Add UnauthenticatedSecurityEventAuditor for failed login events
What does this MR do and why?
- Remove method `for_failed_login` from `AuditEventService` as it's not being used anymore. Also removed the corresponding RSpecs.
- Create `UnauthenticatedSecurityEventAuditor` to log unauthenticated login audit events using `Gitlab::Audit::Auditor` and enable streaming for these. They were not streamed earlier because we were using `AuditEventService`, which is a deprecated method of logging audit events.
- There is no difference in the UI for audit logs apart from the fact that for an incorrect email/password we are now logging the scope as the GitLab instance.
Difference in database
Failed login due to incorrect email or password
Before
```
-[ RECORD 1 ]--+--------------------------------
id             | 739
author_id      | -1
entity_id      | -1
entity_type    | User
details        | ---                            +
               | :failed_login: STANDARD        +
               | :author_name: victim@bar.com   +
               | :target_details: victim@bar.com+
               | :ip_address: 127.0.0.1         +
               | :entity_path:                  +
               |
ip_address     | 127.0.0.1
author_name    | victim@bar.com
entity_path    |
target_details | victim@bar.com
created_at     | 2023-08-17 11:37:03.246864
target_type    |
target_id      |
```
After
```
id             | 731
author_id      | -1
entity_id      | 1
entity_type    | Gitlab::Audit::InstanceScope
details        | ---                                                          +
               | :failed_login: STANDARD                                      +
               | :author_name: victim@bar.com                                 +
               | :author_class: Gitlab::Audit::UnauthenticatedAuthor          +
               | :target_id: -1                                               +
               | :target_type: Gitlab::Audit::UnauthenticatedAuthor           +
               | :target_details: victim@bar.com                              +
               | :custom_message: Failed to login with STANDARD authentication+
               | :ip_address: 127.0.0.1                                       +
               | :entity_path: gitlab_instance                                +
               |
ip_address     | 127.0.0.1
author_name    | victim@bar.com
entity_path    | gitlab_instance
target_details | victim@bar.com
created_at     | 2023-08-17 11:25:52.549725
target_type    | Gitlab::Audit::UnauthenticatedAuthor
target_id      | -1
```
Failed login due to incorrect OTP
Before
```
-[ RECORD 1 ]--+--------------------------------
id             | 713
author_id      | 10
entity_id      | 10
entity_type    | User
details        | ---                            +
               | :failed_login: OTP             +
               | :author_name: Torie Cummings   +
               | :target_details: Torie Cummings+
               | :ip_address: 127.0.0.1         +
               | :entity_path: terrance         +
               |
ip_address     | 127.0.0.1
author_name    | Torie Cummings
entity_path    | terrance
target_details | Torie Cummings
created_at     | 2023-08-11 11:09:05.004076
target_type    |
target_id      |
```
After
```
-[ RECORD 1 ]--+---------------------------------------------------------
id             | 714
author_id      | 10
entity_id      | 10
entity_type    | User
details        | ---                                                     +
               | :failed_login: OTP                                      +
               | :author_name: Torie Cummings                            +
               | :author_class: User                                     +
               | :target_id: 10                                          +
               | :target_type: User                                      +
               | :target_details: Torie Cummings                         +
               | :custom_message: Failed to login with OTP authentication+
               | :ip_address: 127.0.0.1                                  +
               | :entity_path: terrance                                  +
               |
ip_address     | 127.0.0.1
author_name    | Torie Cummings
entity_path    | terrance
target_details | Torie Cummings
created_at     | 2023-08-11 11:09:05.015269
target_type    | User
target_id      | 10
```
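The author/scope/target selection visible in the two "After" records above, written out as a stand-alone Ruby sketch. This is an added illustration, not GitLab's code or the actual `UnauthenticatedSecurityEventAuditor`: the `User` struct, the `UNAUTHENTICATED_ID` and `INSTANCE_SCOPE` constants and the `failed_login_audit` function are assumptions made for the example; only the field names, the `-1` sentinel and the values in the records come from the page.

```ruby
# Added illustration (not GitLab's code): how a failed-login audit row's
# author, scope (entity) and target are chosen depending on whether the
# submitted credential resolved to a user. Mirrors the "After" records.

# Sentinel the records use for an unauthenticated author/target (from the page).
UNAUTHENTICATED_ID = -1

# Instance-level scope as it appears in the STANDARD "After" record
# (entity_id 1, entity_path "gitlab_instance"); constant name is an assumption.
INSTANCE_SCOPE = { id: 1, type: 'Gitlab::Audit::InstanceScope', path: 'gitlab_instance' }.freeze

# Minimal stand-in for a User record (constructed for the example).
User = Struct.new(:id, :name, :username, keyword_init: true)

# Builds the audit row hash for a failed login.
#   user:            the User the credentials resolved to, or nil when the
#                    email/password pair did not identify anyone
#   method:          'STANDARD' or 'OTP'
#   attempted_login: the login string the client submitted (untrusted input)
def failed_login_audit(user:, method:, ip_address:, attempted_login:)
  if user
    # OTP failure: the password already proved who is logging in, so the user
    # is author, scope and target alike (entity_path is the username).
    author = { id: user.id, name: user.name, class: 'User' }
    entity = { id: user.id, type: 'User', path: user.username }
    target = { id: user.id, type: 'User', details: user.name }
  else
    # Wrong email/password: nobody is authenticated, so the event is scoped to
    # the instance and both author and target carry the -1 sentinel.
    author = { id: UNAUTHENTICATED_ID, name: attempted_login,
               class: 'Gitlab::Audit::UnauthenticatedAuthor' }
    entity = INSTANCE_SCOPE
    target = { id: UNAUTHENTICATED_ID, type: 'Gitlab::Audit::UnauthenticatedAuthor',
               details: attempted_login }
  end

  {
    author_id: author[:id],
    entity_id: entity[:id],
    entity_type: entity[:type],
    details: {
      failed_login: method,
      author_name: author[:name],
      author_class: author[:class],
      target_id: target[:id],
      target_type: target[:type],
      target_details: target[:details],
      custom_message: "Failed to login with #{method} authentication",
      ip_address: ip_address,
      entity_path: entity[:path]
    },
    ip_address: ip_address,
    author_name: author[:name],
    entity_path: entity[:path],
    target_details: target[:details],
    target_type: target[:type],
    target_id: target[:id]
  }
end
```

Note that in the unauthenticated branch `author_name` and `target_details` are whatever string the client submitted (`victim@bar.com` in the records above), not a resolved user; anything consuming these rows or the streamed payload should treat those two fields as attacker-supplied text, not as an identity.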
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After | Diff
---|---|---
(screenshot not included) | (screenshot not included) | Scope changed from "(removed)" to "gitlab_instance"
No diff on UI | |
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
1. Ensure you have a GitLab Ultimate license on your GDK.
2. Add a streaming destination (e.g. Pipedream) as an instance-level streaming destination. Follow the steps in the doc.
3. Log out of GDK and try to log in with an incorrect password.
4. Ensure that a streaming event with the correct payload is sent to the streaming destination added earlier.
5. Log in with the user and then set up 2FA authentication (OTP based, using 2FA apps like Authy, Google Authenticator, etc.).
6. Log out the user and then try to log in with the correct email and password but input an incorrect OTP.
7. Ensure that a streaming event with the correct payload is sent to the streaming destination added earlier.
8. From your shell run the following command and input an incorrect OTP:
   `ssh ssh://git@gdk.test:2222 2fa_verify`
9. Ensure that a streaming event with the correct payload is sent to the streaming destination added earlier.
10. Visit the admin audit event logs and verify that all these events are available in the UI:
    `<YOUR_GDK_HOST>/admin/audit_logs?tab=log`
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Resolves #377758
Edited by Huzaifa Iftikhar