CADF audit notifications in OpenStack services
MOSK services can emit notifications in the Cloud Auditing Data Federation (CADF) format, which is a standardized format for event data. The information contained in such notifications describes every action users perform in the cloud and is commonly used by organizations to perform security audits and intrusion detection.
Currently, the following MOSK services support the emission of CADF notifications:
Compute service (OpenStack Nova)
Block Storage service (OpenStack Cinder)
Images service (OpenStack Glance)
Networking service (OpenStack Neutron)
Orchestration service (OpenStack Heat)
DNS service (OpenStack Designate)
Bare Metal service (OpenStack Ironic)
Load Balancing service (OpenStack Octavia)
CADF notifications are enabled in the features:logging:cadf section of the OpenStackDeployment custom resource. For example:
spec:
  features:
    logging:
      cadf:
        enabled: true
The way the notification messages get delivered to the consumers is controlled by the notification driver setting. The following options are supported:
messagingv2 - Default. Messages get posted to the notifications.info queue in the MOSK message bus, which is RabbitMQ.
log - Messages get posted to a standard log output and then collected by Mirantis StackLight.
Configuration example:
spec:
  features:
    logging:
      cadf:
        enabled: true
        driver: log
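
As an added example (not part of the original page or of MOSK itself), the following Python code reads notifications as delivered by either driver described above and counts failed actions per initiator, the kind of check an audit or intrusion-detection pipeline runs on this data. The envelope keys (`oslo.message`, `payload`) and the CADF fields (`outcome`, `initiator`) are assumed from the oslo.messaging and CADF formats, which this page does not show; the log-line prefix and all sample values are constructed.

```python
import json
from collections import Counter

def cadf_payload(line):
    """Return the CADF event carried by one log line or queue message body, else None."""
    start = line.find("{")  # log driver output has a text prefix before the JSON
    if start < 0:
        return None
    try:
        msg, _ = json.JSONDecoder().raw_decode(line[start:])
        if isinstance(msg, dict) and "oslo.message" in msg:
            # messagingv2 envelope: the notification is a JSON string inside it
            msg = json.loads(msg["oslo.message"])
    except (TypeError, json.JSONDecodeError):
        return None
    payload = msg.get("payload") if isinstance(msg, dict) else None
    if isinstance(payload, dict) and isinstance(payload.get("initiator"), dict):
        return payload
    return None

def repeated_failures(lines, threshold=3):
    """Return {(initiator id, source address): count} for failed events at or above threshold."""
    failures = Counter()
    for line in lines:
        event = cadf_payload(line)
        if event is None or event.get("outcome") != "failure":
            continue
        who = event["initiator"]
        failures[(who.get("id"), (who.get("host") or {}).get("address"))] += 1
    return {key: n for key, n in failures.items() if n >= threshold}

def _sample(outcome, user, addr):
    """Constructed notification; field names follow CADF, values are made up."""
    return json.dumps({"event_type": "audit.http.response", "payload": {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "action": "read/list", "outcome": outcome,
        "initiator": {"id": user, "host": {"address": addr}},
        "target": {"typeURI": "service/compute/servers"}}})

# Constructed input mixing both delivery shapes so each code path is exercised.
SAMPLE = [
    "2024-01-01 00:00:01 INFO oslo.messaging.notification " + _sample("failure", "user-a", "192.0.2.10"),
    "2024-01-01 00:00:02 INFO oslo.messaging.notification " + _sample("failure", "user-a", "192.0.2.10"),
    "2024-01-01 00:00:03 INFO oslo.messaging.notification " + _sample("failure", "user-a", "192.0.2.10"),
    json.dumps({"oslo.version": "2.0", "oslo.message": _sample("failure", "user-b", "192.0.2.20")}),
    json.dumps({"oslo.version": "2.0", "oslo.message": _sample("success", "user-b", "192.0.2.20")}),
    "2024-01-01 00:00:04 INFO some unrelated line",
]

if __name__ == "__main__":
    print(repeated_failures(SAMPLE))
```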