user accounts manipulation audit example #8158
Conversation
Signed-off-by: jazzl0ver <[email protected]>
Thank you for submitting your PR. The PR states are In progress (or Draft) -> Tech review -> Doc review -> Editorial review -> Merged. Before you submit your PR for doc review, make sure the content is technically accurate. If you need help finding a tech reviewer, tag a maintainer. When you're ready for doc review, tag the assignee of this PR. The doc reviewer may push edits to the PR directly or leave comments and editorial suggestions for you to address (let us know in a comment if you have a preference). The doc reviewer will arrange for an editorial review.
@stephen-crawford or @cwperks: Could you make sure that this PR is technically accurate?
_security/audit-logs/index.md
Outdated
@@ -224,3 +224,56 @@ plugins.security.audit.config.threadpool.max_queue_len: 100000 | |||
|
|||
To disable audit logs after they've been enabled, remove the `plugins.security.audit.type: internal_opensearch` setting from `opensearch.yml`, or switch off the **Enable audit logging** check box in OpenSearch Dashboards. | |||
|
|||
## Audit user account manipulation | |||
|
|||
By default, audit of user account creation/removal is off (`AUTHENTICATED` audit events disabled). To enable it, issue a similar request: |
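Review bot: the new paragraph ties auditing of user account creation/removal to the `AUTHENTICATED` category, but as the review thread below points out, that category records every request sent with valid credentials, not changes to the internal user store; the mechanism that actually captures account changes is the `compliance` section (`write_watched_indices: [".opendistro_security"]` together with `write_metadata_only: false` and `write_log_diffs: true`), so the paragraph should describe those settings instead. Also, "issue a similar request:" promises a request body that is not in this hunk; either include it or reword the sentence so it stands on its own.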
I don't think `AUTHENTICATED` is the right event here. An `AUTHENTICATED` event is audit logged every time a request is sent with valid credentials.
To monitor changes to the security index, I think you would use the `compliance:` section of the audit log config. Specifically, the `write_watched_indices: []` here.
The security index is `.opendistro_security`. If you add it into this list, you should be able to track changes to internalusers, roles, roles_mappings, etc.
Thanks, Craig. I've just tried to put the `AUTHENTICATED` event back to the list of the disabled categories and added the `.opendistro_security` index to the `write_watched_indices` list. And it didn't seem to be enough to get the details like the created or deleted user account name. To get those details, I had to disable `write_metadata_only` and enable `write_log_diffs` options as well.
Please confirm this is the right way to go and I'll update my PR.
Yes, that's correct. Does the section below look correct to you? Is there anything else that needs to be added?

```yaml
_meta:
  type: "audit"
  config_version: 2

config:
  # enable/disable audit logging
  enabled: true
  ...
  compliance:
    # enable/disable compliance
    enabled: true
    # Log updates to internal security changes
    internal_config: true
    # Log only metadata of the document for write events
    write_metadata_only: false
    # Log only diffs for document updates
    write_log_diffs: true
    # List of indices to watch for write events. Wildcard patterns are supported
    # write_watched_indices: ["twitter", "logs-*"]
    write_watched_indices: [".opendistro_security"]
```
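As an added example (not part of this PR or of the OpenSearch project), a small Python check over an in-memory copy of the compliance settings quoted above: it reports which settings would stop the audit log from recording which internal user was created or deleted, and honours the wildcard patterns that `write_watched_indices` accepts. The two configs are constructed dicts, not a parsed `audit.yml`.

```python
import copy
from fnmatch import fnmatch

SECURITY_INDEX = ".opendistro_security"

# Constructed in-memory copy of the compliance settings quoted above.
SUFFICIENT = {"config": {"enabled": True, "compliance": {
    "enabled": True, "internal_config": True,
    "write_metadata_only": False, "write_log_diffs": True,
    "write_watched_indices": [".opendistro_security"]}}}

# Constructed variant: application indices only, metadata only, no diffs,
# the shape that did not reveal the created/deleted user's name.
INSUFFICIENT = copy.deepcopy(SUFFICIENT)
INSUFFICIENT["config"]["compliance"].update(
    write_metadata_only=True, write_log_diffs=False,
    write_watched_indices=["twitter", "logs-*"])


def watches_security_index(patterns):
    """True if any watched-index pattern (wildcards allowed) covers the security index."""
    return any(fnmatch(SECURITY_INDEX, p) for p in patterns)


def account_audit_findings(cfg):
    """Reasons this audit config would not record which internal user account
    was created or deleted. An empty list means the config is sufficient."""
    top = cfg.get("config", {})
    comp = top.get("compliance", {})
    checks = [
        (not top.get("enabled", False),
         "config.enabled is false: audit logging is off"),
        (not comp.get("enabled", False),
         "compliance.enabled is false: document write events are not logged"),
        (not comp.get("internal_config", False),
         "internal_config is false: internal security changes are not logged"),
        (not watches_security_index(comp.get("write_watched_indices", [])),
         f"{SECURITY_INDEX} is not covered by write_watched_indices"),
        # an absent key is treated as metadata-only, the conservative reading
        (comp.get("write_metadata_only", True),
         "write_metadata_only is true: the user document body is dropped"),
        (not comp.get("write_log_diffs", False),
         "write_log_diffs is false: updates will not show what changed"),
    ]
    return [message for failed, message in checks if failed]


if __name__ == "__main__":
    for name, cfg in (("sufficient", SUFFICIENT), ("insufficient", INSUFFICIENT)):
        print(name, account_audit_findings(cfg) or ["ok"])
```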
yes, looks just fine, thank you! i'd just add a comment regarding the specified `.opendistro_security` index to make people aware why it's added by default
would you like me to update my PR? or i can simply delete it if you're going to update the docs by yourself
Yes please update this PR. Thank you @jazzl0ver ! This will be a great addition to the documentation.
@cwperks updated
wdyt including the entire section from the above comment?
In general, the audit logs documentation on the documentation website looks like it could be updated to describe all potential settings in the `audit.yml` file in a table and the `compliance` portion of the audit log needs to be expanded upon.
For this PR, I think including the blurb from above would be an improvement on the existing docs.
done
Signed-off-by: jazzl0ver <[email protected]>
Signed-off-by: jazzl0ver <[email protected]>
Thanks @jazzl0ver ! I made one small suggestion, but this looks good to me from a tech perspective. @Naarcha-AWS Can you review too?
Co-authored-by: Craig Perkins <[email protected]> Signed-off-by: jazzl0ver <[email protected]>
One suggestion. Otherwise LGTM.
Signed-off-by: Naarcha-AWS <[email protected]>
* user accounts manipulation audit example
  Signed-off-by: jazzl0ver <[email protected]>
* user accounts manipulation audit example
  Signed-off-by: jazzl0ver <[email protected]>
* user accounts manipulation audit example
  Signed-off-by: jazzl0ver <[email protected]>
* Update _security/audit-logs/index.md
  Co-authored-by: Craig Perkins <[email protected]>
  Signed-off-by: jazzl0ver <[email protected]>
* Update _security/audit-logs/index.md
  Signed-off-by: Naarcha-AWS <[email protected]>
---------
Signed-off-by: jazzl0ver <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Co-authored-by: Craig Perkins <[email protected]>
Co-authored-by: Naarcha-AWS <[email protected]>
(cherry picked from commit 62a4c18)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* user accounts manipulation audit example
  Signed-off-by: jazzl0ver <[email protected]>
* user accounts manipulation audit example
  Signed-off-by: jazzl0ver <[email protected]>
* user accounts manipulation audit example
  Signed-off-by: jazzl0ver <[email protected]>
* Update _security/audit-logs/index.md
  Co-authored-by: Craig Perkins <[email protected]>
  Signed-off-by: jazzl0ver <[email protected]>
* Update _security/audit-logs/index.md
  Signed-off-by: Naarcha-AWS <[email protected]>
---------
Signed-off-by: jazzl0ver <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Co-authored-by: Craig Perkins <[email protected]>
Co-authored-by: Naarcha-AWS <[email protected]>
Signed-off-by: Eric Pugh <[email protected]>