search

elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations
Other
26 stars 442 forks source link

[GCP Audit Integration] gcp.audit.resource_name not extracted from k8s audit logs #6024

Open Danouchka opened 1 year ago

Danouchka commented 1 year ago

Hello

I have configured on GCP the following Log Router Sink

logName=("projects/elastic-sa/logs/cloudaudit.googleapis.com%2Factivity" OR "projects/elastic-sa/logs/cloudaudit.googleapis.com%2Fdata_access" OR "projects/elastic-sa/logs/cloudaudit.googleapis.com%2Fsystem_event")
((resource.type:("k8s_cluster" OR "gke_cluster") AND resource.labels.project_id="elastic-sa"  )
protoPayload.methodName:("CreateCluster" OR "DeleteCluster" OR "UpdateCluster" OR "deployments.create"  OR "io.k8s.core.v1.pods.delete" OR "io.k8s.core.v1.pods.create" OR "io.k8s.core.v1.pods.binding_create"  OR  "io.k8s.core.v1.pods.attach.create")
protoPayload.serviceName="k8s.io"
-protoPayload.resourceName:"core/v1/namespaces/gkebackup"
-protoPayload.resourceName:"core/v1/namespaces/kube-system"
-protoPayload.resourceName:"core/v1/namespaces/gmp-system")

This will produce for instance the following logs

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "dan.abitbol@elastic.co"
    },
    "authorizationInfo": [
      {
        "granted": true,
        "permission": "io.k8s.core.v1.pods.delete",
        "resource": "core/v1/namespaces/default/pods/debug4"
      }
    ],
    "methodName": "io.k8s.core.v1.pods.delete",
    "request": {
      "@type": "meta.k8s.io/__internal.DeleteOptions",
      "apiVersion": "meta.k8s.io/__internal",
      "kind": "DeleteOptions",
      "propagationPolicy": "Background"
    },
    "requestMetadata": {
      "callerIp": "34.22.255.76",
      "callerSuppliedUserAgent": "kubectl/v1.26.3 (linux/amd64) kubernetes/9e64410"
    },
    "resourceName": "core/v1/namespaces/default/pods/debug4",
    "response": {
      "@type": "core.k8s.io/v1.Pod",
      "apiVersion": "v1",
      "kind": "Pod",
      "metadata": {
        "creationTimestamp": "2023-04-27T11:50:35Z",
        "deletionGracePeriodSeconds": 30,
        "deletionTimestamp": "2023-04-27T20:59:07Z",
        "labels": {
          "run": "debug4"
        },
        "managedFields": [
          {
            "apiVersion": "v1",
            "fieldsType": "FieldsV1",
            "fieldsV1": {
              "f:metadata": {
                "f:labels": {
                  ".": {},
                  "f:run": {}
                }
              },
              "f:spec": {
                "f:containers": {
                  "k:{\"name\":\"debug4\"}": {
                    ".": {},
                    "f:image": {},
                    "f:imagePullPolicy": {},
                    "f:name": {},
                    "f:resources": {},
                    "f:stdin": {},
                    "f:stdinOnce": {},
                    "f:terminationMessagePath": {},
                    "f:terminationMessagePolicy": {},
                    "f:tty": {}
                  }
                },
                "f:dnsPolicy": {},
                "f:enableServiceLinks": {},
                "f:hostNetwork": {},
                "f:restartPolicy": {},
                "f:schedulerName": {},
                "f:securityContext": {},
                "f:terminationGracePeriodSeconds": {}
              }
            },
            "manager": "kubectl-run",
            "operation": "Update",
            "time": "2023-04-27T11:50:35Z"
          },
          {
            "apiVersion": "v1",
            "fieldsType": "FieldsV1",
            "fieldsV1": {
              "f:status": {
                "f:conditions": {
                  "k:{\"type\":\"ContainersReady\"}": {
                    ".": {},
                    "f:lastProbeTime": {},
                    "f:lastTransitionTime": {},
                    "f:status": {},
                    "f:type": {}
                  },
                  "k:{\"type\":\"Initialized\"}": {
                    ".": {},
                    "f:lastProbeTime": {},
                    "f:lastTransitionTime": {},
                    "f:status": {},
                    "f:type": {}
                  },
                  "k:{\"type\":\"Ready\"}": {
                    ".": {},
                    "f:lastProbeTime": {},
                    "f:lastTransitionTime": {},
                    "f:status": {},
                    "f:type": {}
                  }
                },
                "f:containerStatuses": {},
                "f:hostIP": {},
                "f:phase": {},
                "f:podIP": {},
                "f:podIPs": {
                  ".": {},
                  "k:{\"ip\":\"10.132.0.28\"}": {
                    ".": {},
                    "f:ip": {}
                  }
                },
                "f:startTime": {}
              }
            },
            "manager": "kubelet",
            "operation": "Update",
            "subresource": "status",
            "time": "2023-04-27T11:50:36Z"
          }
        ],
        "name": "debug4",
        "namespace": "default",
        "resourceVersion": "76620168",
        "uid": "6661e893-99d5-4a9d-ac16-254a177e9516"
      },
      "spec": {
        "containers": [
          {
            "image": "ubuntu",
            "imagePullPolicy": "Always",
            "name": "debug4",
            "resources": {},
            "stdin": true,
            "stdinOnce": true,
            "terminationMessagePath": "/dev/termination-log",
            "terminationMessagePolicy": "File",
            "tty": true,
            "volumeMounts": [
              {
                "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
                "name": "kube-api-access-pls9v",
                "readOnly": true
              }
            ]
          }
        ],
        "dnsPolicy": "ClusterFirst",
        "enableServiceLinks": true,
        "hostNetwork": true,
        "nodeName": "gke-sa-da-gke-lls-default-pool-1e5fc85d-9rug",
        "preemptionPolicy": "PreemptLowerPriority",
        "priority": 0,
        "restartPolicy": "Never",
        "schedulerName": "default-scheduler",
        "securityContext": {},
        "serviceAccount": "default",
        "serviceAccountName": "default",
        "terminationGracePeriodSeconds": 30,
        "tolerations": [
          {
            "effect": "NoExecute",
            "key": "node.kubernetes.io/not-ready",
            "operator": "Exists",
            "tolerationSeconds": 300
          },
          {
            "effect": "NoExecute",
            "key": "node.kubernetes.io/unreachable",
            "operator": "Exists",
            "tolerationSeconds": 300
          }
        ],
        "volumes": [
          {
            "name": "kube-api-access-pls9v",
            "projected": {
              "defaultMode": 420,
              "sources": [
                {
                  "serviceAccountToken": {
                    "expirationSeconds": 3607,
                    "path": "token"
                  }
                },
                {
                  "configMap": {
                    "items": [
                      {
                        "key": "ca.crt",
                        "path": "ca.crt"
                      }
                    ],
                    "name": "kube-root-ca.crt"
                  }
                },
                {
                  "downwardAPI": {
                    "items": [
                      {
                        "fieldRef": {
                          "apiVersion": "v1",
                          "fieldPath": "metadata.namespace"
                        },
                        "path": "namespace"
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      },
      "status": {
        "conditions": [
          {
            "lastProbeTime": null,
            "lastTransitionTime": "2023-04-27T11:50:35Z",
            "status": "True",
            "type": "Initialized"
          },
          {
            "lastProbeTime": null,
            "lastTransitionTime": "2023-04-27T11:50:36Z",
            "status": "True",
            "type": "Ready"
          },
          {
            "lastProbeTime": null,
            "lastTransitionTime": "2023-04-27T11:50:36Z",
            "status": "True",
            "type": "ContainersReady"
          },
          {
            "lastProbeTime": null,
            "lastTransitionTime": "2023-04-27T11:50:35Z",
            "status": "True",
            "type": "PodScheduled"
          }
        ],
        "containerStatuses": [
          {
            "containerID": "containerd://415af393459f3a8bccabb0ddd595e3276d2b5206bc3d1f34866c5fc6e14cd35f",
            "image": "docker.io/library/ubuntu:latest",
            "imageID": "docker.io/library/ubuntu@sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21",
            "lastState": {},
            "name": "debug4",
            "ready": true,
            "restartCount": 0,
            "started": true,
            "state": {
              "running": {
                "startedAt": "2023-04-27T11:50:36Z"
              }
            }
          }
        ],
        "hostIP": "10.132.0.28",
        "phase": "Running",
        "podIP": "10.132.0.28",
        "podIPs": [
          {
            "ip": "10.132.0.28"
          }
        ],
        "qosClass": "BestEffort",
        "startTime": "2023-04-27T11:50:35Z"
      }
    },
    "serviceName": "k8s.io",
    "status": {
      "code": 0
    }
  },
  "insertId": "c9f95099-6738-4781-8993-58d5fbb5c2c0",
  "resource": {
    "type": "k8s_cluster",
    "labels": {
      "location": "europe-west1",
      "cluster_name": "sa-da-gke-lls",
      "project_id": "elastic-sa"
    }
  },
  "timestamp": "2023-04-27T20:58:37.419997Z",
  "labels": {
    "authorization.k8s.io/reason": "access granted by IAM permissions.",
    "authorization.k8s.io/decision": "allow"
  },
  "logName": "projects/elastic-sa/logs/cloudaudit.googleapis.com%2Factivity",
  "operation": {
    "id": "c9f95099-6738-4781-8993-58d5fbb5c2c0",
    "producer": "k8s.io",
    "first": true,
    "last": true
  },
  "receiveTimestamp": "2023-04-27T20:59:08.485927903Z"
}

"resourceName": "core/v1/namespaces/default/pods/debug4" exists

So gcp.audit.resource_name should be set to "core/v1/namespaces/default/pods/debug4" but it is left empty

Danouchka commented 1 year ago

Using 8.6.2 cc @valerioarvizzigno @endorama

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)