From f5e2afc8b252bd4d0ec9875179530ea899585d38 Mon Sep 17 00:00:00 2001
From: jazzl0ver
Date: Tue, 3 Sep 2024 11:13:53 +0300
Subject: [PATCH 1/5] user accounts manipulation audit example
Signed-off-by: jazzl0ver
---
 _security/audit-logs/index.md | 53 +++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
diff --git a/_security/audit-logs/index.md b/_security/audit-logs/index.md
index becb001ec0..f8d7c24cf1 100644
--- a/_security/audit-logs/index.md
+++ b/_security/audit-logs/index.md
@@ -224,3 +224,56 @@ plugins.security.audit.config.threadpool.max_queue_len: 100000
To disable audit logs after they've been enabled, remove the `plugins.security.audit.type: internal_opensearch` setting from `opensearch.yml`, or switch off the **Enable audit logging** check box in OpenSearch Dashboards.
+## Audit user account manipulation
+
+By default, audit of user account creation/removal is off (`AUTHENTICATED` audit events disabled). To enable it, issue a similar request:
+```
+PUT /_opendistro/_security/api/audit/config
+{
+ "compliance": {
+ "enabled": true,
+ "write_log_diffs": false,
+ "read_watched_fields": {},
+ "read_ignore_users": [
+ "elastiflow",
+ "filebeats",
+ "kibanaserver",
+ "nagios"
+ ],
+ "write_watched_indices": [],
+ "write_ignore_users": [
+ "elastiflow",
+ "filebeats",
+ "kibanaserver",
+ "nagios"
+ ],
+ "read_metadata_only": true,
+ "write_metadata_only": true,
+ "external_config": false,
+ "internal_config": true
+ },
+ "enabled": true,
+ "audit": {
+ "ignore_users": [
+ "elastiflow",
+ "filebeats",
+ "kibanaserver",
+ "nagios"
+ ],
+ "ignore_requests": [],
+ "disabled_rest_categories": [
+ "GRANTED_PRIVILEGES"
+ ],
+ "disabled_transport_categories": [
+ "GRANTED_PRIVILEGES"
+ ],
+ "log_request_body": true,
+ "resolve_indices": true,
+ "resolve_bulk_requests": false,
+ "exclude_sensitive_headers": true,
+ "enable_transport": true,
+ "enable_rest": true
+ }
+}
+```
+The provided request enables all `AUTHENTICATED` events for all users besides the ones specified in the `*ignore_users` blocks
From c44b9dc0d9a80ce9f051b71e795190708845c859 Mon Sep 17 00:00:00 2001
From: jazzl0ver
Date: Thu, 5 Sep 2024 11:18:23 +0300
Subject: [PATCH 2/5] user accounts manipulation audit example
Signed-off-by: jazzl0ver
---
 _security/audit-logs/index.md | 53 +++-------------------------------
 1 file changed, 4 insertions(+), 49 deletions(-)
diff --git a/_security/audit-logs/index.md b/_security/audit-logs/index.md
index f8d7c24cf1..336f8ec812 100644
--- a/_security/audit-logs/index.md
+++ b/_security/audit-logs/index.md
@@ -226,54 +226,9 @@ To disable audit logs after they've been enabled, remove the `plugins.security.a
## Audit user account manipulation
-By default, audit of user account creation/removal is off (`AUTHENTICATED` audit events disabled). To enable it, issue a similar request:
+To enable user account creation/removal audit make sure the following audit compliance settings are set:
```
-PUT /_opendistro/_security/api/audit/config
-{
- "compliance": {
- "enabled": true,
- "write_log_diffs": false,
- "read_watched_fields": {},
- "read_ignore_users": [
- "elastiflow",
- "filebeats",
- "kibanaserver",
- "nagios"
- ],
- "write_watched_indices": [],
- "write_ignore_users": [
- "elastiflow",
- "filebeats",
- "kibanaserver",
- "nagios"
- ],
- "read_metadata_only": true,
- "write_metadata_only": true,
- "external_config": false,
- "internal_config": true
- },
- "enabled": true,
- "audit": {
- "ignore_users": [
- "elastiflow",
- "filebeats",
- "kibanaserver",
- "nagios"
- ],
- "ignore_requests": [],
- "disabled_rest_categories": [
- "GRANTED_PRIVILEGES"
- ],
- "disabled_transport_categories": [
- "GRANTED_PRIVILEGES"
- ],
- "log_request_body": true,
- "resolve_indices": true,
- "resolve_bulk_requests": false,
- "exclude_sensitive_headers": true,
- "enable_transport": true,
- "enable_rest": true
- }
-}
+write_metadata_only: false
+write_log_diffs: true
+write_watched_indices: [".opendistro_security"]
```
-The provided request enables all `AUTHENTICATED` events for all users besides the ones specified in the `*ignore_users` blocks
From dab9b55a8722469bc3cb6ecd968ee003964e62a8 Mon Sep 17 00:00:00 2001
From: jazzl0ver
Date: Thu, 5 Sep 2024 19:25:29 +0300
Subject: [PATCH 3/5] user accounts manipulation audit example
Signed-off-by: jazzl0ver
---
 _security/audit-logs/index.md | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/_security/audit-logs/index.md b/_security/audit-logs/index.md
index 336f8ec812..7d8b60718c 100644
--- a/_security/audit-logs/index.md
+++ b/_security/audit-logs/index.md
@@ -226,9 +226,33 @@ To disable audit logs after they've been enabled, remove the `plugins.security.a
## Audit user account manipulation
-To enable user account creation/removal audit make sure the following audit compliance settings are set:
+To enable user account creation/removal audit use similar `audit.yml`:
```
-write_metadata_only: false
-write_log_diffs: true
-write_watched_indices: [".opendistro_security"]
+_meta:
+ type: "audit"
+ config_version: 2
+
+config:
+ # enable/disable audit logging
+ enabled: true
+
+ ...
+
+
+ compliance:
+ # enable/disable compliance
+ enabled: true
+
+ # Log updates to internal security changes
+ internal_config: true
+
+ # Log only metadata of the document for write events
+ write_metadata_only: false
+
+ # Log only diffs for document updates
+ write_log_diffs: true
+
+ # List of indices to watch for write events. Wildcard patterns are supported
+ # write_watched_indices: ["twitter", "logs-*"]
+ write_watched_indices: [".opendistro_security"]
```
From 058810df73898f9dbb48776f454166187c48c069 Mon Sep 17 00:00:00 2001
From: jazzl0ver
Date: Fri, 6 Sep 2024 09:52:21 +0300
Subject: [PATCH 4/5] Update _security/audit-logs/index.md
Co-authored-by: Craig Perkins
Signed-off-by: jazzl0ver
---
 _security/audit-logs/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_security/audit-logs/index.md b/_security/audit-logs/index.md
index 7d8b60718c..19f0cc8e9a 100644
--- a/_security/audit-logs/index.md
+++ b/_security/audit-logs/index.md
@@ -226,7 +226,7 @@ To disable audit logs after they've been enabled, remove the `plugins.security.a
## Audit user account manipulation
-To enable user account creation/removal audit use similar `audit.yml`:
+To enable audit logging on changes to the security index (i.e. changes to roles mappings, creation/deletion of roles, etc.), use the following settings in the `compliance:` portion of the audit log configuration.
```
_meta:
type: "audit"
From ad3bfa6c0025cabb5e61249ff3356c03a454a937 Mon Sep 17 00:00:00 2001
From: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Date: Fri, 6 Sep 2024 14:16:29 -0500
Subject: [PATCH 5/5] Update _security/audit-logs/index.md
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
---
 _security/audit-logs/index.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/_security/audit-logs/index.md b/_security/audit-logs/index.md
index 19f0cc8e9a..8eeea33447 100644
--- a/_security/audit-logs/index.md
+++ b/_security/audit-logs/index.md
@@ -226,7 +226,8 @@ To disable audit logs after they've been enabled, remove the `plugins.security.a
## Audit user account manipulation
-To enable audit logging on changes to the security index (i.e. changes to roles mappings, creation/deletion of roles, etc.), use the following settings in the `compliance:` portion of the audit log configuration.
+To enable audit logging on changes to a security index, such as changes to roles mappings and role creation or deletion, use the following settings in the `compliance:` portion of the audit log configuration, as shown in the following example:
+
```
_meta:
type: "audit"