Security Audit Logging
Continuation of changes made under https://review.opendev.org/c/starlingx/docs/+/832841 (abandoned) Add conditional text about log access via controllers. Patchset 3 review updates. Add conditionalization. Story: 2009824 Task: 45043 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I4e9a1a9e0940ffc15a71cea954062d7c42a88e81
This commit is contained in:
parent
ff4caea8ec
commit
d63e42ebeb
3
doc/source/_includes/operator-command-logging.rest
Normal file
3
doc/source/_includes/operator-command-logging.rest
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
.. begin-remote-log-server-options
|
||||||
|
|
||||||
|
.. end-remote-log-server-options
|
@ -0,0 +1,5 @@
|
|||||||
|
.. begin-remote-log-server-options
|
||||||
|
|
||||||
|
.. end-remote-log-server-options
|
||||||
|
|
||||||
|
|
@ -6,59 +6,97 @@
|
|||||||
Operator Command Logging
|
Operator Command Logging
|
||||||
========================
|
========================
|
||||||
|
|
||||||
|prod| logs all REST API operator commands and SNMP commands.
|
|prod| logs all StarlingX REST API operator commands, except commands that use
|
||||||
|
only GET requests. |prod| also logs all |SNMP| commands, including ``GET``
|
||||||
|
requests.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
-------------------------------------------
|
||||||
|
StarlingX REST API Operator Command Logging
|
||||||
|
-------------------------------------------
|
||||||
|
|
||||||
The logs include the timestamp, tenant name \(if applicable\), user name,
|
The logs include the timestamp, tenant name \(if applicable\), user name,
|
||||||
command executed, and command status \(success or failure\).
|
command executed, and command status \(success or failure\).
|
||||||
|
|
||||||
The files are located under the /var/log directory, and are named using the
|
The files are located under the ``/var/log`` directory and are named using the
|
||||||
convention \*-api.log. Each component that generates its own API log files
|
convention ``*api.log``. The list of log files is presented below.
|
||||||
\(for example, Keystone, Barbican, and so forth\) and each |prod| /
|
|
||||||
StarlingX -specific component, updating \(patching\) system, and SNMP agent
|
|
||||||
follows, this convention.
|
|
||||||
|
|
||||||
You can examine the log files locally on the controllers, or using a remote
|
|
||||||
log server if the remote logging feature is configured. The one exception is
|
|
||||||
patching-api.log. For updating robustness, the |prod| updating system uses
|
|
||||||
minimal system facilities and does not use **syslog**. Therefore its logs
|
|
||||||
are not available on a remote log server.
|
|
||||||
|
|
||||||
|
|
||||||
.. _operator-command-logging-section-N10047-N10023-N10001:
|
- ``/var/log/sysinv-api.log``
|
||||||
|
|
||||||
-------
|
- ``/var/log/fm-api.log``
|
||||||
Remarks
|
|
||||||
-------
|
- ``/var/log/dcmanager/dcmanager-api.log``
|
||||||
|
|
||||||
|
- ``/var/log/nfv-vim-api.log``
|
||||||
|
|
||||||
|
- ``/var/log/patching-api.log``
|
||||||
|
|
||||||
|
- ``/var/log/mtcAgent_api.log``
|
||||||
|
|
||||||
|
- ``/var/log/hwmond_api.log``
|
||||||
|
|
||||||
|
- ``/var/log/barbican/barbican-api.log``
|
||||||
|
|
||||||
|
.. only:: starlingx
|
||||||
|
|
||||||
|
You can examine the log files locally on the controllers.
|
||||||
|
|
||||||
|
.. only:: partner
|
||||||
|
|
||||||
|
.. include:: /_includes/operator-command-logging.rest
|
||||||
|
:start-after: begin-remote-log-server-options
|
||||||
|
:end-before: end-remote-log-server-options
|
||||||
|
|
||||||
|
|
||||||
.. _operator-command-logging-ul-plj-htv-1z:
|
For example, if the following command is issued:
|
||||||
|
|
||||||
- For the |prod| :command:`system` command, whenever a REST API call is
|
``system modify --description="TEST01 DESCRIPTION"``
|
||||||
made that is either a POST, PATCH, PUT, or DELETE, |prod| logs these events
|
|
||||||
into a new log file called /var/log/sysinv-api.log
|
The following log is generated in ``/var/log/sysinv-api.log``:
|
||||||
|
|
||||||
|
``sysinv 2022-03-09 11:03:46.238 108478 INFO sysinv.api.hooks.auditor [req-be0eb23d-c815-4bb7-938a-bfb8adba496b 76752e1b78b54f7b8409e2c54a6b6082 1ba4a349b9f941e0a5bd658df4e4d4f7] 192.168.204.2 "PATCH /v1/isystems/7b64c984-8b6e-42da-88e5-d9ee17c5178e HTTP/1.0" status: 200 len: 1151 time: 0.0395379066467 POST: [{u'path': u'/description', u'value': u'TEST01 DESCRIPTION', u'op': u'replace'}] host:192.168.204.1:6385 agent:Python-httplib2/0.9.2 (gzip) user: admin tenant: admin domain: Default``
|
||||||
|
|
||||||
|
REST API request methods that will be logged include:
|
||||||
|
|
||||||
|
``PATCH``
|
||||||
|
The resource is being partially updated.
|
||||||
|
|
||||||
|
``POST``
|
||||||
|
The resource is being created or fully updated.
|
||||||
|
|
||||||
|
``DELETE``
|
||||||
|
The resource is being deleted.
|
||||||
|
|
||||||
|
``PUT``
|
||||||
|
Similar to ``POST`` with the difference that ``PUT`` requests are
|
||||||
|
idempotent, that is, multiple ``PUT`` calls produce the same result.
|
||||||
|
|
||||||
|
|
||||||
- POST - means creating something
|
--------------------
|
||||||
|
SNMP Request Logging
|
||||||
|
--------------------
|
||||||
|
|
||||||
- PATCH - means partially updating \(modifying\) something
|
As the |SNMP| application is containerized, the logs of its commands are found
|
||||||
|
inside the container at file ``/var/log/snmpd.log``. Only basic information is
|
||||||
|
present in this log file, like command type, |SNMP| version and request status.
|
||||||
|
All |SNMP| requests are logged, including ``GET`` requests.
|
||||||
|
|
||||||
- PUT - means fully updating \(modifying\) something
|
For example, if the following command is issued:
|
||||||
|
|
||||||
- DELETE - means deleting something
|
``SNMP GET OID .iso.3.6.1.2.1.1.1.0``
|
||||||
|
|
||||||
|
It will return the value:
|
||||||
|
|
||||||
:command:`system modify --description="A TEST"` is logged to sysinv-api.log because it issues a REST POST call
|
``iso.3.6.1.2.1.1.1.0 = STRING: "22.02 5.10.74-200.1807.tis.el7.x86_64"``
|
||||||
|
|
||||||
:command:`system snmp-comm-delete "TEST_COMMUNITY1"` - is logged to sysinv-api.log because it issues a REST DELETE call
|
And the following log is generated in ``/var/log/snmpd.log`` inside the |SNMP|
|
||||||
|
container:
|
||||||
|
|
||||||
- If the :command:`sysinv` command only issues a REST GET call, it is not logged.
|
.. code-block:: none
|
||||||
|
|
||||||
|
|
||||||
- :command:`fm event-list` is not logged because this performs a sysinv REST GET call
|
|
||||||
|
|
||||||
- :command:`fm event-show<xx>` is not logged because this performs a sysinv REST GET call
|
|
||||||
|
|
||||||
|
|
||||||
- All SNMP Commands are logged, including GET, GETNEXT, GETBULK and SET commands. SNMP TRAPs are not logged.
|
|
||||||
|
|
||||||
|
snmp-auditor transport:udp remote:10.20.3.3 reqid:1367258771 msg-type:GET version:v3
|
||||||
|
snmp-auditor reqid:1367258771 oid:SNMPv2-MIB::sysDescr.0
|
||||||
|
snmp-auditor reqid:1367258771 oid:SNMPv2-MIB::sysDescr.0 status:pass
|
||||||
|
|
||||||
|
@ -9,14 +9,9 @@ Operator Login/Authentication Logging
|
|||||||
|prod| logs all operator login and authentication attempts.
|
|prod| logs all operator login and authentication attempts.
|
||||||
|
|
||||||
For security purposes, all login attempts \(success and failure\) are
|
For security purposes, all login attempts \(success and failure\) are
|
||||||
logged. This includes the Horizon Web interface and SSH logins as well as
|
logged. This includes the Horizon Web Interface logins, SSH logins, Local
|
||||||
internal local LDAP login attempts and internal database login attempts.
|
Console Logins and internal database login attempts.
|
||||||
|
|
||||||
SNMP authentication requests \(success and failure\) are logged with
|
|
||||||
operator commands \(see :ref:`Operator Command Logging
|
|
||||||
<operator-command-logging>`\). Authentication failures are logged
|
|
||||||
explicitly, whereas successful authentications are logged when the request
|
|
||||||
is logged.
|
|
||||||
|
|
||||||
The logs include the timestamp, user name, remote IP Address, and number of
|
The logs include the timestamp, user name, remote IP Address, and number of
|
||||||
failed login attempts \(if applicable\). They are located under the /var/log
|
failed login attempts \(if applicable\). They are located under the /var/log
|
||||||
@ -33,15 +28,19 @@ directory, and include the following:
|
|||||||
|
|
||||||
- /var/log/hostwd.log
|
- /var/log/hostwd.log
|
||||||
|
|
||||||
- /var/log/snmp-api.log
|
|
||||||
|
|
||||||
- /var/log/sysinv.log
|
- /var/log/sysinv.log
|
||||||
|
|
||||||
- /var/log/user.log
|
- /var/log/user.log
|
||||||
|
|
||||||
- /var/log/ima.log
|
- /var/log/ima.log
|
||||||
|
|
||||||
|
.. only:: partner
|
||||||
|
|
||||||
You can examine the log files locally on the controllers, or using a remote
|
.. include:: /_includes/operator-login-authentication-logging.rest
|
||||||
log server if the remote logging feature is configured.
|
:start-after: begin-remote-log-server-options
|
||||||
|
:end-before: end-remote-log-server-options
|
||||||
|
|
||||||
|
.. only:: starlingx
|
||||||
|
|
||||||
|
You can examine the log files locally on the controllers.
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user