Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

COMP-264 Updating documentation for audit secret logging (Audit Log section) #2716

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

COMP-264 Updating documentation for audit secret logging (Audit Log section) #2716

wants to merge 4 commits into from

Conversation

123sarahj123
Copy link
Contributor

@123sarahj123 123sarahj123 commented Mar 14, 2024
edited
Loading

ON HOLD
Secrets is currently paused while we the Compute team focuses on Cache Volumes. See our roadmap here.

Description

This PR just focuses on updating the relevant documentation of the audit event types for Audit Secret Logging.
Docs: Pipelines -> Security -> Audit Log

A major part of incident investigation for secrets is audit logging. We assume at some point in the future, that the secrets service will be compromised either within a tenant or across all tenants. When an event like this happens it will be important to get a list of the actions the attacker took during the compromise.

Audit events implemented for creating, reading, updating and destroying a secret from actors across the Agent API, Rest API, Web. We want to display relevant information for the user to view the audit logs in the UI.

There is this Linear ticket for creating the public docs for audit secret logging, however that is relying on the Secrets UI and REST API to have been built. This PR just focuses on updating the relevant documentation of the audit event types on the Audit Log section for Audit Secret Logging.

The Audit Secret Logging project has included:

  • Additional audit events that can be queried via GraphQL, as well as a description of Audit Secret Logging on the Audit Log page (Docs: Pipelines -> Security -> Audit Log)
SECRET_CREATED
SECRET_DELETED
SECRET_QUERIED
SECRET_READ
SECRET_UPDATED

These docs are auto-generated and popped up in another PR
(Autogenerated GraphQL docs)
Also see more in my PR comment below

  • Changes to the GraphQL Schema to include a Secret type
  • Changes to the GraphQL schema to include an AgentAPIContext
  • Changes to the GraphQL schema to include an actor type Agent

Context

BC Post
Linear Ticket
Linear Project for Audit Secret Logging

@github-actions github-actions bot added the pipelines Pull requests that update content related to Pipelines label Mar 14, 2024
@123sarahj123 123sarahj123 marked this pull request as draft March 14, 2024 03:41
@buildkite-docs-bot
Copy link
Contributor

Preview URL: https://2716--bk-docs-preview.netlify.app

@123sarahj123
Copy link
Contributor Author

123sarahj123 commented Mar 14, 2024
edited
Loading

I have popped this on the Linear ticket, but will also pop here:

Re technical documentation in the docs. Where should this go?
There is security-> secret management
There is also security -> audit log (which has the updated states, but do I describe the secret audit logging here and what it contains?)

Also looking at the cookbook documentation I don't think I should add Secrets there (as the cookbook is for common tasks). This sort of links in with the question in the above comment. I need to write about these audit logs specifically for secrets to reassure that they do not contain sensitive information.

GraphQL schema docs has secret included

ENUMS->AuditEventType have the secret events included
ENUMS->AuditActorType has the agent included

ENUMS->AuditSubjectType has SECRET included
Unions->AuditActorNode has Agent
Unions->AuditContext includes AgentAPIContext, and in GraphQL->Objects section

@123sarahj123 123sarahj123 marked this pull request as ready for review March 15, 2024 02:03
@123sarahj123 123sarahj123 changed the title COMP-264 WIP updating documentation for audit secret logging COMP-264 Updating documentation for audit secret logging (Audit Log section) Mar 15, 2024
@123sarahj123
COMP-264 WIP updating documentation for audit secret logging
b6ff952 
- Extending audit_log.md to include secret audit events for GraphQL, and information about these events
@123sarahj123 123sarahj123 force-pushed the updating-audit-log-docs-secrets branch from 4b47361 to b6ff952 Compare March 15, 2024 02:47
gilesgas
gilesgas requested changes Mar 25, 2024
View reviewed changes
Copy link
Contributor

@gilesgas gilesgas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@123sarahj123 has requested this has been put on hold for a few cycles.

Therefore, marking this as 'changes requested' to help block merging.

@123sarahj123 123sarahj123 added the On Hold Project/feature is paused label Apr 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@l-suzuki l-suzuki l-suzuki left review comments

@gilesgas gilesgas gilesgas requested changes

@mbelton-buildkite mbelton-buildkite Awaiting requested review from mbelton-buildkite

@matthewborden matthewborden Awaiting requested review from matthewborden

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
On Hold Project/feature is paused pipelines Pull requests that update content related to Pipelines
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@123sarahj123 @buildkite-docs-bot @l-suzuki @gilesgas