mojaloop / project

Repo to track product development issues for the Mojaloop project.

Killing the audit process allows auditable activities to be carried out without an audit trail being generated #3914

Closed PaulMakinMojaloop closed 1 week ago

PaulMakinMojaloop commented 1 month ago

Summary: When running vNext, I found that if the audit BC process failed to start, or was directly terminated, I was able to carry out auditable activities (liquidity changes etc.) with no entries being made in the audit log. This is a clear security/integrity risk; if an attacker is able to kill the audit process, they could (for example) allow a DFSP to continue transacting even if there is no liquidity available; come settlement time, this presents an existential risk to the scheme operator.

Severity: High

Priority: Critical

Expected Behavior: If it is not possible to add an audit log entry, then the associated activity should not be allowed.

Acceptance Criteria

elnyry-sam-k commented 1 month ago

Thanks @PaulMakinMojaloop, this is critical. I've observed the same as well.

PhyuSinMyat8 commented 2 weeks ago

Dear @PaulMakinMojaloop,

We have already tested the auditing service and discovered that once the auditing service has been restored, the actions that were performed during the downtime are recorded in the audit log.

Scenario 1

Step 1: Terminate the auditing service

Step 2: Deposit 1000 MXN to demoWalletLcc

Step 3: Approve that fund deposit by user account

Result 1: No audit log is available since the auditing service is down

Step 5: Auditing service is up

Result 2: Fund deposit and approval actions appear after the service has been up

Result 3: Log details in Kibana search

Scenario 2

Step 1: Terminate the auditing service

Step 2: Make transactions

Step 3: Auditing service is up

Result: These transactions appear in Kibana after the service has been up

ei-nghon-phoo commented 2 weeks ago

Testing Result after termination of Kafka service

State 1: Kafka service is up.

Result 1: transaction is successful with 0 errors.

State 2: Kafka service is terminated.

Result 2: transaction failed with 100% error rate.

Result 3: No participant data available and no deposit activity available after Kafka service termination.

Result 4: All the related services that need to communicate with Kafka, including settlement, participant, quote, transfer, account lookup and such, are down.

Monicaminzy commented 2 weeks ago

test momo

JulieG19 commented 1 week ago

Confirmed by @PaulMakinMojaloop that we can close this comment.
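
The fail-closed behaviour requested in the issue, alongside the behaviour the testers reported (entries appear once the auditing service is back; nothing proceeds when the queueing layer is down), as an added example that is not Mojaloop code or part of the thread. It assumes audit entries pass through a durable queue between the producing service and the audit service; that architecture and all class and function names are hypothetical, and only the 1000 MXN deposit to demoWalletLcc is taken from the test steps above.

```typescript
// Added illustration, not Mojaloop code; all names are hypothetical.
type AuditEntry = { actor: string; action: string; detail: string };
interface AuditSink { append(e: AuditEntry): void } // throws if it cannot persist

// Assumed durable queue between services and the audit service: writes are
// accepted while the queue is up, even when the audit consumer is down.
class DurableQueue implements AuditSink {
  up = true;
  private pending: AuditEntry[] = [];
  append(e: AuditEntry): void {
    if (!this.up) throw new Error("audit queue unavailable");
    this.pending.push(e);
  }
  drain(): AuditEntry[] { return this.pending.splice(0); }
}
class AuditConsumer {
  running = true;
  readonly log: AuditEntry[] = [];
  // Moves queued entries into the audit log; returns the log size.
  poll(q: DurableQueue): number {
    if (this.running) this.log.push(...q.drain());
    return this.log.length;
  }
}
class Ledger {
  private balances = new Map<string, number>();
  private audit: AuditSink;
  constructor(audit: AuditSink) { this.audit = audit; }
  balance(id: string): number { return this.balances.get(id) ?? 0; }
  // Fail closed: the audit entry must be accepted before any state changes.
  deposit(actor: string, id: string, amount: number): boolean {
    try {
      this.audit.append({ actor, action: "FUNDS_DEPOSIT", detail: `${id}:${amount}` });
    } catch {
      return false; // no audit trail possible, so the activity is refused
    }
    this.balances.set(id, this.balance(id) + amount);
    return true;
  }
}

function runScenarios() {
  const queue = new DurableQueue(), consumer = new AuditConsumer();
  const ledger = new Ledger(queue);
  consumer.running = false; // audit service terminated
  const accepted = ledger.deposit("operator", "demoWalletLcc", 1000);
  const loggedWhileDown = consumer.poll(queue);
  consumer.running = true; // audit service restored, backlog is consumed
  const loggedAfterRestart = consumer.poll(queue);
  queue.up = false; // queue itself unavailable: nothing can be audited
  const refused = !ledger.deposit("operator", "demoWalletLcc", 1000);
  return { accepted, loggedWhileDown, loggedAfterRestart, refused, balance: ledger.balance("demoWalletLcc") };
}
```

With the audit consumer stopped, the deposit is accepted and its entry waits in the queue until the consumer returns; with the queue itself down, the deposit is refused and the balance stays at 1000.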