starlingx/docs
Code Issues Proposed changes

Security Audit Logging

Browse Source 
Continuation of changes made under https://review.opendev.org/c/starlingx/docs/+/832841
(abandoned)
Add conditional text about log access via controllers.
Patchset 3 review updates.
Add conditionalization.

Story: 2009824
Task: 45043

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: I4e9a1a9e0940ffc15a71cea954062d7c42a88e81
This commit is contained in:
Ron Stone 2022-04-25 15:05:14 -04:00
parent ff4caea8ec
commit d63e42ebeb
4 changed files with 91 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/source/_includes/operator-command-logging.rest Normal file
View File

@ -0,0 +1,3 @@
.. begin-remote-log-server-options
.. end-remote-log-server-options

5
doc/source/_includes/operator-login-authentication-logging.rest Normal file
View File

@ -0,0 +1,5 @@
.. begin-remote-log-server-options
.. end-remote-log-server-options

108
doc/source/security/kubernetes/operator-command-logging.rst
View File

@ -6,59 +6,97 @@
Operator Command Logging Operator Command Logging
======================== ========================
|prod| logs all REST API operator commands and SNMP commands. |prod| logs all StarlingX REST API operator commands, except commands that use
only GET requests. |prod| also logs all |SNMP| commands, including ``GET``
requests.
-------------------------------------------
StarlingX REST API Operator Command Logging
-------------------------------------------
The logs include the timestamp, tenant name \(if applicable\), user name, The logs include the timestamp, tenant name \(if applicable\), user name,
command executed, and command status \(success or failure\). command executed, and command status \(success or failure\).
The files are located under the /var/log directory, and are named using the The files are located under the ``/var/log`` directory and are named using the
convention \*-api.log. Each component that generates its own API log files convention ``*api.log``. The list of log files is presented below.
\(for example, Keystone, Barbican, and so forth\) and each |prod| /
StarlingX -specific component, updating \(patching\) system, and SNMP agent
follows, this convention.
You can examine the log files locally on the controllers, or using a remote
log server if the remote logging feature is configured. The one exception is
patching-api.log. For updating robustness, the |prod| updating system uses
minimal system facilities and does not use **syslog**. Therefore its logs
are not available on a remote log server.
.. _operator-command-logging-section-N10047-N10023-N10001: - ``/var/log/sysinv-api.log``
------- - ``/var/log/fm-api.log``
Remarks
------- - ``/var/log/dcmanager/dcmanager-api.log``
- ``/var/log/nfv-vim-api.log``
- ``/var/log/patching-api.log``
- ``/var/log/mtcAgent_api.log``
- ``/var/log/hwmond_api.log``
- ``/var/log/barbican/barbican-api.log``
.. only:: starlingx
You can examine the log files locally on the controllers.
.. only:: partner
.. include:: /_includes/operator-command-logging.rest
:start-after: begin-remote-log-server-options
:end-before: end-remote-log-server-options
.. _operator-command-logging-ul-plj-htv-1z: For example, if the following command is issued:
- For the |prod| :command:`system` command, whenever a REST API call is ``system modify --description="TEST01 DESCRIPTION"``
made that is either a POST, PATCH, PUT, or DELETE, |prod| logs these events
into a new log file called /var/log/sysinv-api.log The following log is generated in ``/var/log/sysinv-api.log``:
``sysinv 2022-03-09 11:03:46.238 108478 INFO sysinv.api.hooks.auditor [req-be0eb23d-c815-4bb7-938a-bfb8adba496b 76752e1b78b54f7b8409e2c54a6b6082 1ba4a349b9f941e0a5bd658df4e4d4f7] 192.168.204.2 "PATCH /v1/isystems/7b64c984-8b6e-42da-88e5-d9ee17c5178e HTTP/1.0" status: 200 len: 1151 time: 0.0395379066467 POST: [{u'path': u'/description', u'value': u'TEST01 DESCRIPTION', u'op': u'replace'}] host:192.168.204.1:6385 agent:Python-httplib2/0.9.2 (gzip) user: admin tenant: admin domain: Default``
REST API request methods that will be logged include:
``PATCH``
The resource is being partially updated.
``POST``
The resource is being created or fully updated.
``DELETE``
The resource is being deleted.
``PUT``
Similar to ``POST`` with the difference that ``PUT`` requests are
idempotent, that is, multiple ``PUT`` calls produce the same result.
- POST - means creating something --------------------
SNMP Request Logging
--------------------
- PATCH - means partially updating \(modifying\) something As the |SNMP| application is containerized, the logs of its commands are found
inside the container at file ``/var/log/snmpd.log``. Only basic information is
present in this log file, like command type, |SNMP| version and request status.
All |SNMP| requests are logged, including ``GET`` requests.
- PUT - means fully updating \(modifying\) something For example, if the following command is issued:
- DELETE - means deleting something ``SNMP GET OID .iso.3.6.1.2.1.1.1.0``
It will return the value:
:command:`system modify --description="A TEST"` is logged to sysinv-api.log because it issues a REST POST call ``iso.3.6.1.2.1.1.1.0 = STRING: "22.02 5.10.74-200.1807.tis.el7.x86_64"``
:command:`system snmp-comm-delete "TEST_COMMUNITY1"` - is logged to sysinv-api.log because it issues a REST DELETE call And the following log is generated in ``/var/log/snmpd.log`` inside the |SNMP|
container:
- If the :command:`sysinv` command only issues a REST GET call, it is not logged. .. code-block:: none
- :command:`fm event-list` is not logged because this performs a sysinv REST GET call
- :command:`fm event-show<xx>` is not logged because this performs a sysinv REST GET call
- All SNMP Commands are logged, including GET, GETNEXT, GETBULK and SET commands. SNMP TRAPs are not logged.
snmp-auditor transport:udp remote:10.20.3.3 reqid:1367258771 msg-type:GET version:v3
snmp-auditor reqid:1367258771 oid:SNMPv2-MIB::sysDescr.0
snmp-auditor reqid:1367258771 oid:SNMPv2-MIB::sysDescr.0 status:pass

21
doc/source/security/kubernetes/operator-login-authentication-logging.rst
View File

@ -9,14 +9,9 @@ Operator Login/Authentication Logging
|prod| logs all operator login and authentication attempts. |prod| logs all operator login and authentication attempts.
For security purposes, all login attempts \(success and failure\) are For security purposes, all login attempts \(success and failure\) are
logged. This includes the Horizon Web interface and SSH logins as well as logged. This includes the Horizon Web Interface logins, SSH logins, Local
internal local LDAP login attempts and internal database login attempts. Console Logins and internal database login attempts.
SNMP authentication requests \(success and failure\) are logged with
operator commands \(see :ref:`Operator Command Logging
<operator-command-logging>`\). Authentication failures are logged
explicitly, whereas successful authentications are logged when the request
is logged.
The logs include the timestamp, user name, remote IP Address, and number of The logs include the timestamp, user name, remote IP Address, and number of
failed login attempts \(if applicable\). They are located under the /var/log failed login attempts \(if applicable\). They are located under the /var/log
@ -33,15 +28,19 @@ directory, and include the following:
- /var/log/hostwd.log - /var/log/hostwd.log
- /var/log/snmp-api.log
- /var/log/sysinv.log - /var/log/sysinv.log
- /var/log/user.log - /var/log/user.log
- /var/log/ima.log - /var/log/ima.log
.. only:: partner
You can examine the log files locally on the controllers, or using a remote .. include:: /_includes/operator-login-authentication-logging.rest
log server if the remote logging feature is configured. :start-after: begin-remote-log-server-options
:end-before: end-remote-log-server-options
.. only:: starlingx
You can examine the log files locally on the controllers.