[Discuss] [Kibana platform security] Session tracking and audit logging

[arisonl]

We have a number of user requests around session tracking:

• "Customer would like to know when user logs in, logs out or when its session expires"
• "Customer would like the ability to audit a user's Kibana session and know when they have logged in or out of Kibana"
• "The application must display the time and date of the users last successful logon. The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions"

Can we build this functionality based on the first iteration of Kibana audit logging and server-side sessions that we have delivered?

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[azasypkin]

Can we build this functionality based on the first iteration of Kibana audit logging and server-side sessions that we have delivered?

I'll defer the auditing part to @thomheymann and comment only on the session part:

• 🟢 AFAIK we already generate an audit log event when user logs in
• 🟢 I believe we already clearly indicate that session has been terminated either with the message on the Login Selector/Login Form or via dedidated Logged Out page if Selector isn't enabled
• 🟠 Generating event for the logout initiated by the user or IdP (in case user still has active Kibana session) should not be complex to add today
• 🟠 Generating event for the logout because of expired session that was triggered by the user/Kibana request should also not be complex to add today
• 🔴 We currently don't have a way to generate such events for the expired/invalid sessions that we remove in a bulk during a regular session cleanup job. That may not be easy or feasibly to implement at all.
• 🔴 We currently don't have a way to figure out user's last login time/date, but once we get support for user profiles we can store this information there. We'll implement this eventually for sure.

[jportner]

It's been a while since we've updated this issue. Here's the current reality:

• 🟢 AFAIK we already generate an audit log event when user logs in
  • 🟠 Yep but we recently discovered these events are missing the session_id: "user_login" audit events do not contain "session_id" field #123724
    • 🟢 Update 2022-02-17, this is fixed!
  • 🟠 We also recently discovered that some audit log events can be missing in certain scenarios: Audit events for user_login can be missing when using PKI or Kerberos authentication #124694
• 🟢 I believe we already clearly indicate that session has been terminated either with the message on the Login Selector/Login Form or via dedidated Logged Out page if Selector isn't enabled
  • Note: we updated/clarified the "logged out" messages in Better message for unanticipated authorisation errors #113460
• 🟠 Generating event for the logout initiated by the user or IdP (in case user still has active Kibana session) should not be complex to add today
  • 🟢 Added in Capture user logout events in audit log #121455
• 🟠 Generating event for the logout because of expired session that was triggered by the user/Kibana request should also not be complex to add today
  • 🟢 Added in Capture user logout events in audit log #121455
• 🔴 We currently don't have a way to generate such events for the expired/invalid sessions that we remove in a bulk during a regular session cleanup job. That may not be easy or feasibly to implement at all.
  • 🟢 Added in Add session cleanup audit logging #122419
• 🔴 We currently don't have a way to figure out user's last login time/date, but once we get support for user profiles we can store this information there. We'll implement this eventually for sure.
  • This is still the case