Skip to content

Add usage statistics for modsecurity for packets/anomalous

What does this MR do?

Related to #32358 (closed)

In this MR we are adding new usage statistics for WAF:

  • modsecurity_statistics_unavailable - number of environments where statistics for WAF are not available
  • modsecurity_packets_processed
  • modsecurity_packets_anomalous

Currently this change only measures applications installed using GitLab Managed Apps and does not take into account apps installed using GitLab CI/CD (https://docs.gitlab.com/ee/user/clusters/applications.html#install-using-gitlab-cicd-alpha). I will work to add these in my next MRs.

Queries

SELECT
  DISTINCT "clusters".*
FROM "clusters"
INNER JOIN "clusters_applications_ingress" ON "clusters_applications_ingress"."cluster_id" = "clusters"."id"
INNER JOIN "clusters_applications_elastic_stacks" ON "clusters_applications_elastic_stacks"."cluster_id" = "clusters"."id"
INNER JOIN "deployments" ON "deployments"."cluster_id" = "clusters"."id"
INNER JOIN "environments" ON "environments"."id" = "deployments"."environment_id"
WHERE
  "clusters_applications_ingress"."modsecurity_enabled" = TRUE
  AND "clusters_applications_elastic_stacks"."status" IN (3, 5)
  AND "deployments"."status" = 2;

First execution: https://explain.depesz.com/s/pNzg (~2.26s)

Second execution: https://explain.depesz.com/s/ATSD (~22.33ms)

In batches

BATCH SIZE: 100

SELECT
  DISTINCT "clusters".*
FROM "clusters"
INNER JOIN "clusters_applications_ingress" ON "clusters_applications_ingress"."cluster_id" = "clusters"."id"
INNER JOIN "clusters_applications_elastic_stacks" ON "clusters_applications_elastic_stacks"."cluster_id" = "clusters"."id"
INNER JOIN "deployments" ON "deployments"."cluster_id" = "clusters"."id"
INNER JOIN "environments" ON "environments"."id" = "deployments"."environment_id"
WHERE
  "clusters_applications_ingress"."modsecurity_enabled" = TRUE
  AND "clusters_applications_elastic_stacks"."status" IN (3, 5)
  AND "deployments"."status" = 2;
LIMIT
  100

https://explain.depesz.com/s/6BMb (~266ms)

We are using find_each, so by default this query will be executed in batches.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team
Edited by Alan (Maciej) Paruszewski

Merge request reports

Loading