strongdm / log-export-container

A Docker container for easily exporting strongDM query logs
Apache License 2.0

Include sdm audit: users, roles & resources info #86

Closed devlucassantos closed 2 years ago

devlucassantos commented 2 years ago

Is your feature request related to a problem? Please describe. Currently the LEC already supports the auditing of activities through the strongDM CLI, but it still does not support the auditing for users, roles and resources which is interesting to add.

Describe the solution you'd like Add support for auditing users, roles and resources through commands already available in the strongDM CLI.

Additional context It should be considered that the commands for auditing users and roles in the strongDM CLI do not have a time filtering tool; therefore, this data can become data in constant redundancy.

camposer commented 2 years ago

For simplicity's sake we'll add only one variable that allows a user to enable different activity entities and specify a custom time (if needed). For example:

LOG_EXPORT_CONTAINER_EXTRACT_AUDIT="activities:15 resources:15 users:480 roles:480"
or
LOG_EXPORT_CONTAINER_EXTRACT_AUDIT="activities resources:15 users:480 roles:480"

Notes:

camposer commented 2 years ago

About config clash for activities, take a look at the following example:

LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES=true
LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES_INTERVAL=30
LOG_EXPORT_CONTAINER_EXTRACT_AUDIT="activities:15 resources:15 users:480 roles:480"

The system should extract audit activities every 30m, resources every 15m, users every 8h and roles every 8h.

camposer commented 2 years ago

Because yaml has some problems interpreting colon symbols in variables, we'll change to forward slashes. For example:

LOG_EXPORT_CONTAINER_EXTRACT_AUDIT="activities/15 resources/15 users/480 roles/480"

camposer commented 2 years ago

If there's a config similar to this:

LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES=true
LOG_EXPORT_CONTAINER_EXTRACT_AUDIT="activities/13 resources/15 users/480 roles/480"

LEC is going to interpret activities extraction interval time = 13m. But, if:

LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES=true
LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES_INTERVAL=30
LOG_EXPORT_CONTAINER_EXTRACT_AUDIT="activities/13 resources/15 users/480 roles/480"

LEC is going to interpret activities extraction interval time = 30m. If:

LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES=false
LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES_INTERVAL=30
LOG_EXPORT_CONTAINER_EXTRACT_AUDIT="activities/13 resources/15 users/480 roles/480"

LEC is going to interpret activities extraction interval time = 30m.

camposer commented 2 years ago

The path LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES has precedence over LOG_EXPORT_CONTAINER_EXTRACT_AUDIT because it's more specific.
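The parsing and precedence rules discussed in this thread, written out as an added example (this is not code from the log-export-container project). The variable names come from the comments above; the 15-minute fallback for an entity listed without an interval, the handling of the flag without an interval, and the strict validation of entity names are assumptions made here.

```python
import os
from typing import Dict, Mapping, Optional

# Entity names proposed in the thread for the combined variable.
KNOWN_ENTITIES = ("activities", "resources", "users", "roles")

# Assumption: the thread does not say what interval applies when an entity is
# listed without a value ("activities resources/15 ..."); 15 minutes is used here.
DEFAULT_INTERVAL_MINUTES = 15

AUDIT_VAR = "LOG_EXPORT_CONTAINER_EXTRACT_AUDIT"
ACTIVITIES_FLAG_VAR = "LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES"
ACTIVITIES_INTERVAL_VAR = "LOG_EXPORT_CONTAINER_EXTRACT_AUDIT_ACTIVITIES_INTERVAL"


def _parse_interval(raw: str, entity: str) -> int:
    """Accept only a positive whole number of minutes; reject anything else."""
    if not raw.isdigit() or int(raw) <= 0:
        raise ValueError(f"{entity}: interval must be a positive integer, got {raw!r}")
    return int(raw)


def parse_audit_var(value: str) -> Dict[str, int]:
    """Parse 'activities/15 resources/15 users/480 roles/480' into {entity: minutes}."""
    intervals: Dict[str, int] = {}
    for token in value.split():
        entity, sep, raw = token.partition("/")
        if entity not in KNOWN_ENTITIES:
            raise ValueError(f"unknown audit entity {entity!r} in {AUDIT_VAR}")
        if entity in intervals:
            raise ValueError(f"audit entity {entity!r} listed twice in {AUDIT_VAR}")
        intervals[entity] = _parse_interval(raw, entity) if sep else DEFAULT_INTERVAL_MINUTES
    return intervals


def resolve_audit_intervals(env: Optional[Mapping[str, str]] = None) -> Dict[str, int]:
    """Resolve extraction intervals (minutes) with the thread's precedence rule:
    the activities-specific variables win over the combined one because they are
    more specific, so a set ..._ACTIVITIES_INTERVAL overrides any 'activities/N'
    entry, whatever ..._ACTIVITIES says."""
    env = os.environ if env is None else env
    intervals = parse_audit_var(env.get(AUDIT_VAR, ""))
    specific_interval = env.get(ACTIVITIES_INTERVAL_VAR)
    if specific_interval is not None:
        intervals["activities"] = _parse_interval(specific_interval, "activities")
    elif env.get(ACTIVITIES_FLAG_VAR, "").lower() == "true" and "activities" not in intervals:
        # Assumption: flag set but no interval given anywhere falls back to the default.
        intervals["activities"] = DEFAULT_INTERVAL_MINUTES
    return intervals
```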