iris-connect / eps

Our endpoint system (eps) manages and secures the communication between different actors in the IRIS connect ecosystem. Think of it as a distributed service mesh router as well as a decentralized message broker. Still evolving; use with caution.
https://iris-connect.github.io/eps/docs/
GNU Affero General Public License v3.0

Log security incidents #15

Open lucky-lusa opened 3 years ago

lucky-lusa commented 3 years ago

There is an interface that can be used to create tickets for the dev team in Slack and Zammad in the event of security incidents. The eps should also use this interface to report security-related events.

iris-connect/backlog#199

iris-connect/backlog#232

hey-johnnypark commented 3 years ago

It should be possible to configure the endpoint of the alert receiver.

adewes commented 3 years ago

Which incidents should we log? I'm not sure if logging certificate errors will make sense as for public EPS instances we'll probably get drowned in alerts (since there's a lot of scanning going on in general), probably permission errors are more interesting here (e.g. a given EPS server tries to call a method that's not permitted for the given group).

adewes commented 3 years ago

Proposal

We define a Report function in the message broker that can be used by channels and the message broker itself to report different types of incidents (e.g. failed authentication, use of valid but unpinned certificates etc.). The message broker can then be configured with an operator name to send these reports to (e.g. iris-1) using a report method. The receiving EPS will then forward the reports via the JSON-RPC client to an internal endpoint, which in turn can store or process them.
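The proposal above, sketched as an added Go example; this is not code from the eps repository, and the names Broker, Report, HandleReport, NewLoopback, the incident type strings, the shape of the JSON-RPC "report" request and the per-type suppression window are all assumptions made for illustration. The reporting EPS ("hd-1") calls Report, which wraps the incident in a JSON-RPC request addressed to the configured operator ("iris-1"); the operator's HandleReport validates the request and hands it to an internal sink. The suppression window is the practitioner's answer to the concern raised earlier in the thread: certificate noise from scanners is collapsed per peer, while permission errors are always forwarded.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// Incident classes a channel or the broker itself might report. These names,
// like everything below, are assumptions for the example, not eps identifiers.
const IncidentFailedAuth, IncidentUnpinnedCert, IncidentPermissionDenied = "failed_authentication", "unpinned_certificate", "permission_denied"

// Incident is the params object of the hypothetical "report" JSON-RPC method.
type Incident struct {
	Type     string    `json:"type"`
	Reporter string    `json:"reporter"`         // EPS that raised the report
	Peer     string    `json:"peer"`             // remote party involved, if any
	Method   string    `json:"method,omitempty"` // RPC method the peer tried to call
	Detail   string    `json:"detail"`
	Time     time.Time `json:"time"` // set by the caller
}

// rpcRequest is a minimal JSON-RPC 2.0 request envelope.
type rpcRequest struct {
	JSONRPC string   `json:"jsonrpc"`
	Method  string   `json:"method"`
	Params  Incident `json:"params"`
	ID      int      `json:"id"`
}

// Sink is the operator's internal endpoint (ticket hook, log store, ...); MemorySink just records.
type Sink interface{ Store(inc Incident) error }
type MemorySink struct{ Items []Incident }

func (s *MemorySink) Store(inc Incident) error { s.Items = append(s.Items, inc); return nil }

// Broker holds the reporting configuration of one EPS instance.
type Broker struct {
	Name     string                                      // this EPS, e.g. "hd-1"
	Operator string                                      // EPS receiving reports, e.g. "iris-1"
	Send     func(operator string, payload []byte) error // transport to the operator (assumed)
	Suppress map[string]time.Duration                    // per-type window; absent types always forward
	mu       sync.Mutex
	lastSeen map[string]time.Time
	nextID   int
}

// Report is called by channels and by the broker itself. Noisy classes (certificate errors from
// scanners) are collapsed per (type, peer) within their window. The bool says whether it was forwarded.
func (b *Broker) Report(inc Incident) (bool, error) {
	inc.Reporter = b.Name
	b.mu.Lock()
	defer b.mu.Unlock() // also serialises Send; acceptable for an example
	if b.lastSeen == nil { b.lastSeen = map[string]time.Time{} }
	if window := b.Suppress[inc.Type]; window > 0 {
		key := inc.Type + "|" + inc.Peer
		if last, seen := b.lastSeen[key]; seen && inc.Time.Sub(last) < window {
			return false, nil
		}
		b.lastSeen[key] = inc.Time
	}
	b.nextID++
	payload, err := json.Marshal(rpcRequest{JSONRPC: "2.0", Method: "report", Params: inc, ID: b.nextID})
	if err != nil {
		return false, err
	}
	return true, b.Send(b.Operator, payload)
}

// HandleReport runs on the operator's EPS: validate the "report" request, then hand it to the sink.
func HandleReport(raw []byte, sink Sink) error {
	var req rpcRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return fmt.Errorf("decode report: %w", err)
	}
	if req.JSONRPC != "2.0" || req.Method != "report" || req.Params.Type == "" || req.Params.Reporter == "" {
		return fmt.Errorf("malformed report request (method %q)", req.Method)
	}
	return sink.Store(req.Params)
}

// NewLoopback wires a reporting EPS straight to an operator's sink, standing in for the network hop.
func NewLoopback(name, operator string, sink Sink) *Broker {
	return &Broker{
		Name: name, Operator: operator,
		Send:     func(_ string, payload []byte) error { return HandleReport(payload, sink) },
		Suppress: map[string]time.Duration{IncidentUnpinnedCert: time.Hour},
	}
}

func main() {
	sink := &MemorySink{}
	b := NewLoopback("hd-1", "iris-1", sink)
	now := time.Now() // constructed sample: one permission error, then one scanner's unpinned certificate 5x in 5 minutes
	b.Report(Incident{Type: IncidentPermissionDenied, Peer: "ls-1", Method: "hd.queryTests", Detail: "method not permitted for group", Time: now})
	for i := 0; i < 5; i++ {
		b.Report(Incident{Type: IncidentUnpinnedCert, Peer: "203.0.113.7", Detail: "valid but unpinned certificate", Time: now.Add(time.Duration(i) * time.Minute)})
	}
	fmt.Printf("%d of 6 incidents forwarded to %s\n", len(sink.Items), b.Operator)
}
```

In a real deployment the Send function would be the EPS's JSON-RPC client talking to the operator over the existing channel, and the Sink would be the internal endpoint that opens the Slack/Zammad ticket. The suppression keeps only the first report per (type, peer) within the window and drops the rest, so for a forensic record the dropped count would also be worth carrying in the next forwarded report.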