  1. Couchbase Server
  2. MB-50336

System event is missing when audit settings are modified by disabling audit for a user


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 7.1.0
    • 7.1.0
    • ns_server
    • Centos 7 64 bit; CB EE 7.1.0-2036

    Description

      Summary:
      When a user modifies audit settings along with disabling audit events for a user, the corresponding system event is not logged.

      Steps to Repro
      1. Create a 2 node KV cluster with nodes: 172.23.136.108, 172.23.136.111
      2. Create a local user "myuser".
      3. Start event streaming to observe the latest events logged.

      curl -v -u Administrator:password http://172.23.136.112:8091/eventsStreaming

      4. Enable audit. The corresponding security event is logged as expected

      {"timestamp":"2022-01-11T15:43:53.213Z","event_id":9216,"component":"security","description":"Audit enabled","severity":"info","node":"172.23.136.111","otp_node":"ns_1@172.23.136.111","uuid":"eef95ba5-8ae4-44f6-a253-54b610ad1c01","extra_attributes":{"new_settings":{"enabled_audit_ids":[8243,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/opt/couchbase/var/lib/couchbase/logs","rotate_interval":86400,"rotate_size":20971520}}}]

      5. Now modify the audit settings by enabling "read document" audit event and disabling the audit events for user "myuser". Observe the eventStreaming api. No event for "audit configuration changed" is logged. (The only events that I see logged here are from view engine as event "View engine settings modified", but that leaks the username, for which I opened MB-50302.)

      But on a different cluster, I tried the 5th step without disabling the audit events for user, and I see the event getting logged fine.

      ,{"timestamp":"2022-01-11T15:48:02.074Z","event_id":9218,"component":"security","description":"Audit configuration changed","severity":"info","node":"172.23.136.112","otp_node":"ns_1@172.23.136.112","uuid":"737d476c-264a-4cc4-a3b6-f1ac12ce495c","extra_attributes":{"old_settings":{"disabled_users":[],"enabled_audit_ids":[8243,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/opt/couchbase/var/lib/couchbase/logs","rotate_interval":86400,"rotate_size":20971520,"sync":[]},"new_settings":{"enabled_audit_ids":[8243,8255,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/opt/couchbase/var/lib/couchbase/logs","rotate_interval":86400,"rotate_size":20971520}}}

       


        Activity

          dfinlay Dave Finlay added a comment -

          Hareen - would you mind taking a look into this one?

          hareen.kancharla Hareen Kancharla added a comment - - edited

          I have changed the events logs to read as below:
          1) When there are no "disabled users", the Settings keys (old_settings and new_settings keys) will not have the disabled_users key.
          2) When there is at least one "disabled user", the 'disabled_users' key's value is "redacted".
          3) When the Audit settings changes between the number of "disabled users" - an audit_cfg_changed event log will be generated where 'disabled_users' key under NewSettings and OldSettings read "redacted".
          #UNIT-TEST
          1. enable audit.

          {"timestamp":"2022-01-12T19:43:34.742Z","event_id":9216,"component":"security","description":"Audit enabled","severity":"info","node":"127.0.0.1","otp_node":"n_0@127.0.0.1","uuid":"d3d74b23-874d-4e8b-8757-5eed5cc74a15","extra_attributes":{"new_settings":{"enabled_audit_ids":[8243,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/tmp","rotate_interval":86400,"rotate_size":20971520}}}
          

          2. Add a user to the "disabled user" list.

          {"timestamp":"2022-01-12T19:44:24.371Z","event_id":9218,"component":"security","description":"Audit configuration changed","severity":"info","node":"127.0.0.1","otp_node":"n_0@127.0.0.1","uuid":"67569052-d168-42e7-b4b4-c656c7802ad0","extra_attributes":{"old_settings":{"enabled_audit_ids":[8243,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/tmp","rotate_interval":86400,"rotate_size":20971520,"sync":[]},"new_settings":{"disabled_users":"redacted","enabled_audit_ids":[8243,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/tmp","rotate_interval":86400,"rotate_size":20971520}}}
          

          3. Remove user from the "disabled user" list:

          {"timestamp":"2022-01-12T19:44:48.700Z","event_id":9218,"component":"security","description":"Audit configuration changed","severity":"info","node":"127.0.0.1","otp_node":"n_0@127.0.0.1","uuid":"1b7de9f2-3318-49a1-8171-9bb95b2db395","extra_attributes":{"old_settings":{"disabled_users":"redacted","enabled_audit_ids":[8243,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/tmp","rotate_interval":86400,"rotate_size":20971520,"sync":[]},"new_settings":{"enabled_audit_ids":[8243,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/tmp","rotate_interval":86400,"rotate_size":20971520}}}
          

          4. Change the number of users in the "disabled user" list:

          {"timestamp":"2022-01-12T19:45:59.475Z","event_id":9218,"component":"security","description":"Audit configuration changed","severity":"info","node":"127.0.0.1","otp_node":"n_0@127.0.0.1","uuid":"418ec74c-80b3-458a-b39f-a7ddddd4ae08","extra_attributes":{"old_settings":{"disabled_users":"redacted","enabled_audit_ids":[8243,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/tmp","rotate_interval":86400,"rotate_size":20971520,"sync":[]},"new_settings":{"disabled_users":"redacted","enabled_audit_ids":[8243,8257,8265,20480,20482,20483,20492,20494,32768,32769,32773,32774,32775,32776,32777,32778,32779,32781,32784,32789,32790,32791,32792,32794,32797,36865,36866,40960,40961,40962,40964,40966,45056,45058,45059,45060,45062,45063,45064,45065,45067,45068,45069,45071,45072,45073,45074],"log_path":"/tmp","rotate_interval":86400,"rotate_size":20971520}}}    /0.0s
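A consumer-side check for the redaction rules listed in the comment above, as an added example that is not part of the ticket or of ns_server: it classifies event 9218 by what its redacted `disabled_users` fields reveal and flags any event that still carries user identities. The sample lines are constructed, and the label names and the list shape of the leaking value are assumptions.

```python
import json

AUDIT_CFG_CHANGED = 9218  # event_id of "Audit configuration changed" in the events above

def disabled_state(settings):
    """Map one settings object to 'none', 'redacted' or 'leaked'."""
    value = settings.get("disabled_users")
    if value is None or value == []:   # key absent, or the empty list seen before the fix
        return "none"
    if value == "redacted":
        return "redacted"
    return "leaked"                    # any other value exposes user identities

LABELS = {  # hypothetical label names, keyed by (old state, new state)
    ("none", "none"): "unrelated",
    ("none", "redacted"): "audit_disabled_for_users",
    ("redacted", "none"): "audit_restored_for_all_users",
    # Both redacted: users are still excluded; the event cannot say if the list changed.
    ("redacted", "redacted"): "disabled_users_still_present",
}

def classify(event):
    """Return a label for an audit_cfg_changed event, None for any other event."""
    if event.get("event_id") != AUDIT_CFG_CHANGED:
        return None
    extra = event.get("extra_attributes", {})
    old = disabled_state(extra.get("old_settings", {}))
    new = disabled_state(extra.get("new_settings", {}))
    return "LEAK" if "leaked" in (old, new) else LABELS[(old, new)]

def scan(lines):
    """Classify streamed lines, stripping the ',' and ']' framing seen in the output above."""
    texts = (l.strip().lstrip(",[").rstrip("]") for l in lines)
    labels = (classify(json.loads(t)) for t in texts if t)
    return [x for x in labels if x is not None]

# Constructed sample lines (shortened; not captured from a real cluster).
SAMPLE_LINES = [
    '{"event_id":9216,"extra_attributes":{"new_settings":{"enabled_audit_ids":[8243]}}}]',
    ',{"event_id":9218,"extra_attributes":{"old_settings":{"sync":[]},"new_settings":{"disabled_users":"redacted"}}}',
    ',{"event_id":9218,"extra_attributes":{"old_settings":{"disabled_users":"redacted"},"new_settings":{}}}',
    ',{"event_id":9218,"extra_attributes":{"old_settings":{"disabled_users":"redacted"},"new_settings":{"disabled_users":"redacted"}}}',
    ',{"event_id":9218,"extra_attributes":{"old_settings":{"disabled_users":[]},"new_settings":{"enabled_audit_ids":[8243,8255]}}}',
    ',{"event_id":9218,"extra_attributes":{"old_settings":{},"new_settings":{"disabled_users":["exampleuser"]}}}',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LINES))
```

Because both sides read "redacted" whenever any user is excluded, a monitor built on these events can tell that audit exclusions exist or were removed, but not which users are affected; that detail has to come from the audit settings themselves.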
          


          Build couchbase-server-7.1.0-2104 contains ns_server commit 999f3ba with commit message:
          MB-50336 Redact user information in audit_cfg_changed event log


          People

            hareen.kancharla Hareen Kancharla
            sumedh.basarkod Sumedh Basarkod (Inactive)