Audit event logging for DAST config changes
Problem to solve
As the person responsible for the security scanning of my websites, I want to know when changes have been made to the DAST scan and site configs, so that I can know who made what changes.
Intended users
- Cameron (Compliance Manager)
- Parker (Product Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Rachel (Release Manager)
User experience goal
The user should be able to go to the "Security & Compliance" => "Audit Events" section of their project and see anything that has been logged there, specifically, any changes to the DAST config profiles.
Proposal
The events that should be logged are:
- Creation of a new Scanner or Site profile
  - The "Action" should state that a new [Scanner/Site] profile was created
  - The "Target" should state the name of the new profile
- Deletion of a Scanner or Site profile
  - The "Action" should state that a [Scanner/Site] profile was deleted
  - The "Target" should state the name of the deleted profile
- Editing of a Scanner or Site profile
  - The "Action" should state that a [Scanner/Site] profile was edited
  - (Stretch) The "Action" should state what fields were changed and what the new selected options are
  - The "Target" should state the name of the edited profile
- Creation of a saved on-demand DAST test
  - The "Action" should state that a new on-demand DAST test was created
  - The "Target" should state the name of the new test
- Deletion of a saved on-demand DAST test
  - The "Action" should state that an on-demand DAST test was deleted
  - The "Target" should state the name of the deleted test
- Editing of a saved on-demand DAST test
  - The "Action" should state that an on-demand DAST test was edited
  - (Stretch) The "Action" should state what was changed (profile/branch/name) and what the new value is
  - The "Target" should state the name of the on-demand DAST test
Further details
Maintainer and owner roles should have access to see the audit events.
Documentation
- Update the DAST docs to note that all changes to the config profiles are logged to the project Audit Event log.
- Update the docs describing the Audit Event log to include the new changes that will be logged there.
Execution
Use AuditEventService#security_event to persist events for the DastSiteProfile, DastScannerProfile, and Dast::Profile models. This will involve adding a method for each of the objects to AuditEventService that can handle :create, :update, and :destroy events. The AuditEventService#for_member method can serve as a guide on how to structure the new methods.
AuditEventService#for_changes might be worth using for the Stretch goal of including details on the changes made during :update events.
- Use AuditEventService to log uses of DastScannerProfiles::CreateService, DastScannerProfiles::UpdateService, and DastScannerProfiles::DestroyService using the parameters defined in the Proposal
- Use AuditEventService to log uses of DastSiteProfiles::CreateService, DastSiteProfiles::UpdateService, and DastSiteProfiles::DestroyService using the parameters defined in the Proposal
- Use AuditEventService to log uses of Dast::Profiles::CreateService, Dast::Profiles::UpdateService, and Dast::Profiles::DestroyService using the parameters defined in the Proposal
- Update the documentation as mentioned in Documentation
- Stretch: create one audit event for each field changed on the object, and specify the details using AuditEventService#for_changes so that users can see exactly what changed
- Stretch ~"technical debt": if possible, move the changed DAST services into the AppSec::Dast namespace
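As an added illustration of the Execution plan above (not GitLab's code and not the real AuditEventService API), the Ruby below models the events listed in the Proposal: one base event per :create/:update/:destroy action carrying the "Action" text and the "Target" name, plus the stretch goal of one event per changed field. DastSiteProfile here is a constructed Struct standing in for the real model, and dast_audit_event / dast_change_events are hypothetical helper names.

```ruby
# Added example (not GitLab's code). Constructed stand-in for the real
# DastSiteProfile model; DastScannerProfile and Dast::Profile map the same way.
DastSiteProfile = Struct.new(:name, :target_url, :excluded_urls, keyword_init: true)

# Label used in the "Action" text, keyed by the model class name.
PROFILE_LABELS = {
  'DastSiteProfile'    => 'Site profile',
  'DastScannerProfile' => 'Scanner profile',
  'DastProfile'        => 'on-demand DAST test'
}.freeze

# "Action" wording per lifecycle event, following the Proposal.
ACTION_TEMPLATES = {
  create:  'Created new %s',
  update:  'Edited %s',
  destroy: 'Deleted %s'
}.freeze

# Build the base audit event for one service call (hypothetical helper).
# An unknown action raises instead of logging an event with empty text.
def dast_audit_event(action, profile, author:)
  template = ACTION_TEMPLATES.fetch(action) do
    raise ArgumentError, "unsupported audit action: #{action.inspect}"
  end
  label = PROFILE_LABELS.fetch(profile.class.name)
  {
    author: author,
    target: profile.name,          # "Target" is the profile or test name
    action: format(template, label)
  }
end

# Stretch goal: one :update event per changed field, recording old and new
# values, in the spirit of what AuditEventService#for_changes captures.
def dast_change_events(before, after, author:)
  before.to_h.filter_map do |field, old_value|
    new_value = after[field]
    next if old_value == new_value

    base = dast_audit_event(:update, after, author: author)
    base.merge(field: field, from: old_value, to: new_value,
               action: "#{base[:action]} (#{field}: #{old_value.inspect} -> #{new_value.inspect})")
  end
end

if __FILE__ == $PROGRAM_NAME
  current = DastSiteProfile.new(name: 'staging', target_url: 'https://staging.example.test', excluded_urls: [])
  updated = DastSiteProfile.new(name: 'staging', target_url: 'https://qa.example.test', excluded_urls: ['/logout'])
  puts dast_audit_event(:create, current, author: 'sam')
  dast_change_events(current, updated, author: 'sam').each { |event| puts event }
end
```

Unchanged fields produce no event, so an :update that changes nothing leaves the audit log untouched.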