Changes to Linked Security Policy Project are not Audited
Summary
When a project owner changes the Security Policy Project linked to a project (links a new one, or unlinks the current one), no entry is written to the Audit Log. This matters because unlinking the policy project stops its policies from being enforced: a Project Owner can unlink it, make changes that the policies would otherwise have blocked or flagged, and link it again, and the Audit Log contains no record that enforcement was ever interrupted.
Implementation Plan
- backend: Create a new audit event type (`policy_project_updated`) following the documentation.
- backend: Update `ee/app/services/security/orchestration/assign_service.rb` and `ee/app/services/security/orchestration/unassign_service.rb` to push the audit payload along with the message.

Reference implementation: Draft: Audit policy project changes (!101817 - closed) can be used as a reference.
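The following is an added, self-contained illustration of what the plan above asks for; it is not GitLab's code and does not use GitLab's audit classes. Two hypothetical service classes stand in for `assign_service.rb` and `unassign_service.rb` and write a `policy_project_updated` event (name, author, scope, target, message, timestamp) to an in-memory audit log on every link and unlink. It goes one step beyond the plan by also showing why the record matters: a check over the audit trail that flags the "unlink, then relink shortly after" pattern described in the summary. The `AuditLog`, the service class names, the project hash and the timestamps are all constructed for the example.

```ruby
require 'time'

# Audit record shape modelled on the fields a GitLab audit event carries
# (event name, author, scope, target, message, timestamp).
# Constructed for this example; not GitLab's actual model.
AuditEvent = Struct.new(:name, :author, :scope, :target, :message, :created_at,
                        keyword_init: true)

# In-memory stand-in for the audit log (assumption for the example).
class AuditLog
  attr_reader :events

  def initialize
    @events = []
  end

  def push(**attrs)
    @events << AuditEvent.new(**attrs)
  end
end

POLICY_PROJECT_UPDATED = 'policy_project_updated'

# Hypothetical analogue of assign_service.rb: links the policy project and,
# crucially, records who did it, on which project, and what the previous link was.
class AssignPolicyProjectService
  def initialize(project:, policy_project:, author:, audit_log:, now: Time.now)
    @project, @policy_project, @author, @audit_log, @now =
      project, policy_project, author, audit_log, now
  end

  def execute
    previous = @project[:policy_project]
    @project[:policy_project] = @policy_project
    @audit_log.push(
      name: POLICY_PROJECT_UPDATED,
      author: @author,
      scope: @project[:path],
      target: @policy_project,
      message: "Linked security policy project #{@policy_project} " \
               "(previously #{previous || 'none'})",
      created_at: @now
    )
    @project
  end
end

# Hypothetical analogue of unassign_service.rb: unlinking is the operation that
# suspends enforcement, so it must be audited too (target is nil after unlink).
class UnassignPolicyProjectService
  def initialize(project:, author:, audit_log:, now: Time.now)
    @project, @author, @audit_log, @now = project, author, audit_log, now
  end

  def execute
    previous = @project[:policy_project]
    @project[:policy_project] = nil
    @audit_log.push(
      name: POLICY_PROJECT_UPDATED,
      author: @author,
      scope: @project[:path],
      target: nil,
      message: "Unlinked security policy project #{previous}",
      created_at: @now
    )
    @project
  end
end

# Detection over the audit trail: an unlink followed by a relink of the same
# project by the same author within `window` seconds is the "temporarily disable
# policies" pattern from the issue. Returns [[unlink_event, relink_event], ...].
def suspicious_relinks(events, window: 600)
  updates = events.select { |e| e.name == POLICY_PROJECT_UPDATED }.sort_by(&:created_at)
  updates.each_with_index.flat_map do |unlink, i|
    next [] unless unlink.target.nil?
    relink = updates.drop(i + 1).find do |e|
      e.scope == unlink.scope && e.author == unlink.author && !e.target.nil? &&
        (e.created_at - unlink.created_at) <= window
    end
    relink ? [[unlink, relink]] : []
  end
end

# Constructed scenario: an owner links a policy project, unlinks it a minute
# later, and links it again two minutes after that.
def demo
  log = AuditLog.new
  project = { path: 'group/app', policy_project: nil }
  t0 = Time.utc(2024, 1, 1, 12, 0, 0)
  AssignPolicyProjectService.new(project: project, policy_project: 'group/policies',
                                 author: 'owner', audit_log: log, now: t0).execute
  UnassignPolicyProjectService.new(project: project, author: 'owner',
                                   audit_log: log, now: t0 + 60).execute
  AssignPolicyProjectService.new(project: project, policy_project: 'group/policies',
                                 author: 'owner', audit_log: log, now: t0 + 180).execute
  log
end

if __FILE__ == $0
  log = demo
  log.events.each { |e| puts "#{e.created_at.iso8601} #{e.author} #{e.scope} #{e.message}" }
  suspicious_relinks(log.events).each do |u, r|
    puts "suspicious: unlinked at #{u.created_at.iso8601}, relinked at #{r.created_at.iso8601}"
  end
end
```

Without the audit events (the current behaviour) the three operations in `demo` leave nothing behind, and `suspicious_relinks` has nothing to inspect; with them, the unlink/relink pair two minutes apart is visible and attributable to the owner.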
Edited by Sashi Kumar Kumaresan