then pick it apart later. And then there are some tools
that have their own audisp plugin and transport the logs themselves.

> Can a Daemonset be used instead of audispd, or are there reasons audispd
> should be used over a Daemonset that some of us just aren't aware of?

Entirely up to the system architect and their security requirements.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
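The "own audisp plugin" route Steve mentions works by auditd (via audispd) handing each audit record to the plugin as one text line on stdin when the plugin's config uses format = string. The skeleton below is an added example, not code from the thread or from the audit project: it parses the record header and key=value fields and hands a one-line summary to a sink such as syslog. The sample record is constructed, and the function names are my own.

```python
#!/usr/bin/env python3
"""Minimal audisp-style plugin skeleton (added example, not from the thread).

audispd/auditd delivers each audit record to a plugin as one text line on
stdin (plugin config: format = string). This parses the record header and its
key=value fields, then passes a structured summary to a sink such as syslog.
"""
import re
import sys

# Header: "type=<TYPE> msg=audit(<epoch.ms>:<serial>): <fields...>"
HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# Fields are key=value; values may be bare, "quoted", or 'quoted'
FIELD_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_audit_record(line):
    """Return a dict for one raw audit record, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for key, val in FIELD_RE.findall(rest):
        fields[key] = val.strip('"\'')
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}

def summarize(rec):
    """One-line summary suitable for a syslog message."""
    f = rec["fields"]
    who = f.get("auid", "?")
    what = f.get("exe") or f.get("comm") or f.get("key") or "-"
    return "audit serial=%d type=%s auid=%s obj=%s success=%s" % (
        rec["serial"], rec["type"], who, what, f.get("success", "-"))

def forward(lines, emit):
    """Parse each line and pass a summary to emit(); returns count forwarded."""
    n = 0
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None:
            continue  # non-record lines (e.g. blank) are skipped, not forwarded
        emit(summarize(rec))
        n += 1
    return n

# Constructed sample record for stand-alone runs (not a captured log line)
SAMPLE = ('type=SYSCALL msg=audit(1586786296.123:456): arch=c000003e syscall=59 '
          'success=yes exit=0 auid=1000 comm="cat" exe="/usr/bin/cat" key="exec"')

if __name__ == "__main__":
    import syslog  # Unix-only stdlib module; the sink when run as a real plugin
    src = sys.stdin if not sys.stdin.isatty() else [SAMPLE]
    forward(src, syslog.syslog)
```

When run from a terminal it processes the constructed sample; under audispd it reads the live record stream from stdin.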