Auditing and monitoring capabilities are an essential part of the
requirements set out in security standards such as FIPS 140-2, PCI-DSS,
SOX, and ISO 27017, as well as in corporate policies. The common way to add
auditing capability to OpenStack services is to adopt the CADF (Cloud Audit
Data Federation) model, which describes the details of resource activity, or
events, in JSON format by answering the seven W questions:
What, When, Who, On What, Where, From Where, To Where.
OpenStack services can enable CADF through pyCADF (a Python-based CADF library). To minimize CADF adoption costs in OpenStack, you can leverage the OpenStack messaging infrastructure and publish audit events as OpenStack notifications, with no need to wait for acknowledgment.
For API requests, an OpenStack service should include in its pipeline the audit middleware, which is currently implemented in the Keystone project. The audit middleware generates an audit event based on an audit map, which specifies what type of data should be extracted from API requests and replies.
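
The mapping described above, as an added example that is not pyCADF or audit middleware code: it turns one API request and reply into a CADF-style event and reports which of the seven W questions the event cannot answer. The AUDIT_MAP layout, the function names and the sample request are assumptions made for this sketch, not the middleware's map file format.

```python
import uuid
from datetime import datetime, timezone

# Hypothetical, simplified audit map (not the middleware's map file format):
# HTTP method -> CADF action, path keyword -> CADF resource typeURI.
AUDIT_MAP = {
    "actions": {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"},
    "resources": {"servers": "service/compute/servers"},
}
# Event field that answers each of the seven W questions.
SEVEN_W = {
    "What": ("action",), "When": ("eventTime",), "Who": ("initiator", "id"),
    "On What": ("target", "typeURI"), "Where": ("observer", "id"),
    "From Where": ("initiator", "host", "address"),
    "To Where": ("target", "addresses"),
}

def build_event(request, status_code, observer_id):
    """Map one API request/reply pair to a CADF activity event (a dict)."""
    parts = request["path"].split("/")
    keyword = next((p for p in parts if p in AUDIT_MAP["resources"]), None)
    return {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "eventType": "activity",
        "id": str(uuid.uuid4()),
        "eventTime": datetime.now(timezone.utc).isoformat(),
        "action": AUDIT_MAP["actions"].get(request["method"], "unknown"),
        "outcome": "success" if status_code < 400 else "failure",
        "initiator": {"id": request["user_id"],
                      "typeURI": "service/security/account/user",
                      "host": {"address": request["remote_addr"]}},
        "target": {"id": request["path"],
                   "typeURI": AUDIT_MAP["resources"].get(keyword, "unknown"),
                   "addresses": [{"url": request["url"]}]},
        "observer": {"id": observer_id, "typeURI": "service/compute"},
    }

def missing_w(event):
    """Return the W questions the event cannot answer (empty list = complete)."""
    missing = []
    for question, path in SEVEN_W.items():
        node = event
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if not node or node == "unknown":  # unmapped values count as unanswered
            missing.append(question)
    return missing

# Constructed sample request; every value is made up for this example.
SAMPLE = {"method": "DELETE", "path": "/v2.1/servers/abc123", "user_id": "user-42",
          "remote_addr": "192.0.2.10", "url": "https://compute.example.test/v2.1/servers/abc123"}
```

An event built from a request whose method or resource is not covered by the map comes back with "What" or "On What" unanswered, which is the gap to look for when reviewing an audit map.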