Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add user profile ID to audit log events #125932

Closed
jportner opened this issue Feb 17, 2022 · 1 comment · Fixed by #141092
Closed

Add user profile ID to audit log events #125932

jportner opened this issue Feb 17, 2022 · 1 comment · Fixed by #141092
Assignees
@thomheymann
Labels
enhancement New value added to drive a business result Feature:Security/Audit Platform Security - Audit Logging feature Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@jportner
Copy link
Contributor

jportner commented Feb 17, 2022
edited by exalate-issue-sync bot
Loading

In #124552, we started activating a user profile upon login. That profile includes a system-generated ID which is intended to uniquely identify individuals. You will be to configure security domains to span multiple authentication providers, meaning that one user profile could be used for two "users" from two different auth providers.

Framed another way: only tracking the username can be problematic because you could have duplicate usernames from different auth providers, and it's possible that it could be two different individuals.

We should start including the user profile ID in audit events to uniquely identify individuals, in addition to the human-readable username.

We'll likely need to make changes in two different places -- once in the Authenticator for the initial login events:

kibana/x-pack/plugins/security/server/authentication/authenticator.ts

Lines 336 to 345 in ddc3000

auditLogger.log(
userLoginEvent({
// We must explicitly specify the sessionId for login events because we just created the session, so
// it won't automatically get included in the audit event from the request context.
sessionId: sessionUpdateResult?.value?.sid,
authenticationResult,
authenticationProvider: providerName,
authenticationType: provider.type,
})
);

And once in the AuditService for all scoped audit events after login:

kibana/x-pack/plugins/security/server/audit/audit_service.ts

Lines 157 to 182 in b94ef10

const asScoped = (request: KibanaRequest): AuditLogger => ({
log: async (event) => {
if (!event) {
return;
}
const spaceId = getSpaceId(request);
const user = getCurrentUser(request);
const sessionId = await getSID(request);
log({
...event,
user:
(user && {
name: user.username,
roles: user.roles as string[],
}) ||
event.user,
kibana: {
space_id: spaceId,
session_id: sessionId,
...event.kibana,
},
trace: { id: request.id },
});
},
enabled,
});

@jportner jportner added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result Feature:Security/Audit Platform Security - Audit Logging feature labels Feb 17, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@jportner jportner mentioned this issue Mar 10, 2022
Closed
12 tasks
@thomheymann thomheymann self-assigned this Sep 6, 2022
@thomheymann thomheymann mentioned this issue Sep 20, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@thomheymann thomheymann

Labels
enhancement New value added to drive a business result Feature:Security/Audit Platform Security - Audit Logging feature Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add user profile ID to audit log events thomheymann/kibana
3 participants
@thomheymann @jportner @elasticmachine