Real-time monitoring of current git clone/pull activity
PM note: We will likely serve this type of content with webhook-based audit events. This content will not appear in our current audit logs, due to the high volume of activity it would generate. We wrote a little more about this in our direction page.
Background
A customer prospect supports an instance of GitHub and Jenkins where users often hammer their GitHub systems with repeated git clones/pulls. The admins of this instance want to be able to monitor which users are doing this activity in real time. Currently they use netstat to get an idea of where all these connections are coming from.
Job to be done (draft)
When Sam (Security Analyst) is trying to anticipate a potential threat, they want to be able to proactively identify users that are impacting their repositories, so that they can investigate the data from them.
Proposal
This relates a bit to the audit logging in https://gitlab.com/gitlab-org/gitlab-ee/issues/579, but not completely.
Right now some people monitor their gitlab-shell logs and track git clone activity that way. For example, someone wrote this tool, which requires modification of GitLab: https://github.com/kfei/gitlab-auditor. We should perhaps consider building this into the product.
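As an added illustration of the log-monitoring approach mentioned above (not code from this issue or from gitlab-auditor), the sketch below counts clone/pull (git-upload-pack) events per SSH key in a sliding window and reports keys that reach a threshold. The log line shape in LINE_RE, the names heavy_fetchers and SAMPLE, and the 60-second/3-event defaults are assumptions; the sample lines are constructed, and the output identifies key IDs rather than usernames.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMPTION: plain-text gitlab-shell.log line shape; adjust LINE_RE to your version.
LINE_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+ #\d+\]\s+INFO -- : "
    r"gitlab-shell: executing git command <git-upload-pack (?P<repo>\S+)> "
    r"for user with key (?P<key>key-\d+)\."
)

def heavy_fetchers(lines, window=timedelta(seconds=60), threshold=3):
    """Return {key_id: peak clone/pull count within `window`} for keys that
    reach `threshold`. Lines must be in chronological order (append-only log)."""
    recent = defaultdict(deque)    # key id -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue               # pushes (git-receive-pack) and unrelated lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        q = recent[m["key"]]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["key"]] = max(peaks.get(m["key"], 0), len(q))
    return peaks

# Constructed sample lines (not real log data), in chronological order.
_FMT = ("I, [2016-03-01T{t}.000001 #4242]  INFO -- : gitlab-shell: executing git "
        "command <{cmd} /repos/{repo}.git> for user with key {key}.")
SAMPLE = [_FMT.format(t=t, cmd=c, repo=r, key=k) for t, c, r, k in [
    ("10:00:01", "git-upload-pack", "ci/app", "key-7"),
    ("10:00:02", "git-upload-pack", "ops/infra", "key-3"),
    ("10:00:05", "git-upload-pack", "ci/app", "key-7"),
    ("10:00:07", "git-upload-pack", "web/site", "key-9"),
    ("10:00:09", "git-upload-pack", "ci/app", "key-7"),
    ("10:00:12", "git-receive-pack", "ci/app", "key-7"),   # a push, ignored
    ("10:00:20", "git-upload-pack", "ci/app", "key-7"),
    ("10:02:30", "git-upload-pack", "ops/infra", "key-3"),
    ("10:05:00", "git-upload-pack", "ops/infra", "key-3"),
]]

if __name__ == "__main__":
    for key, peak in heavy_fetchers(SAMPLE).items():
        print(f"{key}: {peak} clones/pulls within 60s")
```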