FAQ: Why isn’t the containerized Agent monitoring audit events on my Azure Kubernetes clusters that have Ubuntu 18 nodes?

Azure includes default audit rules for Ubuntu 18 distributions enabled in Kubernetes clusters. These default audit rules prevent the App Infrastructure Protection (AIP) containerized Agent from monitoring syscalls that trigger audit events. As a workaround, you can update the AIP Agent’s Helm chart or .yaml file to automatically move the default audit rules file to a different directory and restart the Ubuntu 18 nodes. This allows the AIP Agent to load its audit rules and monitor audit events.

To enable the AIP containerized Agent to monitor audit events on Ubuntu 18 nodes in Azure Kubernetes clusters:

  1. Deploy the AIP containerized Agent to the Azure Kubernetes cluster.
  2. Do one of the following:
    • If you deploy the AIP Kubernetes DaemonSet through Helm, then do the following:
      1. Go to the AIP Helm chart.
      2. Find the daemonset.additionalRuntimeConfig variable.
      3. Set the workaround_audit_lock parameter value to true.
      4. Deploy the AIP Helm chart to the cluster.
      5. Deploy the weaveworks/kured DaemonSet to the Azure Kubernetes cluster. Files can be found at https://github.com/weaveworks/kured/tree/master/charts/kured.
    • If you deploy the AIP Kubernetes DaemonSet through .yaml file, then do the following:
      1. Go to the AIP .yaml file.
      2. Find the DaemonSet’s containers > env > THREATSTACK_CONFIG_ARGS parameter.
      3. In the THREATSTACK_CONFIG_ARGS value, add “workaround_audit_lock true”.
      4. Deploy the weaveworks/kured DaemonSet to the Azure Kubernetes cluster. Files can be found at https://github.com/weaveworks/kured/tree/master/charts/kured.

In both cases, the kured DaemonSet carries out a rolling reboot of the Ubuntu 18 nodes on which the AIP Agent is configured. After the reboot the default audit rules file has been moved aside, so the AIP Agent can load its own audit rules and monitor audit events.
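The following is an added example, not a manifest from the article or from the Threat Stack project, showing where the workaround_audit_lock setting lands in each of the two deployment methods. The first document is a Helm values override using the daemonset.additionalRuntimeConfig key named in the article; the second is a trimmed DaemonSet container spec with the THREATSTACK_CONFIG_ARGS environment variable. The DaemonSet name, namespace, container image tag and the enable_containers argument are assumptions used only to make the fragment complete.

```yaml
# Added example (not Threat Stack's own chart or manifest).
#
# Document 1: Helm values override for the AIP chart.
# Assumption: additionalRuntimeConfig is a single string of
# space-separated "key value" pairs passed to the Agent.
daemonset:
  additionalRuntimeConfig: "workaround_audit_lock true"
---
# Document 2: the same setting in a raw DaemonSet manifest.
# Name, namespace, image tag and the enable_containers argument
# are placeholders; only workaround_audit_lock comes from the article.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: threatstack-agent          # assumed name
  namespace: threatstack           # assumed namespace
spec:
  selector:
    matchLabels:
      app: threatstack-agent
  template:
    metadata:
      labels:
        app: threatstack-agent
    spec:
      containers:
        - name: threatstack-agent
          image: threatstack/ts-docker2:latest   # placeholder image
          env:
            # Before the workaround (Agent cannot load its audit rules
            # while Azure's default Ubuntu 18 rules are in place):
            #   - name: THREATSTACK_CONFIG_ARGS
            #     value: "enable_containers true"
            #
            # After: append the workaround flag to the existing value.
            - name: THREATSTACK_CONFIG_ARGS
              value: "enable_containers true workaround_audit_lock true"
```

Apply the override with helm upgrade --install (passing the values file with -f) or the manifest with kubectl apply -f, then deploy the kured DaemonSet so the Ubuntu 18 nodes are rebooted in a rolling fashion. The flag only takes effect after that reboot, so an Agent that still reports no audit events immediately after the change is expected until kured has cycled the node.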
