From f5e2afc8b252bd4d0ec9875179530ea899585d38 Mon Sep 17 00:00:00 2001
From: jazzl0ver
Date: Tue, 3 Sep 2024 11:13:53 +0300
Subject: [PATCH] user accounts manipulation audit example

Signed-off-by: jazzl0ver
---
 _security/audit-logs/index.md | 53 +++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/_security/audit-logs/index.md b/_security/audit-logs/index.md
index becb001ec0..f8d7c24cf1 100644
--- a/_security/audit-logs/index.md
+++ b/_security/audit-logs/index.md
@@ -224,3 +224,56 @@ plugins.security.audit.config.threadpool.max_queue_len: 100000
 To disable audit logs after they've been enabled, remove the `plugins.security.audit.type: internal_opensearch` setting from `opensearch.yml`, or switch off the **Enable audit logging** check box in OpenSearch Dashboards.
+## Audit user account manipulation
+
+By default, audit of user account creation/removal is off (`AUTHENTICATED` audit events disabled). To enable it, issue a similar request:
+```
+PUT /_opendistro/_security/api/audit/config
+{
+ "compliance": {
+ "enabled": true,
+ "write_log_diffs": false,
+ "read_watched_fields": {},
+ "read_ignore_users": [
+ "elastiflow",
+ "filebeats",
+ "kibanaserver",
+ "nagios"
+ ],
+ "write_watched_indices": [],
+ "write_ignore_users": [
+ "elastiflow",
+ "filebeats",
+ "kibanaserver",
+ "nagios"
+ ],
+ "read_metadata_only": true,
+ "write_metadata_only": true,
+ "external_config": false,
+ "internal_config": true
+ },
+ "enabled": true,
+ "audit": {
+ "ignore_users": [
+ "elastiflow",
+ "filebeats",
+ "kibanaserver",
+ "nagios"
+ ],
+ "ignore_requests": [],
+ "disabled_rest_categories": [
+ "GRANTED_PRIVILEGES"
+ ],
+ "disabled_transport_categories": [
+ "GRANTED_PRIVILEGES"
+ ],
+ "log_request_body": true,
+ "resolve_indices": true,
+ "resolve_bulk_requests": false,
+ "exclude_sensitive_headers": true,
+ "enable_transport": true,
+ "enable_rest": true
+ }
+}
+```
+The provided request enables all `AUTHENTICATED` events for all users besides the ones specified in the `*ignore_users` blocks