
Audit events do not consistently include the port number in "origin.address" #86694

Closed
tlrx opened this issue May 11, 2022 · 2 comments · Fixed by #86732
Assignees
Labels
>bug :Security/Audit X-Pack Audit logging Team:Security Meta label for security team v7.17.1 v8.3.0

Comments

@tlrx
Member

tlrx commented May 11, 2022

Some types of audit event samples from our documentation include the port number in "origin.address", like access_denied:

{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":
"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":
"access_denied", "authentication.type":"REALM", "user.name":"user1",
"user.realm":"default_native", "user.roles":["test_role"], "origin.type":
"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw",
"action":"indices:admin/auto_create", "request.name":"CreateIndexRequest",
"indices":["<index-{now/d+1d}>"]}

but other types like connection_denied from this issue do not include the port:

{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":
"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":
"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20",
"transport.profile":".http", "rule":"deny 10.10.0.0/16"}

I think we should be consistent here and always include the port number in the "origin.address" field.

@tlrx tlrx added >bug :Security/Audit X-Pack Audit logging v7.17.1 labels May 11, 2022
@elasticmachine elasticmachine added the Team:Security Meta label for security team label May 11, 2022
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@albertzaharovits
Contributor

Nice catch! I agree this is a bug.
Internally the connectionGranted and connectionDenied events serialize, in the audit log, the peer's InetAddress, which doesn't contain the remote port. Instead they should serialize the InetSocketAddress.
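A log consumer can detect the inconsistency described in the issue report and in the comment above before the fix lands: parse `origin.address` into host and optional port and flag events where the port is absent. This is an added example, not Elasticsearch's own code. The sample log is constructed from the two events quoted in the issue plus one made-up `connection_granted` line; it assumes the audit log is NDJSON (one JSON object per line) and that `origin.address` uses the three shapes seen on this page: bracketed IPv6 with port, IPv4 with port, and bare address with no port.

```python
"""Flag Elasticsearch audit events whose "origin.address" carries no port.

Added example (not Elasticsearch's own code). The sample events are
constructed from the two quoted in issue #86694 plus one made-up
connection_granted line; the NDJSON layout (one event per line) is assumed.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log, one JSON object per line.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"type": "audit", "timestamp": "2020-12-30T22:30:06,949+0200",
                "event.type": "transport", "event.action": "access_denied",
                "origin.type": "rest", "origin.address": "[::1]:52434"}),
    json.dumps({"type": "audit", "timestamp": "2020-12-30T21:47:31,526+0200",
                "event.type": "ip_filter", "event.action": "connection_denied",
                "origin.type": "rest", "origin.address": "10.10.0.20",
                "transport.profile": ".http", "rule": "deny 10.10.0.0/16"}),
    # Made-up line: what a connection_granted event looks like once a port is logged.
    json.dumps({"type": "audit", "event.type": "ip_filter",
                "event.action": "connection_granted",
                "origin.type": "rest", "origin.address": "10.10.0.21:39012"}),
])


@dataclass(frozen=True)
class Origin:
    host: str
    port: Optional[int]  # None when the event omitted the port


# "[::1]:52434" or "[::1]": bracketed IPv6 with optional port.
_BRACKETED_V6 = re.compile(r"^\[(?P<host>[^\]]+)\](?::(?P<port>\d{1,5}))?$")
# "10.10.0.20:443" or "10.10.0.20": IPv4 or hostname with optional port.
_V4_OR_NAME = re.compile(r"^(?P<host>[^:]+)(?::(?P<port>\d{1,5}))?$")


def parse_origin_address(value: str) -> Origin:
    """Split an "origin.address" value into host and optional port.

    A bare IPv6 literal such as "::1" or "fe80::1" has no brackets, so its
    colons cannot delimit a port; it matches neither pattern and is treated
    as host-only (port=None), which is what InetAddress serialization gives.
    """
    m = _BRACKETED_V6.match(value) or _V4_OR_NAME.match(value)
    if m is None:
        return Origin(host=value, port=None)
    port = m.group("port")
    return Origin(host=m.group("host"), port=int(port) if port is not None else None)


def find_events_missing_port(ndjson: str) -> List[Tuple[str, str]]:
    """Return (event.action, origin.address) for each event lacking a port.

    Grouping the result by event.action shows which event types are affected;
    on the sample log only connection_denied is reported.
    """
    missing: List[Tuple[str, str]] = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        addr = event.get("origin.address")
        if addr is None:
            continue  # event type has no origin (e.g. some system actions)
        if parse_origin_address(addr).port is None:
            missing.append((event.get("event.action", "?"), addr))
    return missing


if __name__ == "__main__":
    for action, addr in find_events_missing_port(SAMPLE_AUDIT_LOG):
        print(f"{action}: origin.address={addr!r} has no port")
```

Running this over a real audit log from a version before the fix in #86732 lists `connection_denied` and `connection_granted` entries; after upgrading to a version carrying that change, those event types should no longer appear in the output, which makes the check a quick way to confirm the fix on a given node.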

@ywangd ywangd removed the good first issue low hanging fruit label May 11, 2022
@slobodanadamovic slobodanadamovic self-assigned this May 12, 2022
slobodanadamovic added a commit to slobodanadamovic/elasticsearch that referenced this issue May 12, 2022
This commit changes audit logging of `connection_denied`
and `connection_granted` events in order to include a port number.

Closes elastic#86694
slobodanadamovic added a commit that referenced this issue May 20, 2022
…ss (#86732)

This commit changes audit logging of `connection_denied`
and `connection_granted` events in order to include a port number.

Closes #86694
slobodanadamovic added a commit to slobodanadamovic/elasticsearch that referenced this issue May 20, 2022
…ss (elastic#86732)

This commit changes audit logging of `connection_denied`
and `connection_granted` events in order to include a port number.

Closes elastic#86694
slobodanadamovic added a commit to slobodanadamovic/elasticsearch that referenced this issue May 20, 2022
…ss (elastic#86732)

This commit changes audit logging of `connection_denied`
and `connection_granted` events in order to include a port number.

Closes elastic#86694

(cherry picked from commit 954d288)

# Conflicts:
#	x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrail.java
#	x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
elasticsearchmachine pushed a commit that referenced this issue May 20, 2022
…ss (#86732) (#86968)

This commit changes audit logging of `connection_denied`
and `connection_granted` events in order to include a port number.

Closes #86694
elasticsearchmachine pushed a commit that referenced this issue May 20, 2022
…ss (#86732) (#86969)

This commit changes audit logging of `connection_denied`
and `connection_granted` events in order to include a port number.

Closes #86694

(cherry picked from commit 954d288)

# Conflicts:
#	x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrail.java
#	x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java