CADF audit notifications in OpenStack services

MOSK services can emit notifications in the Cloud Auditing Data Federation (CADF) format, which is a standardized format for event data. The information contained in such notifications describes every action users perform in the cloud and is commonly used by organizations to perform security audits and intrusion detection.

Currently, the following MOSK services support the emission of CADF notifications:

  • Compute service (OpenStack Nova)

  • Block Storage service (OpenStack Cinder)

  • Images service (OpenStack Glance)

  • Networking service (OpenStack Neutron)

  • Orchestration service (OpenStack Heat)

  • DNS service (OpenStack Designate)

  • Bare Metal service (OpenStack Ironic)

  • Load Balancing service (OpenStack Octavia)

CADF notifications are enabled in the features:logging:cadf section of the OpenStackDeployment custom resource. For example:

spec:
  features:
    logging:
      cadf:
        enabled: true

How notification messages are delivered to consumers is controlled by the driver setting in the same cadf section. The following options are supported:

  • messagingv2 - Default

    Messages are posted to the notifications.info queue in the MOSK message bus, which is RabbitMQ.

  • log

    Messages are written to the standard log output and then collected by Mirantis StackLight.

Configuration example:

spec:
  features:
    logging:
      cadf:
        enabled: true
        driver: log
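As an added example that is not part of the MOSK documentation or code, the following Python snippet shows how a consumer of the log driver output might validate the core CADF fields of each event and count failed actions per initiator, the kind of check an audit or intrusion-detection pipeline would run. The envelope layout (an "event_type"/"payload" object per line), the audit.http.request event type, the typeURI values and the sample events are assumptions constructed for this example.

```python
import json
from collections import Counter
CADF_EVENT_TYPEURI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
REQUIRED = ("typeURI", "id", "eventType", "eventTime", "action", "outcome",
            "initiator", "target", "observer")  # core fields of a CADF event record

def parse_cadf_event(envelope):
    """Return the CADF payload of a notification envelope, or None if it is not CADF."""
    payload = envelope.get("payload") or {}
    if payload.get("typeURI") != CADF_EVENT_TYPEURI:
        return None  # an ordinary service notification, not an audit event
    missing = [k for k in REQUIRED if k not in payload]
    if missing:
        raise ValueError(f"CADF event {payload.get('id')} is missing {missing}")
    return payload

def triage(log_lines):
    """Count (initiator, action, target type, outcome) over one JSON envelope per line."""
    summary = Counter()
    for line in log_lines:
        event = parse_cadf_event(json.loads(line))
        if event is None:
            continue
        who = event["initiator"].get("name") or event["initiator"]["id"]
        summary[(who, event["action"], event["target"]["typeURI"], event["outcome"])] += 1
    return summary

def failures_by_initiator(summary, threshold):
    """Initiators whose failed actions reach the threshold and deserve a closer look."""
    failed = Counter()
    for (who, _action, _target, outcome), count in summary.items():
        if outcome == "failure":
            failed[who] += count
    return {who: n for who, n in failed.items() if n >= threshold}

def _event(eid, who, action, target, outcome):
    """Build one constructed envelope; its layout is an assumption made for this example."""
    return json.dumps({"event_type": "audit.http.request", "payload": {
        "typeURI": CADF_EVENT_TYPEURI, "id": eid, "eventType": "activity",
        "eventTime": "2024-01-01T10:00:00+00:00", "action": action, "outcome": outcome,
        "initiator": {"id": "uid-" + who, "typeURI": "service/security/account/user", "name": who},
        "target": {"id": "srv-1", "typeURI": target}, "observer": {"id": "target", "typeURI": "service/compute"}}})

SAMPLE_LOG = [  # constructed sample lines, not real MOSK output
    _event("e1", "alice", "delete", "service/compute/servers", "failure"),
    _event("e2", "alice", "delete", "service/compute/servers", "failure"),
    _event("e3", "bob", "read/list", "service/compute/servers", "success"),
    json.dumps({"event_type": "compute.instance.create.end", "payload": {"state": "active"}}),
]
```

Running `failures_by_initiator(triage(SAMPLE_LOG), threshold=2)` returns `{"alice": 2}`; the non-CADF compute notification is skipped rather than miscounted.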