The NextGen Gateway supports audit logging using auditd to track system-level activity and Kubernetes-related configuration changes. Audit logging helps meet compliance and security requirements in regulated environments.

Audit logging is included but disabled by default.

Audited Events

When audit logging is enabled on the NextGen Gateway, the following events are captured:

  • Authentication activity, as recorded in /var/log/secure or /var/log/auth.log
  • Kubernetes and gateway configuration changes
  • Execution of privileged commands

Configure Audit Rules on NextGen Gateway

1. Monitor Configuration File Modifications

Open the audit rules file for editing:

sudo vi /etc/audit/rules.d/audit.rules

Add rules to audit specific configuration directories:

-w /var/log/rancher -p xa -k rancherlogs
-w /etc/rancher/k3s -p xa -k rancherk3sconf
-w /etc/netplan -p wxa -k netplanconf
-w /etc/ -p wa -k etcfiles

Rule definitions:
  • -w: watches a file or directory
  • -p: permission flags to audit
      • w: write
      • x: execute
      • a: attribute changes (ownership, permissions)
  • -k: key used to search audit logs

2. Reload Audit Rules

Apply the new rules by restarting auditd:

sudo systemctl restart auditd

3. Audit Execution of Privileged Commands

Open or create a dedicated audit rules file:

sudo vi /etc/audit/rules.d/priv-cmds.rules

Add auditing for key privileged binaries (verify paths with <cmd>):

-w /usr/bin/sudo -p x -k privexec
-w /bin/su -p x -k privexec
-w /bin/chown -p x -k privexec
-w /bin/chmod -p x -k privexec
-w /usr/bin/vi -p x -k privexec
-w /usr/bin/rm -p x -k privexec
-w /usr/bin/cp -p x -k privexec
-w /usr/bin/nano -p x -k privexec
-w /usr/bin/mv -p x -k privexec
-w /usr/bin/mkdir -p x -k privexec
-w /usr/bin/touch -p x -k privexec
-w /usr/bin/service -p x -k privexec
-w /usr/bin/systemctl -p x -k privexec
-w /usr/bin/netplan -p x -k privexec
-w /usr/bin/kill -p x -k privexec
-w /usr/bin/curl -p x -k privexec
-w /usr/bin/wget -p x -k privexec
-w /usr/bin/cat -p x -k privexec
-w /usr/bin/tar -p x -k privexec
-w /usr/bin/iptables -p x -k privexec
-w /usr/bin/ufw -p x -k privexec
-w /usr/bin/useradd -p x -k privexec
-w /usr/bin/passwd -p x -k privexec
-w /usr/bin/dpkg -p x -k privexec
-w /usr/bin/apt -p x -k privexec

  • -p x: audit command execution (exec)
  • -k privexec: use this key to easily search for all executions of these privileged commands

4. Reload the Audit Rules Again

To ensure all changes take effect:

sudo systemctl restart auditd
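After auditd has been restarted, confirm with sudo auditctl -l that the rules from both files are actually loaded; a rule with a typo or a path that does not exist is silently dropped at load time. The following Python script is an added example and is not part of the NextGen Gateway documentation: it parses the watch rules in the rules.d files and the output of auditctl -l into a normalized form and reports any drift between them. Both inputs here are constructed strings; on a gateway you would read the rules.d files and capture the auditctl -l output instead.

```python
"""Check that the watch rules written to /etc/audit/rules.d/ are the ones
auditd actually loaded.

Added example, not part of the NextGen Gateway documentation. On a live
gateway, feed it the concatenated rules.d files and the output of
`sudo auditctl -l`; the two strings below are constructed so the script
runs offline.
"""
import shlex
from typing import NamedTuple, Set, Tuple


class WatchRule(NamedTuple):
    path: str    # watched file or directory, trailing slash removed
    perms: str   # permission flags sorted, so "xa" and "ax" compare equal
    key: str


def parse_watch_rules(text: str) -> Set[WatchRule]:
    """Parse '-w PATH -p PERMS -k KEY' lines into normalized WatchRule tuples.

    Blank lines, comments, control directives such as -D or -b, and the
    "No rules" line auditctl prints when nothing is loaded are skipped.
    """
    rules = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-w "):
            continue
        argv = shlex.split(line)
        opts = dict(zip(argv[::2], argv[1::2]))      # option -> value
        path = opts["-w"].rstrip("/") or "/"
        perms = "".join(sorted(opts.get("-p", "rwxa")))  # auditctl default is all four
        rules.add(WatchRule(path, perms, opts.get("-k", "")))
    return rules


def rule_drift(configured: str, live: str) -> Tuple[Set[WatchRule], Set[WatchRule]]:
    """Return (missing, unexpected): rules defined in the files but not
    loaded, and loaded rules that no file defines."""
    want = parse_watch_rules(configured)
    have = parse_watch_rules(live)
    return want - have, have - want


# Constructed copy of the rules from the two rules.d files above (abbreviated).
CONFIGURED_RULES = """\
# /etc/audit/rules.d/audit.rules
-w /var/log/rancher -p xa -k rancherlogs
-w /etc/rancher/k3s -p xa -k rancherk3sconf
-w /etc/netplan -p wxa -k netplanconf
-w /etc/ -p wa -k etcfiles
# /etc/audit/rules.d/priv-cmds.rules (first entries)
-w /usr/bin/sudo -p x -k privexec
-w /bin/su -p x -k privexec
"""

# Constructed `auditctl -l` output: the netplan rule failed to load and a
# stale rule for /etc/ssh from an earlier configuration is still present.
LIVE_RULES = """\
-w /var/log/rancher -p xa -k rancherlogs
-w /etc/rancher/k3s -p xa -k rancherk3sconf
-w /etc -p wa -k etcfiles
-w /usr/bin/sudo -p x -k privexec
-w /bin/su -p x -k privexec
-w /etc/ssh -p wa -k sshconf
"""

if __name__ == "__main__":
    missing, unexpected = rule_drift(CONFIGURED_RULES, LIVE_RULES)
    for r in sorted(missing):
        print(f"MISSING   -w {r.path} -p {r.perms} -k {r.key}")
    for r in sorted(unexpected):
        print(f"UNEXPECTED -w {r.path} -p {r.perms} -k {r.key}")
```

Run it after every rules change; a non-empty "missing" set means the audit trail you are relying on for compliance is not being written, and "unexpected" rules usually point at a rules.d file that was renamed or deleted without reloading.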

5. Review Audit Logs

To search for audited events by key:

sudo ausearch -k rancherlogs
sudo ausearch -k rancherk3sconf
sudo ausearch -k netplanconf
sudo ausearch -k etcfiles
sudo ausearch -k privexec
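A key search returns one multi-record event per execution (SYSCALL, EXECVE, CWD and PATH records sharing a serial number), which is verbose to read by hand. The following Python script is an added example, not part of the NextGen Gateway documentation: it parses the raw record format of /var/log/audit/audit.log (the same lines sudo ausearch -k privexec --raw prints), joins the records of each event by serial, decodes the hex-escaped arguments auditd emits for values containing spaces, and reports who ran which command. The log lines it contains are constructed for the example.

```python
"""Summarize privileged-command executions from raw auditd records.

Added example, not part of the NextGen Gateway documentation. Reads the
raw record format of /var/log/audit/audit.log (also produced by
`sudo ausearch -k privexec --raw`), joins the SYSCALL, EXECVE and CWD
records that share one event serial, and reports who ran what. The
sample records below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"   # auditd's value for "no login session"


def parse_fields(body: str) -> Dict[str, str]:
    """Split a record body into its key=value pairs (values kept verbatim)."""
    return dict(FIELD_RE.findall(body))


def unquote(v: str, hex_ok: bool = False) -> str:
    """Strip audit's double quotes; with hex_ok, decode the unquoted hex
    form audit uses for values containing spaces or control characters."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return v[1:-1]
    if hex_ok and len(v) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", v):
        return bytes.fromhex(v).decode("utf-8", "replace")
    return v


def summarize(log_text: str, key: str) -> List[Dict[str, str]]:
    """Return one summary dict per event whose SYSCALL record carries `key`."""
    events: Dict[str, Dict] = defaultdict(dict)   # serial -> {"ts", "SYSCALL", ...}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev = events[m["serial"]]
        ev.setdefault("ts", m["ts"])
        ev[m["type"]] = parse_fields(m["body"])

    out = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev.get("SYSCALL")
        if not sc or unquote(sc.get("key", "")) != key:
            continue
        ex = ev.get("EXECVE", {})
        argv, i = [], 0
        while f"a{i}" in ex:                      # a0, a1, ... in order
            argv.append(unquote(ex[f"a{i}"], hex_ok=True))
            i += 1
        auid = sc.get("auid", UNSET_AUID)
        out.append({
            "serial": serial,
            "time": ev["ts"],
            # auid is the login uid: it survives sudo/su, unlike uid/euid
            "login_uid": "unset" if auid == UNSET_AUID else auid,
            "euid": sc.get("euid", "?"),
            "exe": unquote(sc.get("exe", "?")),
            "cwd": unquote(ev.get("CWD", {}).get("cwd", "?")),
            "success": sc.get("success", "?"),
            "cmdline": " ".join(argv),
        })
    return out


# Constructed records: a chmod run via sudo by login uid 1000, an /etc write
# under a different key, and a curl with no login session (e.g. a service).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1717000000.101:4101): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0 a1=55d0e0 a2=55d100 a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="privexec"
type=EXECVE msg=audit(1717000000.101:4101): argc=3 a0="chmod" a1="600" a2="/etc/rancher/k3s/k3s.yaml"
type=CWD msg=audit(1717000000.101:4101): cwd="/root"
type=PATH msg=audit(1717000000.101:4101): item=0 name="/usr/bin/chmod" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1717000000.250:4102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f00 a2=241 a3=1b6 items=1 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="etcfiles"
type=PATH msg=audit(1717000000.250:4102): item=0 name="/etc/hosts" inode=77 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1717000000.400:4103): arch=c000003e syscall=59 success=yes exit=0 a0=55e0c0 a1=55e0e0 a2=55e100 a3=0 items=2 ppid=1500 pid=1501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="curl" exe="/usr/bin/curl" key="privexec"
type=EXECVE msg=audit(1717000000.400:4103): argc=3 a0="curl" a1="-o" a2=2F746D702F6E65772066696C65
type=CWD msg=audit(1717000000.400:4103): cwd="/tmp"
"""

if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG, "privexec"):
        print(f'{e["time"]} auid={e["login_uid"]} euid={e["euid"]} '
              f'cwd={e["cwd"]} {e["exe"]}: {e["cmdline"]}')
```

The login uid (auid) is the field to pivot on when reviewing privexec events: it is fixed at login and survives sudo and su, so it still identifies the operator when uid and euid both read 0, while an unset auid marks executions that did not originate from an interactive session.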

Add log rotation to the configuration:

sudo vi /etc/logrotate.d/audit

Configuration:

/var/log/audit/audit.log {
    daily
    # keep 10 rotated files, like kube-apiserver --audit-log-maxbackup=10
    rotate 10
    # delete rotated files older than 30 days, like --audit-log-maxage=30
    maxage 30
    # rotate once the log reaches 10 MB (--audit-log-maxsize is in MB);
    # note that "size" overrides the "daily" interval above, so use
    # "maxsize" instead if rotation on whichever comes first is wanted
    size 10M
    missingok
    notifempty
    compress
    delaycompress
    # auditd also rotates its own log (max_log_file / max_log_file_action
    # in /etc/audit/auditd.conf); set max_log_file_action to ignore there
    # so that the two mechanisms do not both rotate the file
    postrotate
        /etc/init.d/auditd reload > /dev/null 2>&1 || true
    endscript
}