FAQ: Why isn’t the containerized Agent monitoring audit events on my Azure Kubernetes clusters that have Ubuntu 18 nodes?

Azure includes default audit rules for Ubuntu 18 distributions enabled in Kubernetes clusters. These default audit rules prevent the Threat StackⓇ containerized Agent from monitoring syscalls that trigger audit events. As a workaround, you can update the Threat Stack Agent’s Helm chart or .yaml file to automatically move the default audit rules file to a different directory and restart the Ubuntu 18 nodes. This allows the Threat Stack Agent to load its audit rules and monitor audit events.

To enable the Threat Stack containerized Agent to monitor audit events on Ubuntu 18 distributions enabled in Azure Kubernetes clusters:

  1. Deploy the Threat Stack containerized Agent to the Azure Kubernetes cluster.
  2. Do one of the following:
    • If you deploy the Threat Stack Kubernetes DaemonSet through Helm, then do the following:
      1. Go to the Threat Stack Helm chart.
      2. Find the daemonset.additionalRuntimeConfig variable.
      3. Set the workaround_audit_lock parameter value to true.
      4. Deploy the Threat Stack Helm chart to the cluster.
      5. Deploy the weaveworks/kured DaemonSet to the Azure Kubernetes cluster. Files can be found at https://github.com/weaveworks/kured/tree/master/charts/kured.
    • If you deploy the Threat Stack Kubernetes DaemonSet through .yaml file, then do the following:
      1. Go to the Threat Stack .yaml file.
      2. Find the DaemonSet’s containers > env > THREATSTACK_CONFIG_ARGS parameter, located here.
      3. In the THREATSTACK_CONFIG_ARGS value, add “workaround_audit_lock true”.
      4. Deploy the weaveworks/kured DaemonSet to the Azure Kubernetes cluster. Files can be found at https://github.com/weaveworks/kured/tree/master/charts/kured.

        The kured DaemonSet carries out a rolling reboot of Ubuntu 18 distribution nodes on which the Threat Stack Agent is configured.
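The two configuration fragments below illustrate the workaround for both deployment paths. They are an added example, not Threat Stack's own chart or manifest: the only names taken from the page are daemonset.additionalRuntimeConfig, workaround_audit_lock and THREATSTACK_CONFIG_ARGS; the surrounding structure (that additionalRuntimeConfig is a map of key/value settings, the DaemonSet name, namespace, container name and image placeholder, and the other values already present in THREATSTACK_CONFIG_ARGS) is assumed and should be matched against the real chart or .yaml file before use.

```yaml
# --- Fragment 1: Helm values override (assumed layout; check the real chart) ---
# Passed with `-f`/`--values` when deploying the Threat Stack Helm chart.
daemonset:
  additionalRuntimeConfig:
    # Moves Azure's default Ubuntu 18 audit rules file aside so the Agent's
    # own audit rules can load after the node reboots (page-documented setting).
    workaround_audit_lock: true

# --- Fragment 2: plain DaemonSet manifest (assumed skeleton; only the env var name is from the page) ---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: threatstack-agent        # assumed name
  namespace: threatstack         # assumed namespace
spec:
  selector:
    matchLabels:
      app: threatstack-agent
  template:
    metadata:
      labels:
        app: threatstack-agent
    spec:
      containers:
        - name: threatstack-agent
          image: THREATSTACK_AGENT_IMAGE_PLACEHOLDER   # replace with the image from the vendor file
          env:
            - name: THREATSTACK_CONFIG_ARGS
              # Space-separated "key value" pairs; the workaround flag is appended
              # to whatever arguments the vendor file already sets (other values here are placeholders).
              value: "OTHER_ARGS_FROM_VENDOR_FILE workaround_audit_lock true"
```

After either change is rolled out, the kured DaemonSet is still required: the relocated audit rules file only takes effect once each Ubuntu 18 node has been rebooted, and kured performs that reboot one node at a time so the cluster stays available. Until a node has rebooted, the Agent on it will continue to report no audit events, so a gap in syscall-based alerts on that node during the rollout window is expected rather than a sign of a second problem.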
