[New Audit Event] Audit events for streaming audit event filtering changes
Audit need
Changing the filtering settings on streaming audit events is a potentially disruptive operation. It should be recorded as an audit event for later review and auditing.
Proposal
Create a new audit event whenever changes are made to the events being filtered for streaming audit events.
Implementation Plan
For the create action
audit event:
- log audit event inside https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/audit_events/streaming/event_type_filters/create_service.rb using the Auditor module.
- Write Specs
For the delete action
audit event:
- log audit event inside https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/audit_events/streaming/event_type_filters/destroy_service.rb
- Write Specs.
Verification Process
- create event type filters https://docs.gitlab.com/ee/administration/audit_event_streaming.html#event-type-filters
mutation createEventTypeFilter {
auditEventsStreamingDestinationEventsAdd(input: {
destinationId: "GID",
eventTypeFilters: ["filter_1", "filter_2"]
}){
errors
eventTypeFilters
}
}
- remove the created event type filters
mutation removeEventTypeFilter {
auditEventsStreamingDestinationEventsRemove(input: {
destinationId: "GID",
eventTypeFilters: ["filter_1", "filter_2"]
}){
errors
}
}
-
Check
gdk_host/admin/audit_logs
for audit events created. -
verify audit event and streamed with correct attributes.
Sample audit events
{
:id => 564377,
:author_id => 1,
:entity_id => 31,
:entity_type => "Group",
:details => {
:author_name => "Administrator",
:author_class => "User",
:target_id => 1,
:target_type => "AuditEvents::ExternalAuditEventDestination",
:target_details => "https://hsandhu.requestcatcher.com/",
:custom_message => "Created audit event type filter(s): filter1 and filter2",
:ip_address => "127.0.0.1",
:entity_path => "flightjs"
},
:ip_address => "127.0.0.1",
:author_name => "Administrator",
:entity_path => "flightjs",
:target_details => "https://hsandhu.requestcatcher.com/",
:created_at => Tue, 28 Feb 2023 12:31:24.985605000 UTC +00:00,
:target_type => "AuditEvents::ExternalAuditEventDestination",
:target_id => 1
}
{
:id => 564388,
:author_id => 1,
:entity_id => 31,
:entity_type => "Group",
:details => {
:author_name => "Administrator",
:author_class => "User",
:target_id => 1,
:target_type => "AuditEvents::ExternalAuditEventDestination",
:target_details => "https://hsandhu.requestcatcher.com/",
:custom_message => "Deleted audit event type filter(s): repository_download_operation",
:ip_address => "127.0.0.1",
:entity_path => "flightjs"
},
:ip_address => "127.0.0.1",
:author_name => "Administrator",
:entity_path => "flightjs",
:target_details => "https://hsandhu.requestcatcher.com/",
:created_at => Mon, 06 Mar 2023 13:47:49.393773000 UTC +00:00,
:target_type => "AuditEvents::ExternalAuditEventDestination",
:target_id => 1
}
Edited by Harsimar Sandhu