Log Git push actions
Problem to solve
As a GitLab administrator, I need to who and when Git data is being modified so that I can respond to security incidents effectively and pro-actively identify suspicious activity. At the moment I have no easy way of doing this.
GitLab should include Git push actions in the audit logs.
Intended users
Administrator of the GitLab instance and/or Security and Compliance officers.
Further details
It should be possible a user of GitLab to have an central auditable trail of all write actions to a Git repository for analysis and investigation.
Proposal
| Mockup |
|---|
 |
Extending audit events already supported by GitLab, when ever a Git push occurs, via the web interface, API or directly, we should log:
- user who initiated the push
- if was a force push (bool)
- the ref (branch or tag) pushed to
- the SHA hashes from before and after the operation
-
the protocol used to push (HTTP, SSH)https://gitlab.com/gitlab-org/gitlab-ee/issues/11811 -
the originating IP addresshttps://gitlab.com/gitlab-org/gitlab-ee/issues/11809 -
the Git client used to push (agent from the transfer protocol I think https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols)https://gitlab.com/gitlab-org/gitlab-ee/issues/11810
Permissions and Security
Access should be consistent with existing Audit Events permissions.
Documentation
Update https://docs.gitlab.com/ee/administration/audit_events.html docs to add push events
Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Customers interested in this feature:
- https://gitlab.my.salesforce.com/0066100000I5lf8
- https://gitlab.my.salesforce.com/0016100000Nm6pY
- https://gitlab.my.salesforce.com/00161000004zrG3
- https://gitlab.my.salesforce.com/0016100001F4xm6
- https://gitlab.my.salesforce.com/0016100001VxkQk
- https://gitlab.my.salesforce.com/0016100000fdr2y
- https://gitlab.my.salesforce.com/00161000004yxj9
- https://gitlab.my.salesforce.com/0016100001ebwgd