From f462dc4c356fc234489bfc31242c938796c3c8be Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 01:30:56 +0200 Subject: [PATCH 01/63] WIP --- .../settings/audit-settings.asciidoc | 13 ++++++-- .../en/security/auditing/event-types.asciidoc | 30 ++++++++++--------- 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index 72241f683e392..e61064afba5a6 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc @@ -8,7 +8,11 @@ [[auditing-settings-description]] You can use <> to record security-related events, such as authentication failures, refused connections, and data-access -events. +events. In addition, changes via the APIs to the security configuration, such +as creating, updating and removing <> and +<> users, <>, +<> and +<> are also recorded. If configured, auditing settings must be set on every node in the cluster. Static settings, such as `xpack.security.audit.enabled`, must be configured in @@ -42,7 +46,8 @@ by using the following settings: (<>) Specifies which events to include in the auditing output. The default value is: `access_denied, access_granted, anonymous_access_denied, authentication_failed, -connection_denied, tampered_request, run_as_denied, run_as_granted`. +connection_denied, tampered_request, run_as_denied, run_as_granted, +security_config_change`. // end::xpack-sa-lf-events-include-tag[] [[xpack-sa-lf-events-exclude]] 
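Review bot: the sentence added in the first hunk ("In addition, changes via the APIs to the security configuration ... are also recorded") says the same thing twice with "In addition" and "also"; drop one of them. Since this enumeration of recorded operations (creating, updating and removing users, roles, and the other listed objects) is what readers will compare against the `event.action` values documented for `security_config_change` events in event-types.asciidoc, keep the two lists in step, or leave this one as an open-ended "such as" and point to the attribute description for the full set.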
@@ -114,7 +119,9 @@ These settings affect the <> that enable fine-grained control over which audit events are printed to the log file. All of the settings with the same policy name combine to form a single policy. If an event matches all of the conditions for a specific policy, it is ignored -and not printed. +and not printed. All events of any type are subject to the ignore policies, with the +sole exception of `security_config_change` events, which if not +<> altogether, are never filtered out. [[xpack-sa-lf-events-ignore-users]] // tag::xpack-sa-lf-events-ignore-users-tag[] diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 92fc08819c74d..63f2bcbf4dc29 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
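Review bot: the added clause "with the sole exception of `security_config_change` events, which if not <> altogether, are never filtered out" stacks a double negative ("if not ... are never filtered out") and is hard to read for what is an operationally important guarantee. State it positively: `security_config_change` events are always printed, regardless of the ignore policies below, unless the event type itself is excluded via the include/exclude settings. PATCH 04 rewords this paragraph, so it is worth landing the clearer phrasing there.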
@@ -45,20 +45,22 @@ The following is a list of the events that can be generated: [[audit-event-attributes]] === Audit event attributes -In 6.5.0, there is a new <> format. -This format also brings in a few changes for audit event attributes. - -The new format is output to the `_audit.json` file. -The audit entries are formatted as flat JSON documents (that is to say, no -nested objects), one per line. Hence, the attribute names are JSON keys and they -follow a dotted name syntax. Any attributes that lack a value (`null`) are not -output. - -The following list shows attributes that are common to all audit events. -Their names and values are analogous to those in the deprecated `logfile` or -`index` output formats. However, it is expected that the formats will evolve -independently during the 6.x releases, so it is advisable to follow the attribute -descriptions for the format that you are using. +The audit events are formatted as JSON documents, and each event is printed on a separate +line in the audit log (the entries themselves do not contain the end-of-line delimiter). +The audit event JSON format is somewhat particular, as *most* fields follow a dotted +name syntax, are ordered, and contain non-null string values. This format creates a +structured columnar aspect, similar to a CSV, that can be more easily inspected visually +(compared to an equivalent nested JSON document). +There are however a few attributes that are exceptions to the above format. The `put`, +`delete`, `change`, `create` and `invalidate` attributes, which are only present for +events with the `event.type: "security_config_change"` attribute, contain the *nested JSON* +representation of the security change taking effect. The contents of security config change +are hence not splayed as top-level dot-named fields in the audit event document. 
That's because +the fields are specific to the particular kind of the security change and do not show up in +any other audit events, and so the columnar format benefits are much more limited; the +space-saving benefits of the nested structure is the favoured trade-off in this case. + +The following list shows attributes that are common to all audit event types: `@timestamp` :: The time, in ISO9601 format, when the event occurred. `node.name` :: The name of the node. This can be changed From 7bfff61e83896d8780b5226665c15540083d48c0 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 11:19:39 +0200 Subject: [PATCH 02/63] WIP still --- .../docs/en/security/auditing/event-types.asciidoc | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 63f2bcbf4dc29..7a08eda2d64b7 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
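Review bot: in the last added lines of this hunk, "the space-saving benefits of the nested structure is the favoured trade-off" needs "are" (plural subject), and PATCH 02 only rewords the line before it, so the agreement error survives the series. The new paragraph starting "There are however a few attributes" also needs a blank line before it to render as a separate paragraph (PATCH 02 adds one). While here, the unchanged context line "`@timestamp` :: The time, in ISO9601 format" should read ISO 8601. Finally, since the `put`, `delete`, `change`, `create` and `invalidate` attributes carry the nested JSON of the security change, this is the natural place to say whether credentials in those requests (for example the password of a put-user request) appear in the nested representation; PATCH 07 asserts in audit-settings.asciidoc that they are filtered out, and that statement belongs here as well so readers of the attribute description do not have to discover it from the settings page.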
@@ -51,13 +51,14 @@ The audit event JSON format is somewhat particular, as *most* fields follow a do name syntax, are ordered, and contain non-null string values. This format creates a structured columnar aspect, similar to a CSV, that can be more easily inspected visually (compared to an equivalent nested JSON document). + There are however a few attributes that are exceptions to the above format. The `put`, `delete`, `change`, `create` and `invalidate` attributes, which are only present for events with the `event.type: "security_config_change"` attribute, contain the *nested JSON* representation of the security change taking effect. The contents of security config change are hence not splayed as top-level dot-named fields in the audit event document. That's because the fields are specific to the particular kind of the security change and do not show up in -any other audit events, and so the columnar format benefits are much more limited; the +any other audit events, and so the benefits of a columnar format are much more limited; the space-saving benefits of the nested structure is the favoured trade-off in this case. The following list shows attributes that are common to all audit event types: @@ -82,7 +83,7 @@ The following list shows attributes that are common to all audit event types: `transport` (request was received on the transport channel), or `local_node` (the local node issued the request). `event.type` :: The internal processing layer that generated the event: - `rest`, `transport` or `ip_filter`. + `rest`, `transport`, `ip_filter` or `security_config_change`. This is different from `origin.type` because a request originating from the REST API is translated to a number of transport messages, generating audit events with 
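Review bot: in the second hunk, `event.type` is described as "The internal processing layer that generated the event: `rest`, `transport`, `ip_filter` or `security_config_change`", but `security_config_change` is a kind of event rather than a processing layer, so the description no longer fits its own value list. Adjust the lead-in, for example "The internal processing layer that generated the event (`rest`, `transport` or `ip_filter`), or `security_config_change` for events that record a change to the security configuration", so that readers building filters on `event.type` are not confused about what the field means.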
@@ -91,7 +92,13 @@ The following list shows attributes that are common to all audit event types: `authentication_failed`, `authentication_success`, `realm_authentication_failed`, `access_denied`, `access_granted`, `connection_denied`, `connection_granted`, `tampered_request`, - `run_as_denied`, or `run_as_granted`. + `run_as_denied`, or `run_as_granted`. In addition, if + `event.type` equals `security_config_change`, the + `event.action` attribute takes one of the following values: + `put_user`, `change_password`, `put_role`, `put_role_mapping`, + `change_enable_user`, `change_disable_user`, `put_privileges`, + `create_apikey`, `delete_user`, `delete_role`, + `delete_role_mapping`, `invalidate_apikeys` or `delete_privileges`. `opaque_id` :: The value of the `X-Opaque-Id` HTTP header (if present) of the request associated with this event. This header can be used freely by the client to mark API calls, as it has From 7a908ecc647974931f8fd6a87c04c6a711153dfd Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 14:31:04 +0200 Subject: [PATCH 03/63] More polishing of audit-settings --- docs/reference/settings/audit-settings.asciidoc | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index e61064afba5a6..18cf7ac312791 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc @@ -44,7 +44,8 @@ by using the following settings: // tag::xpack-sa-lf-events-include-tag[] `xpack.security.audit.logfile.events.include`:: (<>) -Specifies which events to include in the auditing output. The default value is: +Specifies the kind of events to print in the auditing output. The default list value +contains: `access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted, security_config_change`. 
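Review bot: in the `event.action` value list added to the first hunk, `create_apikey` is singular while `invalidate_apikeys` is plural; if both spellings are exactly what the code emits, this is fine, but please double-check them character by character against the implementation, because these literal values are what detection rules and log filters will match on, and a documented value that differs from the emitted one silently breaks such rules. The same applies to `change_enable_user` and `change_disable_user`, which read unusually compared with the `put_*`/`delete_*` naming of the rest of the list.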
@@ -54,16 +55,22 @@ security_config_change`. // tag::xpack-sa-lf-events-exclude-tag[] `xpack.security.audit.logfile.events.exclude`:: (<>) -Excludes the specified events from the output. By default, no events are -excluded. +Excludes the specified kind of events from the include list. The default is the empty list. // end::xpack-sa-lf-events-exclude-tag[] [[xpack-sa-lf-events-emit-request]] // tag::xpack-sa-lf-events-emit-request-tag[] `xpack.security.audit.logfile.events.emit_request_body`:: (<>) -Specifies whether to include the request body from REST requests on certain -event types such as `authentication_failed`. The default value is `false`. +Specifies whether to include the full request body from REST requests as an +attribute of certain kinds of audit events. The request body is printed as an +escaped JSON string value to the `request.body` attribute. +These events that contain the `request.body` attribute are `authentication_success`, +`authentication_failed`, `realm_authentication_failed`, `tampered_request`, `run_as_denied`, +and `anonymous_access_denied` that are printed on the coordinating node only +(the node that handles the REST request). + +The default value is `false` so request bodies are not printed. + -- IMPORTANT: No filtering is performed when auditing, so sensitive data may be From 9ea7c657384ff53d8e30797f0b73c87ecaffa866 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 15:12:21 +0200 Subject: [PATCH 04/63] Maybe audit settings is complete --- docs/reference/settings/audit-settings.asciidoc | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index 18cf7ac312791..ca73eddffb38b 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc 
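Review bot: "These events that contain the `request.body` attribute are `authentication_success`, ... and `anonymous_access_denied` that are printed on the coordinating node only" is a tangled sentence with two "that" clauses; suggest "The `request.body` attribute is present on the following events, which are printed on the coordinating node only (the node that handles the REST request): ...". In the same hunk (and in the include setting above it), "the specified kind of events" should be "kinds of events". The closing line "The default value is `false` so request bodies are not printed." follows a blank line inside the definition-list entry, so it needs a `+` continuation to stay attached to the setting (PATCH 04 adds it, along with the missing comma before "so").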
@@ -69,8 +69,8 @@ These events that contain the `request.body` attribute are `authentication_succe `authentication_failed`, `realm_authentication_failed`, `tampered_request`, `run_as_denied`, and `anonymous_access_denied` that are printed on the coordinating node only (the node that handles the REST request). - -The default value is `false` so request bodies are not printed. ++ +The default value is `false`, so request bodies are not printed. + -- IMPORTANT: No filtering is performed when auditing, so sensitive data may be @@ -111,8 +111,6 @@ The default value is `false`. `xpack.security.audit.logfile.emit_node_id`:: (<>) Specifies whether to include the node id as a field in each audit event. -This is available for the new format only. That is to say, this information -does not exist in the `_access.log` file. Unlike <>, whose value might change if the administrator changes the setting in the config file, the node id will persist across cluster restarts and the administrator cannot change it. @@ -122,13 +120,13 @@ The default value is `true`. [[audit-event-ignore-policies]] ==== Audit Logfile Event Ignore Policies -These settings affect the <> +The following settings affect the <> that enable fine-grained control over which audit events are printed to the log file. All of the settings with the same policy name combine to form a single policy. -If an event matches all of the conditions for a specific policy, it is ignored -and not printed. All events of any type are subject to the ignore policies, with the -sole exception of `security_config_change` events, which if not -<> altogether, are never filtered out. +If an event matches all the conditions of any policy, it is ignored and not printed. +Most audit events are subject to the ignore policies. The sole exception are +events of the `security_config_change` type, which cannot be filtered out, unless +<> altogether. [[xpack-sa-lf-events-ignore-users]] // tag::xpack-sa-lf-events-ignore-users-tag[] 
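Review bot: in the last hunk, "The sole exception are events of the `security_config_change` type" needs "is" (the subject is "exception"). "Most audit events are subject to the ignore policies" is also vaguer than the facts it introduces: there is exactly one exception, so "All audit events except those of the `security_config_change` type are subject to the ignore policies" says the same thing without leaving the reader to wonder what else might be exempt. The wording "cannot be filtered out, unless <> altogether" is a clear improvement over the double negative in PATCH 01.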
From ec09fb5ea792c738f09dbb663246dc5801ff449f Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 17:50:12 +0200 Subject: [PATCH 05/63] meah --- .../docs/en/security/auditing/enable-audit-logging.asciidoc | 5 +++++ x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc index 4764612d65f9f..ad90dbea81646 100644 --- a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc +++ b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc @@ -10,6 +10,11 @@ Audit logging also provides forensic evidence in the event of an attack. ============================================================================ Audit logs are **disabled** by default. You must explicitly enable audit logging. ============================================================================ ++ +-- +TIP: Audit logs are only available on certain subscription levels. +For more information, see https://www.elastic.co/subscriptions. +-- To enable enable audit logging: diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 7a08eda2d64b7..15a602ec3226e 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -2,7 +2,7 @@ [[audit-event-types]] === Audit event types -When you are <>, each request can generate +When you are <>, each client request can generate multiple audit events. The following is a list of the events that can be generated: From e83ba2d52ecd0956b3b7da058f8cac4f5f3665fd Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 18:13:51 +0200 Subject: [PATCH 06/63] Enable audit logging Done --- .../en/security/auditing/enable-audit-logging.asciidoc | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
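Review bot: in the enable-audit-logging.asciidoc hunk, the added `+` followed by a `--` open block wraps the TIP directly after the `[IMPORTANT]` admonition that is delimited by `====`; that admonition is not a list item, so the `+` list continuation has nothing to attach to and will render as a literal plus sign. Drop the `+` (and, since the TIP is not inside a list, the `--` delimiters are not needed either); PATCH 10, titled "Extraneous formatting", removes one line from this file, which looks like this fix. Drive-by in the unchanged context: "To enable enable audit logging:" doubles "enable".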
diff --git a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc index ad90dbea81646..7d898bb922858 100644 --- a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc +++ b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc @@ -3,7 +3,9 @@ == Enabling audit logging You can log security-related events such as authentication failures and refused connections -to monitor your cluster for suspicious activity. +to monitor your cluster for suspicious activity (including data access and user +security configuration changes). + Audit logging also provides forensic evidence in the event of an attack. [IMPORTANT] @@ -22,7 +24,11 @@ To enable enable audit logging: . Restart {es}. When audit logging is enabled, <> are persisted to -a dedicated `_audit.json` file on the host's file system (on each node). +a dedicated `_audit.json` file on the host's file system, on every cluster node. +The file is rotated and arhivated daily and upon reaching the 1GB file size limit. +For more details, check out the +https://github.com/elastic/elasticsearch/blob/{branch}/x-pack/plugin/core/src/main/config/log4j2.properties[log4j2.properties] +for the security audit logger. You can configure additional options to control what events are logged and what information is included in the audit log. From aa178e197bf1fb7a577d923471cc3f88f91f7859 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 18:41:36 +0200 Subject: [PATCH 07/63] Audit settings done-done --- docs/reference/settings/audit-settings.asciidoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index ca73eddffb38b..36b4e4e3a81e8 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc 
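Review bot: in the second hunk of enable-audit-logging.asciidoc, "The file is rotated and arhivated daily and upon reaching the 1GB file size limit" has a typo ("archived") and the conjunction is wrong: rotation happens daily or when the size limit is reached, not only when both hold. PATCH 08 corrects both, so squashing that fix into this commit would keep the series clean. The link to log4j2.properties using the `{branch}` attribute is the right way to point at the rotation policy, since the retention behaviour readers care about (how many archived files are kept, and for how long) is defined there rather than in the prose.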
@@ -73,8 +73,9 @@ and `anonymous_access_denied` that are printed on the coordinating node only The default value is `false`, so request bodies are not printed. + -- -IMPORTANT: No filtering is performed when auditing, so sensitive data may be -audited in plain text when including the request body in audit events. +IMPORTANT: Be advised that sensitive data may be audited in plain text when including +the request body in audit events, even though all the security APIs, such as those that +change the user's password, have the credentials filtered out when audited. -- // end::xpack-sa-lf-events-emit-request-tag[] From 16effe33463826d4c13029cb3c89217b1fb811aa Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 22:24:02 +0200 Subject: [PATCH 08/63] put user event type --- .../auditing/enable-audit-logging.asciidoc | 2 +- .../en/security/auditing/event-types.asciidoc | 349 +----------------- 2 files changed, 20 insertions(+), 331 deletions(-) diff --git a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc index 7d898bb922858..65d883c9f7ea7 100644 --- a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc +++ b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc @@ -25,7 +25,7 @@ To enable enable audit logging: When audit logging is enabled, <> are persisted to a dedicated `_audit.json` file on the host's file system, on every cluster node. -The file is rotated and arhivated daily and upon reaching the 1GB file size limit. +The file is rotated and archived daily or upon reaching the 1GB file size limit. For more details, check out the https://github.com/elastic/elasticsearch/blob/{branch}/x-pack/plugin/core/src/main/config/log4j2.properties[log4j2.properties] for the security audit logger. diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 15a602ec3226e..cdc64f7d4a8e7 100644 
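Review bot: the rewritten IMPORTANT block in the audit-settings.asciidoc hunk replaces an unconditional warning ("No filtering is performed when auditing") with a softer one that asserts "all the security APIs ... have the credentials filtered out when audited". That is a strong guarantee for documentation to make, and "even though" inverts the logic of the warning. Suggest keeping the plain statement first (request bodies of ordinary requests, such as indexed documents and queries, are logged verbatim when `emit_request_body` is enabled), then stating the narrower exception precisely: which requests are redacted and which fields of them, so that operators can judge whether enabling the setting exposes data they must not retain in logs. "Be advised that" can be dropped as filler.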
--- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -2,43 +2,48 @@ [[audit-event-types]] === Audit event types -When you are <>, each client request can generate -multiple audit events. +When you are <>, a single client request +might generate multiple audit events, across multiple cluster nodes. The common +`request.id` attribute can be used to correlate the associated events. -The following is a list of the events that can be generated: + +The following is an exhaustive list of the events that can be generated: |====== -| `anonymous_access_denied` | | | Logged when a request is denied due to a missing +| `anonymous_access_denied` | | | Logged when a request is denied due to a missing | | | example authentication token. -| `authentication_success` | | | Logged when a user successfully authenticates. -| `authentication_failed` | | | Logged when the authentication token cannot be +| `authentication_success` | | | Logged when a user successfully authenticates. | | | example2 +| `authentication_failed` | | | Logged when the authentication token cannot be | | | example 3 matched to a known user. -| `realm_authentication_failed` | | | Logged for every realm that fails to present a valid +| `realm_authentication_failed` | | | Logged for every realm that fails to present a valid | | | example 4 authentication token. `` represents the realm type. -| `access_denied` | | | Logged when an authenticated user attempts to execute +| `access_denied` | | | Logged when an authenticated user attempts to execute | | | example 5 an action they do not have the necessary <> to perform. -| `access_granted` | | | Logged when an authenticated user attempts to execute +| `access_granted` | | | Logged when an authenticated user attempts to execute | | | example6 an action they have the necessary privilege to perform. When the `system_access_granted` event is included, all system (internal) actions are also logged. The default setting does not log system actions to avoid cluttering the logs. 
-| `run_as_granted` | | | Logged when an authenticated user attempts to <> +| `run_as_granted` | | | Logged when an authenticated user attempts to <> | | | example7 another user that they have the necessary privileges to do. -| `run_as_denied` | | | Logged when an authenticated user attempts to <> +| `run_as_denied` | | | Logged when an authenticated user attempts to <> | | | example8 another user action they do not have the necessary <> to do so. -| `tampered_request` | | | Logged when the {security-features} detect that the request has +| `tampered_request` | | | Logged when the {security-features} detect that the request has | | | example9 been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been tampered with. -| `connection_granted` | | | Logged when an incoming TCP connection passes the +| `connection_granted` | | | Logged when an incoming TCP connection passes the | | | example10 <> for a specific profile. -| `connection_denied` | | | Logged when an incoming TCP connection does not pass the +| `connection_denied` | | | Logged when an incoming TCP connection does not pass the | | | example11 <> for a specific profile. +| `put_user` | | | Logged when the put user API has been used to create or | | | example12 + update a user (including changing the password) in the native realm, + as well as chaning any of the built-in users. |====== [discrete] 
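Review bot: the table rows in this hunk gain trailing cells containing placeholder text (`| | | example`, `example2`, `example 3`, ..., `example12`); these must not ship, and the table's `cols` specification (outside this hunk) has to match the new number of cells per row or the table will not render. The new `put_user` row has a typo ("chaning", fixed in PATCH 09). The intro now promises "an exhaustive list of the events that can be generated", but at this point the table contains only `put_user` of the `security_config_change` actions, while the `event.action` description added in PATCH 02 lists thirteen of them; either add the remaining rows or do not call the list exhaustive. The new sentence about the common `request.id` attribute for correlating events across nodes is a useful addition for anyone reconstructing a request from the logs.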
@@ -243,319 +248,3 @@ that have been previously described: `api_key.name` :: API key name provided in the <> request. This attribute is only provided for authentication using an API key. - -[discrete] -[[audit-event-attributes-deprecated-formats]] -=== Audit event attributes for the deprecated formats - -The following table shows the common attributes that can be associated with -every event, when it is output to the `_access.log` file. - -.Common attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `@timestamp` | When the event occurred. -| `node_name` | The name of the node. -| `node_host_name` | The hostname of the node. -| `node_host_address` | The IP address of the node. -| `layer` | The layer from which this event originated: `rest`, `transport` or `ip_filter` -| `event_type` | The type of event that occurred: `anonymous_access_denied`, - `authentication_failed`, `authentication_success`, - `realm_authentication_failed`, `access_denied`, `access_granted`, - `connection_denied`, `connection_granted`, `tampered_request`, - `run_as_denied`, `run_as_granted`. -|====== - -These are positional attributes, which are printed at the beginning of each log line and -are not adjoined by the attribute name. - -The attribute `origin_address` is also common to every audit event. It is always -named, that is, it is not positional. It denotes the source IP address of the -request associated with this event. This might be the address of the client, the -address of another cluster node, or the local node's bound address (if the request -originated locally). Unless the client connects directly to the cluster, the -_client address_ is the address of the first OSI layer 3 proxy in front of the -cluster. - -In addition, every event might have the `opaque_id` attribute, with the value as -it has been passed in by the `X-Opaque-Id` HTTP request header. 
This header can -be used freely by the client to mark API calls, as it has no semantics in -Elasticsearch. Every audit event, generated as part of handling a request thus -marked, contains the `opaque_id` attribute. - -The following tables show the attributes that can are associated with each type -of event, in addition to the common ones previously described: - -.REST anonymous_access_denied attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `uri` | The REST endpoint URI. -| `request_body` | The body of the request, if enabled. -|====== - -.REST authentication_success attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `principal` | The _effective_ (impersonated) username. Usually this is - the same as the _authenticated_ username. -| `run_by_principal` | The _authenticated_ (impersonator) username. - This attribute is present only if the request is - using the <>. - Otherwise, the _effective_ user is the same as the - _authenticated_ one, which is indicated by the `principal` - attribute. -| `realm` | The realm that authenticated the user. -| `uri` | The REST endpoint URI. -| `params` | The REST URI query parameters. -| `request_body` | The body of the request, if enabled. -|====== - -.REST authentication_failed attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `principal` | The principal (username) that failed authentication. - If the request's authentication token is invalid, this - information might be missing. -| `uri` | The REST endpoint URI. -| `request_body` | The body of the request, if enabled. -|====== - -.REST realm_authentication_failed attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `realm` | The realm that failed to authenticate the user. - **A separate entry is logged for each consulted realm.** -| `principal` | The principal (username) that failed authentication. -| `uri` | The REST endpoint URI. 
-| `request_body` | The body of the request, if enabled. -|====== - -.REST tampered_request attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `uri` | The REST endpoint URI. -| `request_body` | The body of the request, if enabled. -|====== - -.Transport anonymous_access_denied attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `origin_type` | Where the request originated: `rest` (request - originated from a REST API request), `transport` - (request was received on the transport channel), or - `local_node` (the local node issued the request). -| `action` | The name of the action that was executed. -| `indices` | A comma-separated list of indices this request - pertains to (when applicable). -| `request` | The type of request that was executed. -|====== - -.Transport authentication_success attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `origin_type` | Where the request originated: `rest` (request - originated from a REST API request), `transport` - (request was received on the transport channel), or - `local_node` (the local node issued the request). -| `principal` | The _effective_ (impersonated) username. Usually this is - the same as the _authenticated_ username. -| `run_by_principal` | The _authenticated_ (impersonator) username. - This attribute is present only if the request is - using the <>. - Otherwise, the _effective_ and the _authenticated_ - users are equivalent and are indicated by the - `principal` attribute. -| `realm` | The realm that authenticated the user. -| `action` | The name of the action that was executed. -| `indices` | A comma-separated list of indices this request - pertains to (when applicable). -| `request` | The type of request that was executed. 
-|====== - -.Transport authentication_failed attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `origin_type` | Where the request originated: `rest` (request - originated from a REST API request), `transport` - (request was received on the transport channel), or - `local_node` (the local node issued the request). -| `principal` | The _effective_ (impersonated) username. Usually this is - the same as the _authenticated_ username. If the - request's authentication token is invalid, this - information might be missing. -| `run_by_principal` | The _authenticated_ (impersonator) username. - This attribute is present only if the request is - using the <>. - Otherwise, the _effective_ and the _authenticated_ - users are equivalent and are indicated by the - `principal` attribute. -| `action` | The name of the action that was executed. -| `indices` | A comma-separated list of indices this request - pertains to (when applicable). -| `request` | The type of request that was executed. -|====== - -.Transport realm_authentication_failed attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `realm` | The realm that failed to authenticate the user. - **A separate entry is logged for each consulted realm.** -| `origin_type` | Where the request originated: `rest` (request - originated from a REST API request), `transport` - (request was received on the transport channel), or - `local_node` (the local node issued the request). -| `principal` | The principal (username) that failed authentication. -| `action` | The name of the action that was executed. -| `indices` | A comma-separated list of indices this request - pertains to (when applicable). -| `request` | The type of request that was executed. 
-|====== - -.Transport access_granted attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `origin_type` | Where the request originated: `rest` (request - originated from a REST API request), `transport` - (request was received on the transport channel), or - `local_node` (the local node issued the request). -| `principal` | The _effective_ (impersonated) username for which - authorization succeeded. Unless the request is using - the <>, - the _effective_ and _authenticated_ usernames are equivalent. -| `realm` | The realm name that `principal` belongs to. -| `run_by_principal` | The _authenticated_ (impersonator) username. - This attribute is present only if the request is - using the <>. - Otherwise, the _effective_ and the _authenticated_ - usernames are equivalent and are indicated by the - `principal` attribute. -| `run_by_realm` | The realm name that `run_by_principal` belongs to - (when applicable). -| `roles` | The set of roles granting permissions. -| `action` | The name of the action that was executed. -| `indices` | A comma-separated list of indices this request - pertains to (when applicable). -| `request` | The type of request that was executed. -|====== - -.Transport access_denied attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `origin_type` | Where the request originated: `rest` (request - originated from a REST API request), `transport` - (request was received on the transport channel), or - `local_node` (the local node issued the request). -| `principal` | The _effective_ (impersonated) username for which - authorization failed. Unless the request is using - the <>, - the _effective_ and the _authenticated_ usernames are - equivalent. -| `realm` | The realm name that `principal` belongs to. -| `run_by_principal` | The _authenticated_ (impersonator) username. - This attribute is present only if the request is - using the <>. 
- Otherwise, the _effective_ and the _authenticated_ - usernames are equivalent and are indicated by the - `principal` attribute. -| `run_by_realm` | The realm name that `run_by_principal` belongs to - (when applicable). -| `roles` | The set of roles granting permissions. -| `action` | The name of the action that was executed. -| `indices` | A comma-separated list of indices this request - relates to (when applicable). -| `request` | The type of request that was executed. -|====== - -.Transport run_as_granted attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `origin_type` | Where the request originated: `rest` (request - originated from a REST API request), `transport` - (request was received on the transport channel), or - `local_node` (the local node issued the request). -| `principal` | The _authenticated_ (_impersonator_) username for which - the impersonation operation was granted. -| `realm` | The realm name that the _authenticated_ user belongs to. -| `run_as_principal` | The _impersonated_ username. -| `run_as_realm` | The realm name that the _impersonated_ username belongs to. -| `roles` | The set of roles granting permissions. -| `action` | The name of the action that was executed. -| `indices` | A comma-separated list of indices this request - relates to (when applicable). -| `request` | The type of request that was executed. -|====== - -.Transport run_as_denied attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `origin_type` | Where the request originated: `rest` (request - originated from a REST API request), `transport` - (request was received on the transport channel), or - `local_node` (the local node issued the request). -| `principal` | The _authenticated_ (_impersonator_) username for which - the impersonation operation was denied. -| `realm` | The realm name that the _authenticated_ user belongs to. -| `run_as_principal` | The _impersonated_ username. 
-| `run_as_realm` | The realm name that the _impersonated_ username belongs to. -| `roles` | The set of roles granting permissions. -| `action` | The name of the action that was executed. -| `indices` | A comma-separated list of indices this request - relates to (when applicable). -| `request` | The type of request that was executed. -|====== - -.Transport tampered_request attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `origin_type` | Where the request originated: `rest` (request - originated from a REST API request), `transport` - (request was received on the transport channel), or - `local_node` (the local node issued the request). -| `principal` | The _effective_ (impersonated) username. Unless the request - is using the <>, - the _effective_ and the _authenticated_ usernames are - equivalent. If the requests's authentication token is - invalid, this information might be missing. -| `run_by_principal` | The _authenticated_ (impersonator) username. - This attribute is present only if the request is - using the <>. - Otherwise, the _effective_ and the _authenticated_ usernames - are equivalent and are indicated by the `principal` attribute. -| `action` | The name of the action that was executed. -| `indices` | A comma-separated list of indices this request - pertains to (when applicable). -| `request` | The type of request that was executed. -|====== - -.IP filter connection_granted attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `transport_profile` | The transport profile the request targeted. -| `rule` | The <> rule that granted - the request. -|====== - -.IP filter connection_denied attributes -[cols="2,7",options="header"] -|====== -| Attribute | Description -| `transport_profile` | The transport profile the request targeted. -| `rule` | The <> rule that denied - the request. -|====== From 125c21bb15015c1217d5dd4d76936e667c91ed75 Mon Sep 17 00:00:00 2001 
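Review bot: PATCH 01/63 (WIP) deletes the per-event attribute tables for access_granted, access_denied, run_as_granted, run_as_denied, tampered_request, connection_granted and connection_denied, and nothing in this hunk takes their place. Before the series leaves WIP, make sure the replacement keeps the one distinction these tables spell out that matters when reviewing impersonation: in the access_* and tampered_request tables `principal` is the _effective_ (impersonated) user and `run_by_principal` names the impersonator, whereas in the run_as_* tables `principal` is the _authenticated_ impersonator and `run_as_principal` names the target user. If that note is lost, `principal` becomes ambiguous across event types.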
From: Albert Zaharovits Date: Tue, 29 Dec 2020 22:46:49 +0200 Subject: [PATCH 09/63] Put role --- x-pack/docs/en/security/auditing/event-types.asciidoc | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index cdc64f7d4a8e7..a9b4cce39ea76 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -41,9 +41,13 @@ The following is an exhaustive list of the events that can be generated: | `connection_denied` | | | Logged when an incoming TCP connection does not pass the | | | example11 <> for a specific profile. -| `put_user` | | | Logged when the put user API has been used to create or | | | example12 - update a user (including changing the password) in the native realm, - as well as chaning any of the built-in users. +| `put_user` | | | Logged when the put user API has been invoked to create or | | | example12 + update a native or built-in user. Note that updates can + also change the password. +| `change_password` | | | Logged when the change password API has been used to | | | example13 + change the password of native or built-in users. +| `put_role` | | | Logged when the put role API has been invoked to create | | | example14 + or update a role. |====== [discrete] From 31426a24539b0860a6f29bd448034913e46d8e53 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 22:47:56 +0200 Subject: [PATCH 10/63] Extraneous formatting --- x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc index 65d883c9f7ea7..98b978a5be7fd 100644 --- a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc +++ b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc 
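Review bot: PATCH 09/63 (Put role) places the example cell (`| | | example12`, `example13`, `example14`) on the first line of each multi-line row, ahead of the description's continuation lines; an AsciiDoc table cell runs until the next `|`, so text such as "update a native or built-in user. Note that updates can also change the password." ends up in the example column instead of the description. Move each `| | | exampleN` to the end of the row's last line. Also worth confirming in the `put_user` row: if the put user API cannot create built-in users, "update" is the accurate verb for them.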
@@ -12,7 +12,6 @@ Audit logging also provides forensic evidence in the event of an attack. ============================================================================ Audit logs are **disabled** by default. You must explicitly enable audit logging. ============================================================================ -+ -- TIP: Audit logs are only available on certain subscription levels. For more information, see https://www.elastic.co/subscriptions. From 6391f295dbe786d22606907ae52ea7b5a18f570e Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 23:09:02 +0200 Subject: [PATCH 11/63] More event types --- .../en/security/auditing/event-types.asciidoc | 82 ++++++++++--------- 1 file changed, 44 insertions(+), 38 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index a9b4cce39ea76..aeb210e171602 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
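Review bot: PATCH 10/63 (Extraneous formatting) drops a `+` list-continuation line and the `--` that opens an AsciiDoc open block, but the matching closing `--` is not in the hunk's context; check that no orphaned closing delimiter is left further down the file, otherwise the TIP and the text after it render inside a stray block.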
@@ -10,44 +10,50 @@ might generate multiple audit events, across multiple cluster nodes. The common The following is an exhaustive list of the events that can be generated: |====== -| `anonymous_access_denied` | | | Logged when a request is denied due to a missing | | | example - authentication token. -| `authentication_success` | | | Logged when a user successfully authenticates. | | | example2 -| `authentication_failed` | | | Logged when the authentication token cannot be | | | example 3 - matched to a known user. -| `realm_authentication_failed` | | | Logged for every realm that fails to present a valid | | | example 4 - authentication token. `` represents the - realm type. -| `access_denied` | | | Logged when an authenticated user attempts to execute | | | example 5 - an action they do not have the necessary - <> to perform. -| `access_granted` | | | Logged when an authenticated user attempts to execute | | | example6 - an action they have the necessary privilege to perform. - When the `system_access_granted` event is included, all system - (internal) actions are also logged. The default setting does - not log system actions to avoid cluttering the logs. -| `run_as_granted` | | | Logged when an authenticated user attempts to <> | | | example7 - another user that they have the necessary privileges to do. -| `run_as_denied` | | | Logged when an authenticated user attempts to <> | | | example8 - another user action they do not have the necessary - <> to do so. -| `tampered_request` | | | Logged when the {security-features} detect that the request has | | | example9 - been tampered with. Typically relates to `search/scroll` - requests when the scroll ID is believed to have been - tampered with. -| `connection_granted` | | | Logged when an incoming TCP connection passes the | | | example10 - <> for a specific - profile. -| `connection_denied` | | | Logged when an incoming TCP connection does not pass the | | | example11 - <> for a specific - profile. 
-| `put_user` | | | Logged when the put user API has been invoked to create or | | | example12 - update a native or built-in user. Note that updates can - also change the password. -| `change_password` | | | Logged when the change password API has been used to | | | example13 - change the password of native or built-in users. -| `put_role` | | | Logged when the put role API has been invoked to create | | | example14 - or update a role. +| `anonymous_access_denied` | | Logged when a request is denied due to a missing | | example + authentication token. +| `authentication_success` | | Logged when a user successfully authenticates. | | example2 +| `authentication_failed` | | Logged when the authentication token cannot be | | example 3 + matched to a known user. +| `realm_authentication_failed` | | Logged for every realm that fails to present a valid | | example 4 + authentication token. `` represents the + realm type. +| `access_denied` | | Logged when an authenticated user attempts to execute | | example 5 + an action they do not have the necessary + <> to perform. +| `access_granted` | | Logged when an authenticated user attempts to execute | | example6 + an action they have the necessary privilege to perform. + When the `system_access_granted` event is included, all system + (internal) actions are also logged. The default setting does + not log system actions to avoid cluttering the logs. +| `run_as_granted` | | Logged when an authenticated user attempts to | | example7 + <> another user that they have + the necessary privileges to do. +| `run_as_denied` | | Logged when an authenticated user attempts to | | example8 + <> + another user action they do not have the necessary + <> to do so. +| `tampered_request` | | Logged when the {security-features} detect that the request has | | example9 + been tampered with. Typically relates to `search/scroll` + requests when the scroll ID is believed to have been + tampered with. 
+| `connection_granted` | | Logged when an incoming TCP connection passes the | | example10 + <> for a specific + profile. +| `connection_denied` | | Logged when an incoming TCP connection does not pass the | | example11 + <> for a specific + profile. +| `put_user` | | Logged when the put user API has been invoked to create or | | example12 + update a native or built-in user. Note that updates can + also change the password. +| `change_password` | | Logged when the change password API has been used to | | example13 + change the password of native or built-in users. +| `put_role` | | Logged when the put role API has been invoked to create | | example14 + or update a role. +| `put_role_mapping` | | Logged when the put role mapping API has been invoked to + create or update a role mapping. | | example14 +| `put_privileges` | | Logged when the <> | | example15 + has been invoked to add or update application privileges. |====== [discrete] From ed921f45f2fe83af8ed103f949d686de38373338 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 29 Dec 2020 23:44:11 +0200 Subject: [PATCH 12/63] Partial fix for the example column --- .../en/security/auditing/event-types.asciidoc | 38 ++++++++++++------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index aeb210e171602..fa8b8d1095223 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
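Review bot: PATCH 11/63 (More event types) gives the new `put_role_mapping` row the same label `example14` as `put_role`, so the two rows cannot be told apart when the examples are filled in; give it a unique label. Its example cell also sits at the end of the continuation line while every other row puts it on the first line; the end-of-row position is the one that keeps the continuation text in the description column, so the other rows should follow it rather than the reverse. Finally, every row now has one empty cell fewer (`| | |` became `| |`), so the table's `cols` specification, which is outside this hunk, must be reduced to the same column count or the rows will render misaligned.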
@@ -10,29 +10,29 @@ might generate multiple audit events, across multiple cluster nodes. The common The following is an exhaustive list of the events that can be generated: |====== -| `anonymous_access_denied` | | Logged when a request is denied due to a missing | | example - authentication token. +| `anonymous_access_denied` | | Logged when a request is denied due to a missing + authentication token. | | example1 | `authentication_success` | | Logged when a user successfully authenticates. | | example2 -| `authentication_failed` | | Logged when the authentication token cannot be | | example 3 - matched to a known user. -| `realm_authentication_failed` | | Logged for every realm that fails to present a valid | | example 4 +| `authentication_failed` | | Logged when the authentication token cannot be + matched to a known user. | | example3 +| `realm_authentication_failed` | | Logged for every realm that fails to present a valid authentication token. `` represents the - realm type. -| `access_denied` | | Logged when an authenticated user attempts to execute | | example 5 + realm type. | | example4 +| `access_denied` | | Logged when an authenticated user attempts to execute an action they do not have the necessary - <> to perform. -| `access_granted` | | Logged when an authenticated user attempts to execute | | example6 + <> to perform. | | example5 +| `access_granted` | | Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. When the `system_access_granted` event is included, all system (internal) actions are also logged. The default setting does - not log system actions to avoid cluttering the logs. -| `run_as_granted` | | Logged when an authenticated user attempts to | | example7 + not log system actions to avoid cluttering the logs. | | example6 +| `run_as_granted` | | Logged when an authenticated user attempts to <> another user that they have - the necessary privileges to do. 
-| `run_as_denied` | | Logged when an authenticated user attempts to | | example8 + the necessary privileges to do. | | example7 +| `run_as_denied` | | Logged when an authenticated user attempts to <> another user action they do not have the necessary - <> to do so. + <> to do so. | | example8 | `tampered_request` | | Logged when the {security-features} detect that the request has | | example9 been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been @@ -54,6 +54,16 @@ The following is an exhaustive list of the events that can be generated: create or update a role mapping. | | example14 | `put_privileges` | | Logged when the <> | | example15 has been invoked to add or update application privileges. +| `create_apikey` | | Logged when the <> | | example16 + or the <> APIs have + been invoked to create a new API key. +| `delete_user` | | Logged when the <> | | example17 + has been invoked to delete a specific native user. +| `delete_role` | | Logged when the <> | | example18 + has been invoked to delete a role. +| `delete_role_mapping` | | Logged when the | | example19 + <> + has been invoked to delete a role mapping. |====== [discrete] From e96e8080d77cd6235bba9ddf4c31c2eaa123c86e Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Wed, 30 Dec 2020 10:58:47 +0200 Subject: [PATCH 13/63] Complete list without examples --- .../en/security/auditing/event-types.asciidoc | 63 +++++++++++-------- 1 file changed, 37 insertions(+), 26 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index fa8b8d1095223..81437f4e81407 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
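Review bot: PATCH 12/63 (Partial fix for the example column) moves the example cell to the end of each row in the first hunk, but the second hunk adds `create_apikey`, `delete_user`, `delete_role` and `delete_role_mapping` with the cell back on the first line (`| | example16` before "or the <> APIs have been invoked to create a new API key."), so those descriptions split across the wrong column again; `delete_role_mapping` is the worst case, where "Logged when the | | example19" leaves the cross-reference and the rest of the sentence in the example cell. Apply the same fix to the newly added rows.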
@@ -33,37 +33,48 @@ The following is an exhaustive list of the events that can be generated: <> another user action they do not have the necessary <> to do so. | | example8 -| `tampered_request` | | Logged when the {security-features} detect that the request has | | example9 +| `tampered_request` | | Logged when the {security-features} detect that the request has been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been - tampered with. -| `connection_granted` | | Logged when an incoming TCP connection passes the | | example10 + tampered with. | | example9 +| `connection_granted` | | Logged when an incoming TCP connection passes the <> for a specific - profile. -| `connection_denied` | | Logged when an incoming TCP connection does not pass the | | example11 + profile. | | example10 +| `connection_denied` | | Logged when an incoming TCP connection does not pass the <> for a specific - profile. -| `put_user` | | Logged when the put user API has been invoked to create or | | example12 - update a native or built-in user. Note that updates can - also change the password. -| `change_password` | | Logged when the change password API has been used to | | example13 - change the password of native or built-in users. -| `put_role` | | Logged when the put role API has been invoked to create | | example14 - or update a role. -| `put_role_mapping` | | Logged when the put role mapping API has been invoked to - create or update a role mapping. | | example14 -| `put_privileges` | | Logged when the <> | | example15 - has been invoked to add or update application privileges. -| `create_apikey` | | Logged when the <> | | example16 - or the <> APIs have - been invoked to create a new API key. -| `delete_user` | | Logged when the <> | | example17 - has been invoked to delete a specific native user. -| `delete_role` | | Logged when the <> | | example18 - has been invoked to delete a role. 
-| `delete_role_mapping` | | Logged when the | | example19 + profile. | | example11 +| `put_user` | | Logged when the <> + has been invoked to create or + update a native or built-in user. Note that user updates can + also change the password. | | example12 +| `delete_user` | | Logged when the <> + has been invoked to delete a specific native user. | | example17 +| `change_password` | | Logged when the <> + has been invoked to change the password of a native or built-in user. | | example13 +| `change_enable_user` | | Logged when the <> + has been invoked to enable a native or a built-in user. | | example13bis +| `change_disable_user` | | Logged when the <> + has been invoked to disable a native or a built-in user. | | example13bis2 +| `put_role` | | Logged when the <> + has been invoked to create or update a role. | | example14 +| `delete_role` | | Logged when the <> + has been invoked to delete a role. | | example18 +| `put_role_mapping` | | Logged when the <> + has been invoked to create or update a role mapping. | | example15 +| `delete_role_mapping` | | Logged when the <> - has been invoked to delete a role mapping. + has been invoked to delete a role mapping. | | example19 +| `create_apikey` | | Logged when the <> + or the <> APIs have + been invoked to create a new API key. | | example16 +| `invalidate_apikeys` | | Logged when the + <> has been + invoked to invalidate one or more API Keys. | | example20 +| `put_privileges` | | Logged when the <> + has been invoked to add or update one or more application privileges. | | example15 +| `delete_privileges` | | Logged when the + <> + has been invoked to remove one or more application privileges. | | example21 |====== [discrete] From 4e39d88641fce5cf379ca6ef8c9e6f603a2f0e7f Mon Sep 17 00:00:00 2001 
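Review bot: PATCH 13/63 (Complete list without examples): in the `delete_role_mapping` row the new line `| \`delete_role_mapping\` | | Logged when the <>` already carries the cross-reference, yet the unchanged context line `<>` from the old layout is kept beneath it, so the rendered cell would contain the link twice; delete the leftover line. The labels are also now inconsistent: `put_role_mapping` and `put_privileges` both say `example15`, `change_enable_user` and `change_disable_user` use the placeholders `example13bis` and `example13bis2`, and the sequence is out of order (`example17` sits between `example12` and `example13`). Since the subject says the examples are still to come, renumber once so each row has a unique, sequential label. Minor: "API Keys" in the `invalidate_apikeys` row versus "API key" elsewhere.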
From: Albert Zaharovits Date: Wed, 30 Dec 2020 12:42:27 +0200 Subject: [PATCH 14/63] Before detailing security change event contents --- .../en/security/auditing/event-types.asciidoc | 29 ++++++++++++------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 81437f4e81407..038af95e2176c 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -107,17 +107,6 @@ The following list shows attributes that are common to all audit event types: `host.ip` :: The bound IP address of the node, with which the node can be communicated with. `host.name` :: The unresolved node's hostname. -`origin.address` :: The source IP address of the request associated with - this event. This could be the address of the remote client, - the address of another cluster node, or the local node's - bound address, if the request originated locally. Unless - the remote client connects directly to the cluster, the - _client address_ will actually be the address of the first - OSI layer 3 proxy in front of the cluster. -`origin.type` :: The origin type of the request associated with this event: - `rest` (request originated from a REST API request), - `transport` (request was received on the transport channel), - or `local_node` (the local node issued the request). `event.type` :: The internal processing layer that generated the event: `rest`, `transport`, `ip_filter` or `security_config_change`. This is different from `origin.type` because a request 
@@ -135,6 +124,24 @@ The following list shows attributes that are common to all audit event types: `change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`, `delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys` or `delete_privileges`. +`request.id` :: A synthetic identifier that can be used to correlate the events + associated with a particular REST request. + +In addition, all the events with types `rest`, `transport` and `ip_filter` (but not +`security_config_change`) contain the following extra attributes, which +show details on the requesting client: + +`origin.address` :: The source IP address of the request associated with + this event. This could be the address of the remote client, + the address of another cluster node, or the local node's + bound address, if the request originated locally. Unless + the remote client connects directly to the cluster, the + _client address_ will actually be the address of the first + OSI layer 3 proxy in front of the cluster. +`origin.type` :: The origin type of the request associated with this event: + `rest` (request originated from a REST API request), + `transport` (request was received on the transport channel), + or `local_node` (the local node issued the request). `opaque_id` :: The value of the `X-Opaque-Id` HTTP header (if present) of the request associated with this event. This header can be used freely by the client to mark API calls, as it has From 2cbccd30fc05d1e307514048ef11df372b4c4fd4 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Wed, 30 Dec 2020 13:35:51 +0200 Subject: [PATCH 15/63] Audit event attributes for security config change --- .../en/security/auditing/event-types.asciidoc | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 038af95e2176c..45229731be16c 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc 
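Review bot: PATCH 14/63 (Before detailing security change event contents): after `origin.address` and `origin.type` move under the new "rest, transport and ip_filter (but not security_config_change)" paragraph, the unchanged `opaque_id` entry that follows is now part of that list as well, which tells the reader that `opaque_id` is absent from `security_config_change` events. If the `X-Opaque-Id` header of the triggering REST request is in fact recorded on those events (it is the obvious correlation handle for them), move `opaque_id` back above the new paragraph or close the list before it. The new `request.id` entry says it correlates the events of "a particular REST request"; since it now sits in the list of attributes common to all event types, say whether it is also set for requests with `origin.type` of `transport` or `local_node`.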
+++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -203,6 +203,33 @@ ones): `rule` :: The <> rule that denied the request. +==== Audit event attributes of the security_config_change event type + +The events with `event.type` equal to `security_config_change` have one of the following +`event.action` attribute values: `put_user`, `change_password`, `put_role`, `put_role_mapping`, +`change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`, `delete_user`, +`delete_role`, `delete_role_mapping`, `invalidate_apikeys`, or `delete_privileges`. +These event types also have *one* of the following extra attributes (in addition to the common +ones). The attributes' value is a nested JSON object, formatted depending on the target +configuration type (i.e. the format is different for `user` than for `role`): + +`put` :: The representation of the security config object that + is being created, or the overwrite of an existing config. + It can either be the config for a `user`, `role`, `role_mapping`, or + `privileges`. +`delete` :: The representation of the security config object that + is being deleted. It can either be the config for a `user`, `role`, + `role_mapping` or `privileges`. +`change` :: The representation of the security config change that + is being changed. It can either be `password`, `enable` or `disable`, + config of native or built-in users. +`create` :: The representation of the new security config that is being + created. It can either be `apikey` or `grant`, for API keys created + using the <> or + <> APIs, respectively. +`invalidate` :: The representation of the security configuration that is being invalidated. + The only config currently supporting invalidation is `apikeys`. + ==== Extra audit event attributes for specific events There are a few events that have some more attributes in addition to those From 61ae9a4fdbebaddf554c3ede20684ea4bb12a356 Mon Sep 17 00:00:00 2001 
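Review bot: PATCH 15/63 (Audit event attributes for security config change): the `change` entry, "The representation of the security config change that is being changed. It can either be `password`, `enable` or `disable`, config of native or built-in users", is circular and does not say what the object contains; describe it as the changed setting (password or enabled state) for the named user and state explicitly whether the object can ever hold the new password value, because an audit log that captures credentials becomes a secondary store of them and readers of `change_password` events will ask exactly this. The paragraph also says the JSON is "formatted depending on the target configuration type" but gives no schema for any type; a per-type schema, or a pointer to one, belongs in this section.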
From: Albert Zaharovits Date: Wed, 30 Dec 2020 20:02:54 +0200 Subject: [PATCH 16/63] Some security configuration schema --- .../auditing/enable-audit-logging.asciidoc | 2 +- .../en/security/auditing/event-types.asciidoc | 98 +++++++++++-------- 2 files changed, 59 insertions(+), 41 deletions(-) diff --git a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc index 98b978a5be7fd..44a27a4de97d5 100644 --- a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc +++ b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc @@ -3,7 +3,7 @@ == Enabling audit logging You can log security-related events such as authentication failures and refused connections -to monitor your cluster for suspicious activity (including data access and user +to monitor your cluster for suspicious activity (including data access authorization and user security configuration changes). Audit logging also provides forensic evidence in the event of an attack. diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 45229731be16c..82a9cc0f14d4f 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -6,7 +6,6 @@ When you are <>, a single client might generate multiple audit events, across multiple cluster nodes. The common `request.id` attribute can be used to correlate the associated events. - The following is an exhaustive list of the events that can be generated: |====== 
@@ -44,37 +43,37 @@ The following is an exhaustive list of the events that can be generated: <> for a specific profile. | | example11 | `put_user` | | Logged when the <> - has been invoked to create or + is being invoked to create or update a native or built-in user. Note that user updates can - also change the password. | | example12 + also change the user's password. | | example12 | `delete_user` | | Logged when the <> - has been invoked to delete a specific native user. | | example17 + is being invoked to delete a specific native user. | | example17 | `change_password` | | Logged when the <> - has been invoked to change the password of a native or built-in user. | | example13 + is being invoked to change the password of a native or built-in user. | | example13 | `change_enable_user` | | Logged when the <> - has been invoked to enable a native or a built-in user. | | example13bis + is being invoked to enable a native or a built-in user. | | example13bis | `change_disable_user` | | Logged when the <> - has been invoked to disable a native or a built-in user. | | example13bis2 + is being invoked to disable a native or a built-in user. | | example13bis2 | `put_role` | | Logged when the <> - has been invoked to create or update a role. | | example14 + is being invoked to create or update a role. | | example14 | `delete_role` | | Logged when the <> - has been invoked to delete a role. | | example18 + is being invoked to delete a role. | | example18 | `put_role_mapping` | | Logged when the <> - has been invoked to create or update a role mapping. | | example15 + is being invoked to create or update a role mapping. | | example15 | `delete_role_mapping` | | Logged when the <> - has been invoked to delete a role mapping. | | example19 + is being invoked to delete a role mapping. | | example19 | `create_apikey` | | Logged when the <> - or the <> APIs have - been invoked to create a new API key. | | example16 + or the <> APIs are + being invoked to create a new API key. 
| | example16 | `invalidate_apikeys` | | Logged when the - <> has been - invoked to invalidate one or more API Keys. | | example20 + <> + is being invoked to invalidate one or more API Keys. | | example20 | `put_privileges` | | Logged when the <> - has been invoked to add or update one or more application privileges. | | example15 + is being invoked to add or update one or more application privileges. | | example15 | `delete_privileges` | | Logged when the <> - has been invoked to remove one or more application privileges. | | example21 + is being invoked to remove one or more application privileges. | | example21 |====== [discrete] @@ -91,7 +90,7 @@ structured columnar aspect, similar to a CSV, that can be more easily inspected There are however a few attributes that are exceptions to the above format. The `put`, `delete`, `change`, `create` and `invalidate` attributes, which are only present for events with the `event.type: "security_config_change"` attribute, contain the *nested JSON* -representation of the security change taking effect. The contents of security config change +representation of the security change taking effect. The contents of the security config change are hence not splayed as top-level dot-named fields in the audit event document. That's because the fields are specific to the particular kind of the security change and do not show up in any other audit events, and so the benefits of a columnar format are much more limited; the 
@@ -127,9 +126,9 @@ The following list shows attributes that are common to all audit event types: `request.id` :: A synthetic identifier that can be used to correlate the events associated with a particular REST request. -In addition, all the events with types `rest`, `transport` and `ip_filter` (but not -`security_config_change`) contain the following extra attributes, which -show details on the requesting client: +In addition, all the events of types `rest`, `transport` and `ip_filter` (but not +`security_config_change`) have the following extra attributes, which +show more details on the requesting client: `origin.address` :: The source IP address of the request associated with this event. This could be the address of the remote client, @@ -162,7 +161,7 @@ show details on the requesting client: The events with `event.type` equal to `rest` have one of the following `event.action` attribute values: `authentication_success`, `anonymous_access_denied`, `authentication_failed`, `realm_authentication_failed`, `tampered_request` or `run_as_denied`. -These event types also have the following extra attributes (in addition to the +These events also have the following extra attributes (in addition to the common ones): `url.path` :: The path part of the URL (between the port and the query @@ -183,7 +182,7 @@ The events with `event.type` equal to `transport` have one of the following `eve attribute values: `authentication_success`, `anonymous_access_denied`, `authentication_failed`, `realm_authentication_failed`, `access_granted`, `access_denied`, `run_as_granted`, `run_as_denied`, or `tampered_request`. -These event types also have the following extra attributes (in addition to the common +These events also have the following extra attributes (in addition to the common ones): `action` :: The name of the transport action that was executed. 
@@ -196,7 +195,7 @@ ones): The events with `event.type` equal to `ip_filter` have one of the following `event.action` attribute values: `connection_granted` or `connection_denied`. -These event types also have the following extra attributes (in addition to the common +These events also have the following extra attributes (in addition to the common ones): `transport_profile` :: The transport profile the request targeted. 
@@ -205,30 +204,49 @@ ones): ==== Audit event attributes of the security_config_change event type -The events with `event.type` equal to `security_config_change` have one of the following +The events with the `event.type` attribute equal to `security_config_change` have one of the following `event.action` attribute values: `put_user`, `change_password`, `put_role`, `put_role_mapping`, `change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`, `delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys`, or `delete_privileges`. -These event types also have *one* of the following extra attributes (in addition to the common -ones). The attributes' value is a nested JSON object, formatted depending on the target -configuration type (i.e. the format is different for `user` than for `role`): +These events also have *one* of the following extra attributes (in addition to the common +ones); the attributes' value is a nested JSON object (that is not escaped): -`put` :: The representation of the security config object that +`put` :: The object representation of the security config that is being created, or the overwrite of an existing config. - It can either be the config for a `user`, `role`, `role_mapping`, or - `privileges`. -`delete` :: The representation of the security config object that + It contains the config for a `user`, `role`, `role_mapping`, or + for application `privileges`. +`delete` :: The object representation of the security config that is being deleted. It can either be the config for a `user`, `role`, - `role_mapping` or `privileges`. -`change` :: The representation of the security config change that - is being changed. It can either be `password`, `enable` or `disable`, - config of native or built-in users. -`create` :: The representation of the new security config that is being - created. It can either be `apikey` or `grant`, for API keys created + `role_mapping` or for application `privileges`. 
+`change` :: The object representation of the security config that + is being changed. It can either be the `password`, `enable` or `disable`, + config object for native or built-in users. +`create` :: The object representation of the new security config that is being + created. It can either be the `apikey` or `grant` config for API keys created using the <> or <> APIs, respectively. -`invalidate` :: The representation of the security configuration that is being invalidated. - The only config currently supporting invalidation is `apikeys`. +`invalidate` :: The object representation of the security configuration that is being invalidated. + The only config currently supporting invalidation is of `apikeys`, through + the <>. + +The schemas of the security config objects mentioned above are: + +`user` :: `{"name": , "enabled": , "roles": , + "full_name": , "email": , "has_password": , + "metadata": }` + The `full_name`, `email` and `metadata` fields are omitted if empty. +`role` :: `{"name": , "role_descriptor": {"cluster": , "global": + {"application":{"manage":{:}}}, "indices": [ + {"names": , "privileges": , "field_security": + {"grant": , "except": }, "query": , + "allow_restricted_indices": }], "applications":[{"application": , + "privileges": , "resources": }], "run_as": , + "metadata": }}` + The `global`, `field_security`, `except`, `query`, `allow_restricted_indices` and + `metadata` fields are omitted if empty. +`role_mapping` :: `{"name": , "roles": , "role_templates": [{"template": , + "format": }], "rules": , "enabled": , "metadata": }` + The ==== Extra audit event attributes for specific events From a041940473f949f80c86f710a145b0aa17f3a657 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Wed, 30 Dec 2020 20:46:49 +0200 Subject: [PATCH 17/63] Formatting --- .../en/security/auditing/event-types.asciidoc | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) 
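Review bot: The `role_mapping` schema entry is cut off at "The", and the schema list stops there, so `privileges`, `password`, `enable`, `disable`, `apikey`, `grant` and `apikeys`, all named as config objects in the `put`, `delete`, `change`, `create` and `invalidate` descriptions above, have no schema yet; finish the `role_mapping` sentence and add the remaining entries before this merges. Also, "a nested JSON object (that is not escaped)" is ambiguous: state explicitly that the object is written as structured JSON inline in the log line rather than as an escaped string value, since that is what anyone parsing `_audit.json` needs to know.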
diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 82a9cc0f14d4f..53ce4b266a1b9 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -231,22 +231,29 @@ ones); the attributes' value is a nested JSON object (that is not escaped): The schemas of the security config objects mentioned above are: -`user` :: `{"name": , "enabled": , "roles": , +`user` :: An object like `{"name": , "enabled": , "roles": , "full_name": , "email": , "has_password": , - "metadata": }` + "metadata": }`. + The `full_name`, `email` and `metadata` fields are omitted if empty. -`role` :: `{"name": , "role_descriptor": {"cluster": , "global": +`role` :: An object like `{"name": , "role_descriptor": {"cluster": , "global": {"application":{"manage":{:}}}, "indices": [ {"names": , "privileges": , "field_security": {"grant": , "except": }, "query": , "allow_restricted_indices": }], "applications":[{"application": , "privileges": , "resources": }], "run_as": , - "metadata": }}` + "metadata": }}`. + The `global`, `field_security`, `except`, `query`, `allow_restricted_indices` and `metadata` fields are omitted if empty. -`role_mapping` :: `{"name": , "roles": , "role_templates": [{"template": , +`role_mapping` :: An object like `{"name": , "roles": , "role_templates": [{"template": , "format": }], "rules": , "enabled": , "metadata": }` - The + + The `roles` and `role_templates` fields are omitted if empty. + The `rules` object has a recursively nested schema, identical to what is passed in + the <>. +`privileges` :: An array of objects like `{"application": , "name": , "actions": , + "metadata": }`. ==== Extra audit event attributes for specific events From dc50fb498f0301ec6f84903db27111b9057f69a8 Mon Sep 17 00:00:00 2001 
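Review bot: The `role_mapping` entry still ends without the closing period that the `user`, `role` and `privileges` entries now have (`"rules": , "enabled": , "metadata": }` followed by a blank line), and the `password`, `enable`, `disable`, `apikey`, `grant` and `apikeys` objects referenced by the `change`, `create` and `invalidate` attributes are still undocumented, so "The schemas of the security config objects mentioned above" is not yet a complete list. The added sentence that `rules` is "identical to what is passed in the <>" is useful; the same API pointer would help for `privileges`, which is the only entry whose value is an array rather than an object.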
From: Albert Zaharovits Date: Wed, 30 Dec 2020 21:14:54 +0200 Subject: [PATCH 18/63] Schema is done, let's see how it renders --- .../en/security/auditing/event-types.asciidoc | 34 +++++++++++++------ 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 53ce4b266a1b9..9b82bf4c66d34 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -222,39 +222,51 @@ ones); the attributes' value is a nested JSON object (that is not escaped): is being changed. It can either be the `password`, `enable` or `disable`, config object for native or built-in users. `create` :: The object representation of the new security config that is being - created. It can either be the `apikey` or `grant` config for API keys created - using the <> or - <> APIs, respectively. + created. It contains the `apikey` config object, if the API key is + created using the <>, + and, in addition, if the API key is created using the + <>, it also contains + a `grant` config object. `invalidate` :: The object representation of the security configuration that is being invalidated. The only config currently supporting invalidation is of `apikeys`, through the <>. -The schemas of the security config objects mentioned above are: +The schemas of the security config objects mentioned above are as follows. They are very similar to the +request bodies of the corresponding security APIs. `user` :: An object like `{"name": , "enabled": , "roles": , "full_name": , "email": , "has_password": , - "metadata": }`. + "metadata": }`. The `full_name`, `email` and `metadata` fields are omitted if empty. - The `full_name`, `email` and `metadata` fields are omitted if empty. `role` :: An object like `{"name": , "role_descriptor": {"cluster": , "global": {"application":{"manage":{:}}}, "indices": [ {"names": , "privileges": , "field_security": {"grant": , "except": }, "query": , "allow_restricted_indices": }], "applications":[{"application": , "privileges": , "resources": }], "run_as": , - "metadata": }}`. + "metadata": }}`. The `global`, `field_security`, `except`, `query`, + `allow_restricted_indices` and `metadata` fields are omitted if empty. - The `global`, `field_security`, `except`, `query`, `allow_restricted_indices` and - `metadata` fields are omitted if empty. 
`role_mapping` :: An object like `{"name": , "roles": , "role_templates": [{"template": , - "format": }], "rules": , "enabled": , "metadata": }` - + "format": }], "rules": , "enabled": , "metadata": }`. The `roles` and `role_templates` fields are omitted if empty. The `rules` object has a recursively nested schema, identical to what is passed in the <>. + `privileges` :: An array of objects like `{"application": , "name": , "actions": , "metadata": }`. +`password` :: A simple object like `{"user":{"name": }}`. +`enable` :: A simple object like `{"user":{"name": }}`. +`disable` :: A simple object like `{"user":{"name": }}`. +`apikey` :: An object like `{"name": , "expiration": , "role_descriptors" []}`. + The `role_descriptors` objects have the same schema as the `role_descriptor` object that + is part of the `role` config object, from the above. +`grant` :: An object like `{"type": , "user": {"name": , "has_password": }, + "has_access_token": }` +`apikeys` :: An object like `{"ids": , "name": , "owned_by_authenticated_user": + , "user":{"name": , "realm": }}`. + ==== Extra audit event attributes for specific events There are a few events that have some more attributes in addition to those From bda3344bddbd98e384ca434f88ba1649f98c2d05 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Wed, 30 Dec 2020 22:02:32 +0200 Subject: [PATCH 19/63] First example --- docs/reference/settings/audit-settings.asciidoc | 3 ++- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index 36b4e4e3a81e8..5f8bf8796b2fe 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc 
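Review bot: The `apikey` schema is missing the colon after `"role_descriptors"` (`{"name": , "expiration": , "role_descriptors" []}`), and the `grant` entry is the only one without a terminating period; both will show up as typos in the rendered page. Since `password`, `enable` and `disable` all have the identical shape `{"user":{"name": }}`, one combined entry reads better than three. In the rewritten `create` description, "It contains the `apikey` config object, if ... and, in addition, if ... it also contains a `grant` config object" nests two conditionals in one sentence; split it into one sentence per API (create API key: `apikey` only; grant API key: `apikey` plus `grant`).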
@@ -55,7 +55,8 @@ security_config_change`. // tag::xpack-sa-lf-events-exclude-tag[] `xpack.security.audit.logfile.events.exclude`:: (<>) -Excludes the specified kind of events from the include list. The default is the empty list. +Excludes the specified kind of events from the include list. Useful in the case where +the `events.include` setting contains the special value `_all`. The default is the empty list. // end::xpack-sa-lf-events-exclude-tag[] [[xpack-sa-lf-events-emit-request]] diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 9b82bf4c66d34..26d6d35b96fa7 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -10,7 +10,7 @@ The following is an exhaustive list of the events that can be generated: |====== | `anonymous_access_denied` | | Logged when a request is denied due to a missing - authentication token. | | example1 + authentication token. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` | `authentication_success` | | Logged when a user successfully authenticates. | | example2 | `authentication_failed` | | Logged when the authentication token cannot be matched to a known user. | | example3 From 2adea1ee3bf436da15c1fb09e7b4a1f94d2d80f2 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Wed, 30 Dec 2020 22:13:41 +0200 Subject: [PATCH 20/63] More examples --- x-pack/docs/en/security/auditing/event-types.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
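Review bot: In the `events.exclude` hunk, "Excludes the specified kind of events" should be "kinds of events", and the new sentence names the special value `_all` without saying what it means in `events.include`; one clause explaining it would make clear why `events.exclude` only becomes useful in that case.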
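Review bot: In the `anonymous_access_denied` hunk, the example is a full event line with `node.id` and `request.id` pasted into a table cell as a single back-ticked string; it will render as one unbreakable line and be hard to read inside the table. Decide on one presentation before `example2` through `example21` are filled in the same way, for instance `[source,js]` blocks under the table keyed by `event.action`, so the format does not have to be redone across all rows later.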
diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 26d6d35b96fa7..76cbc092d63b5 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -11,13 +11,13 @@ The following is an exhaustive list of the events that can be generated: |====== | `anonymous_access_denied` | | Logged when a request is denied due to a missing authentication token. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` -| `authentication_success` | | Logged when a user successfully authenticates. | | example2 +| `authentication_success` | | Logged when a user successfully authenticates. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", "url.query":"pretty", "request.method":"POST", "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}` | `authentication_failed` | | Logged when the authentication token cannot be - matched to a known user. | | example3 + matched to a known user. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` | `realm_authentication_failed` | | Logged for every realm that fails to present a valid authentication token. `` represents the - realm type. | | example4 -| `access_denied` | | Logged when an authenticated user attempts to execute + realm type. 
| | Example: `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"reserved", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` + `access_denied` | | Logged when an authenticated user attempts to execute an action they do not have the necessary <> to perform. | | example5 | `access_granted` | | Logged when an authenticated user attempts to execute From bbdf2b24ee0abbdaca7f295946044d7c51b18731 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Wed, 30 Dec 2020 22:36:25 +0200 Subject: [PATCH 21/63] Better formatted examples --- x-pack/docs/en/security/auditing/event-types.asciidoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 76cbc092d63b5..9be62516ae486 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
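Review bot: The `access_denied` row lost its leading cell delimiter: `+ `access_denied` | | Logged when an authenticated user attempts to execute` must start with `| `access_denied``. Without it the AsciiDoc table's cell count shifts and every row after `realm_authentication_failed` renders misaligned. The three new examples are otherwise consistent with each other; `authentication_failed` and `realm_authentication_failed` sharing the same `timestamp` and `request.id` is a nice illustration that both are emitted for one request.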
@@ -17,14 +17,14 @@ The following is an exhaustive list of the events that can be generated: | `realm_authentication_failed` | | Logged for every realm that fails to present a valid authentication token. `` represents the realm type. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"reserved", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` - `access_denied` | | Logged when an authenticated user attempts to execute +| `access_denied` | | Logged when an authenticated user attempts to execute an action they do not have the necessary - <> to perform. | | example5 + <> to perform. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":[""]}` | `access_granted` | | Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. When the `system_access_granted` event is included, all system (internal) actions are also logged. The default setting does - not log system actions to avoid cluttering the logs. | | example6 + not log system actions to avoid cluttering the logs. | | Example: `` | `run_as_granted` | | Logged when an authenticated user attempts to <> another user that they have the necessary privileges to do. | | example7 
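Review bot: The `access_granted` example is an empty placeholder (`Example: ``), which will render as a literal pair of backticks; either keep `example6` until a real event is captured or fill it in this commit. The restored `| `access_denied`` cell fixes the table breakage from the previous commit. In the `access_denied` example, `"indices":[""]` paired with `"action":"indices:admin/auto_create"` will puzzle readers; a captured event with a named index would read better.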
@@ -45,9 +45,9 @@ The following is an exhaustive list of the events that can be generated: | `put_user` | | Logged when the <> is being invoked to create or update a native or built-in user. Note that user updates can - also change the user's password. | | example12 + also change the user's password. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` | `delete_user` | | Logged when the <> - is being invoked to delete a specific native user. | | example17 + is being invoked to delete a specific native user. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` | `change_password` | | Logged when the <> is being invoked to change the password of a native or built-in user. | | example13 | `change_enable_user` | | Logged when the <> From 16520627a145e7ae4f3843e8b565d405a3e617ea Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 31 Dec 2020 00:02:42 +0200 Subject: [PATCH 22/63] Almost all examples --- .../en/security/auditing/event-types.asciidoc | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 9be62516ae486..a094de246cb8e 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
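Review bot: The `put_user` description says "user updates can also change the user's password" but not that the password itself is never written; the example makes this visible only implicitly through `"has_password":true`. Add a short sentence to the row (or to the `user` schema entry) saying that passwords are replaced by the `has_password` flag, since that is the question an auditor reading this event will ask first.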
@@ -24,24 +24,23 @@ The following is an exhaustive list of the events that can be generated: an action they have the necessary privilege to perform. When the `system_access_granted` event is included, all system (internal) actions are also logged. The default setting does - not log system actions to avoid cluttering the logs. | | Example: `` + not log system actions to avoid cluttering the logs. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}` | `run_as_granted` | | Logged when an authenticated user attempts to <> another user that they have - the necessary privileges to do. | | example7 + the necessary privileges to do. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` | `run_as_denied` | | Logged when an authenticated user attempts to <> another user action they do not have the necessary - <> to do so. | | example8 + <> to do so. 
| | Example: `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` | `tampered_request` | | Logged when the {security-features} detect that the request has been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been - tampered with. | | example9 + tampered with. | | Example: `{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": "tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` | `connection_granted` | | Logged when an incoming TCP connection passes the <> for a specific - profile. | | example10 + profile. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` | `connection_denied` | | Logged when an incoming TCP connection does not pass the - <> for a specific - profile. | | example11 + <> for a specific profile. 
| | Example: `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` | `put_user` | | Logged when the <> is being invoked to create or update a native or built-in user. Note that user updates can 
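Review bot: The `tampered_request` example does not look captured from the same session as the others: its timestamp is `2019-11-27T22:00:00,947+0200` while every other example is from 2020-12-30, it has spaces after the colons (`"node.id": "0RMNyghkQYCc_gVd1G6tZQ"`) unlike the compact JSON elsewhere, it lacks `origin.type`, and its `origin.address`, `url.path` and `request.id` are identical to the `anonymous_access_denied` example, so it appears hand-edited from that one; capture a real event so the field set is accurate. Separately, the `connection_granted` and `connection_denied` examples use `"transport.profile"` while the `ip_filter` attribute list above documents `transport_profile`; make the attribute list and the examples agree.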
@@ -51,11 +50,11 @@ The following is an exhaustive list of the events that can be generated: | `change_password` | | Logged when the <> is being invoked to change the password of a native or built-in user. | | example13 | `change_enable_user` | | Logged when the <> - is being invoked to enable a native or a built-in user. | | example13bis + is being invoked to enable a native or a built-in user. | | Example: `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` | `change_disable_user` | | Logged when the <> - is being invoked to disable a native or a built-in user. | | example13bis2 + is being invoked to disable a native or a built-in user. | | Example: `{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}` | `put_role` | | Logged when the <> - is being invoked to create or update a role. | | example14 + is being invoked to create or update a role. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` | `delete_role` | | Logged when the <> is being invoked to delete a role. | | example18 | `put_role_mapping` | | Logged when the <> 
From 0448643a9a5d7c900fa8dcae67f25f3c83086944 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 31 Dec 2020 00:43:08 +0200 Subject: [PATCH 23/63] All examples --- .../docs/en/security/auditing/event-types.asciidoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index a094de246cb8e..33aa57c43729a 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -56,23 +56,23 @@ The following is an exhaustive list of the events that can be generated: | `put_role` | | Logged when the <> is being invoked to create or update a role. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` | `delete_role` | | Logged when the <> - is being invoked to delete a role. | | example18 + is being invoked to delete a role. | | Example: `{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", "delete":{"role":{"name":"my_admin_role"}}}` | `put_role_mapping` | | Logged when the <> - is being invoked to create or update a role mapping. | | example15 + is being invoked to create or update a role mapping. | | Example: `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` | `delete_role_mapping` | | Logged when the <> - is being invoked to delete a role mapping. | | example19 + is being invoked to delete a role mapping. 
| | Example: `{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", "delete":{"role_mapping":{"name":"mapping1"}}}` | `create_apikey` | | Logged when the <> or the <> APIs are - being invoked to create a new API key. | | example16 + being invoked to create a new API key. | | Example: `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` | `invalidate_apikeys` | | Logged when the <> - is being invoked to invalidate one or more API Keys. | | example20 + is being invoked to invalidate one or more API Keys. | | Example: `{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}` | `put_privileges` | | Logged when the <> - is being invoked to add or update one or more application privileges. | | example15 + is being invoked to add or update one or more application privileges. 
| | Example: `{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", "put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}` | `delete_privileges` | | Logged when the <> - is being invoked to remove one or more application privileges. | | example21 + is being invoked to remove one or more application privileges. | | Example: `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` |====== [discrete] From d5e38982f7a64044cab22732a315e7a0313cab24 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 31 Dec 2020 08:04:58 +0200 Subject: [PATCH 24/63] Logfile output WIP --- .../en/security/auditing/event-types.asciidoc | 4 +- .../security/auditing/output-logfile.asciidoc | 80 +++---------------- 2 files changed, 12 insertions(+), 72 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 33aa57c43729a..685095c1fe4f2 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
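Review bot: The `delete_privileges` example, `"delete":{"privileges":{"application":"myapp","privileges":["read"]}}`, has a different shape from the `privileges` schema documented above (an array of `{"application": , "name": , "actions": , "metadata": }` objects, as the `put_privileges` example shows); the schema section should state that the `delete` form of `privileges` is a single object with `application` and a `privileges` name array, otherwise readers parsing the log will expect the array form. The `invalidate_apikeys` example omits `ids` and `name` while the `apikeys` schema lists them without an "omitted if empty" sentence; add one there too.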
@@ -48,7 +48,7 @@ The following is an exhaustive list of the events that can be generated: | `delete_user` | | Logged when the <> is being invoked to delete a specific native user. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` | `change_password` | | Logged when the <> - is being invoked to change the password of a native or built-in user. | | example13 + is being invoked to change the password of a native or built-in user. | | Example: `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` | `change_enable_user` | | Logged when the <> is being invoked to enable a native or a built-in user. | | Example: `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` | `change_disable_user` | | Logged when the <> @@ -260,7 +260,7 @@ request bodies of the corresponding security APIs. `disable` :: A simple object like `{"user":{"name": }}`. `apikey` :: An object like `{"name": , "expiration": , "role_descriptors" []}`. The `role_descriptors` objects have the same schema as the `role_descriptor` object that - is part of the `role` config object, from the above. + is part of the above `role` config object. `grant` :: An object like `{"type": , "user": {"name": , "has_password": }, "has_access_token": }` `apikeys` :: An object like `{"ids": , "name": , "owned_by_authenticated_user": 
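Review bot: The new `change_password` example looks hand-derived from the `delete_user` example on the context line above it rather than captured: its timestamp `2019-12-30T22:19:41,345+0200` matches `delete_user` to the millisecond except for the year, and its `request.id` `bz5a1Cc3RrebDMitMGGNCw` differs from `au5a1Cc3RrebDMitMGGNCw` only in the first two characters. Replace it with a captured event so the `change` payload (`{"password":{"user":{"name":"user1"}}}`) is known to match what the audit trail actually writes.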
diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index 2179af6e389cf..1a2466223ab40 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc +++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc @@ -2,42 +2,13 @@ [[audit-log-output]] === Logfile audit output -The `logfile` audit output is the default output for auditing. It writes data to -the `_audit.json` file in the logs directory. To maintain -compatibility with releases prior to 6.5.0, a `_access.log` file -is also generated. They differ in the output format but the contents -are similar. For systems that are not ingesting the audit file for search or -analytics it is strongly recommended to keep only the newer format. - -To turn off the deprecated output format, you can disable the logger in the -`log4j2.properties` file: - -[source, properties] --------------------------------------------------- -# change info to off -# logger.xpack_security_audit_deprecated_logfile.level = info -logger.xpack_security_audit_deprecated_logfile.level = off --------------------------------------------------- - -Alternatively, use the -<> to dynamically -configure the logger: - -[source,console] --------------------------------------------------- -PUT /_cluster/settings -{ - "persistent": { - "logger.org.elasticsearch.xpack.security.audit.logfile.DeprecatedLoggingAuditTrail": "off" - } -} --------------------------------------------------- +The `logfile` audit output is the only output for auditing. It writes data to +the `_audit.json` file in the logs directory. NOTE: If you overwrite the `log4j2.properties` and do not specify appenders for any of the audit trails, audit events are forwarded to the root appender, which by default points to the `elasticsearch.log` file. - [discrete] [[audit-log-entry-format]] === Log entry format 
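Review bot: Removing everything about the deprecated `_access.log` output leaves no statement that the file is no longer written, and the `logger.xpack_security_audit_deprecated_logfile` and `DeprecatedLoggingAuditTrail` snippets disappear with it; if the deprecated trail was removed in this release, say so in one sentence (with a pointer to the breaking-changes entry), because users who followed the old advice will look here for what to do with their logger overrides. Also, "the only output for auditing" replaces "the default output", yet the retained NOTE still says "appenders for any of the audit trails"; with a single trail that should become singular.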
@@ -56,34 +27,6 @@ The log entries in the `_audit.json` file have the following format There is a list of <> specifying the set of fields for each sog entry type. -[discrete] -[[deprecated-audit-log-entry-format]] -=== Deprecated log entry format - -The log entries in the `_access.log` file have the following format: - -[source,txt] ----------------------------------------------------------------------------- -[] [] [] [] ----------------------------------------------------------------------------- - -`` :: When the event occurred. You can configure the - timestamp format in `log4j2.properties`. -`` :: Information about the local node that generated - the log entry. You can control what node information - is included by configuring the - <>. -`` :: The layer from which this event originated: - `rest`, `transport` or `ip_filter`. -`` :: The type of event that occurred: `anonymous_access_denied`, - `authentication_failed`, `access_denied`, `access_granted`, - `connection_granted`, `connection_denied`. -`` :: A comma-separated list of key-value pairs that contain - data pertaining to the event. Formatted as - `attr1=[val1], attr2=[val2]`. See <> for the attributes that can be included - for each type of event. - [discrete] [[audit-log-settings]] === Logfile output settings 
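Review bot: the unchanged context line `set of fields for each sog entry type` has a typo (`sog` for `log`); this hunk already touches the surrounding lines, so fix it here instead of in a later commit. Dropping the deprecated `_access.log` entry format is consistent with the previous hunk, but the `[[deprecated-audit-log-entry-format]]` anchor disappears with it, so check that no other page in the docs still cross references that id before merging.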
@@ -93,20 +36,17 @@ controlled using settings in the `elasticsearch.yml` file. See <> and <>. -IMPORTANT: No filtering is performed when auditing, so sensitive data may be -audited in plain text when including the request body in audit events. +IMPORTANT: Be advised that *sensitive data may be audited in plain text* when including +the request body in audit events, even though all the security APIs, such as those that +change the user’s password, have the credentials filtered out when audited. -[[logging-file]] You can also configure how the logfile is written in the `log4j2.properties` -file located in `ES_PATH_CONF`. By default, audit information is appended to the +file located in `ES_PATH_CONF` (or check out the relevant portion of +the https://github.com/elastic/elasticsearch/blob/{branch}/x-pack/plugin/core/src/main/config/log4j2.properties[log4j2.properties in the sources]). +By default, audit information is appended to the `_audit.json` file located in the standard Elasticsearch `logs` directory -(typically located at `$ES_HOME/logs`). The file rolls over on a daily basis. -The deprecated logfile audit format (`_access.log`) can be disabled -from the same `log4j2.properties` file (hint: look for the comment -instructing to set the log level to `off`). The deprecated format is a duplication -of information that is in place to assure backwards compatibility. If you are -not strict about the audit format it is strongly recommended to only use the -`_audit.json` log appender. +(typically located at `$ES_HOME/logs`). +The file is also rotated and archived daily or upon reaching the 1GB file size limit. [discrete] [[audit-log-ignore-policy]] From 8417412408c5c9da6bcd2e84bc60c8f3eccd1ed3 Mon Sep 17 00:00:00 2001 
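Review bot: the new IMPORTANT admonition reads as self-contradictory: it first warns that sensitive data may be audited in plain text when the request body is included, then says that all security APIs have credentials filtered out. State which attribute each half refers to, i.e. that passwords and other secrets are removed from the `security_config_change` events (`put_user`, `change_password` and the rest), and say explicitly whether the `request.body` attribute, when `emit_request_body` is enabled, is also redacted for requests to the security APIs; if it is not, say so in so many words, because that is the first question an auditor will ask. The daily / 1GB rollover statement is fine, but add that both thresholds are defined by the appender in the `log4j2.properties` linked just above, so operators know where to change them.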
From: Albert Zaharovits Date: Thu, 31 Dec 2020 08:35:12 +0200 Subject: [PATCH 25/63] Almost --- .../settings/audit-settings.asciidoc | 4 +++ .../auditing/enable-audit-logging.asciidoc | 5 +-- .../en/security/auditing/event-types.asciidoc | 14 +------- .../security/auditing/output-logfile.asciidoc | 34 +++++++++++++------ 4 files changed, 29 insertions(+), 28 deletions(-) diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index 5f8bf8796b2fe..4c453f859c554 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc @@ -13,6 +13,10 @@ as creating, updating and removing <> and <> users, <>, <> and <> are also recorded. +-- +TIP: Audit logs are only available on certain subscription levels. +For more information, see https://www.elastic.co/subscriptions. +-- If configured, auditing settings must be set on every node in the cluster. Static settings, such as `xpack.security.audit.enabled`, must be configured in diff --git a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc index 44a27a4de97d5..8102d4d71d4c3 100644 --- a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc +++ b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc @@ -24,10 +24,7 @@ To enable enable audit logging: When audit logging is enabled, <> are persisted to a dedicated `_audit.json` file on the host's file system, on every cluster node. -The file is rotated and archived daily or upon reaching the 1GB file size limit. -For more details, check out the -https://github.com/elastic/elasticsearch/blob/{branch}/x-pack/plugin/core/src/main/config/log4j2.properties[log4j2.properties] -for the security audit logger. +For more information, see <>. You can configure additional options to control what events are logged and what information is included in the audit log. 
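Review bot: the TIP in `audit-settings.asciidoc` hard-codes `https://www.elastic.co/subscriptions`; the docs use the `{subscriptions}` attribute for this link, so use it here to avoid a stale URL. In the `enable-audit-logging.asciidoc` hunk, replacing the rotation details with a cross reference is fine, but the context line `To enable enable audit logging:` has a doubled word that this hunk could fix while it is editing the paragraph.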
diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 685095c1fe4f2..619936e709e30 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -81,19 +81,7 @@ The following is an exhaustive list of the events that can be generated: The audit events are formatted as JSON documents, and each event is printed on a separate line in the audit log (the entries themselves do not contain the end-of-line delimiter). -The audit event JSON format is somewhat particular, as *most* fields follow a dotted -name syntax, are ordered, and contain non-null string values. This format creates a -structured columnar aspect, similar to a CSV, that can be more easily inspected visually -(compared to an equivalent nested JSON document). - -There are however a few attributes that are exceptions to the above format. The `put`, -`delete`, `change`, `create` and `invalidate` attributes, which are only present for -events with the `event.type: "security_config_change"` attribute, contain the *nested JSON* -representation of the security change taking effect. The contents of the security config change -are hence not splayed as top-level dot-named fields in the audit event document. That's because -the fields are specific to the particular kind of the security change and do not show up in -any other audit events, and so the benefits of a columnar format are much more limited; the -space-saving benefits of the nested structure is the favoured trade-off in this case. +For more details, see <>. The following list shows attributes that are common to all audit event types: diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index 1a2466223ab40..38dfc46b8bc4f 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc 
+++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc 
@@ -13,19 +13,28 @@ by default points to the `elasticsearch.log` file. [[audit-log-entry-format]] === Log entry format -The log entries in the `_audit.json` file have the following format: - -- Each log entry is a one line JSON document and each one is printed on a separate line. -- The fields of a log entry are ordered. However, if a field does not have a value it - will not be printed. The precise line pattern, together with the complete field - order, are specified in the `log4j2.properties` config file. -- The log entry does not contain nested inner JSON objects, i.e. the doc is flat. -- The field names follow a dotted notation to flatten inner objects. -- A field's value can be a string, a number or an array of strings. -- A field's value, a request body as well, will be escaped as per the JSON RFC 4627. +The audit events are formatted as JSON documents, and each event is printed on a separate +line in the `_audit.json` file (the entries themselves do not contain the +end-of-line delimiter). +The audit event JSON format is somewhat particular, as *most* fields follow a dotted +name syntax, are ordered, and contain non-null string values. This format creates a +structured columnar aspect, similar to a CSV, that can be more easily inspected visually +(compared to an equivalent nested JSON document). + +There are however a few attributes that are exceptions to the above format. The `put`, +`delete`, `change`, `create` and `invalidate` attributes, which are only present for +events with the `event.type: "security_config_change"` attribute, contain the *nested JSON* +representation of the security change taking effect. The contents of the security config change +are hence not splayed as top-level dot-named fields in the audit event document. 
That's because +the fields are specific to the particular kind of the security change and do not show up in +any other audit events, and so the benefits of a columnar format are much more limited; the +space-saving benefits of the nested structure is the favoured trade-off in this case. + +When the `request.body` attribute is present (see <>), it contains a +string value containing the full HTTP request body, ascaped as per the JSON RFC 4677. There is a list of <> specifying the -set of fields for each sog entry type. +set of fields, as well as examples, for each entry type. [discrete] [[audit-log-settings]] @@ -64,6 +73,9 @@ Sometimes the verbosity of the audit trail may become a problem that the event t These policies define rules that match audit events which will be _ignored_ (read as: not printed). Rules match on the values of attributes of audit events and complement the <> method. Imagine the corpus of audit events and the policies chopping off unwanted events. +With a sole exception, all audit events are subject to the ignore policies. +The exception are events of type `security_config_change`, which cannot be filtered out, +unless excluded altogether. IMPORTANT: When utilizing audit events ignore policies you are acknowledging potential accountability gaps that could render illegitimate actions undetectable. From ff19308388a0c3c36981612e7f74cd3156c02ff2 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 31 Dec 2020 08:42:24 +0200 Subject: [PATCH 26/63] Ignore policy as separate file --- .../security/auditing/ignore-policy.asciidoc | 79 +++++++++++++++++++ .../docs/en/security/auditing/index.asciidoc | 2 + .../audit/logfile/LoggingAuditTrail.java | 2 +- 3 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 x-pack/docs/en/security/auditing/ignore-policy.asciidoc 
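Review bot: `ascaped as per the JSON RFC 4677` has two errors: the word is `escaped`, and the JSON RFC is 4627 (the number the deleted line in the earlier hunk used; RFC 8259 is the current specification), whereas RFC 4677 is unrelated. Also `The exception are events of type` should read `The exception is events of type`, and `the space-saving benefits of the nested structure is the favoured trade-off` needs `are`. Moving the paragraph about the nested `put`, `delete`, `change`, `create` and `invalidate` attributes from `event-types.asciidoc` into the log format section is the right place for it, and the remaining `For more details, see <>.` pointer in the event types page should target the `audit-log-entry-format` anchor so the two pages do not drift apart again.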
diff --git a/x-pack/docs/en/security/auditing/ignore-policy.asciidoc b/x-pack/docs/en/security/auditing/ignore-policy.asciidoc new file mode 100644 index 0000000000000..bd5696ddf2593 --- /dev/null +++ b/x-pack/docs/en/security/auditing/ignore-policy.asciidoc 
@@ -0,0 +1,79 @@ +[role="xpack"] +[[audit-log-ignore-policy]] +=== Logfile audit events ignore policies + +The comprehensive audit trail is necessary to ensure accountability. It offers tremendous +value during incident response and can even be required for demonstrating compliance. + +The drawback of an audited system is represented by the inevitable performance penalty incurred. +In all truth, the audit trail spends _I/O ops_ that are not available anymore for the user's queries. +Sometimes the verbosity of the audit trail may become a problem that the event type restrictions, +<>, will not alleviate. + +*Audit events ignore policies* are a finer way to tune the verbosity of the audit trail. +These policies define rules that match audit events which will be _ignored_ (read as: not printed). +Rules match on the values of attributes of audit events and complement the <> method. +Imagine the corpus of audit events and the policies chopping off unwanted events. +With a sole exception, all audit events are subject to the ignore policies. +The exception are events of type `security_config_change`, which cannot be filtered out, +unless excluded altogether. + +IMPORTANT: When utilizing audit events ignore policies you are acknowledging potential +accountability gaps that could render illegitimate actions undetectable. +Please take time to review these policies whenever your system architecture changes. + +A policy is a named set of filter rules. Each filter rule applies to a single event attribute, +one of the `users`, `realms`, `roles` or `indices` attributes. The filter rule defines +a list of <>, *any* of which has to match the value of the audit +event attribute for the rule to match. +A policy matches an event if *all* the rules comprising it match the event. +An audit event is ignored, therefore not printed, if it matches *any* policy. All other +non-matching events are printed as usual. 
+ +All policies are defined under the `xpack.security.audit.logfile.events.ignore_filters` +settings namespace. For example, the following policy named _example1_ matches +events from the _kibana_system_ or _admin_user_ principals **and** operating over indices of the +wildcard form _app-logs*_: + +[source,yaml] +---------------------------- +xpack.security.audit.logfile.events.ignore_filters: + example1: + users: ["kibana_system", "admin_user"] + indices: ["app-logs*"] +---------------------------- + +An audit event generated by the _kibana_system_ user and operating over multiple indices +, some of which do not match the indices wildcard, will not match. +As expected, operations generated by all other users (even operating only on indices that +match the _indices_ filter) will not match this policy either. + +Audit events of different types may have <>. +If an event does not contain an attribute for which some policy defines filters, the +event will not match the policy. +For example, the following policy named _example2_, will never match `authentication_success` or +`authentication_failed` events, irrespective of the user's roles, because these +event schemas do not contain the `role` attribute: + +[source,yaml] +---------------------------- +xpack.security.audit.logfile.events.ignore_filters: + example2: + roles: ["admin", "ops_admin_*"] +---------------------------- + +Likewise, any events of users with multiple roles, some of which do not match the +regexps will not match this policy. + +For completeness, although practical use cases should be sparse, a filter can match +a missing attribute of an event, using the empty string ("") or the empty list ([]). +For example, the following policy will match events that do not have the `indices` +attribute (`anonymous_access_denied`, `authentication_success` and other types) as well +as events over the _next_ index. 
+ +[source,yaml] +---------------------------- +xpack.security.audit.logfile.events.ignore_filters: + example3: + indices: ["next", ""] +---------------------------- diff --git a/x-pack/docs/en/security/auditing/index.asciidoc b/x-pack/docs/en/security/auditing/index.asciidoc index 55886c548b5bf..7c39563ee7f76 100644 --- a/x-pack/docs/en/security/auditing/index.asciidoc +++ b/x-pack/docs/en/security/auditing/index.asciidoc @@ -4,4 +4,6 @@ include::event-types.asciidoc[] include::output-logfile.asciidoc[] +include::ignore-policy.asciidoc[] + include::auditing-search-queries.asciidoc[] diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java index ebd0059627ae8..c1b047fe19cc4 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java @@ -1023,7 +1023,7 @@ private void withRoleDescriptor(XContentBuilder builder, RoleDescriptor roleDesc ConfigurableClusterPrivileges.toXContent(builder, ToXContent.EMPTY_PARAMS, Arrays.asList(roleDescriptor.getConditionalClusterPrivileges())); } - builder.startArray(RoleDescriptor.Fields.INDICES.getPreferredName()); + builder.startArray(RoleDescriptor.Fieldst.INDICES.getPreferredName()); for (RoleDescriptor.IndicesPrivileges indicesPrivileges : roleDescriptor.getIndicesPrivileges()) { withIndicesPrivileges(builder, indicesPrivileges); } From f7cc454a8448bea62aff36e3ce73b66c0722718d Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 31 Dec 2020 09:00:25 +0200 Subject: [PATCH 27/63] Remove moved section --- .../security/auditing/output-logfile.asciidoc | 79 ------------------- 1 file changed, 79 deletions(-) 
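Review bot: `RoleDescriptor.Fieldst.INDICES` in the `LoggingAuditTrail.java` hunk is a typo introduced by this commit (the removed line had `RoleDescriptor.Fields.INDICES`); there is no `Fieldst` nested class, so this will not compile. A commit titled "Ignore policy as separate file" should not touch the Java source at all; revert that hunk.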
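Review bot: in the new `ignore-policy.asciidoc`, the example2 explanation says the `authentication_success` and `authentication_failed` schemas do not contain the `role` attribute, while the filter key is `roles` and the event attribute readers will look for is `user.roles`; name the attribute consistently so a reader can map a policy key to the event field it matches. `some of which do not match the regexps` should say wildcards, since the values are described as wildcard patterns (example1 uses `app-logs*`), not regular expressions. Further wording fixes: `The exception are events of type` (`is`), the stray space in `multiple indices , some of which`, and `In all truth, the audit trail spends _I/O ops_`, which is better stated as audit writes consuming I/O that would otherwise serve queries. Finally, this file defines `[[audit-log-ignore-policy]]` and `index.asciidoc` now includes it, but the section with the same anchor is still present in `output-logfile.asciidoc` until the next commit, so the docs build has a duplicate id between the two; squash this commit with the removal.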
diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index 38dfc46b8bc4f..4286f208221bf 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc +++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc 
@@ -57,82 +57,3 @@ By default, audit information is appended to the (typically located at `$ES_HOME/logs`). The file is also rotated and archived daily or upon reaching the 1GB file size limit. -[discrete] -[[audit-log-ignore-policy]] -=== Logfile audit events ignore policies - -The comprehensive audit trail is necessary to ensure accountability. It offers tremendous -value during incident response and can even be required for demonstrating compliance. - -The drawback of an audited system is represented by the inevitable performance penalty incurred. -In all truth, the audit trail spends _I/O ops_ that are not available anymore for the user's queries. -Sometimes the verbosity of the audit trail may become a problem that the event type restrictions, -<>, will not alleviate. - -*Audit events ignore policies* are a finer way to tune the verbosity of the audit trail. -These policies define rules that match audit events which will be _ignored_ (read as: not printed). -Rules match on the values of attributes of audit events and complement the <> method. -Imagine the corpus of audit events and the policies chopping off unwanted events. -With a sole exception, all audit events are subject to the ignore policies. -The exception are events of type `security_config_change`, which cannot be filtered out, -unless excluded altogether. - -IMPORTANT: When utilizing audit events ignore policies you are acknowledging potential -accountability gaps that could render illegitimate actions undetectable. -Please take time to review these policies whenever your system architecture changes. - -A policy is a named set of filter rules. Each filter rule applies to a single event attribute, -one of the `users`, `realms`, `roles` or `indices` attributes. The filter rule defines -a list of <>, *any* of which has to match the value of the audit -event attribute for the rule to match. -A policy matches an event if *all* the rules comprising it match the event. 
-An audit event is ignored, therefore not printed, if it matches *any* policy. All other -non-matching events are printed as usual. - -All policies are defined under the `xpack.security.audit.logfile.events.ignore_filters` -settings namespace. For example, the following policy named _example1_ matches -events from the _kibana_system_ or _admin_user_ principals **and** operating over indices of the -wildcard form _app-logs*_: - -[source,yaml] ----------------------------- -xpack.security.audit.logfile.events.ignore_filters: - example1: - users: ["kibana_system", "admin_user"] - indices: ["app-logs*"] ----------------------------- - -An audit event generated by the _kibana_system_ user and operating over multiple indices -, some of which do not match the indices wildcard, will not match. -As expected, operations generated by all other users (even operating only on indices that -match the _indices_ filter) will not match this policy either. - -Audit events of different types may have <>. -If an event does not contain an attribute for which some policy defines filters, the -event will not match the policy. -For example, the following policy named _example2_, will never match `authentication_success` or -`authentication_failed` events, irrespective of the user's roles, because these -event schemas do not contain the `role` attribute: - -[source,yaml] ----------------------------- -xpack.security.audit.logfile.events.ignore_filters: - example2: - roles: ["admin", "ops_admin_*"] ----------------------------- - -Likewise, any events of users with multiple roles, some of which do not match the -regexps will not match this policy. - -For completeness, although practical use cases should be sparse, a filter can match -a missing attribute of an event, using the empty string ("") or the empty list ([]). 
-For example, the following policy will match events that do not have the `indices` -attribute (`anonymous_access_denied`, `authentication_success` and other types) as well -as events over the _next_ index. - -[source,yaml] ----------------------------- -xpack.security.audit.logfile.events.ignore_filters: - example3: - indices: ["next", ""] ----------------------------- From 2e2997c6cf7afc1c0e0e5d5742cd8d27b994013d Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:29:45 +0200 Subject: [PATCH 28/63] Mention _all as an option for events.include --- docs/reference/settings/audit-settings.asciidoc | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index 4c453f859c554..7d16a12af8e65 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc @@ -48,8 +48,10 @@ by using the following settings: // tag::xpack-sa-lf-events-include-tag[] `xpack.security.audit.logfile.events.include`:: (<>) -Specifies the kind of events to print in the auditing output. The default list value -contains: +Specifies the <> to print in the auditing output. +In addition, `_all` can be used to exhaustively audit all the events, but this is usually +discouraged since it will get very verbose. +The default list value contains: `access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted, security_config_change`. 
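Review bot: for the `events.include` hunk, saying that `_all` is usually discouraged because it gets very verbose is fine, but tell the reader what `_all` adds over the default list; the event types table shows `authentication_success` and `connection_granted`, neither of which is in the default set, and naming them gives the reason behind the advice rather than just the advice. The removal of the ignore-policy section from `output-logfile.asciidoc` is the counterpart of the previous commit and the two should land together, since between them the `audit-log-ignore-policy` anchor is defined twice.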
@@ -59,8 +61,9 @@ security_config_change`. // tag::xpack-sa-lf-events-exclude-tag[] `xpack.security.audit.logfile.events.exclude`:: (<>) -Excludes the specified kind of events from the include list. Useful in the case where -the `events.include` setting contains the special value `_all`. The default is the empty list. +Excludes the specified <> from the include list. +This is useful in the case where the `events.include` setting contains the special value `_all`. +The default is the empty list. // end::xpack-sa-lf-events-exclude-tag[] [[xpack-sa-lf-events-emit-request]] From cae982d551b04969a3a419ffd5998350ffbf67e3 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:34:19 +0200 Subject: [PATCH 29/63] Update x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc index 8102d4d71d4c3..98d9905b2ba19 100644 --- a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc +++ b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc @@ -14,7 +14,7 @@ Audit logs are **disabled** by default. You must explicitly enable audit logging ============================================================================ -- TIP: Audit logs are only available on certain subscription levels. -For more information, see https://www.elastic.co/subscriptions. +For more information, see {subscriptions}. -- To enable enable audit logging: From 6f15400ed4d291f024637c5452b478e03ec166f4 Mon Sep 17 00:00:00 2001 
From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:34:51 +0200 Subject: [PATCH 30/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 -- 1 file changed, 2 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 619936e709e30..d20de0b93c1ae 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -6,7 +6,6 @@ When you are <>, a single client might generate multiple audit events, across multiple cluster nodes. The common `request.id` attribute can be used to correlate the associated events. -The following is an exhaustive list of the events that can be generated: |====== | `anonymous_access_denied` | | Logged when a request is denied due to a missing @@ -336,4 +335,3 @@ that have been previously described: This attribute is only provided for authentication using an API key. `api_key.name` :: API key name provided in the <> request. This attribute is only provided for authentication using an API key. - From 539303cb405928527cf7241d97fd22968282ee1c Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:42:49 +0200 Subject: [PATCH 31/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/event-types.asciidoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index d20de0b93c1ae..985bb88ebca47 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -7,7 +7,11 @@ might generate multiple audit events, across multiple cluster nodes. The common `request.id` attribute can be used to correlate the associated events. +[options="header"] |====== +| Event type +| Description +| Example | `anonymous_access_denied` | | Logged when a request is denied due to a missing authentication token. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` | `authentication_success` | | Logged when a user successfully authenticates. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", "url.query":"pretty", "request.method":"POST", "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}` From 635d9f73ab231b12911de59c09b32b88ae9d3d87 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:43:41 +0200 Subject: [PATCH 32/63] Update x-pack/docs/en/security/auditing/output-logfile.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/output-logfile.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index 4286f208221bf..b42a1577e18f8 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc +++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc 
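Review bot: the new header row declares three columns (`Event type`, `Description`, `Example`) but the body rows as shown are written as `| type | | description | | Example: ...`, with an empty cell between each pair of columns; if the rows really carry five cells, asciidoctor will wrap cells onto the wrong columns once the header fixes the column count, so either add a `cols` attribute that matches the rows or drop the empty cells. With an `Example` header the literal `Example:` prefix in every cell is redundant and can be removed.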
@@ -31,7 +31,7 @@ any other audit events, and so the benefits of a columnar format are much more l space-saving benefits of the nested structure is the favoured trade-off in this case. When the `request.body` attribute is present (see <>), it contains a -string value containing the full HTTP request body, ascaped as per the JSON RFC 4677. +string value containing the full HTTP request body, escaped as per the JSON RFC 4677. There is a list of <> specifying the set of fields, as well as examples, for each entry type. @@ -56,4 +56,3 @@ By default, audit information is appended to the `_audit.json` file located in the standard Elasticsearch `logs` directory (typically located at `$ES_HOME/logs`). The file is also rotated and archived daily or upon reaching the 1GB file size limit. - From 2fb3890f8cfe2f45b505ecb03c46fb834b3da682 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:44:05 +0200 Subject: [PATCH 33/63] Update x-pack/docs/en/security/auditing/output-logfile.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/output-logfile.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index b42a1577e18f8..5120d36126d89 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc +++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc 
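Review bot: this corrects `ascaped` but leaves `JSON RFC 4677`; the JSON specification is RFC 4627 (obsoleted by RFC 8259), which is the number the line replaced earlier in this series cited, so restore 4627 or cite 8259.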
@@ -26,7 +26,7 @@ There are however a few attributes that are exceptions to the above format. The events with the `event.type: "security_config_change"` attribute, contain the *nested JSON* representation of the security change taking effect. The contents of the security config change are hence not splayed as top-level dot-named fields in the audit event document. That's because -the fields are specific to the particular kind of the security change and do not show up in +the fields are specific to the particular kind of security change and do not show up in any other audit events, and so the benefits of a columnar format are much more limited; the space-saving benefits of the nested structure is the favoured trade-off in this case. From 170cb64cc4be75bffa6eff4082c8b8bd2cfdb331 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:44:31 +0200 Subject: [PATCH 34/63] Update x-pack/docs/en/security/auditing/output-logfile.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/output-logfile.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index 5120d36126d89..6ac87cdd45ba6 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc +++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc 
@@ -27,7 +27,7 @@ events with the `event.type: "security_config_change"` attribute, contain the *n representation of the security change taking effect. The contents of the security config change are hence not splayed as top-level dot-named fields in the audit event document. That's because the fields are specific to the particular kind of security change and do not show up in -any other audit events, and so the benefits of a columnar format are much more limited; the +any other audit events. The benefits of a columnar format are therefore much more limited; the space-saving benefits of the nested structure is the favoured trade-off in this case. When the `request.body` attribute is present (see <>), it contains a From 02560b9ab460c1d0f96163ae4ad65b42dcbe287a Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:45:51 +0200 Subject: [PATCH 35/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 985bb88ebca47..23441aacb6d99 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -40,7 +40,7 @@ might generate multiple audit events, across multiple cluster nodes. The common requests when the scroll ID is believed to have been tampered with. | | Example: `{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": "tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` | `connection_granted` | | Logged when an incoming TCP connection passes the - <> for a specific + <> for a specific profile. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` | `connection_denied` | | Logged when an incoming TCP connection does not pass the <> for a specific profile. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` From 20db5c3961e4a0b9abac3e256117977da2d3126f Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:46:07 +0200 Subject: [PATCH 36/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 23441aacb6d99..93838d7b094c8 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -43,7 +43,7 @@ might generate multiple audit events, across multiple cluster nodes. The common <> for a specific profile. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` | `connection_denied` | | Logged when an incoming TCP connection does not pass the - <> for a specific profile. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` + <> for a specific profile. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` | `put_user` | | Logged when the <> is being invoked to create or update a native or built-in user. Note that user updates can From 0f08acd1ecb82db55e43c4a4d0807ad646449b91 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 17:42:21 +0200 Subject: [PATCH 37/63] Subscriptions --- docs/reference/settings/audit-settings.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index 7d16a12af8e65..71e0a3c0a0a85 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc 
@@ -15,7 +15,7 @@ as creating, updating and removing <> and <> are also recorded. -- TIP: Audit logs are only available on certain subscription levels. -For more information, see https://www.elastic.co/subscriptions. +For more information, see {subscriptions}. -- If configured, auditing settings must be set on every node in the cluster. From 2c329b3ed235883d8b380201e8935f1ba997ea38 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 18:11:49 +0200 Subject: [PATCH 38/63] event types table header --- .../en/security/auditing/event-types.asciidoc | 51 +++++++++---------- 1 file changed, 25 insertions(+), 26 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 93838d7b094c8..81a42cbd34b7c 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
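Review bot: `{subscriptions}` in the `@@ -15,7 +15,7 @@` hunk of audit-settings.asciidoc is an AsciiDoc attribute reference, so it renders as a link only if that attribute is defined in the shared docs attributes for every branch this is backported to; otherwise the TIP shows the literal text `{subscriptions}` where the explicit URL used to be. Confirm the attribute is defined, or keep the URL.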
@@ -6,76 +6,75 @@ When you are <>, a single client might generate multiple audit events, across multiple cluster nodes. The common `request.id` attribute can be used to correlate the associated events. - [options="header"] |====== -| Event type +| Event action | Description | Example | `anonymous_access_denied` | | Logged when a request is denied due to a missing - authentication token. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` -| `authentication_success` | | Logged when a user successfully authenticates. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", "url.query":"pretty", "request.method":"POST", "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}` + authentication token. | | `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` +| `authentication_success` | | Logged when a user successfully authenticates. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", "url.query":"pretty", "request.method":"POST", "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}` | `authentication_failed` | | Logged when the authentication token cannot be - matched to a known user. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` + matched to a known user. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` | `realm_authentication_failed` | | Logged for every realm that fails to present a valid authentication token. `` represents the - realm type. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"reserved", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` + realm type. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"reserved", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` | `access_denied` | | Logged when an authenticated user attempts to execute an action they do not have the necessary - <> to perform. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":[""]}` + <> to perform. | | `{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":[""]}` | `access_granted` | | Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. When the `system_access_granted` event is included, all system (internal) actions are also logged. The default setting does - not log system actions to avoid cluttering the logs. 
| | Example: `{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}` + not log system actions to avoid cluttering the logs. | | `{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}` | `run_as_granted` | | Logged when an authenticated user attempts to <> another user that they have - the necessary privileges to do. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` + the necessary privileges to do. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` | `run_as_denied` | | Logged when an authenticated user attempts to <> another user action they do not have the necessary - <> to do so. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` + <> to do so. | | `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` | `tampered_request` | | Logged when the {security-features} detect that the request has been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been - tampered with. 
| | Example: `{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": "tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` + tampered with. | | `{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": "tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` | `connection_granted` | | Logged when an incoming TCP connection passes the <> for a specific - profile. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` + profile. | | `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` | `connection_denied` | | Logged when an incoming TCP connection does not pass the - <> for a specific profile. | | Example: `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` + <> for a specific profile. 
| | `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` | `put_user` | | Logged when the <> is being invoked to create or update a native or built-in user. Note that user updates can - also change the user's password. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` + also change the user's password. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` | `delete_user` | | Logged when the <> - is being invoked to delete a specific native user. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` + is being invoked to delete a specific native user. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` | `change_password` | | Logged when the <> - is being invoked to change the password of a native or built-in user. | | Example: `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` + is being invoked to change the password of a native or built-in user. | | `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` | `change_enable_user` | | Logged when the <> - is being invoked to enable a native or a built-in user. | | Example: `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` + is being invoked to enable a native or a built-in user. | | `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` | `change_disable_user` | | Logged when the <> - is being invoked to disable a native or a built-in user. 
| | Example: `{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}` + is being invoked to disable a native or a built-in user. | | `{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}` | `put_role` | | Logged when the <> - is being invoked to create or update a role. | | Example: `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` + is being invoked to create or update a role. | | `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` | `delete_role` | | Logged when the <> - is being invoked to delete a role. 
| | Example: `{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", "delete":{"role":{"name":"my_admin_role"}}}` + is being invoked to delete a role. | | `{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", "delete":{"role":{"name":"my_admin_role"}}}` | `put_role_mapping` | | Logged when the <> - is being invoked to create or update a role mapping. | | Example: `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` + is being invoked to create or update a role mapping. | | `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` | `delete_role_mapping` | | Logged when the <> - is being invoked to delete a role mapping. | | Example: `{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", "delete":{"role_mapping":{"name":"mapping1"}}}` + is being invoked to delete a role mapping. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", "delete":{"role_mapping":{"name":"mapping1"}}}` | `create_apikey` | | Logged when the <> or the <> APIs are - being invoked to create a new API key. | | Example: `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` + being invoked to create a new API key. | | `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` | `invalidate_apikeys` | | Logged when the <> - is being invoked to invalidate one or more API Keys. 
| | Example: `{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}` + is being invoked to invalidate one or more API Keys. | | `{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}` | `put_privileges` | | Logged when the <> - is being invoked to add or update one or more application privileges. | | Example: `{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", "put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}` + is being invoked to add or update one or more application privileges. | | `{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", "put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}` | `delete_privileges` | | Logged when the <> - is being invoked to remove one or more application privileges. 
| | Example: `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` + is being invoked to remove one or more application privileges. | | `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` |====== [discrete] From 751b1456881fae2f6744e46e66b9761e01cdefaf Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 18:25:09 +0200 Subject: [PATCH 39/63] Reverse typo --- .../xpack/security/audit/logfile/LoggingAuditTrail.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java index c1b047fe19cc4..ebd0059627ae8 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java @@ -1023,7 +1023,7 @@ private void withRoleDescriptor(XContentBuilder builder, RoleDescriptor roleDesc ConfigurableClusterPrivileges.toXContent(builder, ToXContent.EMPTY_PARAMS, Arrays.asList(roleDescriptor.getConditionalClusterPrivileges())); } - builder.startArray(RoleDescriptor.Fieldst.INDICES.getPreferredName()); + builder.startArray(RoleDescriptor.Fields.INDICES.getPreferredName()); for (RoleDescriptor.IndicesPrivileges indicesPrivileges : roleDescriptor.getIndicesPrivileges()) { withIndicesPrivileges(builder, indicesPrivileges); } 
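Review bot: in the event-types table hunk (`@@ -6,76 +6,75 @@`), the `change_password` example looks hand-derived from the `delete_user` example rather than captured: it carries the same timestamp to the millisecond (`22:19:41,345+0200`, with only the year changed to 2019) and a request ID (`bz5a1Cc3RrebDMitMGGNCw`) that differs from `au5a1Cc3RrebDMitMGGNCw` in its first two characters only. Replace it with a real captured event so the Example column stays a faithful sample. Likewise the `tampered_request` example is the only REST-layer row without `origin.type`, uses a 2019 timestamp and has different key spacing (`"node.id": "..."`), which suggests it predates the others; re-capturing it would keep the table consistent.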
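Review bot: `RoleDescriptor.Fieldst` in the `@@ -1023,7 +1023,7 @@` hunk of LoggingAuditTrail.java is a typo that would not compile, so the commit that introduced `withRoleDescriptor` was evidently never built; the fix itself is correct, but squash this one-line change into that commit before merge so the history does not contain a non-compiling state.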
From 1ab65a4e896523c346e1c9447dd9e94aeabf9eb3 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 18:45:20 +0200 Subject: [PATCH 40/63] Realm name --- x-pack/docs/en/security/auditing/event-types.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 81a42cbd34b7c..6601afa0895f2 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -17,8 +17,7 @@ might generate multiple audit events, across multiple cluster nodes. The common | `authentication_failed` | | Logged when the authentication token cannot be matched to a known user. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` | `realm_authentication_failed` | | Logged for every realm that fails to present a valid - authentication token. `` represents the - realm type. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"reserved", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` + authentication token. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"myTestRealm1", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` | `access_denied` | | Logged when an authenticated user attempts to execute an action they do not have the necessary <> to perform. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":[""]}` From 05d15aa5795e0654a1321f583b1be2857a3e7e16 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 18:49:23 +0200 Subject: [PATCH 41/63] run_as_denied --- x-pack/docs/en/security/auditing/event-types.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 6601afa0895f2..a15f212d85ed4 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
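Review bot: the `@@ -17,8 +17,7 @@` hunk drops the sentence that explained the realm placeholder without replacing it, so the `realm_authentication_failed` row no longer says where the failing realm is reported; since the new example shows `"realm":"myTestRealm1"` (a realm name, not a realm type as the removed text claimed), add a clause such as `The realm attribute holds the name of the realm that rejected the token.` so readers know how to read that field.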
@@ -28,10 +28,10 @@ might generate multiple audit events, across multiple cluster nodes. The common not log system actions to avoid cluttering the logs. | | `{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}` | `run_as_granted` | | Logged when an authenticated user attempts to <> another user that they have - the necessary privileges to do. | | `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` + the necessary privileges to do so. | | `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` | `run_as_denied` | | Logged when an authenticated user attempts to <> - another user action they do not have the necessary + another user that they do NOT have the necessary <> to do so. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` | `tampered_request` | | Logged when the {security-features} detect that the request has been tampered with. Typically relates to `search/scroll` From a75acb753215bd410309947b8e0ad187fe351364 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 21:19:08 +0200 Subject: [PATCH 42/63] Request body auditing --- .../settings/audit-settings.asciidoc | 8 ++------ .../auditing/auditing-search-queries.asciidoc | 19 +++++++++++++------ .../en/security/auditing/event-types.asciidoc | 4 ++-- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index 71e0a3c0a0a85..a293444e2a259 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc 
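Review bot: in the `@@ -28,10 +28,10 @@` hunk the new `run_as_denied` wording `another user that they do NOT have the necessary <> to do so` still dangles (the `that ... to do so` clause has no grammatical anchor), and the all-caps NOT is out of register with the rest of the table (AsciiDoc emphasis would be `_not_`); suggest `Logged when an authenticated user attempts to <> another user without having the necessary <> to do so.` The `run_as_granted` line changed in the same hunk has the same `that they have ... to do so` shape and could be reworded in parallel.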
@@ -71,12 +71,8 @@ The default is the empty list. `xpack.security.audit.logfile.events.emit_request_body`:: (<>) Specifies whether to include the full request body from REST requests as an -attribute of certain kinds of audit events. The request body is printed as an -escaped JSON string value to the `request.body` attribute. -These events that contain the `request.body` attribute are `authentication_success`, -`authentication_failed`, `realm_authentication_failed`, `tampered_request`, `run_as_denied`, -and `anonymous_access_denied` that are printed on the coordinating node only -(the node that handles the REST request). +attribute of certain kinds of audit events. This setting can be used to +<>. + The default value is `false`, so request bodies are not printed. + diff --git a/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc b/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc index 77680f8cb5d10..476a1e8f66990 100644 --- a/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc +++ b/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc 
@@ -4,14 +4,15 @@ === Auditing search queries There is no <> specifically -dedicated to search queries. Search queries are analyzed and then processed; the +dedicated to search queries. Search queries are analyzed and then processed; the processing triggers authorization actions that are audited. However, the original raw query, as submitted by the client, is not accessible downstream when authorization auditing occurs. Search queries are contained inside HTTP request bodies, however, and some -audit events that are generated by the REST layer can be toggled to output -the request body to the audit log. +audit events that are generated by the REST layer, on the coordinating node, +can be toggled to output the request body to the audit log. Therefore, one +must audit request bodies in order to audit search queries. To make certain audit events include the request body, edit the following setting in the `elasticsearch.yml` file: @@ -26,9 +27,15 @@ audited in plain text when audit events include the request body. Also, the request body can contain malicious content that can break a parser consuming the audit logs. -There are only a handful of <> that are -generated in the REST layer and can access the request body. Most of them are not -included by default. +The request body is printed as an escaped JSON string value (RFC 4627) to the `request.body` +event attribute. + +Not all events contain the `request.body` attribute, even when the above setting +is toggled. The ones that do are: `authentication_success`, +`authentication_failed`, `realm_authentication_failed`, `tampered_request`, `run_as_denied`, +and `anonymous_access_denied` that are printed on the coordinating node only +(the node that handles the REST request). Most of them are +<>. A good practical piece of advice is to add `authentication_success` to the event types that are audited (add it to the list in the `xpack.security.audit.logfile.events.include`), 
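Review bot: the @@ -26,9 hunk now states that the body "is printed as an escaped JSON string value" immediately after the unchanged warning that the body "can contain malicious content that can break a parser consuming the audit logs", and the two sentences read as contradictory. If the escaping is correct, a conforming JSON parser reading the audit line cannot be broken by the body; the remaining risk is to consumers that unescape `request.body` and feed it to a second parser, or to tooling that treats the log as plain text, so the warning should say which of those cases it means. Also, RFC 4627 has been obsoleted (by RFC 7159 and then RFC 8259); cite the current JSON RFC here and in the matching `request.body` attribute description in event-types.asciidoc. Minor: the new sentence "Therefore, one must audit request bodies in order to audit search queries" in the @@ -4,14 hunk is the operational takeaway of the page and would be clearer stated directly, e.g. "auditing search queries requires enabling request body auditing".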
diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index a15f212d85ed4..86448032a5ba2 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -161,8 +161,8 @@ common ones): event. It is one of GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, TRACE and CONNECT. `request.body` :: The full content of the REST request associated with this - event, if enabled. This contains the query body. The body - is escaped according to the JSON RFC 4627. + event, if enabled. This contains the HTTP request body. + The body is escaped as a string value according to the JSON RFC 4627. ==== Audit event attributes of the transport event type From 86b55585f7a06011cf23683b1548723451aedbe6 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 21:32:00 +0200 Subject: [PATCH 43/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 86448032a5ba2..be15c2dae00d5 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -81,7 +81,7 @@ might generate multiple audit events, across multiple cluster nodes. The common === Audit event attributes The audit events are formatted as JSON documents, and each event is printed on a separate -line in the audit log (the entries themselves do not contain the end-of-line delimiter). +line in the audit log. The entries themselves do not contain an end-of-line delimiter. For more details, see <>. The following list shows attributes that are common to all audit event types: From c562d35fdeed71af09e5597ac584d13fe1557997 Mon Sep 17 00:00:00 2001 
From: Albert Zaharovits Date: Mon, 4 Jan 2021 21:32:55 +0200 Subject: [PATCH 44/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index be15c2dae00d5..e1ec5cc84dc3e 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -204,7 +204,7 @@ ones); the attributes' value is a nested JSON object (that is not escaped): It contains the config for a `user`, `role`, `role_mapping`, or for application `privileges`. `delete` :: The object representation of the security config that - is being deleted. It can either be the config for a `user`, `role`, + is being deleted. It can be the config for a `user`, `role`, `role_mapping` or for application `privileges`. `change` :: The object representation of the security config that is being changed. It can either be the `password`, `enable` or `disable`, From b2ddcb38e457075f735e52a2fac8d3e9b3b9dc58 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 21:48:08 +0200 Subject: [PATCH 45/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index e1ec5cc84dc3e..d2e9817420513 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -116,7 +116,7 @@ The following list shows attributes that are common to all audit event types: In addition, all the events of types `rest`, `transport` and `ip_filter` (but not `security_config_change`) have the following extra attributes, which -show more details on the requesting client: +show more details about the requesting client: `origin.address` :: The source IP address of the request associated with this event. This could be the address of the remote client, From 3ac7cf54736fa6d64995c102c19c378924c69392 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 21:47:17 +0200 Subject: [PATCH 46/63] "Being" removal --- .../en/security/auditing/event-types.asciidoc | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index d2e9817420513..2c1f5acc7a5ae 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -31,8 +31,8 @@ might generate multiple audit events, across multiple cluster nodes. The common the necessary privileges to do so. | | `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` | `run_as_denied` | | Logged when an authenticated user attempts to <> - another user that they do NOT have the necessary - <> to do so. | | `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` + another user that they do not have the necessary + <> to do so. | | `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` | `tampered_request` | | Logged when the {security-features} detect that the request has been tampered with. 
Typically relates to `search/scroll` requests when the scroll ID is believed to have been 
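Review bot: in the @@ -31,8 hunk the `run_as_denied` example has `"user.name":"user1"` and `"user.run_as.name":"user1"` in the same realm, that is, a user denied from running as themselves; this is a confusing illustration of the run_as privilege check, and the row would be clearer with a distinct target user, as the `run_as_granted` row above it does (`elastic` running as `user1`). The wording change from "do NOT" back to "do not" reverts the earlier patch in this series; consider squashing the two so the history does not flip-flop on one word.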
@@ -43,37 +43,37 @@ might generate multiple audit events, across multiple cluster nodes. The common | `connection_denied` | | Logged when an incoming TCP connection does not pass the <> for a specific profile. | | `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` | `put_user` | | Logged when the <> - is being invoked to create or + is invoked to create or update a native or built-in user. Note that user updates can also change the user's password. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` | `delete_user` | | Logged when the <> - is being invoked to delete a specific native user. | | `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` + is invoked to delete a specific native user. | | `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` | `change_password` | | Logged when the <> - is being invoked to change the password of a native or built-in user. 
| | `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` + is invoked to change the password of a native or built-in user. | | `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` | `change_enable_user` | | Logged when the <> - is being invoked to enable a native or a built-in user. | | `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` + is invoked to enable a native or a built-in user. | | `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` | `change_disable_user` | | Logged when the <> - is being invoked to disable a native or a built-in user. | | `{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}` + is invoked to disable a native or a built-in user. 
| | `{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}` | `put_role` | | Logged when the <> - is being invoked to create or update a role. | | `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` + is invoked to create or update a role. | | `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` | `delete_role` | | Logged when the <> - is being invoked to delete a role. | | `{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", "delete":{"role":{"name":"my_admin_role"}}}` + is invoked to delete a role. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", "delete":{"role":{"name":"my_admin_role"}}}` | `put_role_mapping` | | Logged when the <> - is being invoked to create or update a role mapping. | | `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` + is invoked to create or update a role mapping. | | `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` | `delete_role_mapping` | | Logged when the <> - is being invoked to delete a role mapping. | | `{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", "delete":{"role_mapping":{"name":"mapping1"}}}` + is invoked to delete a role mapping. | | `{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", "delete":{"role_mapping":{"name":"mapping1"}}}` | `create_apikey` | | Logged when the <> or the <> APIs are - being invoked to create a new API key. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` + invoked to create a new API key. | | `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` | `invalidate_apikeys` | | Logged when the <> - is being invoked to invalidate one or more API Keys. | | `{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}` + is invoked to invalidate one or more API Keys. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}` | `put_privileges` | | Logged when the <> - is being invoked to add or update one or more application privileges. | | `{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", "put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}` + is invoked to add or update one or more application privileges. | | `{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", "put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}` | `delete_privileges` | | Logged when the <> - is being invoked to remove one or more application privileges. | | `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` + is invoked to remove one or more application privileges. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` |====== [discrete] From 05111b40dde417fded60c3ad78fdd6b126c8794c Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 22:03:44 +0200 Subject: [PATCH 47/63] Misc --- .../docs/en/security/auditing/event-types.asciidoc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 2c1f5acc7a5ae..e710e728dc124 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -197,7 +197,7 @@ The events with the `event.type` attribute equal to `security_config_change` hav `change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`, `delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys`, or `delete_privileges`. These events also have *one* of the following extra attributes (in addition to the common -ones); the attributes' value is a nested JSON object (that is not escaped): +ones). The attributes' value is a nested JSON object: `put` :: The object representation of the security config that is being created, or the overwrite of an existing config. 
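Review bot: in the @@ -43,37 hunk the `change_password` example carries the timestamp `2019-12-30T22:19:41,345+0200` while every other example in the table is from 2020-12-30/31, and its time-of-day and `request.id` (`bz5a1Cc3RrebDMitMGGNCw`) are near-copies of the `delete_user` example (`au5a1Cc3RrebDMitMGGNCw`); this looks like a hand-edited sample rather than a captured event, so either regenerate it or at least fix the year. The `put_user` description says updates "can also change the user's password" and the example shows only `"has_password":true`; state explicitly whether the password value itself is excluded from the audit event and only the `has_password` flag is recorded, since readers evaluating this feature for compliance will look for exactly that guarantee. The same statement is wanted for `create_apikey`: the example logs `role_descriptors` and `expiration`, but the row does not say whether the generated key secret is excluded.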
@@ -207,13 +207,13 @@ ones); the attributes' value is a nested JSON object (that is not escaped): is being deleted. It can be the config for a `user`, `role`, `role_mapping` or for application `privileges`. `change` :: The object representation of the security config that - is being changed. It can either be the `password`, `enable` or `disable`, + is being changed. It can be the `password`, `enable` or `disable`, config object for native or built-in users. `create` :: The object representation of the new security config that is being - created. It contains the `apikey` config object, if the API key is - created using the <>, - and, in addition, if the API key is created using the - <>, it also contains + created. If the API key is created using the + <> it only contains + an `apikey` config object. If the API key is created using the + <> it also contains a `grant` config object. `invalidate` :: The object representation of the security configuration that is being invalidated. The only config currently supporting invalidation is of `apikeys`, through From 352adc37085aba954d7aab634727d51a54b3477c Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 22:10:23 +0200 Subject: [PATCH 48/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index e710e728dc124..23df56ab00187 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
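Review bot: the @@ -207,13 hunk introduces the `grant` config object for keys created through the grant API key API but says nothing about what of the grant is recorded. Does `grant` include the credentials submitted with the grant request, or only the grant type? The text should say, and should state whether any credential is redacted, otherwise an operator cannot tell from this page if enabling `security_config_change` auditing writes credentials into the log. In the @@ -197,7 hunk, dropping "(that is not escaped)" loses a distinction log consumers need: `put`, `delete`, `change`, `create` and `invalidate` are nested JSON objects, whereas `request.body` is an escaped JSON string; keep that contrast explicit here or in the output-logfile page.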
@@ -216,7 +216,7 @@ ones). The attributes' value is a nested JSON object: <> it also contains a `grant` config object. `invalidate` :: The object representation of the security configuration that is being invalidated. - The only config currently supporting invalidation is of `apikeys`, through + The only config that currently supports invalidation is `apikeys`, through the <>. The schemas of the security config objects mentioned above are as follows. They are very similar to the From 634099ac28ddec7965f62073f713266f0297e768 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 23:11:11 +0200 Subject: [PATCH 49/63] Update x-pack/docs/en/security/auditing/ignore-policy.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/ignore-policy.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/ignore-policy.asciidoc b/x-pack/docs/en/security/auditing/ignore-policy.asciidoc index bd5696ddf2593..0140163a89bb0 100644 --- a/x-pack/docs/en/security/auditing/ignore-policy.asciidoc +++ b/x-pack/docs/en/security/auditing/ignore-policy.asciidoc @@ -51,7 +51,7 @@ match the _indices_ filter) will not match this policy either. Audit events of different types may have <>. If an event does not contain an attribute for which some policy defines filters, the event will not match the policy. -For example, the following policy named _example2_, will never match `authentication_success` or +For example, the following policy will never match `authentication_success` or `authentication_failed` events, irrespective of the user's roles, because these event schemas do not contain the `role` attribute: From 199fdf79bc3f6c32b069d6bcbcd318dacb994767 Mon Sep 17 00:00:00 2001 
From: Albert Zaharovits Date: Mon, 4 Jan 2021 23:11:48 +0200 Subject: [PATCH 50/63] Update x-pack/docs/en/security/auditing/output-logfile.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/output-logfile.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index 6ac87cdd45ba6..da08194674e9e 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc +++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc @@ -14,7 +14,7 @@ by default points to the `elasticsearch.log` file. === Log entry format The audit events are formatted as JSON documents, and each event is printed on a separate -line in the `_audit.json` file (the entries themselves do not contain the +line in the `_audit.json` file. The entries themselves do not contain the end-of-line delimiter). The audit event JSON format is somewhat particular, as *most* fields follow a dotted name syntax, are ordered, and contain non-null string values. This format creates a From 5dbf00c2a7e02a3bdd072158bdd2f001257907e6 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 23:12:15 +0200 Subject: [PATCH 51/63] Update x-pack/docs/en/security/auditing/output-logfile.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/output-logfile.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index da08194674e9e..eaffd0af36bb6 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc +++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc 
@@ -15,7 +15,7 @@ by default points to the `elasticsearch.log` file. The audit events are formatted as JSON documents, and each event is printed on a separate line in the `_audit.json` file. The entries themselves do not contain the -end-of-line delimiter). +end-of-line delimiter. The audit event JSON format is somewhat particular, as *most* fields follow a dotted name syntax, are ordered, and contain non-null string values. This format creates a structured columnar aspect, similar to a CSV, that can be more easily inspected visually From 6bd52678c447928ff6f8d89b242f60eecf860893 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 22:08:45 +0200 Subject: [PATCH 52/63] Nit --- x-pack/docs/en/security/auditing/event-types.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 23df56ab00187..5c96baa057f3b 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -210,7 +210,8 @@ ones). The attributes' value is a nested JSON object: is being changed. It can be the `password`, `enable` or `disable`, config object for native or built-in users. `create` :: The object representation of the new security config that is being - created. If the API key is created using the + created. This is currently only used for API keys auditing. + If the API key is created using the <> it only contains an `apikey` config object. If the API key is created using the <> it also contains From 33049356df11ed5e35901a95b5a3ba5875815f3f Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 23:10:35 +0200 Subject: [PATCH 53/63] principals that --- x-pack/docs/en/security/auditing/ignore-policy.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
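Review bot: PATCH 50's @@ -14,7 hunk leaves an orphaned ")" after "end-of-line delimiter" that PATCH 51's @@ -15,7 hunk then removes; squash the two so the intermediate commit does not ship a broken sentence. In PATCH 52's @@ -210,7 hunk, "API keys auditing" should read "API key auditing".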
diff --git a/x-pack/docs/en/security/auditing/ignore-policy.asciidoc b/x-pack/docs/en/security/auditing/ignore-policy.asciidoc index 0140163a89bb0..09e47466c25a1 100644 --- a/x-pack/docs/en/security/auditing/ignore-policy.asciidoc +++ b/x-pack/docs/en/security/auditing/ignore-policy.asciidoc @@ -32,7 +32,7 @@ non-matching events are printed as usual. All policies are defined under the `xpack.security.audit.logfile.events.ignore_filters` settings namespace. For example, the following policy named _example1_ matches -events from the _kibana_system_ or _admin_user_ principals **and** operating over indices of the +events from the _kibana_system_ or _admin_user_ principals that operate over indices of the wildcard form _app-logs*_: [source,yaml] From 3dc610356949f97219fac88f18483bbdf2e40b42 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 23:16:44 +0200 Subject: [PATCH 54/63] before events reordering --- x-pack/docs/en/security/auditing/output-logfile.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index eaffd0af36bb6..c55b7d4d3ef1b 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc +++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc 
@@ -25,7 +25,7 @@ There are however a few attributes that are exceptions to the above format. The `delete`, `change`, `create` and `invalidate` attributes, which are only present for events with the `event.type: "security_config_change"` attribute, contain the *nested JSON* representation of the security change taking effect. The contents of the security config change -are hence not splayed as top-level dot-named fields in the audit event document. That's because +are hence not displayed as top-level dot-named fields in the audit event document. That's because the fields are specific to the particular kind of security change and do not show up in any other audit events. The benefits of a columnar format are therefore much more limited; the space-saving benefits of the nested structure is the favoured trade-off in this case. From 72b0951082ece53dee1ee5a5a5ad94d0215a329c Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Mon, 4 Jan 2021 23:53:40 +0200 Subject: [PATCH 55/63] event types reordered alphabetically --- .../en/security/auditing/event-types.asciidoc | 81 +++++++++---------- 1 file changed, 40 insertions(+), 41 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 5c96baa057f3b..16dfd23cfc18e 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
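Review bot: "splayed" in the @@ -25,7 hunk was arguably the intended word (the nested contents are not spread out into top-level dot-named fields); "displayed" shifts the meaning to rendering, which is not what the sentence is about, so "flattened into top-level dot-named fields" would be more precise than either. While touching this paragraph: "the space-saving benefits of the nested structure is the favoured trade-off" needs "are", and "favoured" should be "favored" to match the US spelling ("authorization") used elsewhere in these docs.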
@@ -11,13 +11,6 @@ might generate multiple audit events, across multiple cluster nodes. The common | Event action | Description | Example -| `anonymous_access_denied` | | Logged when a request is denied due to a missing - authentication token. | | `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` -| `authentication_success` | | Logged when a user successfully authenticates. | | `{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", "url.query":"pretty", "request.method":"POST", "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}` -| `authentication_failed` | | Logged when the authentication token cannot be - matched to a known user. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` -| `realm_authentication_failed` | | Logged for every realm that fails to present a valid - authentication token. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"myTestRealm1", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` | `access_denied` | | Logged when an authenticated user attempts to execute an action they do not have the necessary <> to perform. | | `{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":[""]}` 
@@ -26,54 +19,60 @@ might generate multiple audit events, across multiple cluster nodes. The common When the `system_access_granted` event is included, all system (internal) actions are also logged. The default setting does not log system actions to avoid cluttering the logs. | | `{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}` -| `run_as_granted` | | Logged when an authenticated user attempts to - <> another user that they have - the necessary privileges to do so. | | `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` -| `run_as_denied` | | Logged when an authenticated user attempts to - <> - another user that they do not have the necessary - <> to do so. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` -| `tampered_request` | | Logged when the {security-features} detect that the request has - been tampered with. Typically relates to `search/scroll` - requests when the scroll ID is believed to have been - tampered with. | | `{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": "tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` -| `connection_granted` | | Logged when an incoming TCP connection passes the - <> for a specific - profile. | | `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` -| `connection_denied` | | Logged when an incoming TCP connection does not pass the - <> for a specific profile. | | `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` -| `put_user` | | Logged when the <> - is invoked to create or - update a native or built-in user. Note that user updates can - also change the user's password. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` -| `delete_user` | | Logged when the <> - is invoked to delete a specific native user. | | `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` -| `change_password` | | Logged when the <> - is invoked to change the password of a native or built-in user. | | `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` +| `anonymous_access_denied` | | Logged when a request is denied due to a missing + authentication token. | | `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` +| `authentication_failed` | | Logged when the authentication token cannot be + matched to a known user. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` +| `authentication_success` | | Logged when a user successfully authenticates. | | `{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", "url.query":"pretty", "request.method":"POST", "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}` | `change_enable_user` | | Logged when the <> is invoked to enable a native or a built-in user. | | `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` | `change_disable_user` | | Logged when the <> is invoked to disable a native or a built-in user. | | `{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}` -| `put_role` | | Logged when the <> - is invoked to create or update a role. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` +| `change_password` | | Logged when the <> + is invoked to change the password of a native or built-in user. | | `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` +| `connection_denied` | | Logged when an incoming TCP connection does not pass the + <> for a specific profile. | | `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` +| `connection_granted` | | Logged when an incoming TCP connection passes the + <> for a specific profile. | | `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` +| `create_apikey` | | Logged when the <> + or the <> APIs are + invoked to create a new API key. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` +| `delete_privileges` | | Logged when the + <> + is invoked to remove one or more application privileges. | | `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` | `delete_role` | | Logged when the <> is invoked to delete a role. | | `{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", "delete":{"role":{"name":"my_admin_role"}}}` -| `put_role_mapping` | | Logged when the <> - is invoked to create or update a role mapping. | | `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` | `delete_role_mapping` | | Logged when the <> is invoked to delete a role mapping. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", "delete":{"role_mapping":{"name":"mapping1"}}}` -| `create_apikey` | | Logged when the <> - or the <> APIs are - invoked to create a new API key. | | `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` +| `delete_user` | | Logged when the <> + is invoked to delete a specific native user. | | `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` | `invalidate_apikeys` | | Logged when the <> is invoked to invalidate one or more API Keys. | | `{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}` | `put_privileges` | | Logged when the <> is invoked to add or update one or more application privileges. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", "put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}` -| `delete_privileges` | | Logged when the - <> - is invoked to remove one or more application privileges. | | `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` +| `put_role` | | Logged when the <> + is invoked to create or update a role. | | `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` +| `put_role_mapping` | | Logged when the <> + is invoked to create or update a role mapping. | | `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` +| `put_user` | | Logged when the <> + is invoked to create or + update a native or built-in user. Note that user updates can + also change the user's password. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` +| `realm_authentication_failed` | | Logged for every realm that fails to present a valid + authentication token. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"myTestRealm1", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` +| `run_as_denied` | | Logged when an authenticated user attempts to + <> + another user that they do not have the necessary + <> to do so. | | `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` +| `run_as_granted` | | Logged when an authenticated user attempts to + <> another user that they have + the necessary privileges to do so. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` +| `tampered_request` | | Logged when the {security-features} detect that the request has + been tampered with. Typically relates to `search/scroll` + requests when the scroll ID is believed to have been + tampered with. | | `{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": "tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` |====== [discrete] From 33674d7ee84114c3f6a6ec47edecb448a5822c4a Mon Sep 17 00:00:00 2001 From: lcawl Date: Mon, 4 Jan 2021 17:34:01 -0800 Subject: [PATCH 56/63] [DOCS] Fixes table formatting in audit event types --- .../en/security/auditing/event-types.asciidoc | 198 +++++++++++------- 1 file changed, 128 insertions(+), 70 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 16dfd23cfc18e..7f90712b2840c 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
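Review bot: The reordered table in the event-types.asciidoc hunk of PATCH 55 is not fully alphabetical: the unchanged context rows keep `change_enable_user` before `change_disable_user`, although "disable" sorts before "enable"; swap those two rows so the ordering matches the rest of the table, which is in order from `access_denied` through `tampered_request`. Secondary consistency points in the moved example lines, which readers will copy verbatim when comparing events: the `change_password` sample carries a `2019-12-30` timestamp while its neighbours use `2020-12-30`; the `tampered_request` sample is the only one with spaces after the JSON colons (`"node.id": "..."`), has a `2019-11-27` timestamp, omits `origin.type`, and reuses the `request.id`, `url.path` and `origin.address` of the `anonymous_access_denied` sample, which suggests it was copied rather than captured. Normalising these to the style of the other samples would avoid readers reading meaning into the differences.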
@@ -6,73 +6,131 @@ When you are <>, a single client might generate multiple audit events, across multiple cluster nodes. The common `request.id` attribute can be used to correlate the associated events. -[options="header"] |====== -| Event action -| Description -| Example -| `access_denied` | | Logged when an authenticated user attempts to execute - an action they do not have the necessary - <> to perform. | | `{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":[""]}` -| `access_granted` | | Logged when an authenticated user attempts to execute - an action they have the necessary privilege to perform. - When the `system_access_granted` event is included, all system - (internal) actions are also logged. The default setting does - not log system actions to avoid cluttering the logs. | | `{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}` -| `anonymous_access_denied` | | Logged when a request is denied due to a missing - authentication token. 
| | `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` -| `authentication_failed` | | Logged when the authentication token cannot be - matched to a known user. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` -| `authentication_success` | | Logged when a user successfully authenticates. | | `{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", "url.query":"pretty", "request.method":"POST", "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}` -| `change_enable_user` | | Logged when the <> - is invoked to enable a native or a built-in user. | | `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` -| `change_disable_user` | | Logged when the <> - is invoked to disable a native or a built-in user. 
| | `{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}` -| `change_password` | | Logged when the <> - is invoked to change the password of a native or built-in user. | | `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` -| `connection_denied` | | Logged when an incoming TCP connection does not pass the - <> for a specific profile. | | `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` -| `connection_granted` | | Logged when an incoming TCP connection passes the - <> for a specific profile. | | `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` -| `create_apikey` | | Logged when the <> - or the <> APIs are - invoked to create a new API key. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` -| `delete_privileges` | | Logged when the - <> - is invoked to remove one or more application privileges. | | `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` -| `delete_role` | | Logged when the <> - is invoked to delete a role. | | `{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", "delete":{"role":{"name":"my_admin_role"}}}` -| `delete_role_mapping` | | Logged when the - <> - is invoked to delete a role mapping. | | `{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", "delete":{"role_mapping":{"name":"mapping1"}}}` -| `delete_user` | | Logged when the <> - is invoked to delete a specific native user. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` -| `invalidate_apikeys` | | Logged when the - <> - is invoked to invalidate one or more API Keys. | | `{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}` -| `put_privileges` | | Logged when the <> - is invoked to add or update one or more application privileges. | | `{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", "put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}` -| `put_role` | | Logged when the <> - is invoked to create or update a role. | | `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` -| `put_role_mapping` | | Logged when the <> - is invoked to create or update a role mapping. 
| | `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` -| `put_user` | | Logged when the <> - is invoked to create or - update a native or built-in user. Note that user updates can - also change the user's password. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` -| `realm_authentication_failed` | | Logged for every realm that fails to present a valid - authentication token. | | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"myTestRealm1", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` -| `run_as_denied` | | Logged when an authenticated user attempts to - <> - another user that they do not have the necessary - <> to do so. 
| | `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` -| `run_as_granted` | | Logged when an authenticated user attempts to - <> another user that they have - the necessary privileges to do so. | | `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` -| `tampered_request` | | Logged when the {security-features} detect that the request has - been tampered with. Typically relates to `search/scroll` - requests when the scroll ID is believed to have been - tampered with. | | `{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": "tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` +| Event action | Description | Example + +| `access_denied` +| Logged when an authenticated user attempts to execute an action they do not +have the necessary <> to perform. 
+| `{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":[""]}` + +| `access_granted` +| Logged when an authenticated user attempts to execute an action they have the +necessary privilege to perform. When the `system_access_granted` event is +included, all system (internal) actions are also logged. The default setting +does not log system actions to avoid cluttering the logs. +| `{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}` + +| `anonymous_access_denied` +| Logged when a request is denied due to a missing authentication token. +| `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` + +| `authentication_failed` +| Logged when the authentication token cannot be matched to a known user. 
+| `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` + +| `authentication_success` +| Logged when a user successfully authenticates. +| `{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", "url.query":"pretty", "request.method":"POST", "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}` + +| `change_disable_user` +| Logged when the <> is invoked to +disable a native or a built-in user. +| `{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}` + +| `change_enable_user` +| Logged when the <> is invoked to +enable a native or a built-in user. +| `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` + +| `change_password` +| Logged when the <> is +invoked to change the password of a native or built-in user. 
+| `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` + +| `connection_denied` +| Logged when an incoming TCP connection does not pass the +<> for a specific profile. +| `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` + +| `connection_granted` +| Logged when an incoming TCP connection passes the <> +for a specific profile. +| `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` + +| `create_apikey` +| Logged when the <> or the +<> APIs are invoked to create a new +API key. +| `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` + +| `delete_privileges` +| Logged when the +<> is invoked +to remove one or more application privileges. 
+| `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` + +| `delete_role` +| Logged when the <> is invoked to +delete a role. +| `{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", "delete":{"role":{"name":"my_admin_role"}}}` + +| `delete_role_mapping` +| Logged when the <> +is invoked to delete a role mapping. +| `{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", "delete":{"role_mapping":{"name":"mapping1"}}}` + +| `delete_user` +| Logged when the <> is invoked to +delete a specific native user. +| `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` + +| `invalidate_apikeys` +| Logged when the <> is +invoked to invalidate one or more API keys. +| `{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}` + +| `put_privileges` +| Logged when the <> is invoked +to add or update one or more application privileges. 
+| `{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", "put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}` + +| `put_role` +| Logged when the <> is invoked to create or +update a role. +| `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` + +| `put_role_mapping` +| Logged when the <> is +invoked to create or update a role mapping. +| `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` + +| `put_user` +| Logged when the <> is invoked to create or +update a native or built-in user. Note that user updates can also change the +user's password. 
+| `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` + +| `realm_authentication_failed` +| Logged for every realm that fails to present a valid authentication token. +| `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"myTestRealm1", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` + +| `run_as_denied` +| Logged when an authenticated user attempts to <> +another user that they do not have the necessary +<> to do so. +| `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` + +| `run_as_granted` +| Logged when an authenticated user attempts to <> +another user that they have the necessary privileges to do so. 
+| `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` + +| `tampered_request` +| Logged when the {security-features} detect that the request has been tampered +with. Typically relates to `search/scroll` requests when the scroll ID is +believed to have been tampered with. +| `{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": "tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` |====== [discrete] @@ -272,12 +330,12 @@ that have been previously described: this instead denotes the name of the _impersonated_ user. If authenticated using an API key, this is the name of the API key owner. - `user.realm` :: Name of the realm to which the _effective_ user + `user.realm` :: Name of the realm to which the _effective_ user belongs. If authenticated using an API key, this is the name of the realm to which the API key owner belongs. `user.run_by.name` :: This attribute is present only if the request is using the <> - and denotes the name of the _authenticated_ user, + and denotes the name of the _authenticated_ user, which is also known as the _impersonator_. `user.run_by.realm` :: Name of the realm to which the _authenticated_ (_impersonator_) user belongs. 
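Review bot: several samples in the rebuilt table look hand-edited rather than captured, which matters on a page whose JSON readers will copy into detection rules. The `change_password` sample is dated `2019-12-30T22:19:41,345` with `request.id` `bz5a1Cc3RrebDMitMGGNCw`, while `delete_user` is `2020-12-30T22:19:41,345` with `au5a1Cc3RrebDMitMGGNCw`: same time of day, ids differing in two characters, and 2019 otherwise appears only in the `tampered_request` sample. That `tampered_request` sample in turn reuses `request.id` `TqA9OisyQ8WTl1ivJUV1AA` and `origin.address` `[::1]:50543` from `anonymous_access_denied`, is the only row with spaces after the JSON colons, and shows `/twitter/_async_search` although its description talks about `search/scroll` requests. Please regenerate these from a real cluster or mark them as illustrative. Two smaller points in the same hunk: the `put_user` description says the API creates or updates "a native or built-in user", but that API only manages native users (the enable/disable and change-password rows are the ones that legitimately cover built-in users), and the `access_denied` sample carries `"indices":[""]`, an empty index name that a reader cannot interpret.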
@@ -292,7 +350,7 @@ that have been previously described: * `authentication_failed`: `user.name` :: The name of the user that failed authentication. - If the request authentication token is invalid or + If the request authentication token is invalid or unparsable, this information might be missing. * `realm_authentication_failed`: @@ -320,7 +378,7 @@ that have been previously described: this instead denotes the name of the _impersonated_ user. If authenticated using an API key, this is the name of the API key owner. - `user.realm` :: Name of the realm to which the _effective_ user + `user.realm` :: Name of the realm to which the _effective_ user belongs. If authenticated using an API key, this is the name of the realm to which the API key owner belongs. `user.run_by.name` :: This attribute is present only if the request is From 1059ba23125da7c1f7bd8a8e7eceee6f19a86f10 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 5 Jan 2021 10:20:31 +0200 Subject: [PATCH 57/63] Update x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc Co-authored-by: Lisa Cawley --- .../docs/en/security/auditing/auditing-search-queries.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc b/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc index 476a1e8f66990..f38ba143873f9 100644 --- a/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc +++ b/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc 
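Review bot: the hunks at `@@ -272,12 +330,12 @@`, `@@ -292,7 +350,7 @@` and `@@ -320,7 +378,7 @@` only strip trailing whitespace from the `user.realm`, `user.run_by.name` and `authentication_failed` attribute lines (the `-` and `+` lines are otherwise identical), so they add review noise to a content change; either split the whitespace cleanup into its own commit or say in the commit message that it is included. While that `authentication_failed` attribute text is being touched, "If the request authentication token is invalid or unparsable" should become "credentials" to match the wording the later commits in this series adopt for the event descriptions.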
@@ -33,7 +33,7 @@ event attribute. Not all events contain the `request.body` attribute, even when the above setting is toggled. The ones that do are: `authentication_success`, `authentication_failed`, `realm_authentication_failed`, `tampered_request`, `run_as_denied`, -and `anonymous_access_denied` that are printed on the coordinating node only +and `anonymous_access_denied`. The `request.body` attribute is printed on the coordinating node only (the node that handles the REST request). Most of them are <>. From 906e328c068f7879315ba0e249cff40dbe950721 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Tue, 5 Jan 2021 10:25:35 +0200 Subject: [PATCH 58/63] Update x-pack/docs/en/security/auditing/ignore-policy.asciidoc Co-authored-by: Lisa Cawley --- x-pack/docs/en/security/auditing/ignore-policy.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/ignore-policy.asciidoc b/x-pack/docs/en/security/auditing/ignore-policy.asciidoc index 09e47466c25a1..854426f50f56d 100644 --- a/x-pack/docs/en/security/auditing/ignore-policy.asciidoc +++ b/x-pack/docs/en/security/auditing/ignore-policy.asciidoc @@ -12,7 +12,7 @@ Sometimes the verbosity of the audit trail may become a problem that the event t *Audit events ignore policies* are a finer way to tune the verbosity of the audit trail. These policies define rules that match audit events which will be _ignored_ (read as: not printed). -Rules match on the values of attributes of audit events and complement the <> method. +Rules match on the values of attributes of audit events and complement the `include` or `exclude` method. Imagine the corpus of audit events and the policies chopping off unwanted events. With a sole exception, all audit events are subject to the ignore policies. The exception are events of type `security_config_change`, which cannot be filtered out, From df6a65602b32f51f31c54ef48701f83d34caf1c2 Mon Sep 17 00:00:00 2001 
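Review bot: in the ignore-policy hunk, replacing the cross-reference with the literal `include` or `exclude` drops the only link from that page to the event-type filter settings; keep an xref to the settings page so a reader tuning verbosity can jump to them, and consider "complement the `include` and `exclude` event filters", because "the `include` or `exclude` method" reads as if they were a single API method rather than two settings.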
From: Albert Zaharovits Date: Fri, 15 Jan 2021 23:21:21 +0200 Subject: [PATCH 59/63] Update x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc Co-authored-by: Tim Vernum --- .../docs/en/security/auditing/auditing-search-queries.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc b/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc index f38ba143873f9..3e0e7314a9176 100644 --- a/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc +++ b/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc @@ -34,7 +34,7 @@ Not all events contain the `request.body` attribute, even when the above setting is toggled. The ones that do are: `authentication_success`, `authentication_failed`, `realm_authentication_failed`, `tampered_request`, `run_as_denied`, and `anonymous_access_denied`. The `request.body` attribute is printed on the coordinating node only -(the node that handles the REST request). Most of them are +(the node that handles the REST request). Most of these event types are <>. A good practical piece of advice is to add `authentication_success` to the event From 403c41b52c0bc3000474647d46960d396f59b2e8 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Fri, 15 Jan 2021 23:21:31 +0200 Subject: [PATCH 60/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Tim Vernum --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 7f90712b2840c..3a3622f30d078 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -22,7 +22,7 @@ does not log system actions to avoid cluttering the logs. | `{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}` | `anonymous_access_denied` -| Logged when a request is denied due to a missing authentication token. +| Logged when a request is denied due to missing authentication credentials. | `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` | `authentication_failed` From 97470142bc36f6d93e5200d31c03d9ec41bd416a Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Fri, 15 Jan 2021 23:21:46 +0200 Subject: [PATCH 61/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Tim Vernum --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 3a3622f30d078..bd9825e500bc9 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -26,7 +26,7 @@ does not log system actions to avoid cluttering the logs. | `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` | `authentication_failed` -| Logged when the authentication token cannot be matched to a known user. +| Logged when the authentication credentials cannot be matched to a known user. | `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` | `authentication_success` From 3c57becc5935ff47e41c4ee7c8910ea372e5bf68 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Fri, 15 Jan 2021 23:27:57 +0200 Subject: [PATCH 62/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Tim Vernum --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index bd9825e500bc9..809832cfdb2df 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
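Review bot: the token-to-credentials rename in this hunk and in the `anonymous_access_denied` hunk before it leaves two places inconsistent. The `realm_authentication_failed` row still reads "Logged for every realm that fails to present a valid authentication token", which also has the actors reversed, since the client presents the credentials and the realm fails to validate them; suggest "Logged for every realm that fails to validate the presented authentication credentials". The `authentication_failed` attribute description in the first commit still says "If the request authentication token is invalid or unparsable".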
@@ -107,7 +107,7 @@ invoked to create or update a role mapping. | `put_user` | Logged when the <> is invoked to create or -update a native or built-in user. Note that user updates can also change the +update a native user. Note that user updates can also change the user's password. | `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` From dbdc230e7f44e5c18d4f751b6f916eeaa043d27e Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Fri, 15 Jan 2021 23:29:22 +0200 Subject: [PATCH 63/63] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: Tim Vernum --- x-pack/docs/en/security/auditing/event-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 809832cfdb2df..009334f4bb346 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -254,7 +254,7 @@ The events with the `event.type` attribute equal to `security_config_change` hav `change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`, `delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys`, or `delete_privileges`. These events also have *one* of the following extra attributes (in addition to the common -ones). The attributes' value is a nested JSON object: +ones). The attribute's value is a nested JSON object: `put` :: The object representation of the security config that is being created, or the overwrite of an existing config.
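Review bot: the `security_config_change` samples in the table carry only `request.id` plus the `put`/`change`/`delete`/`create`/`invalidate` object, with no `user.name`, `user.realm` or `origin.address`, so the attributes section edited in the last hunk should say how an auditor ties a configuration change to the principal that made it; if `request.id` is meant to be joined against the `authentication_success` or `access_granted` event for the same request, state that explicitly, and if the actor is not recoverable from the audit log, say so, because that is the first question asked when reviewing a `put_role` or `create_apikey` entry. On the `put_user` hunk, the "native user" fix is right; since the description now mentions that updates can change the password and the sample shows `"has_password":true`, add one clause saying the password value itself is never written to the audit log, which is what the sample demonstrates but does not say.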