Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Omni audit logs #37

Closed
6 tasks done
steverfrancis opened this issue May 12, 2023 · 2 comments · Fixed by #534
Closed
6 tasks done

Omni audit logs #37

steverfrancis opened this issue May 12, 2023 · 2 comments · Fixed by #534
Assignees
@DmitriyMV

Comments

@steverfrancis
Copy link
Contributor

steverfrancis commented May 12, 2023
edited by DmitriyMV
Loading

Omni needs to have an audit log accessible in the UI for any action that changes configurations, whether by omnictl or the UI.

I'd suggest different labels for actions affecting Omni (user additions/deletions/role changes etc), Clusters and Machines.
For machines, things like user initiated reboots, or deletions, as well as changes to patches and machine configs, need to be logged.

Update 2024-08-12 Implementation status and tasks

Remaining steps
Preview Give feedback
  1. Implement audit log core functionality. #545
    DmitriyMV
  2. Add support for audit log files rotation #546
    DmitriyMV
  3. Add support for getting concatenated logs from audit log #578
    DmitriyMV
  4. Add audit log to UI (stream RPC) #586
    DmitriyMV
  5. Add documentation about "how to deploy audit log" #593
@smira
Copy link
Member

smira commented Sep 6, 2023
edited
Loading

Audit log retention: start with 30 days.

User access: downloading all logs concatenated together.

Events logged:

  • User CRUD (including service accounts)
  • PublicKey confirmation (what was the proof accepted)
  • AccessPolicy CRUD
  • Machine - registration, removal
  • Cluster, MachineSet, MachineSetNode, ConfigPatch CRUD
  • Talos API access
  • Kubernetes API access

Fields:

  • timestamp
  • actor: user/Omni
  • public key ID (if actor is user)
  • client ID, user-agent
  • IP address (?)
  • action (create, update, teardown (?), destroy)
  • resource type
  • resource ID
  • contents (depending on the resource type, Cluster could be full, ConfigPatch might just contain labels/name), diff for updates
  • comment

Format: JSON

Implementation ideas:

  • COSI state middleware to intercept all modify operations
  • Enhance Go context with details needed for the audit log
  • Store them as a set of text log files per today, rotating them out when they go out of retention.
  • For the SaaS, store in the mounted volume (Ceph-backed).

@smira smira transferred this issue from another repository Mar 4, 2024
@smira smira transferred this issue from siderolabs/omni-issue-mover Mar 4, 2024
@steverfrancis steverfrancis mentioned this issue Apr 5, 2024
Closed
@DmitriyMV DmitriyMV self-assigned this Jun 24, 2024
@DmitriyMV DmitriyMV removed their assignment Jul 1, 2024
@DmitriyMV DmitriyMV self-assigned this Jul 15, 2024
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 15, 2024
@DmitriyMV
chore: rework auth.* keys, add ctxstore package
a5446ec 
Using so-called phantom types we can use the types themselves as keys directly without loosing performance.
You no longer need to remember which type was attached to the thing you passed in context and can look up
all fields access directly.

Part of siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
@DmitriyMV DmitriyMV mentioned this issue Jul 15, 2024
Merged
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 15, 2024
@DmitriyMV
chore: rework auth.* keys, add ctxstore package
66e1aff 
Using so-called phantom types we can use the types themselves as keys directly without loosing performance.
You no longer need to remember which type was attached to the thing you passed in context and can look up
all fields access directly.

Part of siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 15, 2024
@DmitriyMV
chore: rework auth.* keys, add ctxstore package
192bcee 
Using so-called phantom types we can use the types themselves as keys directly without loosing performance.
You no longer need to remember which type was attached to the thing you passed in context and can look up
all fields access directly.

Part of siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 15, 2024
@DmitriyMV
chore: rework auth.* keys, add ctxstore package
37b604e 
Using so-called phantom types we can use the types themselves as keys directly without loosing performance.
You no longer need to remember which type was attached to the thing you passed in context and can look up
all fields access directly.

Part of siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 15, 2024
@DmitriyMV
chore: rework auth.* keys, add ctxstore package
8c5cd76 
Using so-called phantom types we can use the types themselves as keys directly without loosing performance.
You no longer need to remember which type was attached to the thing you passed in context and can look up
all fields access directly.

Part of siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 15, 2024
@DmitriyMV
chore: rework auth.* keys, add ctxstore package
4cfc0e6 
Using so-called phantom types we can use the types themselves as keys directly without loosing performance.
You no longer need to remember which type was attached to the thing you passed in context and can look up
all fields access directly.

Part of siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 22, 2024
@DmitriyMV
chore: add rotating log for audit data
73a7251 
Adds rotating audit log writer. Also minor improvements.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
@DmitriyMV DmitriyMV mentioned this issue Jul 22, 2024
Merged
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 22, 2024
@DmitriyMV
chore: add rotating log for audit data
f21cd5b 
Adds rotating audit log writer. Also minor improvements.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 22, 2024
@DmitriyMV
chore: add rotating log for audit data
8bf9715 
Adds rotating audit log writer. Also minor improvements.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 22, 2024
@DmitriyMV
chore: add rotating log for audit data
cc63bb0 
Adds rotating audit log writer. Also minor improvements.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 22, 2024
@DmitriyMV
chore: add rotating log for audit data
b7ee728 
Adds rotating audit log writer. Also minor improvements.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 25, 2024
@DmitriyMV
chore: add rotating log for audit data
c3ac02a 
Adds rotating audit log writer. Also minor improvements.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 25, 2024
@DmitriyMV
chore: add rotating log for audit data
4ccd19e 
Adds rotating audit log writer. Also minor improvements.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Jul 25, 2024
@DmitriyMV
chore: add rotating log for audit data
5dd5259 
Adds rotating audit log writer. Also minor improvements.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Aug 1, 2024
@DmitriyMV
feat: implement audit log
61cfb30 
This PR implements audit logs. To enable it you have to set the `--audit-log-dir` flag
to a directory where the audit logs will be stored. The audit logs are stored in a JSON format.

Example:
```json
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1722537710182,"event_data":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"a19a7a38-1793-4262-a9ef-97bc00c7a155","role":"Admin","email":"[email protected]","confirmation_type":"auth0","fingerprint":"15acb974f769bdccd38a4b28f282b78736b80bc7","public_key_expiration":1722565909}}
```

Keep in mind that `event_ts` are in milliseconds instead of seconds.
Field `event_data` contains all relevant information about the event.

To enabled it in the development environment you will have to add the
`--audit-log-dir /tmp/omni-data/audit-logs` line to `docker-compose.override.yml`
or run `generate-certs` again.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
@DmitriyMV DmitriyMV mentioned this issue Aug 1, 2024
Merged
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Aug 1, 2024
@DmitriyMV
feat: implement audit log
c11bd68 
This PR implements audit logs. To enable it you have to set the `--audit-log-dir` flag
to a directory where the audit logs will be stored. The audit logs are stored in a JSON format.

Example:
```json
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1722537710182,"event_data":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"a19a7a38-1793-4262-a9ef-97bc00c7a155","role":"Admin","email":"[email protected]","confirmation_type":"auth0","fingerprint":"15acb974f769bdccd38a4b28f282b78736b80bc7","public_key_expiration":1722565909}}
```

Keep in mind that `event_ts` are in milliseconds instead of seconds.
Field `event_data` contains all relevant information about the event.

To enabled it in the development environment you will have to add the
`--audit-log-dir /tmp/omni-data/audit-logs` line to `docker-compose.override.yml`
or run `generate-certs` again.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Aug 2, 2024
@DmitriyMV
feat: implement audit log
a8ad65d 
This PR implements audit logs. To enable it you have to set the `--audit-log-dir` flag
to a directory where the audit logs will be stored. The audit logs are stored in a JSON format.

Example:
```json
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1722537710182,"event_data":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"a19a7a38-1793-4262-a9ef-97bc00c7a155","role":"Admin","email":"[email protected]","confirmation_type":"auth0","fingerprint":"15acb974f769bdccd38a4b28f282b78736b80bc7","public_key_expiration":1722565909}}
```

Keep in mind that `event_ts` are in milliseconds instead of seconds.
Field `event_data` contains all relevant information about the event.

To enabled it in the development environment you will have to add the
`--audit-log-dir /tmp/omni-data/audit-logs` line to `docker-compose.override.yml`
or run `generate-certs` again.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Aug 2, 2024
@DmitriyMV
feat: implement audit log
e2f4854 
This PR implements audit logs. To enable it you have to set the `--audit-log-dir` flag
to a directory where the audit logs will be stored. The audit logs are stored in a JSON format.

Example:
```json
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1722537710182,"event_data":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"a19a7a38-1793-4262-a9ef-97bc00c7a155","role":"Admin","email":"[email protected]","confirmation_type":"auth0","fingerprint":"15acb974f769bdccd38a4b28f282b78736b80bc7","public_key_expiration":1722565909}}
```

Keep in mind that `event_ts` are in milliseconds instead of seconds.
Field `event_data` contains all relevant information about the event.

To enabled it in the development environment you will have to add the
`--audit-log-dir /tmp/omni-data/audit-logs` line to `docker-compose.override.yml`
or run `generate-certs` again.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Aug 2, 2024
@DmitriyMV
feat: implement audit log
342ef2c 
This PR implements audit logs. To enable it you have to set the `--audit-log-dir` flag
to a directory where the audit logs will be stored. The audit logs are stored in a JSON format.

Example:
```json
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1722537710182,"event_data":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"a19a7a38-1793-4262-a9ef-97bc00c7a155","role":"Admin","email":"[email protected]","confirmation_type":"auth0","fingerprint":"15acb974f769bdccd38a4b28f282b78736b80bc7","public_key_expiration":1722565909}}
```

Keep in mind that `event_ts` are in milliseconds instead of seconds.
Field `event_data` contains all relevant information about the event.

To enabled it in the development environment you will have to add the
`--audit-log-dir /tmp/omni-data/audit-logs` line to `docker-compose.override.yml`
or run `generate-certs` again.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Aug 2, 2024
@DmitriyMV
feat: implement audit log
d194d59 
This PR implements audit logs. To enable it you have to set the `--audit-log-dir` flag
to a directory where the audit logs will be stored. The audit logs are stored in a JSON format.

Example:
```json
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1722537710182,"event_data":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"a19a7a38-1793-4262-a9ef-97bc00c7a155","role":"Admin","email":"[email protected]","confirmation_type":"auth0","fingerprint":"15acb974f769bdccd38a4b28f282b78736b80bc7","public_key_expiration":1722565909}}
```

Keep in mind that `event_ts` are in milliseconds instead of seconds.
Field `event_data` contains all relevant information about the event.

To enabled it in the development environment you will have to add the
`--audit-log-dir /tmp/omni-data/audit-logs` line to `docker-compose.override.yml`
or run `generate-certs` again.

For siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
@DmitriyMV DmitriyMV pinned this issue Aug 3, 2024
DmitriyMV added a commit to DmitriyMV/omni that referenced this issue Aug 12, 2024
@DmitriyMV
chore: implement audit log for several types
8576fbe 
This commit implements session tracking and log audit for those types:
- [x] auth.PublicKey
- [x] auth.AccessPolicy
- [x] auth.User
- [x] auth.Identity
- [x] omni.Machine
- [x] omni.MachineLabels
- [x] omni.Cluster
- [x] omni.MachineSet (only empty owners for update, log create and delete in all cases)
- [x] omni.MachineSetNode (only empty owners for update, log create and delete in all cases)
- [x] omni.ConfigPatch
- [x] Talos API Access
- [x] Kubernetes API access

Output example:

```
{"event_type":"update","resource_type":"Machines.omni.sidero.dev","event_ts":1723137771180,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine":{"id":"18cec051-d975-483d-8d43-10ac6421648a","is_connected":true,"management_address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd","labels":{"omni.sidero.dev/address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd"}}}}
{"event_type":"update","resource_type":"Machines.omni.sidero.dev","event_ts":1723137771180,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine":{"id":"18cec051-d975-483d-8d43-10ac6421648a","is_connected":true,"management_address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd","labels":{"omni.sidero.dev/address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd"}}}}
{"event_type":"update","resource_type":"Machines.omni.sidero.dev","event_ts":1723137771181,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine":{"id":"18cec051-d975-483d-8d43-10ac6421648a","is_connected":true,"management_address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd","labels":{"omni.sidero.dev/address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd"}}}}
{"event_type":"create","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137787549,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":""}}}}
{"event_type":"update","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137787553,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":""}}}}
{"event_type":"update","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137811532,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":"","333":""}}}}
{"event_type":"update","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137811610,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":"","333":""}}}}
{"event_type":"update","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137811611,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":"","333":""}}}}
{"event_type":"destroy","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137811621,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":"","333":""}}}}
{"event_type":"create","resource_type":"Users.omni.sidero.dev","event_ts":1723141793888,"event_data":{"new_user":{"role":"Admin","id":"7903a72c-87af-43b8-94dc-82bd961ab768"},"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"}}}
{"event_type":"create","resource_type":"Identities.omni.sidero.dev","event_ts":1723141793981,"event_data":{"new_user":{"id":"7903a72c-87af-43b8-94dc-82bd961ab768","email":"[email protected]"},"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"}}}
```

Closes siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
@DmitriyMV DmitriyMV linked a pull request Aug 12, 2024 that will close this issue
chore: implement audit log for several types #534
Merged
12 tasks
@DmitriyMV DmitriyMV reopened this Aug 12, 2024
@DmitriyMV
Copy link
Member

Finally closed in https://github.com/siderolabs/omni-controller/pull/144

@DmitriyMV DmitriyMV mentioned this issue Oct 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DmitriyMV DmitriyMV

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: implement audit log for several types DmitriyMV/omni
3 participants
@smira @DmitriyMV @steverfrancis