Enabling the Audit Function
In the container security list, you can see whether the audit function is enabled. If "Open the audit" in the operation column is displayed in gray, the audit function is unavailable and you need to enable it first. If it is displayed in red, the audit function is available.
Enabling the Audit Function for Clusters
1. Log in to the CSG Console.
2. On the left navigation bar, select Installation configuration > Component installation to go to the Component installation page.
3. Click "Cluster component configuration" in the Cluster List operation column to go to the Cluster global settings page.
4. Set the "turn on container auditing" switch to ON and click "save".
Enabling the Audit Function for Containers
1. Log in to the CSG Console.
2. On the left navigation bar, select Container security > Real-time monitoring to go to the Real-time monitoring page.
3. Click "Open the audit" in the Container List operation column, or check multiple containers and click "Open the audit" at the top right of the list to enable the audit function for containers in batches.
Configuring Container Audit
Configure Container Survey Audit Information Retention Time and Container Survey Audit Information Retention Capacity. For details, see Container Settings.
Viewing Audit Information
The container audit function provides statistics of normal and abnormal container events, including container process events, file events, and network events.
Prerequisites
You have enabled the audit function for the container cluster.
Procedure
1. Log in to the CSG Console.
2. Select Container security > Real-time monitoring on the left navigation bar to go to the Real-time monitoring page.
3. Click the container name in the container list to go to the Container Details page.
4. Select the Container audit tab to go to the Audit Details page. You can view the line chart of the number of normal events and abnormal events of the container changing over time (the events in the last 15 minutes are counted by default). Furthermore, the numbers of process events, file events, and network events of the container are counted by category. You can select the time or drag the progress bar below to view the event information of the container in different periods.
5. View the event list. The list below the statistics chart shows the events that occurred in the container. Click a row in the list to expand it and see the details of the corresponding event.
Description of Container Audit Event Parameters:
Parameter | Description |
Process Name | The name of the process. |
User | The executing user. |
Path | The path where the command was executed. |
Process Command Line | The specific command line for execution. |
Event Type | The container event type, divided into process events, file events, and network events. |
Security Status | The security status is divided into Normal and Abnormal. |
Time | The time when the event occurred, which is shown in reverse chronological order in the event list. |