[New Audit Event] Audit events for streaming audit event filtering changes

Audit need

Changing the filtering settings on streaming audit events is a potentially disruptive operation. It should be recorded as an audit event for later review and auditing.

Proposal

Create a new audit event whenever changes are made to the events being filtered for streaming audit events.

Implementation Plan

For the create action audit event:

  1. Log the audit event inside https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/audit_events/streaming/event_type_filters/create_service.rb using the Auditor module.
  2. Write specs.

For the delete action audit event:

  1. Log the audit event inside https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/audit_events/streaming/event_type_filters/destroy_service.rb
  2. Write specs.

Verification Process

  1. Create event type filters (https://docs.gitlab.com/ee/administration/audit_event_streaming.html#event-type-filters):

     mutation createEventTypeFilter {
       auditEventsStreamingDestinationEventsAdd(input: {
         destinationId: "GID",
         eventTypeFilters: ["filter_1", "filter_2"]
       }){
         errors
         eventTypeFilters
       }
     }

  2. Remove the created event type filters:

     mutation removeEventTypeFilter {
       auditEventsStreamingDestinationEventsRemove(input: {
         destinationId: "GID",
         eventTypeFilters: ["filter_1", "filter_2"]
       }){
         errors
       }
     }

  3. Check gdk_host/admin/audit_logs for the audit events created.

  4. Verify that the audit events are created and streamed with the correct attributes.

Sample audit events
{
                    :id => 564377,
             :author_id => 1,
             :entity_id => 31,
           :entity_type => "Group",
               :details => {
               :author_name => "Administrator",
              :author_class => "User",
                 :target_id => 1,
               :target_type => "AuditEvents::ExternalAuditEventDestination",
            :target_details => "https://hsandhu.requestcatcher.com/",
            :custom_message => "Created audit event type filter(s): filter1 and filter2",
                :ip_address => "127.0.0.1",
               :entity_path => "flightjs"
        },
            :ip_address => "127.0.0.1",
           :author_name => "Administrator",
           :entity_path => "flightjs",
        :target_details => "https://hsandhu.requestcatcher.com/",
            :created_at => Tue, 28 Feb 2023 12:31:24.985605000 UTC +00:00,
           :target_type => "AuditEvents::ExternalAuditEventDestination",
             :target_id => 1
    }
{
                :id => 564388,
         :author_id => 1,
         :entity_id => 31,
       :entity_type => "Group",
           :details => {
           :author_name => "Administrator",
          :author_class => "User",
             :target_id => 1,
           :target_type => "AuditEvents::ExternalAuditEventDestination",
        :target_details => "https://hsandhu.requestcatcher.com/",
        :custom_message => "Deleted audit event type filter(s): repository_download_operation",
            :ip_address => "127.0.0.1",
           :entity_path => "flightjs"
    },
        :ip_address => "127.0.0.1",
       :author_name => "Administrator",
       :entity_path => "flightjs",
    :target_details => "https://hsandhu.requestcatcher.com/",
        :created_at => Mon, 06 Mar 2023 13:47:49.393773000 UTC +00:00,
       :target_type => "AuditEvents::ExternalAuditEventDestination",
         :target_id => 1
}
Edited by Harsimar Sandhu
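
A review-side check for these events, as an added example that is not part of the original issue or GitLab's own code: it scans exported audit events and reports every change to a streaming destination's event type filters. The JSON-lines encoding, the sample lines (constructed from the field names shown above) and the sentence-style joining of filter names are assumptions.

```ruby
require 'json'

# Constructed sample input: one JSON object per line, using the field names
# from the sample audit events above (the JSON-lines encoding is an assumption).
SAMPLE_EVENTS = <<~JSONL
  {"id":564377,"entity_type":"Group","created_at":"2023-02-28T12:31:24Z","details":{"author_name":"Administrator","target_type":"AuditEvents::ExternalAuditEventDestination","target_details":"https://hsandhu.requestcatcher.com/","custom_message":"Created audit event type filter(s): filter1 and filter2","entity_path":"flightjs"}}
  {"id":564388,"entity_type":"Group","created_at":"2023-03-06T13:47:49Z","details":{"author_name":"Administrator","target_type":"AuditEvents::ExternalAuditEventDestination","target_details":"https://hsandhu.requestcatcher.com/","custom_message":"Deleted audit event type filter(s): repository_download_operation","entity_path":"flightjs"}}
  {"id":564389,"entity_type":"Group","created_at":"2023-03-06T13:50:00Z","details":{"author_name":"Administrator","target_type":"User","custom_message":"Unrelated constructed event","entity_path":"flightjs"}}
  {"id":564390,"details":
JSONL

DESTINATION_TYPE = 'AuditEvents::ExternalAuditEventDestination'
FILTER_CHANGE = /\A(Created|Deleted) audit event type filter\(s\): (.+)\z/
# Assumption: filter names are joined in sentence form ("a and b", "a, b, and c").
LIST_SEPARATOR = /\s*,\s*(?:and\s+)?|\s+and\s+/

# Returns one hash per filter change; skips blank, malformed and unrelated lines.
def filter_changes(jsonl)
  jsonl.each_line.filter_map do |line|
    event = begin
      JSON.parse(line)
    rescue JSON::ParserError
      nil # truncated or non-JSON line: ignore it rather than abort the scan
    end
    details = event['details'] if event.is_a?(Hash)
    next unless details.is_a?(Hash) && details['target_type'] == DESTINATION_TYPE

    match = FILTER_CHANGE.match(details['custom_message'].to_s)
    next unless match

    { action: match[1].downcase.to_sym,
      filters: match[2].split(LIST_SEPARATOR),
      destination: details['target_details'],
      author: details['author_name'],
      entity: details['entity_path'],
      at: event['created_at'] }
  end
end

# One report line per change: when, who, what, and on which destination.
filter_changes(SAMPLE_EVENTS).each do |c|
  puts "#{c[:at]} #{c[:author]} #{c[:action]} #{c[:filters].join(',')} " \
       "on #{c[:destination]} (#{c[:entity]})"
end
```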