Capture instance configuration changes as an audit event
Problem to solve
We're adding the ability to prohibit admin impersonation in https://gitlab.com/gitlab-org/gitlab-ce/issues/40385. Changes to such a configuration setting are significant events, and currently changes to gitlab.rb and config/gitlab.yml are only tracked in git.
When important changes are made to an instance's configuration settings, we should consider capturing these as an audit event (https://docs.gitlab.com/ee/administration/audit_events.html). This would mean that these changes would get surfaced in the audit_events table and in the structured audit_json.log, making monitoring for these important changes elsewhere like Elasticsearch much easier.
Proposal
- Save state of gitlab.rb and config/gitlab.yml.
- On boot, compare new state of the above to saved state. Log changes.
- No need to log everything if there's no saved state.
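
A sketch of the proposed boot-time comparison, added here as an illustration and not GitLab's own code. It assumes YAML input only (so config/gitlab.yml, not gitlab.rb), uses constructed key names and a hypothetical event shape, and logs value fingerprints instead of raw values on the assumption that configuration can contain secrets.

```ruby
require 'yaml'
require 'json'
require 'digest'

# Flatten nested config into {"production.gitlab.some_key" => value}.
def flatten_config(node, prefix = nil, out = {})
  if node.is_a?(Hash)
    node.each { |k, v| flatten_config(v, [prefix, k].compact.join('.'), out) }
  else
    out[prefix] = node
  end
  out
end

# Short fingerprint so the audit log shows that a value changed, not the value.
def fingerprint(value)
  Digest::SHA256.hexdigest(value.to_json)[0, 12]
end

# One event hash per added/removed/changed key; [] when there is no saved state.
def config_audit_events(saved_yaml, current_yaml, file:)
  return [] if saved_yaml.nil?

  old = flatten_config(YAML.safe_load(saved_yaml) || {})
  cur = flatten_config(YAML.safe_load(current_yaml) || {})
  (old.keys | cur.keys).sort.filter_map do |key|
    next if old.key?(key) == cur.key?(key) && old[key] == cur[key]

    action = if !old.key?(key) then 'added'
             elsif !cur.key?(key) then 'removed'
             else 'changed'
             end
    { 'event' => 'instance_config_change', 'file' => file, 'key' => key,
      'action' => action,
      'from' => old.key?(key) ? fingerprint(old[key]) : nil,
      'to' => cur.key?(key) ? fingerprint(cur[key]) : nil }
  end
end

# Constructed sample input (key names are illustrative, not a real configuration).
SAVED   = 'production: { gitlab: { impersonation_enabled: false } }'
CURRENT = 'production: { gitlab: { impersonation_enabled: true, signup_enabled: false } }'

# One JSON object per line, the shape a structured log shipper can ingest.
config_audit_events(SAVED, CURRENT, file: 'config/gitlab.yml').each { |e| puts e.to_json }
```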