support for audit logs

README.md

@@ -17,6 +17,7 @@ Once installed, the Fluent Bit Operator provides the following features:
   - [Prerequisites](#prerequisites)
   - [Quick Start](#quick-start)
   - [Logging Stack](#logging-stack)
+    - [Auditd](#auditd)
 - [API Doc](#api-doc)
 - [Best Practice](#best-practice)
   - [Plugin Grouping](#plugin-grouping)
@@ -103,6 +104,21 @@ green open ks-logstash-log-2020.04.26 uwQuoO90TwyigqYRW7MDYQ 1 1  99937 0  31.2m
 
 Success!
 
+#### Auditd
+The Linux audit framework provides a CAPP-compliant (Controlled Access Protection Profile) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system. Refer to `manifests/logging-stack/auditd`, it supports a method for collecting audit logs from the Linux audit framework.
+
+```shell
+kubectl apply -f manifests/setup
+kubectl apply -f manifests/logging-stack/auditd
+```
+
+Within a couple of minutes, you should observe an index available:
+
+```shell
+$ curl localhost:9200/_cat/indices
+green open ks-logstash-log-2021.04.06 QeI-k_LoQZ2h1z23F3XiHg  5 1 404879 0 298.4mb 149.2mb
+``` 
+
 ## API Doc
 
 The listing below shows supported plugins currently. It is based on Fluent Bit v1.4.6. For more information, see API docs of each plugin.

manifests/logging-stack/auditd/auditd-lua-config.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fluent-bit-auditd-config
+  namespace: kubesphere-logging-system
+data:
+  auditd.lua: |
+    function cb_replace(tag, timestamp, record)
+      if (record["log"] == nil) 
+      then
+          return  0, 0, 0
+          end
+
+      local new_record = {}
+      timeStr = os.date("!*t", timestamp["sec"])
+      t = string.format("%4d-%02d-%02dT%02d:%02d:%02d.%sZ",
+        timeStr["year"], timeStr["month"], timeStr["day"],
+        timeStr["hour"], timeStr["min"], timeStr["sec"],
+        timestamp["nsec"])
+      kubernetes = {}
+      kubernetes["pod_name"] = record["node_name"]
+      kubernetes["container_name"] = "auditd"
+      kubernetes["namespace_name"] = "kube-system"
+
+      new_record["time"] = t
+      new_record["log"] = record["log"]
+      new_record["kubernetes"] = kubernetes
+      return 1, timestamp, new_record
+    end
+

manifests/logging-stack/auditd/filter-auditd.yaml

@@ -0,0 +1,21 @@
+apiVersion: logging.kubesphere.io/v1alpha2
+kind: Filter
+metadata:
+  name: filter-audit-logs
+  namespace: kubesphere-logging-system
+  labels:
+    logging.kubesphere.io/enabled: "true"
+    logging.kubesphere.io/component: logging
+spec:
+  match: auditd
+  filters:
+  - recordModifier:
+      records:
+      - node_name ${NODE_NAME}
+  - lua:
+      script:
+        key: auditd.lua
+        name: fluent-bit-auditd-config
+      call: cb_replace
+      timeAsTable: true
+

manifests/logging-stack/auditd/input-auditd.yaml

@@ -0,0 +1,16 @@
+apiVersion: logging.kubesphere.io/v1alpha2
+kind: Input
+metadata:
+  name: auditd-input
+  namespace: kubesphere-logging-system
+  labels:
+    logging.kubesphere.io/enabled: "true"
+    logging.kubesphere.io/component: logging
+spec:
+  tail:
+    tag: auditd
+    path: /var/log/audit/audit.log
+    refreshIntervalSeconds: 10
+    memBufLimit: 5MB
+    db: /fluent-bit/tail/auditd.db
+    dbSync: Normal

manifests/logging-stack/auditd/output-auditd-elasticsearch.yaml

@@ -0,0 +1,16 @@
+apiVersion: logging.kubesphere.io/v1alpha2
+kind: Output
+metadata:
+  name: auditd-to-es
+  namespace: kubesphere-logging-system
+  labels:
+    logging.kubesphere.io/enabled: "true"
+    logging.kubesphere.io/component: logging
+spec:
+  matchRegex: auditd
+  es:
+    host: elasticsearch-logging-data.kubesphere-logging-system.svc
+    port: 9200
+    logstashPrefix: ks-logstash-log
+    logstashFormat: true
+    timeKey: "@timestamp"

pkg/operator/daemonset.go

@@ -2,6 +2,7 @@ package operator
 
 import (
 	"fmt"
+
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -116,6 +117,16 @@ func MakeDaemonSet(fb v1alpha2.FluentBit, logPath string) appsv1.DaemonSet {
 									Protocol:      "TCP",
 								},
 							},
+							Env: []corev1.EnvVar{
+								corev1.EnvVar{
+									Name: "NODE_NAME",
+									ValueFrom: &corev1.EnvVarSource{
+										FieldRef: &corev1.ObjectFieldSelector{
+											FieldPath: "spec.nodeName",
+										},
+									},
+								},
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "varlibcontainers",