Skip to content

Spike: Proof of Concept for Security Policy Audit Events Implementation

Spike: Proof of Concept for Security Policy Audit Events Implementation

Current security policy management lacks comprehensive audit event tracking, making it difficult for security and compliance teams to monitor policy changes, enforcement failures, and violations. Based on the Security Policy Audit Events Epic, we need to explore how to implement a robust audit event system for security policy related events.

Objective

Create a proof of concept (PoC) for implementing audit events for security policy related activities, focusing on consolidating events at appropriate levels and providing meaningful context for security/compliance professionals.

Tasks (Time-boxed to 5 days)

  1. Analyze current audit event architecture and identify integration points for security policy events
  2. Design a schema for security policy audit events that includes:
    • Event type categorization (policy change, enforcement failure, violation detection)
    • Contextual metadata (policy type, affected resources, violation details)
    • User attribution information
  3. Implement prototype audit events for at least 3 key use cases:
    • Policy change events (creation, modification, deletion)
    • Policy enforcement failure events
    • Policy violation detection events
  4. Develop a solution for consolidating audit events at the policy project level rather than generating duplicate events across all affected projects
  5. Create a feature flag implementation plan for controlled rollout

Technical Considerations

  • Ensure compatibility with existing audit event infrastructure
  • Consider performance impact of additional audit event generation
  • Evaluate storage requirements for new audit event types
  • Design events to be filterable and searchable in the audit log UI
  • Consider how to handle cross-project/group policy relationships in audit events

Success Criteria

  • The PoC successfully demonstrates audit event generation for the selected use cases
  • Events provide sufficient context for security/compliance professionals to understand what happened
  • The implementation addresses the "noisy events" problem by consolidating events at appropriate levels
  • The approach is scalable to support all identified use cases in the Epic
  • Performance impact is minimal and within acceptable thresholds

Use Cases to Prototype (Select 3-5)

From the Epic's use cases:

  1. Generate consolidated audit events for policies created/managed at the group/sub-group level
  2. Generate specific audit events when policies are changed, indicating which policy was modified
  3. Generate audit events when policy violations are detected from MR approval policies
  4. Generate audit events when MR is merged with violations
  5. Generate audit events when a policy.yml becomes invalidated

Expected Deliverables

  • Working prototype code implementing the selected audit events
  • Documentation of the audit event schema and integration approach
  • Performance analysis of the implemented solution
  • Recommendations for full implementation approach
  • Identification of any technical challenges or limitations discovered
Edited by Alan (Maciej) Paruszewski