Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1447774

Summary: Allow Install to enable audit logging configuration.
Product: OpenShift Container Platform
Component: Installer
Version: 3.5.0
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Reporter: Eric Rich <erich>
Assignee: Scott Dodson <sdodson>
QA Contact: Gaoyun Pei <gpei>
CC: aos-bugs, erich, gpei, jokerman, mmccomas
Doc Type: Enhancement
Doc Text: The example inventory files have been amended to illustrate all available audit logging configuration options.
Type: Bug
Last Closed: 2017-08-10 05:21:25 UTC
Bug Blocks: 1465299

Description Eric Rich 2017-05-03 19:03:19 UTC
Description of problem:

We provide an option, openshift_master_audit_config,

> https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.4.71-1/inventory/byo/hosts.ose.example#L638-L639

to enable audit logging, but don't document it: https://bugzilla.redhat.com/show_bug.cgi?id=1447773

That said, we need to provide a way at install time to enable the following configuration: https://docs.openshift.com/container-platform/3.5/install_config/master_node_configuration.html#master-node-config-audit-config

Comment 1 Eric Rich 2017-05-03 19:05:56 UTC
This should be addressed, because oc adm diagnostics (run as root|system:admin), run after a cluster install, will report:

>[Note] Running diagnostic: MasterConfigCheck
>       Description: Check the master config file

>WARN:  [DH0005 from diagnostic MasterConfigCheck@openshift/origin/pkg/diagnostics/host/check_master_config.go:52]
>       Validation of master config file '/etc/origin/master/master-config.yaml' warned:
> ...
>       auditConfig.auditFilePath: Required value: audit can now be logged to a separate file

Comment 2 Scott Dodson 2017-06-09 04:46:57 UTC
The full configurability of audit logging has always been possible; you just need to convert the full key value into JSON.

The only action for cluster lifecycle here is to update the example inventories with an example that uses all the options in the docs link from comment 0.

Comment 3 Scott Dodson 2017-06-15 20:31:23 UTC
https://github.com/openshift/openshift-ansible/pull/4458 community contribution

Comment 6 Gaoyun Pei 2017-06-20 03:18:21 UTC
Verified this with openshift-ansible-3.6.116-1.git.0.e2840e8.el7.noarch

In /usr/share/doc/openshift-ansible-docs-3.6.116/docs/example-inventories/hosts.ose.example we have more options added.

[root@gpei-test-ansible ]# grep openshift_master_audit_config /usr/share/doc/openshift-ansible-docs-3.6.116/docs/example-inventories/hosts.ose.example
#openshift_master_audit_config={"enabled": true}
#openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/openpaas-oscp-audit/openpaas-oscp-audit.log", "maximumFileRetentionDays": 14, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 5}}
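The conversion to JSON that comment 2 describes can be checked before an install run. The following is an added example, not code from openshift-ansible or from this bug: it validates an openshift_master_audit_config inventory line as JSON and type-checks the keys seen in comment 6. The function names, and the assumption that those five keys with those types form the complete set, are this example's own.

```python
import json

VAR = "openshift_master_audit_config"
# Keys and value types as they appear in the example inventory line quoted
# in comment 6; treating this set as complete is an assumption of this sketch.
AUDIT_KEYS = {
    "enabled": bool,
    "auditFilePath": str,
    "maximumFileRetentionDays": int,
    "maximumFileSizeMegabytes": int,
    "maximumRetainedFiles": int,
}


def check_config(cfg):
    """Return a list of problems found in a decoded audit config."""
    if not isinstance(cfg, dict):
        return ["value is not a JSON object"]
    problems = []
    for key, value in cfg.items():
        expected = AUDIT_KEYS.get(key)
        if expected is None:
            problems.append("unknown key %r" % key)
        # bool is a subclass of int in Python, so compare exact types
        elif type(value) is not expected:
            problems.append("%s should be %s" % (key, expected.__name__))
    if "auditFilePath" not in cfg:
        # the field the MasterConfigCheck warning in comment 1 names
        problems.append("auditFilePath is not set")
    return problems


def check_inventory_line(line):
    """Validate one inventory line; a leading '#' comment marker is ignored."""
    name, sep, value = line.lstrip("# ").partition("=")
    if not sep or name.strip() != VAR:
        return ["not an %s line" % VAR]
    try:
        return check_config(json.loads(value))
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return ["value is not valid JSON: %s" % exc]


def to_inventory_line(audit_config):
    """Render an auditConfig mapping as a one-line inventory variable."""
    problems = check_config(audit_config)
    if problems:
        raise ValueError("; ".join(problems))
    return "%s=%s" % (VAR, json.dumps(audit_config))
```

Given the second line of the grep output exactly as quoted, check_inventory_line reports invalid JSON because of the extra trailing `}`; with one brace removed the line passes.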

Comment 14 errata-xmlrpc 2017-08-10 05:21:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716