Fortanix DSM Backup for Audit Log

1.0 Introduction

This article describes the Fortanix Data Security Manager (DSM) audit log backup procedure. By default, audit logs are backed up as part of the protected Cassandra backup. However, a large number of audit logs can increase the time each backup takes and the storage space each backup requires.

2.0 Backing Up the Audit Log

Perform the following steps to create the storage accounts and containers for backing up the cluster data to configure the audit log backup:

NOTE
By default, all CRON job schedules are in the UTC time zone.
  1. From Fortanix DSM release 3.27, you can optionally exclude audit logs from the backup by adding the exclude_auditlog: true parameter to the configuration:
    backup:
      cron_schedule: "1 1 * * *"
      exclude_auditlog: true
    NOTE
    Setting the exclude_auditlog parameter to true in the configuration excludes the audit logs from normal backups.
  2. You can create a separate audit-log-only backup job that runs on its own schedule and uses its own backup destination. Update the following parameters in the config.yaml file:

    • For Fortanix DSM version 3.27 and above:
      backup:
        cron_schedule: 10 * * * *
        backup_mode: snapshot
        exclude_auditlog: true
        scp:
          server_ip: 10.197.192.171
          username: administrator
          password: "********"
          path: /home/administrator/backup
      auditBackup:
        cron_schedule: 0 * * * *
        backup_mode: snapshot
        scp:
          server_ip: 10.197.192.171
          username: administrator
          password: "********"
          path: /home/administrator/backup
    • For Fortanix DSM version 4.6 and above, add the authmode: password/privatekey parameter:
      backup:
        cron_schedule: 10 * * * *
        backup_mode: snapshot
        exclude_auditlog: true
        scp:
          server_ip: 10.197.192.171
          authmode: password
          username: administrator
          password: "********"
          path: /home/administrator/backup
      auditBackup:
        cron_schedule: 0 * * * *
        backup_mode: snapshot
        scp:
          server_ip: 10.197.192.171
          authmode: password
          username: administrator
          password: "********"
          path: /home/administrator/backup
      NOTE
      The value of the authmode parameter can be either password or privatekey. However, it is recommended to set the value to privatekey.
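
The following linter is an added example, not Fortanix code. It checks a config.yaml for three conditions drawn from the steps above: exclude_auditlog: true with no auditBackup job (audit logs would then be in no backup at all), SCP password authentication where privatekey is recommended, and identical cron_schedule values for the two jobs. The parse and lint function names and the sample input are assumptions made for illustration.

```python
# Added example (not Fortanix code); parses only the "key: value" YAML subset used in this article.
SAMPLE = """\
backup:
  cron_schedule: 10 * * * *
  exclude_auditlog: true
  scp:
    server_ip: 10.197.192.171
    authmode: password
    username: administrator
    password: "********"
    path: /home/administrator/backup
"""  # constructed input: the auditBackup section is deliberately missing

def parse(text):
    """Turn indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # close deeper and sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip('"')
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def lint(cfg):
    """Return a list of findings for the backup and auditBackup sections."""
    findings = []
    backup, audit = cfg.get("backup") or {}, cfg.get("auditBackup")
    if backup.get("exclude_auditlog") == "true" and not audit:
        findings.append("audit logs excluded but no auditBackup job defined")
    for name in ("backup", "auditBackup"):
        scp = (cfg.get(name) or {}).get("scp") or {}
        if scp.get("authmode") == "password" or "password" in scp:
            findings.append(f"{name}.scp uses password auth, not privatekey")
    if audit and audit.get("cron_schedule") == backup.get("cron_schedule"):
        findings.append("backup and auditBackup share one cron_schedule")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse(SAMPLE))))
```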

2.1 Setting or Patching a Kubernetes Secret

The following steps explain the method to set a Kubernetes secret:

  1. In the ssh-secret-patch.yaml file created in Section 2.1 under Data Security Manager Backup and Restore Guide for Passwordless Based Using SCP, update the value of the name parameter under metadata to secret-ssh-audit-auth.
    apiVersion: v1
    data:
      ssh-privatekey: "PRIVATEKEY"  # Secret data values are base64-encoded
    kind: Secret
    metadata:
      name: secret-ssh-audit-auth
      namespace: default
    type: kubernetes.io/ssh-auth
  2. Run the following command to patch the Kubernetes secret object:
    kubectl patch secret secret-ssh-audit-auth --patch "$(cat ssh-secret-patch.yaml)"
    NOTE
    To schedule the audit log and normal backups at different times to avoid contention, update the cron_schedule.

    For example: 

    cron_schedule: "0 4 0 * * *" # Run once a week at 2am
  3. For Fortanix DSM version 4.16 and above, run the following command to configure audit-log-based backup, and paste the private key when prompted:
    sdkms-cluster secret set secret-ssh-audit-auth
