From d63e42ebebe43f759529d8fb245349f2868207b4 Mon Sep 17 00:00:00 2001 From: Ron Stone Date: Mon, 25 Apr 2022 15:05:14 -0400 Subject: [PATCH] Security Audit Logging Continuation of changes made under https://review.opendev.org/c/starlingx/docs/+/832841 (abandoned) Add conditional text about log access via controllers. Patchset 3 review updates. Add conditionalization. Story: 2009824 Task: 45043 Signed-off-by: Ron Stone Change-Id: I4e9a1a9e0940ffc15a71cea954062d7c42a88e81 --- .../_includes/operator-command-logging.rest | 3 + ...operator-login-authentication-logging.rest | 5 + .../kubernetes/operator-command-logging.rst | 108 ++++++++++++------ .../operator-login-authentication-logging.rst | 21 ++-- 4 files changed, 91 insertions(+), 46 deletions(-) create mode 100644 doc/source/_includes/operator-command-logging.rest create mode 100644 doc/source/_includes/operator-login-authentication-logging.rest diff --git a/doc/source/_includes/operator-command-logging.rest b/doc/source/_includes/operator-command-logging.rest new file mode 100644 index 000000000..1043aff4f --- /dev/null +++ b/doc/source/_includes/operator-command-logging.rest @@ -0,0 +1,3 @@ +.. begin-remote-log-server-options + +.. end-remote-log-server-options diff --git a/doc/source/_includes/operator-login-authentication-logging.rest b/doc/source/_includes/operator-login-authentication-logging.rest new file mode 100644 index 000000000..f386dac22 --- /dev/null +++ b/doc/source/_includes/operator-login-authentication-logging.rest @@ -0,0 +1,5 @@ +.. begin-remote-log-server-options + +.. end-remote-log-server-options + + diff --git a/doc/source/security/kubernetes/operator-command-logging.rst b/doc/source/security/kubernetes/operator-command-logging.rst index d10ba9439..35b59508f 100644 --- a/doc/source/security/kubernetes/operator-command-logging.rst +++ b/doc/source/security/kubernetes/operator-command-logging.rst @@ -6,59 +6,97 @@ Operator Command Logging ======================== -|prod| logs all REST API operator commands and SNMP commands. +|prod| logs all StarlingX REST API operator commands, except commands that use +only GET requests. |prod| also logs all |SNMP| commands, including ``GET`` +requests. + + + +------------------------------------------- +StarlingX REST API Operator Command Logging +------------------------------------------- The logs include the timestamp, tenant name \(if applicable\), user name, command executed, and command status \(success or failure\). -The files are located under the /var/log directory, and are named using the -convention \*-api.log. Each component that generates its own API log files -\(for example, Keystone, Barbican, and so forth\) and each |prod| / -StarlingX -specific component, updating \(patching\) system, and SNMP agent -follows, this convention. - -You can examine the log files locally on the controllers, or using a remote -log server if the remote logging feature is configured. The one exception is -patching-api.log. For updating robustness, the |prod| updating system uses -minimal system facilities and does not use **syslog**. Therefore its logs -are not available on a remote log server. +The files are located under the ``/var/log`` directory and are named using the +convention ``*api.log``. The list of log files is presented below. -.. _operator-command-logging-section-N10047-N10023-N10001: +- ``/var/log/sysinv-api.log`` -------- -Remarks -------- +- ``/var/log/fm-api.log`` + +- ``/var/log/dcmanager/dcmanager-api.log`` + +- ``/var/log/nfv-vim-api.log`` + +- ``/var/log/patching-api.log`` + +- ``/var/log/mtcAgent_api.log`` + +- ``/var/log/hwmond_api.log`` + +- ``/var/log/barbican/barbican-api.log`` + +.. only:: starlingx + + You can examine the log files locally on the controllers. + +.. only:: partner + + .. include:: /_includes/operator-command-logging.rest + :start-after: begin-remote-log-server-options + :end-before: end-remote-log-server-options -.. _operator-command-logging-ul-plj-htv-1z: +For example, if the following command is issued: -- For the |prod| :command:`system` command, whenever a REST API call is - made that is either a POST, PATCH, PUT, or DELETE, |prod| logs these events - into a new log file called /var/log/sysinv-api.log +``system modify --description="TEST01 DESCRIPTION"`` + +The following log is generated in ``/var/log/sysinv-api.log``: + +``sysinv 2022-03-09 11:03:46.238 108478 INFO sysinv.api.hooks.auditor [req-be0eb23d-c815-4bb7-938a-bfb8adba496b 76752e1b78b54f7b8409e2c54a6b6082 1ba4a349b9f941e0a5bd658df4e4d4f7] 192.168.204.2 "PATCH /v1/isystems/7b64c984-8b6e-42da-88e5-d9ee17c5178e HTTP/1.0" status: 200 len: 1151 time: 0.0395379066467 POST: [{u'path': u'/description', u'value': u'TEST01 DESCRIPTION', u'op': u'replace'}] host:192.168.204.1:6385 agent:Python-httplib2/0.9.2 (gzip) user: admin tenant: admin domain: Default`` + +REST API request methods that will be logged include: + +``PATCH`` + The resource is being partially updated. + +``POST`` + The resource is being created or fully updated. + +``DELETE`` + The resource is being deleted. + +``PUT`` + Similar to ``POST`` with the difference that ``PUT`` requests are + idempotent, that is, multiple ``PUT`` calls produce the same result. - - POST - means creating something +-------------------- +SNMP Request Logging +-------------------- - - PATCH - means partially updating \(modifying\) something +As the |SNMP| application is containerized, the logs of its commands are found +inside the container at file ``/var/log/snmpd.log``. Only basic information is +present in this log file, like command type, |SNMP| version and request status. +All |SNMP| requests are logged, including ``GET`` requests. - - PUT - means fully updating \(modifying\) something +For example, if the following command is issued: - - DELETE - means deleting something +``SNMP GET OID .iso.3.6.1.2.1.1.1.0`` +It will return the value: - :command:`system modify --description="A TEST"` is logged to sysinv-api.log because it issues a REST POST call +``iso.3.6.1.2.1.1.1.0 = STRING: "22.02 5.10.74-200.1807.tis.el7.x86_64"`` - :command:`system snmp-comm-delete "TEST_COMMUNITY1"` - is logged to sysinv-api.log because it issues a REST DELETE call +And the following log is generated in ``/var/log/snmpd.log`` inside the |SNMP| +container: -- If the :command:`sysinv` command only issues a REST GET call, it is not logged. - - - - :command:`fm event-list` is not logged because this performs a sysinv REST GET call - - - :command:`fm event-show` is not logged because this performs a sysinv REST GET call - - -- All SNMP Commands are logged, including GET, GETNEXT, GETBULK and SET commands. SNMP TRAPs are not logged. +.. code-block:: none + snmp-auditor transport:udp remote:10.20.3.3 reqid:1367258771 msg-type:GET version:v3 + snmp-auditor reqid:1367258771 oid:SNMPv2-MIB::sysDescr.0 + snmp-auditor reqid:1367258771 oid:SNMPv2-MIB::sysDescr.0 status:pass diff --git a/doc/source/security/kubernetes/operator-login-authentication-logging.rst b/doc/source/security/kubernetes/operator-login-authentication-logging.rst index 0aff5badd..087e312f6 100644 --- a/doc/source/security/kubernetes/operator-login-authentication-logging.rst +++ b/doc/source/security/kubernetes/operator-login-authentication-logging.rst @@ -9,14 +9,9 @@ Operator Login/Authentication Logging |prod| logs all operator login and authentication attempts. For security purposes, all login attempts \(success and failure\) are -logged. This includes the Horizon Web interface and SSH logins as well as -internal local LDAP login attempts and internal database login attempts. +logged. This includes the Horizon Web Interface logins, SSH logins, Local +Console Logins and internal database login attempts. -SNMP authentication requests \(success and failure\) are logged with -operator commands \(see :ref:`Operator Command Logging -`\). Authentication failures are logged -explicitly, whereas successful authentications are logged when the request -is logged. The logs include the timestamp, user name, remote IP Address, and number of failed login attempts \(if applicable\). They are located under the /var/log @@ -33,15 +28,19 @@ directory, and include the following: - /var/log/hostwd.log -- /var/log/snmp-api.log - - /var/log/sysinv.log - /var/log/user.log - /var/log/ima.log +.. only:: partner -You can examine the log files locally on the controllers, or using a remote -log server if the remote logging feature is configured. + .. include:: /_includes/operator-login-authentication-logging.rest + :start-after: begin-remote-log-server-options + :end-before: end-remote-log-server-options + +.. only:: starlingx + + You can examine the log files locally on the controllers.