Audit event logging for DAST config changes

Problem to solve

As the person responsible for the security scanning of my websites, I want to know when changes have been made to the DAST scan and site configs, so that I can know who made what changes.

Intended users

• Cameron (Compliance Manager)
• Parker (Product Manager)
• Delaney (Development Team Lead)
• Sasha (Software Developer)
• Devon (DevOps Engineer)
• Sidney (Systems Administrator)
• Sam (Security Analyst)
• Rachel (Release Manager)

User experience goal

The user should be able to go to the "Security & Compliance" => "Audit Events" section of their project and see anything that has been logged there, specifically, any changes to the DAST config profiles.

Proposal

The events that should be logged are:

• Creation of a new Scanner or Site profile
  • The "Action" should state that a new [Scanner/Site] profile was created
  • The "Target" should state the name of the new profile
• Deletion of a Scanner or Site profile
  • The "Action" should state that a [Scanner/Site] profile was deleted
  • The "Target" should state the name of the deleted profile
• Editing of a Scanner or Site profile
  • The "Action" should state that a [Scanner/Site] profile was edited
    • (Stretch) The Action should state what fields were changed and what the new selected options are
  • The "Target" should state the name of the edited profile
• Creation of a saved on-demand DAST test
  • The "Action" should state that a new on-demand DAST test was created
  • The "Target" should state the name of the new test
• Deletion of a saved on-demand DAST test
  • The "Action" should state that an on-demand DAST test was deleted
  • The "Target" should state the name of the deleted test
• Editing of a saved on-demand DAST test
  • The "Action" should state that an on-demand DAST test was edited
    • (Stretch) The Action should state what was changed (profile/branch/name) and what the new value is
  • The "Target" should state the name of the on-demand DAST test

Further details

Maintainer and owner roles should have access to see the audit events.

Documentation

• Update of the DAST docs to notify that all changes to the config profiles will be logged to the project Audit Event log.
• Update of docs describing the Audit event log to include the new changes that will be logged there.

Execution

Use AuditEventService#security_event to persist events for the DastSiteProfile, DastScannerProfile, and Dast::Profile models. This will involve adding a method for each of the objects to AuditEventService that can handle :create, :update, and :destroy events. The AuditEventService#for_member method can serve as a guide on how to structure the new methods.

AuditEventService#for_changes might be worth using for the Stretch goal of including details on the changes made during :update events.

• Use AuditEventService to log uses of DastScannerProfiles::CreateService, DastScannerProfiles::UpdateService, and DastScannerProfiles::DestroyService using the parameters defined in the Proposal
• Use AuditEventService to log uses of DastSiteProfiles::CreateService, DastSiteProfiles::UpdateService, and DastSiteProfiles::DestroyService using the parameters defined in the Proposal
• Use AuditEventService to log uses of Dast::Profiles::CreateService, Dast::Profiles::UpdateService, and Dast::Profiles::DestroyService using the parameters defined in the Proposal
• Update the documentation as mentioned in Documentation
• Stretch create one audit event for each field changed on the object, and specify the details using AuditEventService#for_changes so that users can see exactly what changed
• Stretch ~"technical debt" if possible, move the changed DAST services into the AppSec::Dast namespace