zmb3
commented
1 year ago When auditing a Teleport cluster from historical information in the log, it is important to be able to reason about the state of the authentication configuration at any point.
This is a much larger feature request than just SAML. Teleport does not store the history of any resource, so reasoning about the state of auth configuration at any point would also require you to know the state of all roles, cluster auth preference, MFA devices, etc.
jof
What would you like Teleport to do?
When SAML connectors are changed, the audit log is a bit sparse. Teleport should reflect the changes, or complete SAML metadata/spec document into the
saml.createdaudit record.Teleport should probably explicitly exclude some sensitive fields like
signing_key_pair.private_keyfrom the Audit log, and perhaps just log that the field changed at all.What problem does this solve?
When auditing a Teleport cluster from historical information in the log, it is important to be able to reason about the state of the authentication configuration at any point. Without the critical SAML connector information in the audit log, there is not a way to reconstruct historical state. It could be possible for an administrator with access to update SAML connectors to install a malicious SAML connector config to a new IdP, log in maliciously as another Teleport User, and alter privileged cluster configuration. (As a privilege escalation) Afterwards, by setting the SAML connector back to the old values, it could be possible to evade detection.
If a workaround exists, please include it.
It might be possible to (ab)use the Teleport APIs to regularly export and log changes to important resources like SAML connectors (but leaves open the possibility of timing and race attacks)