minvws / nl-kat-coordination

OpenKAT scans networks, finds vulnerabilities and creates accessible reports. It integrates the most widely used network tools and scanning software into a modular framework, accesses external databases such as shodan, and combines the information from all these sources into clear reports. It also includes lots of cat hair.
https://openkat.nl
European Union Public License 1.2
127 stars 58 forks source link

Audit trail #3038

Open madelondohmen opened 5 months ago

madelondohmen commented 5 months ago

This is an epic ticket

About this epic

Detailed description

Currently within OpenKAT, the "Who did it?" piece is still missing. For example:

That's why we want a structured log, which people can then filter into. We bring out the JSON, then people can use it for all purposes.

But we also want to process some information in OpenKAT itself, to be able to use this in the future to display in the frontend. Therefore, we store some data from the structured log. (See "Implementation" section for how we can do this.)

Feature benefit/User story

As a user, I want to see who made changes in the organization so that I can detect abuse.

Implementation

Possible solution

There are two paths:

  1. Spit out structured JSON when an operation is performed
  2. Store in our own data models and possibly make it visible in our frontend

Storing the data

Excessive logs/alerts.

If you start looking for abuse in data and you link it to names, then you have to deal with the works council, with GDPR, etc.

This is where Kelvin comes in (we're not going to run Elastricsearch, just Kelvin). That looks to see if any outrageous things are happening to a user. In that context, a tool such as Kelvin can automatically detect that something excessive is happening. No person is directly linked to this. But depending on the behavior and risk, you can then pass along a hashed/encrypted userID. Collecting audit logs is a duty, viewing them is a duty, but only if there is a reason. You may also only keep the data for a certain amount of time.

Steps

We need to:

Scope is now the structured JSON side. But we now need to try to get a picture of what we all want to make insightful.

First logical step:

Alternatives considered

Storing it centrally, but we can't, because the KATalogus is not in XTDB.

Related tickets

underdarknl commented 5 months ago

We need to investigate which events we want to add the our Audit Log.

underdarknl commented 5 months ago

We need to create a Concise way of reporting about events based on the use cases of our users.

underdarknl commented 5 months ago

We need to create a Library of method that we can include in the various locations / services that trigger Auditable Events.

stephanie0x00 commented 4 months ago

Some inspiration items from the NEN7513 that could also be applicable to our logging are written below:

What to log?

Logging must be verifiable against the authorisation and access model as applicable when the action was performed.

Default actions:

Special actions:

Other items to log: Creating/changes/deletions in the authorisation model Enabling/disabling of logging should always be logged. Access to the logging data should always be logged.