
Container technology is gaining traction among businesses because of the efficiency gains it offers. Many organizations make extensive use of Kubernetes to deploy, scale, and manage containerized applications. These organizations need to audit Kubernetes to ensure regulatory compliance, find anomalies, and identify security risks. The Wazuh open source platform plays a key role in monitoring Kubernetes and the other components of an organization's infrastructure.
What is Kubernetes
Kubernetes is an open source container orchestration platform that automates the deployment and scaling of containers and manages the container lifecycle. It groups containers into logical units to simplify management and discovery, and it changes how containerized applications can be scaled so that the underlying infrastructure can be treated as truly persistent.
You can use Kubernetes to build cloud-native applications based on microservices. Proponents see Kubernetes as the foundation for application modernization: it lets existing applications be containerized and allows developers to deliver new applications quickly.
Running an application becomes more complex when it is spread across multiple servers and containers. To address this complexity, Kubernetes exposes an open source API that controls where and how these containers run. Kubernetes has built-in load balancing, service discovery, resource allocation tracking, and scaling based on compute usage. It also evaluates the state of each resource and lets applications self-heal by replicating containers or restarting them automatically.
Kubernetes Audit
Organizations must comply with a range of regulations and standards, depending on the jurisdiction and sector in which they operate. Some of these, such as PCI DSS and GDPR, also improve the cyber resilience of an organization's IT infrastructure. Kubernetes clusters are part of that infrastructure, so organizations need to ensure their clusters comply with these requirements and with security best practices.
One requirement found in most IT policy documents is a log retention policy, which determines how long logs are stored. Retained logs are used to identify threats during active monitoring and to reconstruct activity during incident investigations.
Administrators and workloads interact with a Kubernetes cluster through the Kubernetes API, and the cluster can record every API request and its response in an audit log. Unusual or unwanted API calls can be detected from these audit logs; more specifically, you can alert on events such as authentication failures and the creation, modification, and deletion of resources. Kubernetes audit logging is disabled by default, so it has to be enabled explicitly by configuring the API server with an audit policy and a log destination.
Monitor and archive Kubernetes audit logs with Wazuh
Audit logs must be monitored to detect security threats and anomalies, and they must be indexed so that relevant information can be found quickly during incident investigations. Wazuh monitors, stores, and indexes Kubernetes audit logs. Wazuh is an open source platform that unifies XDR and SIEM capabilities. It is free for commercial use and is downloaded more than 10 million times a year.
The Wazuh development team maintains a detailed guide on auditing Kubernetes with Wazuh. The guide walks through the steps to:
- Configure your Wazuh server to receive and process Kubernetes audit logs.
- Enable audit logs in your Kubernetes cluster and forward them to your Wazuh server.
You can create custom rules that trigger alerts when Wazuh detects specific events in your Kubernetes audit logs. For example, you can create rules that trigger alerts when resources are created or deleted in your Kubernetes cluster.
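As an added example (not code from this blog post or from the Wazuh project), the following Python script shows the logic that such rules encode, applied to constructed kube-apiserver audit events in the audit.k8s.io/v1 format: it raises alerts for authentication failures, authorization failures, and resource creation, modification, and deletion; archives everything else; and adds a correlation alert when one source IP repeatedly fails authentication. The rule names, severity levels, the failure threshold, and the usernames, IPs, and audit IDs in the sample events are assumptions made for this example.

```python
import json
from collections import Counter


def _event(audit_id, verb, user, ip, resource, namespace, name, code=None, stage="ResponseComplete"):
    """Build one constructed audit.k8s.io/v1 event (keys with None values are omitted)."""
    event = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
             "auditID": audit_id, "stage": stage, "verb": verb,
             "user": {"username": user}, "sourceIPs": [ip],
             "objectRef": {k: v for k, v in
                           {"resource": resource, "namespace": namespace, "name": name}.items()
                           if v is not None}}
    if code is not None:
        event["responseStatus"] = {"code": code}
    return event


# Constructed sample log: one JSON event per line, as kube-apiserver writes them to
# --audit-log-path. Request a1 appears twice, once at RequestReceived (no response
# yet) and once at ResponseComplete, the stage that carries the status code.
SAMPLE_EVENTS = [
    _event("a1", "create", "admin", "10.0.0.5", "pods", "default", "web-1", stage="RequestReceived"),
    _event("a1", "create", "admin", "10.0.0.5", "pods", "default", "web-1", 201),
    _event("a2", "delete", "ci-bot", "10.0.0.7", "pods", "default", "web-0", 200),
    _event("a3", "patch", "dev@example.com", "10.0.0.9", "deployments", "default", "web", 200),
    _event("a4", "get", "system:anonymous", "203.0.113.9", "secrets", "default", "db-creds", 401),
    _event("a5", "get", "system:anonymous", "203.0.113.9", "secrets", "default", "db-creds", 401),
    _event("a6", "get", "system:anonymous", "203.0.113.9", "secrets", "kube-system", "admin-token", 401),
    _event("a7", "list", "dev@example.com", "10.0.0.9", "secrets", "kube-system", None, 403),
    _event("a8", "get", "system:kube-scheduler", "10.0.0.2", "nodes", None, "node-1", 200),
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json at all"]


def _status(event):
    return event.get("responseStatus", {}).get("code", 0)


def _ok(event):
    return 200 <= _status(event) < 300


# First-match rule table: (rule name, severity level, predicate). Names and levels
# are assumptions modelled on how a SIEM rule set such as Wazuh's is organized.
RULES = [
    ("k8s_authentication_failure", 10, lambda e: _status(e) == 401),
    ("k8s_authorization_failure", 8, lambda e: _status(e) == 403),
    ("k8s_resource_created", 5, lambda e: e.get("verb") == "create" and _ok(e)),
    ("k8s_resource_deleted", 6, lambda e: e.get("verb") in ("delete", "deletecollection") and _ok(e)),
    ("k8s_resource_modified", 4, lambda e: e.get("verb") in ("update", "patch") and _ok(e)),
]


def classify(event):
    """Return an alert dict for one audit event, or None if it is archive-only."""
    # Only ResponseComplete carries the status code; the RequestReceived record for
    # the same auditID is skipped so a single request cannot alert twice.
    if event.get("stage") != "ResponseComplete":
        return None
    for rule, level, matches in RULES:
        if matches(event):
            ref = event.get("objectRef", {})
            return {"rule": rule, "level": level, "auditID": event.get("auditID"),
                    "user": event.get("user", {}).get("username"), "verb": event.get("verb"),
                    "resource": ref.get("resource"), "namespace": ref.get("namespace"),
                    "name": ref.get("name"), "source_ip": (event.get("sourceIPs") or [None])[0]}
    return None


def process_log(lines, auth_failure_threshold=3):
    """Split raw audit log lines into alerts and archive-only events, then add a
    correlation alert when one source IP produces repeated authentication failures."""
    alerts, archived, malformed = [], [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1  # keep counting: dropped lines are themselves worth noticing
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
        else:
            archived.append(event)
    failures = Counter(a["source_ip"] for a in alerts if a["rule"] == "k8s_authentication_failure")
    for ip, count in failures.items():
        if count >= auth_failure_threshold:
            alerts.append({"rule": "k8s_repeated_authentication_failure", "level": 12,
                           "source_ip": ip, "count": count})
    return {"alerts": alerts, "archived": archived, "malformed": malformed}


if __name__ == "__main__":
    result = process_log(SAMPLE_LOG_LINES)
    for alert in result["alerts"]:
        print(f"[level {alert['level']:>2}] {alert['rule']}: {alert}")
    print(f"{len(result['archived'])} archived, {result['malformed']} malformed")
```

Run against the constructed log, the script produces seven per-event alerts plus one correlation alert for the three 401 responses from 203.0.113.9, archives the RequestReceived record and the scheduler's routine read, and counts the one malformed line. The stage check is the detail practitioners most often miss: when the audit policy omits `omitStages: [RequestReceived]`, every request is logged twice, and rules keyed only on verb and resource will double-count.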
Figure 1: Alerts triggered from Kubernetes audit logs in the Wazuh dashboard
You can also configure Wazuh to archive every event it receives and display the archive in the dashboard. The archive includes the Kubernetes events that did not trigger any alert, so nothing is lost for later investigation.
Figure 2: Kubernetes audit log archive in the Wazuh dashboard
The Wazuh indexer is a highly scalable full-text search and analytics engine. It indexes and stores the Kubernetes audit logs, providing real-time search and analysis over them. This makes incident investigations more efficient when you need to retrieve relevant records from a large volume of audit data.
Conclusion
Kubernetes is widely used for deploying, scaling, and managing applications. For security and compliance purposes, you should retain Kubernetes audit logs, because they contain data that can indicate unusual or undesirable activity. Wazuh is an open source XDR and SIEM solution that monitors, archives, and queries Kubernetes audit logs to identify security threats and other anomalies. Wazuh also protects other components of your IT infrastructure, such as endpoints and cloud workloads.
Wazuh has a large community of users who support each other and help improve the product. Join the Wazuh community to contribute to the product or request support if you run into any issues.

