lacework-global-800
Enable Linux auditd logging (Manual)
Description
Run the auditd logging daemon to obtain verbose operating system logs from Google Kubernetes Engine (GKE) nodes running Container-Optimized OS (COS).
Remediation
Using Command Line:
Download the example manifests:
curl https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-node-tools/master/os-audit/cos-auditd-logging.yaml > cos-auditd-logging.yaml
Edit the example manifests, if needed, and then deploy using:
kubectl apply -f cos-auditd-logging.yaml
Verify that the logging Pods have started. If you defined a different Namespace in the manifests, replace cos-auditd with the name of the namespace in use:
kubectl get pods --namespace=cos-auditd
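The verification step above, as an added example (not part of the original policy text or of the k8s-node-tools project): a shell function that reads the rows printed by kubectl get pods --no-headers and fails unless every logging Pod is Running with all of its containers ready. The function name check_auditd_pods is hypothetical, and the Pod names and sample rows are constructed.

```shell
#!/bin/sh
# Added example. Real use:
#   kubectl get pods --namespace=cos-auditd --no-headers | check_auditd_pods

# Hypothetical helper: reads `kubectl get pods --no-headers` rows on stdin.
# Uses only NAME, READY and STATUS (fields 1-3), so a RESTARTS value such as
# "4 (2m ago)" cannot shift the columns it reads.
# Returns 0 if all Pods are healthy, 1 if any is not, 2 if there are no Pods.
check_auditd_pods() {
  awk '
    NF == 0 { next }
    {
      total++
      split($2, ready, "/")            # READY column, e.g. 1/1
      if ($3 != "Running" || ready[1] != ready[2]) {
        bad++
        printf "NOT HEALTHY pod=%s status=%s ready=%s\n", $1, $3, $2
      }
    }
    END {
      if (total == 0) { print "NO PODS FOUND"; exit 2 }
      printf "%d/%d pods healthy\n", total - bad, total
      exit (bad > 0 ? 1 : 0)
    }'
}

# Constructed sample rows (not real cluster output).
SAMPLE_OK='cos-auditd-logging-aaaaa   1/1   Running   0   3d
cos-auditd-logging-bbbbb   1/1   Running   0   3d'

SAMPLE_BAD='cos-auditd-logging-aaaaa   1/1   Running            0            3d
cos-auditd-logging-bbbbb   0/1   CrashLoopBackOff   4 (2m ago)   10m
cos-auditd-logging-ccccc   1/1   Running            0            3d'

# Demo on the constructed failing sample.
printf '%s\n' "$SAMPLE_BAD" | check_auditd_pods || echo "auditd logging Pods need attention"
```

A Pod that exists but is crash-looping produces no audit logs from its node, so a non-zero exit here means the remediation is not yet complete.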
References
https://cloud.google.com/kubernetes-engine/docs/how-to/linux-auditd-logging
https://cloud.google.com/container-optimized-os/docs