Audit & security log

[MartinWahnschaffe]

Situation Description & Motivation

To comply with data protection regulation, we need to make sure that SORMAS provides an audit log trail which can be easily ingested by dedicated log processing systems and allows investigation by officials.

The existing audit mechanisms only cover the manipulation of data, but we are required to log when a user is accessing data as-well.

This is based on https://github.com/hzi-braunschweig/SORMAS-RFC/blob/sormas-audit-trail/0001-sormas-audit-trail.md and "SORMAS-X Umsetzungskonzept Logging" provided by the data security team (sometimes chapters are referenced here).

Use cases

• User opens case in UI -> call to backend method CaseFacade.getCaseDataByUuid needs to be logged
• User edits/deletes case in UI -> call to backend method CaseFacade.save/deleteCase needs to be logged
• User does export -> call to CaseFacade.getExportList needs to be logged
• User opens case directory -> call to CaseFacade.getIndexList needs to be logged

High-Level Explanation

The audit trail gets populated by automatically logging every invocation of a facade/EJB method. By this, we can trace every interaction with the system (i.e., via Vaadin UI or REST). We will output the collect logs to user configurable log sink such that the logs can be easily ingested for further processing.

The most important module that needs to be covered is the SORMAS backend, so this epic will mostly be about the implementation needed there.

In addition to that the following modules need to be covered (5.1.1):

• [ ] #8022
• [x] #8021
• [x] #8023
• [x] #8902

Timeline

• Main mechanics until end of March 2022.

Tasks - SORMAS Backend

Logging service & sink

• [x] #8029
• [x] #8030

Acquiring log data

Use the interceptor pattern to log all calls to the SORMAS backend, similar as we are doing it with PerformanceLoggingInterceptor.

• [x] #8025
• [x] #8891
• [x] ~Dealing with calls from cron services, since they likely aren't covered by the interceptor~ We actively ignore local bean calls
• [x] #9881
• [x] #9889
• [x] #9882

What to log (5.2.3)?

We need to log

1. Data reads
2. Creation of data
3. Change of existing
4. Deletion of data

for the following processes:

• [x] Access to data
• [x] Users and permission -> covered through backend logging
• [x] Import and Export -> covered through backend logging
• [x] Authentication and login, including failed login attempts (5.2.5) -> Done in #8790
• [x] Infrastructure data -> shows up as AbstractInfrastructureFacadeEjb.save through backend logging

The following external interfaces

• [ ] #11637
• [ ] #8022
• [x] SORMAS2SORMAS (5.2.4.2) -> covered through backend logging

Misc:

• [x] Administrator activity (5.2.6) -> admin is normal user who is subject to backend logging
• [x] #9710 Change of username (5.2.5)
• [x] #8790

General requirements (4.2)

• [x] Under all circumstances adhere to the principle of data minimization
• [x] Only log the UUID of entities, never the entity directly.
• [x] Use propery ISO timestamp format. May be part of FHIR specification. We use setRecorded( java.util.Date value) from the library to timestamp.

In general the log shall only contain pseudonymized personal data, the only exception being the name of the active user.

Alternatives

Risks

• AuditEvent based JSON log messages contain quite some redundant data. This big amount of data needs to be digested by the log processing systems.

Additional Information

Refinement Todos

• [x] Adjust #8029 to use HAPI FHIR
• [x] Refine #8025
• [x] Refine #8030
• [x] Check what is not covered and needs to be specified (@JonasCir : I think we are missing central for some reason)

[MartinWahnschaffe]

@JonasCir I have created a wiki page. Feel free to extend with what you feel is missing there.

Also a note on https://github.com/hzi-braunschweig/SORMAS-RFC: We haven't really used it and my feeling is that using epics is a better fit for our processes. I'd suggest to close the SORMAS-RFC project and to discuss whether we want to add one ore two more of the RFC template sections to our epic template.

[JonasCir]

@MartinWahnschaffe thanks going to add to the page if anything comes up :)

Agreed, I archived the repo for now, we can see if we can salvage something.

[JonasCir]

Missing issues to close this epic are #11637 and #8022