RedHatGov / OpenShift-on-Azure

Documentation to deploy OpenShift v3 on Azure and Azure Government against FISMA controls

AU-12(b): ability to send logs to centralized server #22

Closed shawndwells closed 8 years ago

shawndwells commented 8 years ago

For AU-12(a): system must offer auditing, add the following language:


OpenShift logs events through the Red Hat Enterprise Linux 7 Audit subsystem. To verify audit is enabled, run the following command:

$ /bin/systemctl status auditd.service

The output will indicate the status of the audit daemon.

shawndwells commented 8 years ago

For AU-12(b): admins should be able to select what events to audit:

Audit rules may be added or removed by modifying /etc/audit/audit.rules or the applicable file under /etc/audit/rules.d/. It is recommended that OpenShift-specific audit rules be added to /etc/audit/rules.d/openshift.rules.
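An added example, not part of the original comments: a shell check that every audit key defined in a rules file such as /etc/audit/rules.d/openshift.rules also appears in the loaded rule set, using a saved copy of `auditctl -l` output. The function names, sample rules, key names and watched paths are constructed placeholders, not OpenShift's own.

```sh
#!/bin/sh
# Added example (not from the issue thread): report audit rule keys that are
# defined in a rules file but absent from the loaded rule set.

# Print the unique keys (-k KEY or -F key=KEY) used in file $1, skipping comments.
rule_keys() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -oE '(-k[[:space:]]+|-F[[:space:]]+key=)[^[:space:]]+' |
        sed -E 's/^(-k[[:space:]]+|-F[[:space:]]+key=)//' | sort -u
}

# Print each key from rules file $1 that is missing from $2, a saved copy of
# `auditctl -l` output. Returns 1 if any key is missing, 0 otherwise.
missing_keys() {
    loaded=$(rule_keys "$2")
    rc=0
    for key in $(rule_keys "$1"); do
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$key"; then
            printf '%s\n' "$key"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data; the watched paths are placeholders, not real OpenShift paths.
write_samples() {
    cat > "$1/openshift.rules" <<'EOF'
# constructed stand-in for /etc/audit/rules.d/openshift.rules
-w /path/to/openshift/config -p wa -k openshift-config
-a always,exit -F arch=b64 -S execve -F path=/path/to/openshift/binary -F key=openshift-exec
EOF
    cat > "$1/loaded.txt" <<'EOF'
-w /path/to/openshift/config -p wa -k openshift-config
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "keys not loaded:"
missing_keys "$demo_dir/openshift.rules" "$demo_dir/loaded.txt" || true
rm -rf "$demo_dir"
```

On a host, capture the second argument as root with `auditctl -l > loaded.txt` and pass the real rules file as the first.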

rlucente-se-jboss commented 8 years ago

For tenant application logs, this is a shared responsibility between OpenShift and the tenant security control implementation. OpenShift provides centralized log capture and aggregation, provided the tenant writes logging data to stdout or stderr streams. Tenants must provide fluentd plugins to forward logs from other sources or locations to the centralized log service.

rlucente-se-jboss commented 8 years ago

OpenShift logs are captured by syslogd, which must also be configured to forward logs to the same centralized OpenShift log service. Kubernetes event logs are not captured by the centralized log service, but only reside in the etcd database. The etcd database must be configured with a fluentd plugin to forward Kubernetes events to the centralized log service.