
Add UnauthenticatedSecurityEventAuditor for failed login events

What does this MR do and why?

  1. Remove the method for_failed_login from AuditEventService, as it is no longer used, together with its RSpec tests.
  2. Create UnauthenticatedSecurityEventAuditor to log unauthenticated login audit events through Gitlab::Audit::Auditor and enable streaming for them. They were not streamed before because they went through AuditEventService, which is a deprecated way of logging audit events.
  3. There is no difference in the audit log UI, apart from the fact that for an incorrect email/password we now log the scope as the GitLab instance.

Difference in database

Failed login due to incorrect email or password

Before
-[ RECORD 1 ]--+--------------------------------
id             | 739
author_id      | -1
entity_id      | -1
entity_type    | User
details        | ---                            +
               | :failed_login: STANDARD        +
               | :author_name: victim@bar.com   +
               | :target_details: victim@bar.com+
               | :ip_address: 127.0.0.1         +
               | :entity_path:                  +
               |
ip_address     | 127.0.0.1
author_name    | victim@bar.com
entity_path    |
target_details | victim@bar.com
created_at     | 2023-08-17 11:37:03.246864
target_type    |
target_id      |

After
id             | 731
author_id      | -1
entity_id      | 1
entity_type    | Gitlab::Audit::InstanceScope
details        | ---                                                          +
               | :failed_login: STANDARD                                      +
               | :author_name: victim@bar.com                                 +
               | :author_class: Gitlab::Audit::UnauthenticatedAuthor          +
               | :target_id: -1                                               +
               | :target_type: Gitlab::Audit::UnauthenticatedAuthor           +
               | :target_details: victim@bar.com                              +
               | :custom_message: Failed to login with STANDARD authentication+
               | :ip_address: 127.0.0.1                                       +
               | :entity_path: gitlab_instance                                +
               |
ip_address     | 127.0.0.1
author_name    | victim@bar.com
entity_path    | gitlab_instance
target_details | victim@bar.com
created_at     | 2023-08-17 11:25:52.549725
target_type    | Gitlab::Audit::UnauthenticatedAuthor
target_id      | -1

Failed login due to incorrect OTP

Before
-[ RECORD 1 ]--+--------------------------------
id             | 713
author_id      | 10
entity_id      | 10
entity_type    | User
details        | ---                            +
               | :failed_login: OTP             +
               | :author_name: Torie Cummings   +
               | :target_details: Torie Cummings+
               | :ip_address: 127.0.0.1         +
               | :entity_path: terrance         +
               |
ip_address     | 127.0.0.1
author_name    | Torie Cummings
entity_path    | terrance
target_details | Torie Cummings
created_at     | 2023-08-11 11:09:05.004076
target_type    |
target_id      |

After
-[ RECORD 1 ]--+---------------------------------------------------------
id             | 714
author_id      | 10
entity_id      | 10
entity_type    | User
details        | ---                                                     +
               | :failed_login: OTP                                      +
               | :author_name: Torie Cummings                            +
               | :author_class: User                                     +
               | :target_id: 10                                          +
               | :target_type: User                                      +
               | :target_details: Torie Cummings                         +
               | :custom_message: Failed to login with OTP authentication+
               | :ip_address: 127.0.0.1                                  +
               | :entity_path: terrance                                  +
               |
ip_address     | 127.0.0.1
author_name    | Torie Cummings
entity_path    | terrance
target_details | Torie Cummings
created_at     | 2023-08-11 11:09:05.015269
target_type    | User
target_id      | 10
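The After records carry the IP address, the target, the authentication method and the author class together, which is what a downstream consumer of the streamed events needs for a simple repeated-failure check. The following is an added example and not GitLab's code: the rows and timestamps are constructed to match the record shape above, and the threshold and window are arbitrary choices.

```ruby
require 'yaml'
require 'time'

# Constructed sample rows modelled on the "After" audit_events records in this MR.
# The details column holds the YAML that GitLab stores (symbol keys). Not real data.
def sample_row(created_at, ip, target, method, author_class)
  details = <<~YAML
    ---
    :failed_login: #{method}
    :author_class: #{author_class}
    :target_details: #{target}
    :custom_message: Failed to login with #{method} authentication
    :ip_address: #{ip}
  YAML
  { created_at: Time.parse(created_at), ip_address: ip, details: details }
end

UNAUTH = 'Gitlab::Audit::UnauthenticatedAuthor'
SAMPLE_ROWS = [
  sample_row('2023-08-17 11:25:52', '127.0.0.1', 'victim@bar.com', 'STANDARD', UNAUTH),
  sample_row('2023-08-17 11:26:10', '127.0.0.1', 'victim@bar.com', 'STANDARD', UNAUTH),
  sample_row('2023-08-17 11:27:41', '127.0.0.1', 'victim@bar.com', 'STANDARD', UNAUTH),
  sample_row('2023-08-17 11:28:03', '10.0.0.9',  'victim@bar.com', 'STANDARD', UNAUTH),
  sample_row('2023-08-11 11:09:05', '127.0.0.1', 'Torie Cummings', 'OTP', 'User')
].freeze

# Parse the details YAML the way a consumer of these events would.
# Symbol must be permitted explicitly because the keys are serialised as :symbols.
def parse_details(row)
  YAML.safe_load(row[:details], permitted_classes: [Symbol])
end

# Return the (ip, target, method) triples that have at least `threshold` failed
# logins inside any `window` seconds. Each key is checked over a sliding window
# of `threshold` consecutive timestamps, so a slow trickle is not flagged.
def repeated_failures(rows, threshold: 3, window: 300)
  by_key = Hash.new { |h, k| h[k] = [] }
  rows.each do |row|
    d = parse_details(row)
    next unless d[:failed_login] # only failed-login audit events count
    by_key[[row[:ip_address], d[:target_details], d[:failed_login]]] << row[:created_at]
  end
  by_key.select do |_, times|
    times.sort.each_cons(threshold).any? { |win| win.last - win.first <= window }
  end.keys
end

puts repeated_failures(SAMPLE_ROWS).inspect if $PROGRAM_NAME == __FILE__
```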

Screenshots or screen recordings


Before       | After        | Diff
[screenshot] | [screenshot] | Scope changed from "(removed)" to "gitlab_instance"
[screenshot] | [screenshot] | No diff on UI

How to set up and validate locally


  1. Ensure you have a GitLab Ultimate license on your GDK.
  2. Add a streaming destination (e.g. Pipedream) as an instance-level streaming destination. Follow the steps in the doc.
  3. Log out of GDK and try to log in with an incorrect password.
  4. Ensure that a streaming event with the correct payload is sent to the streaming destination added earlier.
  5. Log in with the user and then set up 2FA (OTP based, using apps such as Authy or Google Authenticator).
  6. Log out and then try to log in with the correct email and password but an incorrect OTP.
  7. Ensure that a streaming event with the correct payload is sent to the streaming destination added earlier.
  8. From your shell run the following command and input an incorrect OTP:
     ssh ssh://git@gdk.test:2222 2fa_verify
  9. Ensure that a streaming event with the correct payload is sent to the streaming destination added earlier.
  10. Visit the admin audit event logs at <YOUR_GDK_HOST>/admin/audit_logs?tab=log and verify that all these events are shown in the UI.


Resolves #377758

Edited by Huzaifa Iftikhar
