Detailed Admin Mode & Impersonations Audit Event Streaming
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Release notes
In this release, we have improved GitLab's ability to stream audit event data associated with Admin Mode as well as when a user is impersonated by an administrator. Prior to this release, GitLab enabled audit event streaming for each time a user elevated their access to admin and when they ended the admin session. Now, GitLab can stream audit events associated with each action that was taken by the user after they elevated to their administrative privileges. We have also improved the ability to correlate actions of a user that has elevated to admin mode over time.
Problem to solve
Having information on what someone is doing while in admin mode is crucial: what exactly is a user doing while using admin mode? This information is unfortunately limited to seeing that a user has elevated to admin. Improving the detail of the logging activity would go a long way in identifying malicious or erroneous behavior by a user that is leveraging admin mode. Including context like project name, action taken, etc would go a long way in meeting NIST SP 800-53 standards including AU-6 and AU-7. This same concept should also apply to actions undertaken during user impersonations.
The other limitation of the current logging of admin mode activity is associated with the correlation ID. When initial admin escalation occurs, the correlation ID must stay static with all of the admin activity and provide details as to what is happening.
Keeping a consistent correlation ID would make it possible to correlate activity for a specific user under admin mode across time. This greatly improves the ability for security and/or compliance staff to understand actions taken over time by a specific user.
Intended users
- Cameron (Compliance Manager)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
Feature Usage Metrics
Having the ability to track if Audit Event Streaming associated with Admin Mode and Impersonations would be very helpful.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.