FAQ: Why isn’t the containerized Agent monitoring audit events on my Azure Kubernetes clusters that have Ubuntu 18 nodes?

Azure includes default audit rules for Ubuntu 18 distributions enabled in Kubernetes clusters. These default audit rules prevent the F5 Distributed Cloud App Infrastructure Protection (AIP) containerized Agent from monitoring syscalls that trigger audit events. As a workaround, you can update the Distributed Cloud AIP Agent’s Helm chart or .yaml file to automatically move the default audit rules file to a different directory and restart the Ubuntu 18 nodes. This allows the Distributed Cloud AIP Agent to load its audit rules and monitor audit events.

To enable the Distributed Cloud AIP containerized Agent to monitor audit events on Ubuntu 18 distributions enabled in Azure Kubernetes clusters:

  1. Deploy the Distributed Cloud AIP containerized Agent to the Azure Kubernetes cluster.
  2. Do one of the following:
    • If you deploy the Distributed Cloud AIP Kubernetes DaemonSet through Helm, then do the following:
      1. Go to the Distributed Cloud AIP Helm chart.
      2. Find the daemonset.additionalRuntimeConfig variable.
      3. Set the workaround_audit_lock parameter value to true.
      4. Deploy the Distributed Cloud AIP Helm chart to the cluster.
      5. Deploy the weaveworks/kured DaemonSet to the Azure Kubernetes cluster. Files can be found at https://github.com/weaveworks/kured/tree/master/charts/kured.
    • If you deploy the Distributed Cloud AIP Kubernetes DaemonSet through a .yaml file, then do the following:
      1. Go to the Distributed Cloud AIP .yaml file.
      2. Find the THREATSTACK_CONFIG_ARGS parameter under the DaemonSet’s containers > env section.
      3. In the THREATSTACK_CONFIG_ARGS value, add “workaround_audit_lock true”.
      4. Deploy the weaveworks/kured DaemonSet to the Azure Kubernetes cluster (the chart files are at the same weaveworks/kured URL given in the Helm steps above).

  In either case, the kured DaemonSet carries out a rolling reboot of the Ubuntu 18 nodes on which the Distributed Cloud AIP Agent is configured.
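For reference, the two variants side by side, as an added illustration rather than F5’s own chart or manifest: it assumes the Helm chart takes daemonset.additionalRuntimeConfig as one string of space-separated “key value” pairs and that the manifest passes the same pairs through the THREATSTACK_CONFIG_ARGS environment variable; the DaemonSet name, image reference and the pre-existing setting shown are placeholders.

```yaml
# Variant A: Helm values override (assumed values layout)
daemonset:
  # Extra runtime config handed to the Agent as space-separated "key value" pairs.
  # If you already set other pairs here, keep them and append the workaround flag.
  additionalRuntimeConfig: "workaround_audit_lock true"
---
# Variant B: plain DaemonSet manifest, only the path down to the env entry is shown;
# selector, labels, volumes etc. stay as in the F5-provided .yaml file.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: threatstack-agent            # placeholder name
spec:
  template:
    spec:
      containers:
        - name: threatstack-agent    # placeholder name
          image: AGENT_IMAGE_FROM_F5_MANIFEST   # placeholder, use the image from the F5 manifest
          env:
            - name: THREATSTACK_CONFIG_ARGS
              # Before (illustrative):  value: "existing_option value"
              # After: the workaround flag is appended, separated by a single space,
              # so any settings already present are preserved.
              value: "existing_option value workaround_audit_lock true"
```

The kured DaemonSet from the final step is deployed separately; this fragment covers only the Agent side of the workaround.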
