Add user profile ID to audit log events #125932

Closed
jportner opened this issue Feb 17, 2022 · 1 comment · Fixed by #141092
Labels: enhancement (New value added to drive a business result), Feature:Security/Audit (Platform Security - Audit Logging feature), Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)

jportner commented Feb 17, 2022

In #124552, we started activating a user profile upon login. That profile includes a system-generated ID which is intended to uniquely identify individuals. You will be able to configure security domains to span multiple authentication providers, meaning that one user profile could be used for two "users" from two different auth providers.

Framed another way: only tracking the username can be problematic because you could have duplicate usernames from different auth providers, and it's possible that it could be two different individuals.

We should start including the user profile ID in audit events to uniquely identify individuals, in addition to the human-readable username.

We'll likely need to make changes in two different places -- once in the Authenticator for the initial login events:

```ts
auditLogger.log(
  userLoginEvent({
    // We must explicitly specify the sessionId for login events because we just created the session, so
    // it won't automatically get included in the audit event from the request context.
    sessionId: sessionUpdateResult?.value?.sid,
    authenticationResult,
    authenticationProvider: providerName,
    authenticationType: provider.type,
  })
);
```

And once in the AuditService for all scoped audit events after login:

```ts
const asScoped = (request: KibanaRequest): AuditLogger => ({
  log: async (event) => {
    if (!event) {
      return;
    }
    const spaceId = getSpaceId(request);
    const user = getCurrentUser(request);
    const sessionId = await getSID(request);
    log({
      ...event,
      user:
        (user && {
          name: user.username,
          roles: user.roles as string[],
        }) ||
        event.user,
      kibana: {
        space_id: spaceId,
        session_id: sessionId,
        ...event.kibana,
      },
      trace: { id: request.id },
    });
  },
  enabled,
});
```
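
The ambiguity described in this issue, shown from the log reviewer's side as an added example (not code from the issue or from Kibana): over constructed audit events, it finds usernames that resolve to more than one profile ID and lists the providers each profile was seen on. The event shape and the `profile_uid` and `provider` field names are assumptions made for illustration.

```typescript
// Hypothetical, simplified audit event; `profile_uid` and `provider` are assumed names.
type AuditEvent = {
  action: string;
  provider: string;
  user: { name: string; profile_uid?: string };
};

// Constructed sample: "alice" exists on two providers as two different people,
// "bob" is one person whose profile spans two providers in one security domain,
// and "carol" is an older event recorded without a profile ID.
const sampleEvents: AuditEvent[] = [
  { action: 'user_login', provider: 'saml1', user: { name: 'alice', profile_uid: 'u_A' } },
  { action: 'saved_object_delete', provider: 'saml1', user: { name: 'alice', profile_uid: 'u_A' } },
  { action: 'user_login', provider: 'basic1', user: { name: 'alice', profile_uid: 'u_B' } },
  { action: 'user_login', provider: 'saml1', user: { name: 'bob', profile_uid: 'u_C' } },
  { action: 'user_login', provider: 'oidc1', user: { name: 'bob', profile_uid: 'u_C' } },
  { action: 'user_login', provider: 'basic1', user: { name: 'carol' } },
];

// Collect the distinct values seen for each key, in first-seen order.
// Events missing either field are skipped rather than grouped under "undefined".
function groupDistinct(
  events: AuditEvent[],
  keyOf: (e: AuditEvent) => string | undefined,
  valueOf: (e: AuditEvent) => string | undefined
): Record<string, string[]> {
  const groups: Record<string, string[]> = Object.create(null);
  for (const e of events) {
    const k = keyOf(e);
    const v = valueOf(e);
    if (k === undefined || v === undefined) continue;
    const bucket = groups[k] || (groups[k] = []);
    if (bucket.indexOf(v) === -1) bucket.push(v);
  }
  return groups;
}

// Usernames that map to more than one profile ID: attributing by name alone
// would merge the activity of different individuals.
function ambiguousUsernames(events: AuditEvent[]): string[] {
  const byName = groupDistinct(events, (e) => e.user.name, (e) => e.user.profile_uid);
  return Object.keys(byName).filter((name) => byName[name].length > 1);
}

// Providers each profile ID was seen on: one individual across auth providers.
function providersByProfile(events: AuditEvent[]): Record<string, string[]> {
  return groupDistinct(events, (e) => e.user.profile_uid, (e) => e.provider);
}
```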

elasticmachine commented

Pinging @elastic/kibana-security (Team:Security)
