Kubernetes API Audit Logs
Linux, Cloud Infrastructure, Kubernetes, Disk Image, SIEM / Log Aggregator
Location
API server audit backend configured via --audit-log-path, or webhook delivery to SIEM/storage
Description
Kubernetes API audit records capturing requests made to the API server for pods, secrets, configmaps, RBAC objects, exec sessions, and other cluster resources. Logging only occurs when an audit policy and backend are configured.
Forensic Value
API audit logs are the definitive source for proving who performed administrative actions in a cluster. They expose secret access, pod exec activity, RBAC changes, ephemeral workload creation, and API-based tampering that may leave only limited traces on individual nodes.
Tools Required
cp, grep, kubectl, jq
Collection Commands
cp
cp /var/log/kubernetes/audit.log /forensics/output/kubernetes_audit.log 2>/dev/null
grep
grep -E '"verb":"(create|patch|delete|update)"' /var/log/kubernetes/audit.log > /forensics/output/kubernetes_audit_mutations.json 2>/dev/null
kubectl
kubectl get events --all-namespaces --sort-by=.metadata.creationTimestamp > /forensics/output/kubernetes_events.txt
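As an added example (not part of the original card), the following Python triage parses a JSON-lines copy of audit.log such as the one collected above and flags the categories the Forensic Value section names: secret reads, pod exec/attach, RBAC mutations, and ad-hoc pod creation. The sample events are constructed; field names follow the audit.k8s.io/v1 Event schema.

```python
import json

# Constructed sample events in audit.k8s.io/v1 JSON-lines format, trimmed to
# the fields this triage reads; they are not from a real cluster.
SAMPLE_AUDIT_LOG = """
{"stage":"RequestReceived","verb":"get","user":{"username":"jane"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"requestReceivedTimestamp":"2024-05-01T10:00:00Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"jane"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"requestReceivedTimestamp":"2024-05-01T10:00:00Z"}
{"stage":"ResponseComplete","verb":"create","user":{"username":"jane"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"},"requestReceivedTimestamp":"2024-05-01T10:01:00Z"}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:builder"},"objectRef":{"resource":"clusterrolebindings","name":"ci-admin"},"requestReceivedTimestamp":"2024-05-01T10:02:00Z"}
{"stage":"ResponseComplete","verb":"create","user":{"username":"jane"},"objectRef":{"resource":"pods","namespace":"default","name":"tmp-shell"},"requestReceivedTimestamp":"2024-05-01T10:03:00Z"}
"""

MUTATING = {"create", "update", "patch", "delete", "deletecollection"}
RBAC = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}

def classify(event):
    """Label the categories the card calls out, or None for routine traffic."""
    ref = event.get("objectRef") or {}
    res, sub, verb = ref.get("resource"), ref.get("subresource"), event.get("verb")
    if res == "secrets" and verb in {"get", "list", "watch"}:
        return "secret-access"
    if res == "pods" and sub in {"exec", "attach", "portforward"}:
        return "pod-exec"
    if res in RBAC and verb in MUTATING:
        return "rbac-change"
    if res == "pods" and sub is None and verb == "create":
        return "workload-create"
    return None

def triage(log_text):
    """Return flagged events, one per request: only the ResponseComplete stage
    is kept so a request also logged at RequestReceived is not double counted."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:  # blank or truncated line: skip it
            continue
        if event.get("stage") != "ResponseComplete":
            continue
        label = classify(event)
        if label is None:
            continue
        ref = event.get("objectRef") or {}
        target = "/".join(p for p in (ref.get("namespace"), ref.get("resource"), ref.get("name")) if p)
        findings.append({"time": event.get("requestReceivedTimestamp"), "label": label,
                         "user": (event.get("user") or {}).get("username"),
                         "verb": event.get("verb"), "target": target})
    return findings
```

Run `triage(open("/forensics/output/kubernetes_audit.log").read())` against the preserved copy; each finding carries the timestamp, principal, verb and namespace/resource/name so it can be matched against node telemetry.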
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
- API audit evidence exists only when an audit policy and backend were configured before the incident.
- Cluster-level audit logs explain API actions, but investigators still need node or workload telemetry for post-execution behavior.
MITRE ATT&CK Techniques
T1552, T1525, T1611, T1550.001