Skip to content

Add session id to audit log#85451

Merged
thomheymann merged 4 commits intomasterfrom
audit/sessionid
Dec 14, 2020
Merged

Add session id to audit log#85451
thomheymann merged 4 commits intomasterfrom
audit/sessionid

Conversation

@thomheymann
Copy link
Copy Markdown
Contributor

@thomheymann thomheymann commented Dec 9, 2020

Summary

This PR adds session id output to the audit log.

This is useful for auditors in order to trace different user sessions.

Checklist

Delete any items that are not applicable to this PR.

@thomheymann thomheymann added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes v7.11.0 labels Dec 9, 2020
@thomheymann thomheymann marked this pull request as ready for review December 9, 2020 18:30
@thomheymann thomheymann requested a review from a team as a code owner December 9, 2020 18:30
@legrego legrego requested a review from azasypkin December 9, 2020 19:10
@azasypkin
Copy link
Copy Markdown
Contributor

azasypkin commented Dec 10, 2020

ACK: will review today

azasypkin
azasypkin approved these changes Dec 10, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@azasypkin azasypkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just a couple of nits, thanks!

x-pack/plugins/security/server/session_management/session.ts
const sessionCookieValue = await this.options.sessionCookie.get(request);
if (sessionCookieValue) {
return sessionCookieValue.sid;
}
Copy link
Copy Markdown
Contributor

@azasypkin azasypkin Dec 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question/nit: how do you feel about returning null instead of undefined here? So that it's consistent with getCurrentUser, Session.get and etc?

Copy link
Copy Markdown
Contributor Author

@thomheymann thomheymann Dec 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find null a cause of unintended bugs and behaviours and the distinctions between "not set" (undefined) and "set but empty" (null) to be rarely important.

e.g. null can cause bugs when using optional parameters and default values since the default value will not be used. null is also of type object which is weird and can cause bugs so I rarely use it.

Having said that, I think in this case, we really are dealing with the "not set" scenario so I think undefined is correct.

Why are you using null for the other methods?

Copy link
Copy Markdown
Contributor

@azasypkin azasypkin Dec 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you using null for the other methods?

TL;DR: We don't have any guidelines on that yet and even though I have a slightly stronger opinion on getCurrentUser and Session.get as explained below, I don't have the same strong reasons to use null in this particular case except for consistency. Both would work for me and I trust your judgement here 👍

I think that we historically treated null not as set but empty, but more like an intentional absence of any object value, like the user or session objects are absent in a particular context, it's expected and intentional, and we explicitly manifest that with null. As a side benefit, when you return null; you explicitly define an exit point, where undefined can be either intentional or not (e.g. forgotten return statement).

Regarding default and optional parameters, I'd say it's more about personal preference, I find the code that is explicit about using default and optional parameters a little bit easier to read and understand, and type system will prevent unintentional behavior in case parameter cannot be null.

Copy link
Copy Markdown
Contributor Author

@thomheymann thomheymann Dec 14, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the definition makes sense* then. For object values use null, for primitives use undefined. That also explains why null is of type object.

* I'm using "sense" in the loosest meaning of the word here since most other programming languages have a single type the denote absence of a value and get by just fine 🤷‍♀️

@thomheymann
Copy link
Copy Markdown
Contributor Author

thomheymann commented Dec 14, 2020

@elasticmachine merge upstream

@thomheymann thomheymann mentioned this pull request Dec 14, 2020
Merged
6 tasks
@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented Dec 14, 2020

💛 Build succeeded, but was flaky

Test Failures

X-Pack API Integration Tests.x-pack/test/api_integration/apis/security_solution/kpi_network·ts.apis SecuritySolution Endpoints Kpi Network With packetbeat Make sure that we get KpiNetwork networkEvents data

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:00]       │
[00:00:00]         └-: apis
[00:00:00]           └-> "before all" hook
[00:05:18]           └-: SecuritySolution Endpoints
[00:05:18]             └-> "before all" hook
[00:05:21]             └-: Kpi Network
[00:05:21]               └-> "before all" hook
[00:05:23]               └-: With packetbeat
[00:05:23]                 └-> "before all" hook
[00:05:23]                 └-> "before all" hook
[00:05:23]                   │ info [packetbeat/default] Loading "mappings.json"
[00:05:23]                   │ info [packetbeat/default] Loading "data.json.gz"
[00:05:23]                   │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1607937314856367188] [packetbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:05:24]                   │ info [packetbeat/default] Created index "packetbeat-8.0.0-2019.02.19-000001"
[00:05:24]                   │ debg [packetbeat/default] "packetbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"packetbeat-8.0.0","rollover_alias":"packetbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","type","server.process.name","server.process.args","server.process.executable","server.process.working_directory","server.process.start","client.process.name","client.process.args","client.process.executable","client.process.working_directory","client.process.start","flow.id","status","method","resource","path","query","params","request","response","amqp.reply-text","amqp.exchange","amqp.exchange-type","amqp.consumer-tag","amqp.routing-key","amqp.queue","amqp.content-type","amqp.content-encoding","amqp.delivery-mode","amqp.correlation-id","amqp.reply-to","amqp.expiration","amqp.message-id","amqp.timestamp","amqp.type","amqp.user-id","amqp.app-id","cassandra.request.headers.flags","cassandra.request.headers.stream","cassandra.request.headers.op","cassandra.request.query","cassandra.response.headers.flags","cassandra.response.headers.stream","cassandra.response.headers.op","cassandra.response.result.type","cassandra.response.result.rows.meta.keyspace","cassandra.response.result.rows.meta.table","cassandra.response.result.rows.meta.flags","cassandra.response.result.rows.meta.paging_state","cassandra.response.result.keyspace","cassandra.response.result.schema_change.change","cassandra.response.result.schema_change.keyspace","cassandra.response.result.schema_change.table","cassandra.response.result.schema_change.object","cassandra.response.result.schema_change.target","cassandra.response.result.schema_change.name","cassandra.response.result.schema_change.args","cassandra.response.result.prepared.prepared_id","cassandra.response.result.prepared.req_meta.keyspace","cassandra.response.result.prepared.req_meta.table","cassandra.response.result.prepared.req_meta.flags","cassandra.response.result.prepared.req_meta.paging_state","cassandra.response.result.prepared.resp_meta.keyspace","cassandra.response.result.prepared.resp_meta.table","cassandra.response.result.prepared.resp_meta.flags","cassandra.response.result.prepared.resp_meta.paging_state","cassandra.response.authentication.class","cassandra.response.warnings","cassandra.response.event.type","cassandra.response.event.change","cassandra.response.event.host","cassandra.response.event.schema_change.change","cassandra.response.event.schema_change.keyspace","cassandra.response.event.schema_change.table","cassandra.response.event.schema_change.object","cassandra.response.event.schema_change.target","cassandra.response.event.schema_change.name","cassandra.response.event.schema_change.args","cassandra.response.error.msg","cassandra.response.error.type","cassandra.response.error.details.read_consistency","cassandra.response.error.details.write_type","cassandra.response.error.details.keyspace","cassandra.response.error.details.table","cassandra.response.error.details.stmt_id","cassandra.response.error.details.num_failures","cassandra.response.error.details.function","cassandra.response.error.details.arg_types","dhcpv4.transaction_id","dhcpv4.flags","dhcpv4.client_mac","dhcpv4.server_name","dhcpv4.op_code","dhcpv4.hardware_type","dhcpv4.option.message_type","dhcpv4.option.parameter_request_list","dhcpv4.option.class_identifier","dhcpv4.option.domain_name","dhcpv4.option.hostname","dhcpv4.option.message","dhcpv4.option.boot_file_name","dns.op_code","dns.response_code","dns.question.name","dns.question.type","dns.question.class","dns.question.registered_domain","dns.answers.name","dns.answers.type","dns.answers.class","dns.answers.data","dns.authorities.name","dns.authorities.type","dns.authorities.class","dns.additionals.name","dns.additionals.type","dns.additionals.class","dns.additionals.data","dns.opt.version","dns.opt.ext_rcode","http.response.status_phrase","icmp.version","icmp.request.message","icmp.response.message","memcache.protocol_type","memcache.request.line","memcache.request.command","memcache.response.command","memcache.request.type","memcache.response.type","memcache.response.error_msg","memcache.request.opcode","memcache.response.opcode","memcache.response.status","memcache.request.raw_args","memcache.request.automove","memcache.response.version","mongodb.error","mongodb.fullCollectionName","mongodb.startingFrom","mongodb.query","mongodb.returnFieldsSelector","mongodb.selector","mongodb.update","mongodb.cursorId","mysql.insert_id","mysql.num_fields","mysql.num_rows","mysql.query","mysql.error_message","nfs.tag","nfs.opcode","nfs.status","rpc.xid","rpc.status","rpc.auth_flavor","rpc.cred.gids","rpc.cred.machinename","pgsql.error_message","pgsql.error_severity","pgsql.num_fields","pgsql.num_rows","redis.return_value","redis.error","thrift.params","thrift.service","thrift.return_value","thrift.exceptions","tls.version","tls.resumption_method","tls.client_hello.version","tls.client_hello.extensions.server_name_indication","tls.client_hello.extensions.application_layer_protocol_negotiation","tls.client_hello.extensions.session_ticket","tls.client_hello.extensions.supported_versions","tls.client_hello.extensions.supported_groups","tls.client_hello.extensions.signature_algorithms","tls.client_hello.extensions.ec_points_formats","tls.client_hello.extensions._unparsed_","tls.server_hello.version","tls.server_hello.selected_cipher","tls.server_hello.selected_compression_method","tls.server_hello.session_id","tls.server_hello.extensions.session_ticket","tls.server_hello.extensions.supported_versions","tls.server_hello.extensions.ec_points_formats","tls.server_hello.extensions._unparsed_","tls.client_certificate.serial_number","tls.client_certificate.public_key_algorithm","tls.client_certificate.signature_algorithm","tls.client_certificate.raw","tls.client_certificate.subject.country","tls.client_certificate.subject.organization","tls.client_certificate.subject.organizational_unit","tls.client_certificate.subject.province","tls.client_certificate.subject.common_name","tls.client_certificate.issuer.country","tls.client_certificate.issuer.organization","tls.client_certificate.issuer.organizational_unit","tls.client_certificate.issuer.province","tls.client_certificate.issuer.common_name","tls.client_certificate.fingerprint.md5","tls.client_certificate.fingerprint.sha1","tls.client_certificate.fingerprint.sha256","tls.server_certificate.serial_number","tls.server_certificate.public_key_algorithm","tls.server_certificate.signature_algorithm","tls.server_certificate.raw","tls.server_certificate.subject.country","tls.server_certificate.subject.organization","tls.server_certificate.subject.organizational_unit","tls.server_certificate.subject.province","tls.server_certificate.subject.common_name","tls.server_certificate.issuer.country","tls.server_certificate.issuer.organization","tls.server_certificate.issuer.organizational_unit","tls.server_certificate.issuer.province","tls.server_certificate.issuer.common_name","tls.server_certificate.fingerprint.md5","tls.server_certificate.fingerprint.sha1","tls.server_certificate.fingerprint.sha256","tls.alert_types","tls.fingerprints.ja3.hash","tls.fingerprints.ja3.str","fields.*"]},"refresh_interval":"5s"}}
[00:05:24]                   │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1607937314856367188] [packetbeat-8.0.0-2019.02.19-000001/4UcLWRURR_OCs5zR9VMxAQ] update_mapping [_doc]
[00:05:24]                   │ info [packetbeat/default] Indexed 665 docs into "packetbeat-8.0.0-2019.02.19-000001"
[00:05:24]                 └-> Make sure that we get KpiNetwork uniqueFlows data
[00:05:24]                   └-> "before each" hook: global before each
[00:05:24]                   └- ✓ pass  (23ms) "apis SecuritySolution Endpoints Kpi Network With packetbeat Make sure that we get KpiNetwork uniqueFlows data"
[00:05:24]                 └-> Make sure that we get KpiNetwork DNS data
[00:05:24]                   └-> "before each" hook: global before each
[00:05:24]                   └- ✓ pass  (18ms) "apis SecuritySolution Endpoints Kpi Network With packetbeat Make sure that we get KpiNetwork DNS data"
[00:05:24]                 └-> Make sure that we get KpiNetwork networkEvents data
[00:05:24]                   └-> "before each" hook: global before each
[00:05:24]                   │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1607937314856367188] [.async-search] creating index, cause [api], templates [], shards [1]/[0]
[00:05:24]                   └- ✖ fail: apis SecuritySolution Endpoints Kpi Network With packetbeat Make sure that we get KpiNetwork networkEvents data
[00:05:24]                   │       Error: expected 0 to sort of equal 665
[00:05:24]                   │       + expected - actual
[00:05:24]                   │ 
[00:05:24]                   │       -0
[00:05:24]                   │       +665
[00:05:24]                   │       
[00:05:24]                   │       at Assertion.assert (/dev/shm/workspace/parallel/7/kibana/packages/kbn-expect/expect.js:100:11)
[00:05:24]                   │       at Assertion.eql (/dev/shm/workspace/parallel/7/kibana/packages/kbn-expect/expect.js:244:8)
[00:05:24]                   │       at Context.<anonymous> (test/api_integration/apis/security_solution/kpi_network.ts:271:45)
[00:05:24]                   │       at Object.apply (/dev/shm/workspace/parallel/7/kibana/packages/kbn-test/src/functional_test_runner/lib/mocha/wrap_function.js:84:16)
[00:05:24]                   │ 
[00:05:24]                   │

Stack Trace

Error: expected 0 to sort of equal 665
    at Assertion.assert (/dev/shm/workspace/parallel/7/kibana/packages/kbn-expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/7/kibana/packages/kbn-expect/expect.js:244:8)
    at Context.<anonymous> (test/api_integration/apis/security_solution/kpi_network.ts:271:45)
    at Object.apply (/dev/shm/workspace/parallel/7/kibana/packages/kbn-test/src/functional_test_runner/lib/mocha/wrap_function.js:84:16) {
  actual: '0',
  expected: '665',
  showDiff: true
}

Metrics [docs]

Distributable file count

id before after diff
default 47129 47889 +760

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@thomheymann thomheymann merged commit 5a8a5bf into master Dec 14, 2020
@thomheymann thomheymann deleted the audit/sessionid branch December 14, 2020 11:35
@thomheymann thomheymann mentioned this pull request Dec 14, 2020
Merged
gmmorris added a commit to gmmorris/kibana that referenced this pull request Dec 14, 2020
@gmmorris
Merge branch 'master' into alerts/examples-plugin-broke
dbbe459 
* master: (116 commits)
  Fix UX E2E tests (elastic#85722)
  Increasing default api key removalDelay to 1h (elastic#85576)
  align cors settings names with elasticsearch (elastic#85738)
  unskip tests and make sure submit is not triggered too quickly (elastic#85567)
  Row trigger 2 (elastic#83167)
  Add session id to audit log (elastic#85451)
  [TSVB] Fields lists do not populate all the times (elastic#85530)
  [Visualize] Removes the external link icon from OSS badges (elastic#85580)
  fixes EQL tests (elastic#85712)
  [APM] enable 'log_level' for Go (elastic#85511)
  ini `1.3.5` -> `1.3.7` (elastic#85707)
  Fix fleet route protections (elastic#85626)
  [Monitoring] Some progress on making alerts better in the UI (elastic#81569)
  [Security Solution] Refactor Timeline Notes to use EuiCommentList (elastic#85256)
  [Security Solution][Detections][Threshold Rules] Threshold rule exceptions (elastic#85103)
  [Security Solution] Alerts details (elastic#83963)
  skip flaky suite (elastic#62060)
  skip flaky suite (elastic#85098)
  skip flaky suite (elastic#84020)
  skip flaky suite (elastic#85671)
  ...
thomheymann added a commit that referenced this pull request Dec 14, 2020
@thomheymann @kibanamachine
Add session id to audit log (#85451) (#85757)
c47285e 
* Add session id to audit log

* fix naming

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@azasypkin azasypkin azasypkin approved these changes

Assignees

No one assigned

Labels

release_note:skip Skip the PR/issue when compiling release notes v7.11.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@thomheymann @azasypkin @kibanamachine