Host operating system

The integrity of any containerized cluster is fundamentally reliant on the security of the underlying host operating system (OS). As the infrastructure foundation, the host OS represents a critical attack surface that requires rigorous monitoring beyond standard application or container logs. This section details the mechanisms used to establish visibility, enforce compliance standards, and maintain a defensible security posture across all infrastructure nodes.

auditd

The Linux Audit Daemon (auditd) serves as the foundational security telemetry agent for every node within the cluster infrastructure. In a distributed environment, relying solely on container-level logs or standard application output creates significant visibility gaps regarding the underlying host OS.

The use of auditd addresses these issues by operating directly on the host, capturing authoritative data on system events regardless of whether they originate from a privileged user, a system service, or a containerized workload. This ensures that the security posture of the cluster is monitored at the infrastructure level, providing a consistent and tamper-resistant record of activity.

Deployment of auditd is a prerequisite for meeting compliance baselines such as CIS Benchmark and other regulatory standards applicable to production clusters.

These frameworks mandate that all hosts maintain a verifiable audit trail of administrative access, authentication events, and modifications to system configuration. By standardizing the audit configuration across all nodes, the organization establishes a defensible security baseline that proves adherence to governance policies.

This uniformity is essential for passing security audits, as it demonstrates that the cluster infrastructure itself, not just the applications running on top of it, is subject to rigorous monitoring and control.

From an operational security perspective, auditd is the primary mechanism for establishing accountability and attribution within the cluster. It tracks the execution of privileged commands, the usage of identity switching tools such as sudo, and access to sensitive host files. In a cluster environment where administrators may access multiple nodes to troubleshoot or deploy services, distinguishing between legitimate maintenance and potential abuse is critical.

The audit subsystem binds these actions to specific user identities, ensuring that every change to the host environment is attributable to a distinct actor. This data is vital for enforcing least-privilege models and detecting lateral movement between nodes.

In the context of incident response, auditd provides a reliable, persistent record of cluster infrastructure activity. Should a node be compromised or behave abnormally, the audit logs provide the historical context necessary to reconstruct the event and determine how access was gained and what actions were performed on the host. To be effective in a clustered environment, these logs are typically forwarded from the individual nodes to a centralized SIEM or logging platform, enabling aggregate analysis and the correlation of events across the entire infrastructure.
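The attribution logic described above, run over constructed audit records as an added example (not Mirantis code or configuration): it groups SYSCALL and EXECVE records by audit event id, binds each event to the login uid (auid), which is set at login and survives sudo or su, and flags commands executed under a switched effective uid. The sample lines, rule keys and function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two events, each a SYSCALL record plus its EXECVE record,
# sharing one msg=audit(ts:serial) id. Values are illustrative, not real data.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 euid=0 ses=3 comm="visudo" exe="/usr/sbin/visudo" key="sudoers_changes"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="visudo" a1="-f"
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 euid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="etc_read"
type=EXECVE msg=audit(1700000000.205:502): argc=2 a0="cat" a1="/etc/hostname"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # auid of -1: process has no login session

def parse_events(text):
    """Group audit records by their audit(ts:serial) id and merge their fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        ev.setdefault("ts", float(m.group(1)))
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.pop("type", None) == "EXECVE":
            # EXECVE carries the argv as a0..aN; rebuild it as a list
            argc = int(fields.get("argc", 0))
            ev["argv"] = [fields[f"a{i}"] for i in range(argc) if f"a{i}" in fields]
        else:
            ev.update(fields)
    return events

def attribute(events):
    """Bind each event to the login identity (auid) and flag actions whose
    effective uid differs from it, i.e. performed after sudo/su."""
    findings = []
    for serial, ev in sorted(events.items(), key=lambda kv: kv[1]["ts"]):
        auid, euid = ev.get("auid"), ev.get("euid")
        findings.append({
            "serial": serial,
            "actor_auid": auid,
            "effective_uid": euid,
            "key": ev.get("key"),
            "argv": ev.get("argv", []),
            "switched_identity": auid not in (None, UNSET_AUID) and auid != euid,
        })
    return findings

if __name__ == "__main__":
    for f in attribute(parse_events(SAMPLE_LOG)):
        print(f"{f['serial']}: login uid {f['actor_auid']} ran {' '.join(f['argv'])} "
              f"as uid {f['effective_uid']} key={f['key']} switched={f['switched_identity']}")
```

The same grouping applies to any record types sharing an event id (PATH, CWD, PROCTITLE), and the key field carries the rule name assigned with `-k` in the audit rules, so it is the natural pivot when the records reach the SIEM.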

auditd module

TechPreview

Mirantis provides the auditd host OS configuration module that allows managing auditd settings for machines of both management and MOSK clusters without rebuilding the node from scratch. Such an approach prevents workload evacuation and significantly reduces configuration time. You can roll out auditd configuration granularly per node (label-based) with the ability to roll back the changes.