From d77784ba51fd6a5d598ea2b87cb6e36e0fed8e72 Mon Sep 17 00:00:00 2001
From: Ronald Ekambi
Date: Wed, 7 Jun 2023 17:49:33 -0400
Subject: [PATCH 1/3] Add writeAuditRPCEvent to agent_oss
---
 agent/agent_oss.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/agent/agent_oss.go b/agent/agent_oss.go
index 93e633cc656f..e8cfea681b3c 100644
--- a/agent/agent_oss.go
+++ b/agent/agent_oss.go
@@ -69,3 +69,7 @@ func (a *Agent) AgentEnterpriseMeta() *acl.EnterpriseMeta {
 func (a *Agent) registerEntCache() {}
 func (*Agent) fillEnterpriseProxyDataSources(*proxycfg.DataSources) {}
+
+func (a *Agent) writeAuditRPCEvent(_ string, _ string) interface{} {
+ return nil
+}
From f5a557dd7a5995094b3af96f1c522d49acfe795b Mon Sep 17 00:00:00 2001
From: Ronald Ekambi
Date: Wed, 7 Jun 2023 18:13:19 -0400
Subject: [PATCH 2/3] fix the other diffs
---
 agent/agent.go | 11 +++++++++++
 agent/config/config.go | 5 +++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/agent/agent.go b/agent/agent.go
index 678d110d534c..0b06688c483b 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -1621,7 +1621,18 @@ func (a *Agent) RPC(ctx context.Context, method string, args interface{}, reply
 method = e + "." + p[1]
 }
 }
+
+ // audit log only on consul clients
+ _, ok := a.delegate.(*consul.Client)
+ if ok {
+ a.writeAuditRPCEvent(method, "OperationStart")
+ }
+
 a.endpointsLock.RUnlock()
+
+ defer func() {
+ a.writeAuditRPCEvent(method, "OperationComplete")
+ }()
 return a.delegate.RPC(ctx, method, args, reply)
 }
diff --git a/agent/config/config.go b/agent/config/config.go
index e26d6edc4d95..d8d7149afebf 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
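Review bot: The new stub in agent_oss.go has no doc comment, and its `interface{}` return type says nothing about what the Enterprise implementation hands back, so a reader of the OSS file cannot tell whether the value is an error or something else. Since the body is an unconditional `return nil`, please add `// writeAuditRPCEvent is a no-op in OSS; the Enterprise build is expected to emit an audit event for the named RPC method and operation.` — the second clause is inferred from the call sites in agent.go and should be checked against the Enterprise source. The named receiver `a` is unused while the sibling stub on the line above drops the receiver name, and the two blank identifiers can be merged, giving `func (*Agent) writeAuditRPCEvent(_, _ string) interface{} {`. If the return really is an error, declaring it as `error` would let callers check it rather than discard it.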
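Review bot: In the agent.go hunk the `OperationStart` event is gated on the delegate being a `*consul.Client`, but the deferred `OperationComplete` event is not, so on a server the audit stream would get a completion record with no matching start and a reader reconstructing activity from the log could not pair the two. Registering the defer inside the same `if ok` block keeps the pair symmetric, and since `method` is not modified afterwards the closure can become a plain `defer a.writeAuditRPCEvent(method, "OperationComplete")`. The return value of `writeAuditRPCEvent` is discarded at both call sites, and the completion event is written whether or not `a.delegate.RPC` returns an error, so the trail cannot distinguish a failed RPC from a successful one — if that matters for the Enterprise sink, the result would need to be captured via a named return and passed along. This is inside the RPC method, whose signature and start lie outside the hunk.
```go
	// audit log only on consul clients
	if _, ok := a.delegate.(*consul.Client); ok {
		a.writeAuditRPCEvent(method, "OperationStart")
		// deferred args are evaluated here, so the completion event names the same method
		defer a.writeAuditRPCEvent(method, "OperationComplete")
	}

	a.endpointsLock.RUnlock()
	return a.delegate.RPC(ctx, method, args, reply)
```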
@@ -807,8 +807,9 @@ type ConfigEntries struct {
 // Audit allows us to enable and define destinations for auditing
 type Audit struct {
- Enabled *bool `mapstructure:"enabled"`
- Sinks map[string]AuditSink `mapstructure:"sink"`
+ Enabled *bool `mapstructure:"enabled"`
+ Sinks map[string]AuditSink `mapstructure:"sink"`
+ RPCEnabled *bool `mapstructure:"rpc_enabled"`
 }
 // AuditSink can be provided multiple times to define pipelines for auditing
From 1d782d63c437ab16e30d5bd00a6b8c3cbad08845 Mon Sep 17 00:00:00 2001
From: Ronald Ekambi
Date: Wed, 7 Jun 2023 18:20:30 -0400
Subject: [PATCH 3/3] backport change log
---
 .changelog/_5740.txt | 3 +++
 .changelog/_5750.txt | 3 +++
 2 files changed, 6 insertions(+)
 create mode 100644 .changelog/_5740.txt
 create mode 100644 .changelog/_5750.txt
diff --git a/.changelog/_5740.txt b/.changelog/_5740.txt
new file mode 100644
index 000000000000..4f1d6f6448f3
--- /dev/null
+++ b/.changelog/_5740.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+api: (Enterprise only) Add `POST /v1/operator/audit-hash` endpoint to calculate the hash of the data used by the audit log hash function and salt.
+```
\ No newline at end of file
diff --git a/.changelog/_5750.txt b/.changelog/_5750.txt
new file mode 100644
index 000000000000..027753c72156
--- /dev/null
+++ b/.changelog/_5750.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+cli: (Enterprise only) Add a new `consul operator audit hash` command to retrieve and compare the hash of the data used by the audit log hash function and salt.
+```
\ No newline at end of file
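Review bot: The new `RPCEnabled` field in the config.go hunk carries no comment, and nothing in the patch says what `rpc_enabled` controls or what an unset (nil) pointer means, which is the first thing an operator reading the struct will ask about an audit setting. Please add a field comment such as `// RPCEnabled, when true, also audits agent RPC calls; unset leaves RPC auditing off.` — the default in the second half is an assumption and must be confirmed against the code that consumes the field, which is not in this patch. The hunk also rewrites the two existing field lines; that appears to be alignment only, but because the diff shows `Enabled` and `Sinks` as changed, a one-line mention in the commit message that they are unchanged apart from whitespace would stop the diff being misread.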