From e83d37a88f78af00208bc4fa25482cce250e0f8b Mon Sep 17 00:00:00 2001 From: Stephen Fox Jr Date: Thu, 17 Aug 2023 09:37:19 -0400 Subject: [PATCH 1/2] readme: Recommend using rsyslog w/ our config. --- README.md | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index c078d43..b17856e 100644 --- a/README.md +++ b/README.md 
@@ -124,34 +124,43 @@ Example: audito-maldito can be run as a standalone application (such as a systemd unit) or as a Kubernetes Daemonset. At Equinix Metal, we deploy the -application in kubernetes using a Helm chart. The chart relies on rsyslog, +application in Kubernetes using a Helm chart. The chart relies on rsyslog, which is responsible for passing OpenSSH daemon logs and Linux audit logs to audito-maldito using named pipes. audito-maldito reads from these named pipes and then writes its audit events to another named pipe. The following subsections discuss several installation and deployment methods. -#### From source +#### Standalone (from source or as a container) -If you would like to build from source, you can use `go build` if you have -a copy of the source code on hand: +If you would like to run audito-maldito as a standalone application (i.e., +outside of Kubernetes), you can build it from source or use a pre-built +container image. + +While not required, we recommend using `rsyslog` to pass OpenSSH logs and +Linux audit logs into audito-maldito. An example rsyslog container image +and rsyslog configuration can be found under: + +- [contrib/rsyslog](contrib/rsyslog) + +To build audito-maldito from source, execute the following command at the root +of the repository: ```sh go build ``` +Pre-built container images for both audito-maldito and rsyslog can be found +in GitHub's container registry: + +- https://github.com/metal-toolbox/audito-maldito/pkgs/container/audito-maldito%2Faudito-maldito + #### Kubernetes A Helm chart can be found in the equinixmetal-helm GitHub organization: - https://github.com/equinixmetal-helm/audito-maldito -#### Container image - -A pre-built container image can be found in GitHub's container registry: - -- https://github.com/metal-toolbox/audito-maldito/pkgs/container/audito-maldito%2Faudito-maldito - ## Configuration The following subsections discuss audito-maldito's configuration. 
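Review bot: the added line "Pre-built container images for both audito-maldito and rsyslog can be found in GitHub's container registry:" promises two images, but the bullet list that follows carries only the audito-maldito package URL, so a reader looking for the rsyslog image is left with nothing. Either add the rsyslog package URL as a second bullet, or reword the sentence to cover audito-maldito only and point back at the `[contrib/rsyslog](contrib/rsyslog)` link introduced earlier in this hunk for the rsyslog image.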
From d3062303e8c3f1a2796d323105db5ddfb217b0af Mon Sep 17 00:00:00 2001 From: Stephen Fox Jr Date: Thu, 17 Aug 2023 09:50:45 -0400 Subject: [PATCH 2/2] readme: Clarify arguments and file types. --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b17856e..930369b 100644 --- a/README.md +++ b/README.md @@ -127,7 +127,7 @@ unit) or as a Kubernetes Daemonset. At Equinix Metal, we deploy the application in Kubernetes using a Helm chart. The chart relies on rsyslog, which is responsible for passing OpenSSH daemon logs and Linux audit logs to audito-maldito using named pipes. audito-maldito reads from these named -pipes and then writes its audit events to another named pipe. +pipes and then writes its audit events to a named pipe or file. The following subsections discuss several installation and deployment methods. @@ -186,9 +186,9 @@ The following files are required by audito-maldito to run: #### Output data -Audit events produced by audito-maldito are written to `/app-audit/audit.log` -by default (this can be a regular file or a named pipe). This file path can -be customized using the `-app-events-output` argument. +Audit events produced by audito-maldito are written to the file path +specified by the `-app-events-output` argument. This file path can be +a regular file or a named pipe. ## Development
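Review bot: style: in the first hunk (`@@ -127,7 +127,7 @@`) the context line "unit) or as a Kubernetes Daemonset." still has the lowercase "Daemonset" even though PATCH 1 capitalised "Kubernetes" on the very next line; the Kubernetes resource kind is spelled "DaemonSet", so fix it here while the paragraph is being edited. The change from "another named pipe" to "a named pipe or file" corrects a sentence PATCH 1 left in place, so consider squashing this hunk into PATCH 1 rather than landing the inaccurate wording and then fixing it in the same series.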
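Review bot: in the second hunk (`@@ -186,9 +186,9 @@`) the rewrite drops the default path `/app-audit/audit.log` without saying whether a default still exists; "written to the file path specified by the `-app-events-output` argument" reads as if the flag were now mandatory. If the flag still has a default, keep it in the text (e.g. "specified by the `-app-events-output` argument (default: `/app-audit/audit.log`)"); if the argument is now required, say "must be specified" and state what happens when it is omitted. Since the output may be a regular file rather than a named pipe, the paragraph would also benefit from a sentence on the ownership and permissions the audit log file is expected to have, as it holds audit events.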