Project: Cloud Infrastructure Security & Compliance
Issue: CMP-974

[AU-2, AU-3, AU-3(1)]: Figure out if the information audited by the API servers is enough


    • Type: Story
    • Resolution: Done
    • Priority: Normal
    • Epic Link: OCPPLAN-6104 - FedRAMP moderate controls
    • Sprint: CMP Sprint 32

      OCP API server auditing is enabled by default and can't be disabled which is great. But at the same time, the audit profiles can't be configured, the user can just select one of the three built-in profiles. At the moment it is not clear to me if the information that is audited is enough to cover the controls.

      Things that I'm wondering are:

      • AU-3(1) asks for "The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]." and further on: "Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon]"
      • AU-2 has a bunch of requirements for what needs to be audited (see CMP-155), most of them are covered except "process tracking": does this mean we need some audit logs from the container runtime? Or is this covered by auditd tracking the processes on the nodes?

      I've reached out to gsleeman@redhat.com and kramraja to get their opinion and learn what they did in OSD.

            Assignee: Jakub Hrozek (jhrozek@redhat.com)
            Reporter: Jakub Hrozek (jhrozek@redhat.com)

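As an added worked example (not code from the ticket, the reporter, or OpenShift), the check below maps the fields of a Kubernetes-style API server audit event onto the AU-3 content items and the AU-3(1) additional items discussed above. It assumes the `audit.k8s.io/v1` Event format that the OpenShift API servers write, the two sample log lines are constructed, and the short item names (`what`, `when`, `outcome`, `bytes`, ...) are this example's own shorthand for the control text, not anything defined by the control or the product.

```python
"""Check which AU-3 / AU-3(1) content items an audit.k8s.io/v1 Event covers.

Added example for the ticket above; not OpenShift code. The sample events
are constructed, and the item names below are this example's shorthand.
"""
import json
from datetime import datetime

# Timestamp layout used by audit.k8s.io/v1 (RFC 3339 with microseconds).
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed sample: one GET on a Secret, at the two stages the Default
# profile emits (RequestReceived, then ResponseComplete). Metadata level
# means no requestObject / responseObject is present.
_REQ = {
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
    "auditID": "0f4d6a1e-constructed", "stage": "RequestReceived",
    "requestURI": "/api/v1/namespaces/default/secrets/db-creds", "verb": "get",
    "user": {"username": "system:serviceaccount:default:app",
             "groups": ["system:serviceaccounts", "system:authenticated"]},
    "sourceIPs": ["10.0.0.5"], "userAgent": "kubectl/v1.26.0",
    "objectRef": {"resource": "secrets", "namespace": "default",
                  "name": "db-creds", "apiVersion": "v1"},
    "requestReceivedTimestamp": "2023-03-01T12:00:00.000000Z",
    "stageTimestamp": "2023-03-01T12:00:00.000000Z",
}
_RESP = dict(
    _REQ, stage="ResponseComplete",
    responseStatus={"metadata": {}, "code": 200},
    stageTimestamp="2023-03-01T12:00:00.012345Z",
    annotations={"authorization.k8s.io/decision": "allow",
                 "authorization.k8s.io/reason":
                 'RBAC: allowed by RoleBinding "app-reader/default" of Role '
                 '"secret-reader" to ServiceAccount "app/default"'},
)
SAMPLE_LOG = json.dumps(_REQ) + "\n" + json.dumps(_RESP) + "\n"


def _ts(event, key):
    """Parse one of the event's timestamps, or None if the field is absent."""
    return datetime.strptime(event[key], TS_FMT) if key in event else None


# AU-3 base content: what happened, when, where, source, outcome, subject.
AU3_CONTENT = {
    "what": lambda e: bool(e.get("verb")) and bool(e.get("objectRef") or e.get("requestURI")),
    "when": lambda e: "requestReceivedTimestamp" in e,
    "where": lambda e: bool(e.get("requestURI")),
    "source": lambda e: bool(e.get("sourceIPs")),
    "outcome": lambda e: "code" in e.get("responseStatus", {}),
    "subject": lambda e: bool(e.get("user", {}).get("username")),
}

# AU-3(1) additional content, as listed in the control parameter.
AU3_1_ADDITIONAL = {
    # Duration is derivable from the two timestamps on a ResponseComplete event.
    "duration": lambda e: _ts(e, "stageTimestamp") is not None
    and _ts(e, "requestReceivedTimestamp") is not None,
    # The audit.k8s.io/v1 Event schema carries no byte counts, so this item
    # can never be satisfied from the API server audit log alone.
    "bytes": lambda e: False,
    # Authorization decision/reason annotations and a status message are the
    # closest thing to "additional informational messages".
    "diagnostics": lambda e: bool(e.get("annotations"))
    or bool(e.get("responseStatus", {}).get("message")),
    "object": lambda e: bool(e.get("objectRef")),
}


def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def coverage(event):
    """Return {item: present?} for every AU-3 and AU-3(1) item."""
    items = {**AU3_CONTENT, **AU3_1_ADDITIONAL}
    return {name: bool(pred(event)) for name, pred in items.items()}


def missing_items(event):
    """Names of the items this single event does not supply."""
    return [name for name, present in coverage(event).items() if not present]


def duration_ms(event):
    """Request duration in milliseconds, or None if a timestamp is missing."""
    start, end = _ts(event, "requestReceivedTimestamp"), _ts(event, "stageTimestamp")
    if start is None or end is None:
        return None
    return (end - start).total_seconds() * 1000.0


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(ev["stage"], "missing:", missing_items(ev), "duration_ms:", duration_ms(ev))
```

Run against a real `/var/log/kube-apiserver/audit.log` slice, the interesting output is the `missing` list for `ResponseComplete` events: outcome, subject, object reference and duration are all present in the default metadata-level events, while byte counts are structurally absent from the schema, which is the kind of gap the ticket is asking about. Request and response bodies only appear when the `WriteRequestBodies` or `AllRequestBodies` profile is selected on the `APIServer` resource.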