Chapter 12: Auditing using Falco and EFK
Each of the preceding statements has one thing in common: when any one of them occurs, you need to find out what happened.
Too often, auditing is considered only when we think of some form of attack. While we certainly require auditing to find "bad people", we also need to audit everyday standard system interactions.
Kubernetes includes logs for most of the important system events that you will need to audit, but it doesn't include everything. As we discussed in previous chapters, all API interactions will be logged by the system, which includes the majority of events you need to audit. However, there are tasks that users execute that will not go through the API server and may go undetected if you are relying on API logs for all of your auditing.
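To make the gap concrete, here is an added Python example (not from the book) that scans constructed audit.k8s.io/v1 entries for pod exec, attach and port-forward requests. The log records that a user opened a shell in a pod, but nothing typed into that shell afterward ever passes through the API server. The JSON Lines layout and sample usernames are assumptions for the example.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed sample entries in the audit.k8s.io/v1 JSON Lines shape; not from a real cluster.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:kube-system:metrics"},"requestURI":"/api/v1/pods","objectRef":{"resource":"pods"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseStarted","verb":"create","user":{"username":"alice"},"requestURI":"/api/v1/namespaces/default/pods/web-0/exec?command=sh&stdin=true&tty=true","objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"requestURI":"/api/v1/namespaces/default/pods/web-0/exec?command=sh&stdin=true&tty=true","objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"requestURI":"/api/v1/namespaces/prod/pods/db-1/exec?command=cat&command=%2Fetc%2Fhostname&stdout=true","objectRef":{"resource":"pods","namespace":"prod","name":"db-1","subresource":"exec"},"responseStatus":{"code":101}}
"""

# Pod subresources that hand the caller a live channel into a container.
INTERACTIVE_SUBRESOURCES = {"exec", "attach", "portforward"}


def parse_audit_lines(text):
    """Yield one dict per non-empty JSON line; lines that are not valid JSON are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_interactive_sessions(text):
    """Return (user, namespace, pod, subresource, command) for each completed
    exec/attach/port-forward request. Only the ResponseComplete stage is kept,
    so one session is counted once rather than once per audit stage."""
    sessions = []
    for ev in parse_audit_lines(text):
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("subresource") not in INTERACTIVE_SUBRESOURCES:
            continue
        if ev.get("stage") != "ResponseComplete":
            continue
        query = parse_qs(urlparse(ev.get("requestURI", "")).query)
        # 'command' repeats once per argv element and parse_qs keeps their order.
        command = " ".join(query.get("command", []))
        user = ev.get("user", {}).get("username", "<unknown>")
        sessions.append((user, ref.get("namespace", ""), ref.get("name", ""), ref["subresource"], command))
    return sessions


if __name__ == "__main__":
    for user, ns, pod, sub, cmd in find_interactive_sessions(SAMPLE_AUDIT_LOG):
        # Only the initial command is visible here; anything run inside that shell is not.
        print(f"{user} opened {sub} on {ns}/{pod}: {cmd or '(no command logged)'}")
```

Feeding this the real audit backend output shows who opened an interactive session and where, which is exactly the point at which API-level auditing stops and a node-level tool has to take over.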
There are tools to address the gaps in the native logging functionality. Open source projects...