Alcide kAudit is designed to automatically analyze Kubernetes audit logs to detect anomalous behavior of users and service accounts. It detects security issues in Kubernetes administrative actions, especially anomalous behavior that can only be detected by observing extended context over multiple activities. In addition, kAudit supports Audit rules to detect violations of organization compliance policies regarding Kubernetes usage. Incident forensics, along with audit statistics, are presented in graphical and tabular summaries for easy investigation and analysis.
In this tutorial we will learn how to install kAudit in your environment, along with its infrastructure on AWS EKS.

Alcide Code-to-production security

Alcide kAudit can be used for:

For this tutorial you will need an EKS cluster, with sufficient privileges to install resources.

Alcide kAudit consumes the EKS audit log stream. In the following steps we will configure the required infrastructure components to stream Kubernetes audit logs from your EKS cluster to Alcide kAudit.

Let's begin by opening your terminal ...

export AWS_PROFILE=<AWS Account hosting logs profile name>
export AWS_DEFAULT_REGION=<region>
export CLUSTER_NAME=<EKS cluster name>
export EKS_ACCOUNT_ID=<eks AWS account ID>

For example:

export AWS_PROFILE=auditlogs-account
export AWS_DEFAULT_REGION=eu-west-1
export CLUSTER_NAME=myCluster
export EKS_ACCOUNT_ID=123456789012
cd /tmp
git clone
cd kaudit
# Create the logs-account stack (run with the logs account profile)
aws cloudformation create-stack --stack-name $CLUSTER_NAME-logs \
--template-body file://deploy/pre-install/aws/cloudformation/logsAccount.json \
--capabilities CAPABILITY_IAM \
--parameters ParameterKey="SourceAccount",ParameterValue="$EKS_ACCOUNT_ID"
echo It may take a few minutes...
aws cloudformation wait stack-create-complete --stack-name $CLUSTER_NAME-logs
# Read the Logs Destination ARN from the stack outputs
export Logs_Destination_ARN=$(aws cloudformation describe-stacks --stack-name $CLUSTER_NAME-logs \
--query 'Stacks[].Outputs[?starts_with(OutputKey, `Destination`) == `true`][].[OutputValue]' --output text)
if [[ $Logs_Destination_ARN == "arn:aws:logs"* ]]; then echo "We are ready, you can keep going..."; else echo "We can't get the Logs Destination ARN"; fi
# Switch to the EKS account
export AWS_PROFILE=<eks AWS account profile name>
export AWS_DEFAULT_REGION=<region>
# Enable audit logging on the cluster
aws eks update-cluster-config \
    --name $CLUSTER_NAME \
    --logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'
# Create the EKS-account stack, passing it the Logs Destination ARN
aws cloudformation create-stack --stack-name $CLUSTER_NAME-eks \
--template-body file://deploy/pre-install/aws/cloudformation/eksAccount.json \
--parameters ParameterKey="DestinationARN",ParameterValue="$Logs_Destination_ARN"
aws cloudformation wait stack-create-complete --stack-name $CLUSTER_NAME-eks

export AWS_PROFILE=<eks account profile name>
export AWS_DEFAULT_REGION=<region>
# Read one record from the stream and check that it decodes to a CloudWatch Logs message
if [[ $(echo -n \
        $(aws kinesis get-records --shard-iterator \
          $(aws kinesis get-shard-iterator \
          --shard-id shardId-000000000000 \
          --shard-iterator-type TRIM_HORIZON \
          --stream-name $CLUSTER_NAME-logs-Stream \
          --query 'ShardIterator' --output text) \
        --limit 1 --query 'Records[].[Data]' --output text) \
        | base64 -d | zcat | grep messageType) ]]; then
  echo "We are ready, you can continue :)"
else
  echo "The logs have not been received yet, please try again in a few moments..."
fi
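
The check above only greps for `messageType`, a field that is also present in the CONTROL_MESSAGE records CloudWatch Logs sends to test a destination. As an added example (not part of the original tutorial or Alcide's code), the following Python decodes a record the same way (base64, gzip, JSON) and reports whether it actually carries API-server audit events; the sample records are constructed, and the `kube-apiserver-audit` log stream prefix is an assumption about the EKS log layout.

```python
import base64, gzip, json

def classify_record(data_b64):
    """Decode one Kinesis 'Data' value and say what kind of message it holds."""
    doc = json.loads(gzip.decompress(base64.b64decode(data_b64)))
    if doc.get("messageType") != "DATA_MESSAGE":
        # CONTROL_MESSAGE is CloudWatch's own delivery probe, not cluster activity.
        return {"status": "control", "events": []}
    if not doc.get("logStream", "").startswith("kube-apiserver-audit"):
        # Assumed prefix of the EKS audit log stream; other streams are not audit data.
        return {"status": "other-log-type", "events": []}
    events = []
    for log_event in doc.get("logEvents", []):
        try:
            ev = json.loads(log_event["message"])
        except (KeyError, ValueError):
            continue  # skip entries that are not JSON audit events
        ref = ev.get("objectRef") or {}
        events.append((ev.get("user", {}).get("username"),
                       ev.get("verb"), ref.get("resource")))
    return {"status": "audit", "events": events}

def encode_sample(doc):
    """Pack a dict the way the subscription delivers it: JSON, gzip, base64."""
    return base64.b64encode(gzip.compress(json.dumps(doc).encode())).decode()

# Constructed sample records (not captured from a real cluster).
CONTROL_RECORD = encode_sample({
    "messageType": "CONTROL_MESSAGE", "logGroup": "", "logStream": "",
    "logEvents": [{"id": "", "timestamp": 0, "message": "CWL CONTROL MESSAGE"}],
})
AUDIT_RECORD = encode_sample({
    "messageType": "DATA_MESSAGE",
    "logGroup": "/aws/eks/myCluster/cluster",
    "logStream": "kube-apiserver-audit-0123456789abcdef",
    "logEvents": [{"id": "1", "timestamp": 0, "message": json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
        "user": {"username": "system:serviceaccount:default:builder"},
        "objectRef": {"resource": "secrets", "namespace": "default"},
    })}],
})

if __name__ == "__main__":
    for name, rec in (("control", CONTROL_RECORD), ("audit", AUDIT_RECORD)):
        print(name, classify_record(rec))
```

A "control" result means the stream is reachable but no audit events have arrived yet, so the pipeline is only confirmed once a record classifies as "audit".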

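To generate the Alcide kAudit deployment manifest, we will use helm template. The rendered file embeds the AWS access key and the image pull token passed below, so treat it as a secret.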

export AWS_PROFILE=<logs account profile name>
export AWS_DEFAULT_REGION=<region>
export CLUSTER_NAME=<EKS cluster name>
export ALCIDE_DOCKERHUB_TOKEN=<ask Alcide support>
helm template kaudit deploy/charts/kaudit \
  --set k8sAuditEnvironment="eks" \
  --set namespace="alcide-kaudit" \
  --set runOptions.eulaSign="true" \
  --set image.pullSecretToken="${ALCIDE_DOCKERHUB_TOKEN}" \
  --set clusterName="${CLUSTER_NAME}" \
  --set aws.region="${AWS_DEFAULT_REGION}" \
  --set aws.accessKeyId="$(aws cloudformation describe-stacks --stack-name $CLUSTER_NAME-logs \
--query 'Stacks[].Outputs[?starts_with(OutputKey, `kAuditUserKeyID`) == `true`][].[OutputValue]' --output text)" \
  --set aws.secretAccessKey="$(echo -n $(aws cloudformation describe-stacks --stack-name $CLUSTER_NAME-logs \
--query 'Stacks[].Outputs[?starts_with(OutputKey, `kAuditUserKeySecret`) == `true`][].[OutputValue]' --output text) | base64)" \
  --set aws.kinesisStreamName="$(aws cloudformation describe-stacks --stack-name $CLUSTER_NAME-logs \
--query 'Stacks[].Outputs[?starts_with(OutputKey, `StreamName`) == `true`][].[OutputValue]' --output text)" \
  > kaudit-$CLUSTER_NAME.yaml

Create a dedicated Namespace

kubectl create ns alcide-kaudit

Deploy kAudit

kubectl apply -f kaudit-$CLUSTER_NAME.yaml

All done! To access the kAudit UI, run:

kubectl port-forward -n alcide-kaudit service/kaudit-$CLUSTER_NAME 7000:443

Open your browser and go to

In this codelab we:
