Fortanix DSM Backup for Audit Log

1.0 Introduction

This article describes the Fortanix Data Security Manager (DSM) audit log backup procedure. By default, audit logs are backed up as part of the protected Cassandra backup. However, a large volume of audit logs can increase the time each backup takes and the storage space each backup requires.

2.0 Backing Up the Audit Log

Perform the following steps to create the storage accounts and containers for backing up the cluster data and to configure the audit log backup:

NOTE

By default, all CRON job schedules are in the UTC time zone.

  1. You can create a separate audit-log-only backup job that runs on its own schedule and writes to its own backup destination. Update the following parameters in the config.yaml file:

    • For Fortanix DSM version 3.27 and above:

      backup:
        cron_schedule: 10 * * * *
        backup_mode: snapshot
        exclude_auditlog: true
        scp:
          server_ip: xx.xxx.xxx.xxx
          username: administrator
          password: ********
          path: /home/administrator/backup
      auditBackup:
        cron_schedule: 0 * * * *
        backup_mode: snapshot
        scp:
          server_ip: xx.xxx.xxx.xxx
          username: administrator
          password: ********
          path: /home/administrator/backup
    • For Fortanix DSM version 4.6 and above, add the authmode parameter (password or privatekey):

      backup:
        cron_schedule: 10 * * * *
        backup_mode: snapshot
        exclude_auditlog: true
        scp:
          server_ip: xx.xxx.xxx.xxx
          authmode: password
          username: administrator
          password: ********
          path: /home/administrator/backup
      auditBackup:
        cron_schedule: 0 * * * *
        backup_mode: snapshot
        scp:
          server_ip: xx.xxx.xxx.xxx
          authmode: password
          username: administrator
          password: ********
          path: /home/administrator/backup

      NOTE

      The value of the authmode parameter can be either password or privatekey. However, it is recommended to set the value to privatekey.

2.1 Setting or Patching a Kubernetes Secret

The following steps explain the method to set a Kubernetes secret:

  1. In the ssh-secret-patch.yaml file created in Section 2.1 under Data Security Manager Backup and Restore Guide for Passwordless Based Using SCP, update the value of the name parameter under metadata to secret-ssh-audit-auth.

    apiVersion: v1
    data:
      ssh-privatekey: "PRIVATEKEY"  # base64-encoded, as Kubernetes requires for data values
    kind: Secret
    metadata:
      name: secret-ssh-audit-auth
      namespace: default
    type: kubernetes.io/ssh-auth
  2. Run the following command to patch the Kubernetes secret object:

    kubectl patch secret secret-ssh-audit-auth --patch "$(cat ssh-secret-patch.yaml)"

    NOTE

    To avoid contention, schedule the audit log and normal backups at different times by updating cron_schedule.

    For example:

    cron_schedule: "0 2 * * 0" # Run once a week at 2am (Sunday)
  3. For Fortanix DSM version 4.16 and above, run the following command to configure audit-log-based backup, and paste the private key when prompted:

    sdkms-cluster secret set secret-ssh-audit-auth
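
For steps 1 and 2 above, the following shell function renders ssh-secret-patch.yaml from a local private key file. It is an added example, not part of the Fortanix documentation; the function name render_ssh_secret_patch and the key file path passed to it are assumptions. Kubernetes requires Secret data values to be base64-encoded, and the function refuses a key file that group or other users can read.

```shell
#!/usr/bin/env bash
# Added example (not Fortanix code): render the Secret patch for the
# audit-log backup key. Assumption: the private key is in the file given as $1.

render_ssh_secret_patch() {
  keyfile=$1
  [ -f "$keyfile" ] || { echo "key file not found: $keyfile" >&2; return 1; }

  # Characters 5-10 of the ls mode string are the group/other bits.
  # Refuse keys exposed to other local users (ssh applies the same rule).
  perms=$(ls -ld "$keyfile" | cut -c5-10)
  [ "$perms" = "------" ] || {
    echo "refusing $keyfile: group/other permissions set ($perms)" >&2
    return 1
  }

  # Secret .data values must be base64; tr removes the line wrapping that
  # base64 adds so the value stays on one YAML line.
  encoded=$(base64 < "$keyfile" | tr -d '\n')
  [ -n "$encoded" ] || { echo "key file is empty: $keyfile" >&2; return 1; }

  cat <<EOF
apiVersion: v1
data:
  ssh-privatekey: "$encoded"
kind: Secret
metadata:
  name: secret-ssh-audit-auth
  namespace: default
type: kubernetes.io/ssh-auth
EOF
}
```

Redirect the output to ssh-secret-patch.yaml under a restrictive umask (for example umask 077), and delete the file once kubectl patch has succeeded, because it contains the key material.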