  • #217872
Closed
Open
Created May 14, 2020 by Derek Ferguson@derekfergusonDeveloper2 of 6 tasks completed2/6 tasks

Audit event logging for DAST config changes

Problem to solve

As the person responsible for the security scanning of my websites, I want to know when changes have been made to the DAST scanner and site configuration profiles, so that I can see who changed what, and when.

Intended users

  • Cameron (Compliance Manager)
  • Parker (Product Manager)
  • Delaney (Development Team Lead)
  • Sasha (Software Developer)
  • Devon (DevOps Engineer)
  • Sidney (Systems Administrator)
  • Sam (Security Analyst)
  • Rachel (Release Manager)

User experience goal

The user should be able to go to the "Security & Compliance" => "Audit Events" section of their project and see everything that has been logged there, in particular any changes to the DAST configuration profiles.

Proposal

The events that should be logged are:

  • Creation of a new Scanner or Site profile
    • The "Action" should state that a new [Scanner/Site] profile was created
    • The "Target" should state the name of the new profile
  • Deletion of a Scanner or Site profile
    • The "Action" should state that a [Scanner/Site] profile was deleted
    • The "Target" should state the name of the deleted profile
  • Editing of a Scanner or Site profile
    • The "Action" should state that a [Scanner/Site] profile was edited
      • (Stretch) The Action should state what fields were changed and what the new selected options are
    • The "Target" should state the name of the edited profile
  • Creation of a saved on-demand DAST test
    • The "Action" should state that a new on-demand DAST test was created
    • The "Target" should state the name of the new test
  • Deletion of a saved on-demand DAST test
    • The "Action" should state that an on-demand DAST test was deleted
    • The "Target" should state the name of the deleted test
  • Editing of a saved on-demand DAST test
    • The "Action" should state that an on-demand DAST test was edited
      • (Stretch) The Action should state what was changed (profile/branch/name) and what the new value is
    • The "Target" should state the name of the on-demand DAST test

Further details

Maintainer and owner roles should have access to see the audit events.

Documentation

  • Update the DAST docs to state that all changes to the configuration profiles are logged to the project's Audit Events log.
  • Update the docs describing the Audit Events log to include the new events that will be logged there.

Execution

Use AuditEventService#security_event to persist events for the DastSiteProfile, DastScannerProfile, and Dast::Profile models. This will involve adding a method for each of the objects to AuditEventService that can handle :create, :update, and :destroy events. The AuditEventService#for_member method can serve as a guide on how to structure the new methods.

AuditEventService#for_changes might be worth using for the Stretch goal of including details on the changes made during :update events.

  • Use AuditEventService to log uses of DastScannerProfiles::CreateService, DastScannerProfiles::UpdateService, and DastScannerProfiles::DestroyService using the parameters defined in the Proposal
  • Use AuditEventService to log uses of DastSiteProfiles::CreateService, DastSiteProfiles::UpdateService, and DastSiteProfiles::DestroyService using the parameters defined in the Proposal
  • Use AuditEventService to log uses of Dast::Profiles::CreateService, Dast::Profiles::UpdateService, and Dast::Profiles::DestroyService using the parameters defined in the Proposal
  • Update the documentation as mentioned in Documentation
  • (Stretch) Create one audit event for each field changed on the object, and record the details using AuditEventService#for_changes so that users can see exactly what changed.
  • (Stretch, ~"technical debt") If possible, move the changed DAST services into the AppSec::Dast namespace.
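The following Ruby block is an added illustration for this issue, not GitLab's own code: it models the events the Proposal asks for (an "Action" naming the object type and verb, a "Target" naming the profile or test) for the three models listed under Execution, and the stretch goal of one event per changed field with old and new values. The module, method and constant names (DastAuditEvents, build_event, change_events, format_row, SENSITIVE_FIELDS) are hypothetical; the real AuditEventService#security_event and #for_changes signatures are not reproduced. The sample data is constructed.

```ruby
# Added illustration, not GitLab code: a minimal, self-contained model of the
# audit events described in the Proposal. All names here are hypothetical.
require 'time'

module DastAuditEvents
  # The three models named under Execution, mapped to the wording the
  # Proposal wants in the "Action" column.
  ENTITY_LABELS = {
    'DastScannerProfile' => 'DAST scanner profile',
    'DastSiteProfile'    => 'DAST site profile',
    'Dast::Profile'      => 'on-demand DAST test' # Dast::Profile backs a saved on-demand test
  }.freeze

  ACTION_VERBS = { create: 'created', update: 'edited', destroy: 'deleted' }.freeze

  # Assumption, not from the issue: fields whose change should be audited
  # without writing the old or new value into the log.
  SENSITIVE_FIELDS = %i[auth_password].freeze
  REDACTED = '[redacted]'.freeze

  # One audit event with the "Action" and "Target" fields from the Proposal,
  # plus the author and timestamp that make the entry answer "who and when".
  def self.build_event(author:, entity_type:, name:, action:, at: Time.now.utc)
    label = ENTITY_LABELS.fetch(entity_type) { raise ArgumentError, "not a DAST config model: #{entity_type}" }
    verb  = ACTION_VERBS.fetch(action) { raise ArgumentError, "unknown action: #{action}" }
    {
      author: author,
      entity_type: entity_type,
      action: "#{label} #{verb}", # e.g. "DAST site profile created"
      target: name,
      created_at: at.iso8601
    }
  end

  # Stretch goal from Execution: on :update, emit one event per changed field,
  # each carrying the field name and its old and new values. `before` and
  # `after` are attribute hashes of the same record. Returns [] when nothing
  # changed, so a no-op save does not produce a misleading "edited" entry.
  def self.change_events(author:, entity_type:, name:, before:, after:, at: Time.now.utc)
    base = build_event(author: author, entity_type: entity_type, name: name, action: :update, at: at)
    (before.keys | after.keys).each_with_object([]) do |field, events|
      next if before[field] == after[field]

      from, to = before[field], after[field]
      from, to = REDACTED, REDACTED if SENSITIVE_FIELDS.include?(field)
      events << base.merge(
        action: "#{base[:action]}: #{field} changed",
        change: field.to_s,
        from: from,
        to: to
      )
    end
  end

  # Renders an event the way the Audit Events page lists it:
  # Author | Action | Target | Date, with the value change appended for field events.
  def self.format_row(event)
    row = [event[:author], event[:action], event[:target], event[:created_at]]
    row[1] = "#{row[1]} (#{event[:from].inspect} -> #{event[:to].inspect})" if event.key?(:change)
    row.join(' | ')
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data; nothing below touches a real GitLab instance.
  at = Time.utc(2020, 5, 14, 12, 0, 0)
  puts DastAuditEvents.format_row(
    DastAuditEvents.build_event(author: 'derek', entity_type: 'DastSiteProfile', name: 'Staging site', action: :create, at: at)
  )
  DastAuditEvents.change_events(
    author: 'derek', entity_type: 'Dast::Profile', name: 'Nightly scan', at: at,
    before: { branch_name: 'master', dast_scanner_profile: 'Passive' },
    after:  { branch_name: 'main',   dast_scanner_profile: 'Active' }
  ).each { |e| puts DastAuditEvents.format_row(e) }
end
```

Two points a reviewer of the real implementation would want to check that the sketch makes explicit: an update that changes nothing should not write an "edited" event, and per-field events must not copy secret values (the SENSITIVE_FIELDS list is an assumption here; whatever fields a site profile eventually holds, the audit log should record that they changed, not what they changed to).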
Edited May 22, 2021 by Avielle Wolfe