For audit purposes, users might want to extract the events that record assigning and removing org or space roles for CF users.
When a user is granted a role (for example, organization auditor) in an org or space, the event (audit.user.***_***_add) can be found in the cloud_controller_ng logs on the cloud_controller VMs.
Here is an example log line for a role-grant event:
{"timestamp":"202*-0*-1*T03:09:56.803818807Z","message":"{\"guid\":\"ecbdf76e-****-****-****-dcf3e1b65aeb\",\"created_at\":\"202*-0*-1*T03:09:56Z\",\"updated_at\":\"202*-0*-1*T03:09:56Z\",\"type\":\"audit.user.organization_auditor_add\",\"actor\":{\"guid\":\"284313c1-****-****-****-119cfe30914a\",\"type\":\"user\",\"name\":\"****\"},\"target\":{\"guid\":\"128fea43-****-****-****-d040dece4a14\",\"type\":\"user\",\"name\":\"****\"},\"data\":{\"request\":{\"type\":\"organization_auditor\",\"relationships\":{\"organization\":{\"data\":{\"guid\":\"c31330dc-****-****-****-a0d849b756f9\"}},\"user\":{\"data\":{\"username\":\"***\"}}}}},\"space\":null,\"organization\":{\"guid\":\"c31330dc-****-****-****-a0d849b756f9\"}}","log_level":"info","source":"cc.model.event","data":{"request_guid":"6eb49003-****-****-****-62ff17ff2fe5::3a2a7533-****-****-****-cf1ba3464e01","user_guid":"284313c1-****-****-****-119cfe30914a","b3_trace_id":"6eb4************************2fe5","b3_span_id":"4ed5********2fe5"},"thread_id":57100,"fiber_id":57120,"process_id":6,"file":"/var/vcap/data/packages/cloud_controller_ng/e612********************************d43f/cloud_controller_ng/app/models/runtime/event.rb","lineno":55,"method":"after_save"}
However, for removing org or space roles from users, there are no explicit audit events in the system log, unlike for granting roles.
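The log line above is JSON whose "message" field is itself a serialised JSON document, so a script has to decode it twice before it can read the event type, actor, target and org/space. The following parser is an added example (not part of this article or of cloud_controller_ng) that extracts role add/remove events from cloud_controller_ng-style log lines; the same format is written by the cloud_controller_worker log once worker audit logging is enabled. The sample lines, GUIDs and user names are constructed placeholders, and the remove event names are assumed to mirror the add events (audit.user.<role>_remove).

```python
import json
import re
from typing import Iterable, Iterator, Optional

# Role-change events are named audit.user.<role>_add / audit.user.<role>_remove,
# e.g. audit.user.organization_auditor_add in the log line above.
ROLE_EVENT_RE = re.compile(r"^audit\.user\.(?P<role>[a-z_]+)_(?P<action>add|remove)$")


def parse_role_event(line: str) -> Optional[dict]:
    """Return a flat record for a role add/remove audit event, or None for any other line.

    cloud_controller_ng emits one JSON object per line; the audit event itself is a JSON
    document serialised into the "message" string, so it must be decoded a second time.
    """
    try:
        outer = json.loads(line)
    except json.JSONDecodeError:
        return None  # not a JSON log line
    if outer.get("source") != "cc.model.event":
        return None  # other CC components, e.g. request logging
    try:
        event = json.loads(outer["message"])
    except (KeyError, TypeError, json.JSONDecodeError):
        return None
    match = ROLE_EVENT_RE.match(event.get("type", ""))
    if not match:
        return None
    actor = event.get("actor") or {}
    target = event.get("target") or {}
    org = event.get("organization") or {}
    space = event.get("space") or {}  # null for org-level roles
    return {
        "created_at": event.get("created_at"),
        "type": event["type"],
        "role": match.group("role"),
        "action": match.group("action"),
        "actor_guid": actor.get("guid"),
        "actor_name": actor.get("name"),
        "target_guid": target.get("guid"),
        "target_name": target.get("name"),
        "org_guid": org.get("guid"),
        "space_guid": space.get("guid"),
        "request_guid": (outer.get("data") or {}).get("request_guid"),
    }


def extract_role_events(lines: Iterable[str]) -> Iterator[dict]:
    """Filter a stream of log lines (e.g. an open log file) down to role changes."""
    for line in lines:
        record = parse_role_event(line)
        if record is not None:
            yield record


def _cc_log_line(event: dict, request_guid: str) -> str:
    """Build a cloud_controller_ng-style line around an event (constructed sample, not captured)."""
    return json.dumps({
        "timestamp": event["created_at"],
        "message": json.dumps(event),
        "log_level": "info",
        "source": "cc.model.event",
        "data": {"request_guid": request_guid},
    })


# Constructed sample input: GUIDs, names and request ids are placeholders.
SAMPLE_LINES = [
    _cc_log_line({
        "created_at": "2024-01-01T03:09:56Z",
        "type": "audit.user.organization_auditor_add",
        "actor": {"guid": "aaaaaaaa-0000-0000-0000-000000000001", "type": "user", "name": "admin"},
        "target": {"guid": "bbbbbbbb-0000-0000-0000-000000000002", "type": "user", "name": "alice"},
        "space": None,
        "organization": {"guid": "cccccccc-0000-0000-0000-000000000003"},
    }, "req-0001"),
    _cc_log_line({
        "created_at": "2024-01-01T04:10:00Z",
        "type": "audit.user.space_developer_remove",
        "actor": {"guid": "aaaaaaaa-0000-0000-0000-000000000001", "type": "user", "name": "admin"},
        "target": {"guid": "bbbbbbbb-0000-0000-0000-000000000002", "type": "user", "name": "alice"},
        "space": {"guid": "dddddddd-0000-0000-0000-000000000004"},
        "organization": {"guid": "cccccccc-0000-0000-0000-000000000003"},
    }, "req-0002"),
    # An unrelated line from the same log, which must be skipped.
    json.dumps({"timestamp": "2024-01-01T04:10:01Z", "message": "Completed 200 vcap-request-id: req-0002",
                "log_level": "info", "source": "cc.api"}),
]

if __name__ == "__main__":
    for record in extract_role_events(SAMPLE_LINES):
        print(record)
```

Run it against the real file with `extract_role_events(open(path))`; the request_guid in each record can be correlated with the request logging lines of the same VM if you need the API call that triggered the change.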
Tanzu Application Service 4.0
Audit events are logged by default by the Cloud Controller web server, but this does not enable them on the Cloud Controller Worker or Cloud Controller Clock. Those jobs have separate properties, which are disabled by default.
The worker often processes user-initiated actions such as deletions, and these create audit events that are currently not logged by default. Typically, create audit events are logged synchronously, while delete actions are asynchronous, so their audit events are not logged.
Permanent-Fix:
The issue is fixed in the below version:
Temporary-Fix:
Method 1:
The remove events can be found via the GET /v3/audit_events endpoint.
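Querying the endpoint is the route that works without changing any job config. The script below is an added example (not from this article or from the Cloud Controller project) that pages through GET /v3/audit_events, filtered with the v3 types parameter, and prints one audit-trail line per removal. The API URL and token are assumptions (the token is the output of `cf oauth-token`), the fetcher is injected so the paging logic runs offline against constructed pages, and the remove event type is assumed to mirror the add event shown earlier.

```python
import json
import urllib.request
from typing import Callable, Iterator, List
from urllib.parse import urlencode

# A fetcher maps a URL to the decoded JSON body; injecting it keeps paging testable offline.
Fetcher = Callable[[str], dict]

# Removal events are assumed to mirror the add events' naming (audit.user.<role>_remove);
# the org auditor role is used because its add event appears in the log example above.
ROLE_REMOVE_TYPES = ["audit.user.organization_auditor_remove"]

API_URL = "https://api.example.invalid"  # placeholder; use your foundation's CC API URL


def build_url(api_url: str, types: List[str], per_page: int) -> str:
    """First page of GET /v3/audit_events filtered by event type (comma-delimited list)."""
    query = urlencode({"types": ",".join(types), "per_page": per_page, "order_by": "created_at"})
    return f"{api_url.rstrip('/')}/v3/audit_events?{query}"


def iter_audit_events(api_url: str, fetch: Fetcher, types: List[str],
                      per_page: int = 100) -> Iterator[dict]:
    """Yield every matching audit event, following pagination.next.href until it is null."""
    url = build_url(api_url, types, per_page)
    while url:
        body = fetch(url)
        yield from body.get("resources", [])
        next_link = (body.get("pagination") or {}).get("next")
        url = next_link["href"] if next_link else None


def summarize(event: dict) -> str:
    """One audit-trail line: when, which role was removed, by whom, from whom, where."""
    actor = event.get("actor") or {}
    target = event.get("target") or {}
    org = (event.get("organization") or {}).get("guid")
    space = (event.get("space") or {}).get("guid")
    return (f"{event.get('created_at')} {event.get('type')} actor={actor.get('name')} "
            f"target={target.get('name')} org={org} space={space}")


def make_http_fetcher(token: str) -> Fetcher:
    """Real fetcher: `token` is the full `cf oauth-token` output ("bearer ...")."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def _event(guid: str, created_at: str) -> dict:
    """Constructed v3 audit event resource; GUIDs and names are placeholders."""
    return {
        "guid": guid, "created_at": created_at, "type": ROLE_REMOVE_TYPES[0],
        "actor": {"guid": "aaaaaaaa-0000-0000-0000-000000000001", "type": "user", "name": "admin"},
        "target": {"guid": "bbbbbbbb-0000-0000-0000-000000000002", "type": "user", "name": "alice"},
        "organization": {"guid": "cccccccc-0000-0000-0000-000000000003"},
        "space": None,
    }


class FakeCloudController:
    """Offline stand-in for the API: serves two constructed pages and records the URLs hit."""

    def __init__(self, api_url: str, types: List[str], per_page: int):
        first = build_url(api_url, types, per_page)
        second = first + "&page=2"
        self.calls: List[str] = []
        self.pages = {
            first: {"pagination": {"total_results": 3, "next": {"href": second}},
                    "resources": [_event("e1", "2024-01-02T10:00:00Z"),
                                  _event("e2", "2024-01-02T11:00:00Z")]},
            second: {"pagination": {"total_results": 3, "next": None},
                     "resources": [_event("e3", "2024-01-03T09:30:00Z")]},
        }

    def __call__(self, url: str) -> dict:
        self.calls.append(url)
        return self.pages[url]


def collect_removals(api_url: str = API_URL, per_page: int = 2) -> List[str]:
    """Page through the fake API and return one summary line per removal event."""
    fake = FakeCloudController(api_url, ROLE_REMOVE_TYPES, per_page)
    return [summarize(e) for e in iter_audit_events(api_url, fake, ROLE_REMOVE_TYPES, per_page)]


if __name__ == "__main__":
    for line in collect_removals():
        print(line)
```

Against a real foundation, replace the fake with `make_http_fetcher(token)` and pass the other role remove types you need in the types list; the paging loop is unchanged.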
Method 2:
Set log_audit_events: true manually in each Cloud Controller Worker VM's job config. Note that this change is reverted on every Ops Manager Apply Changes.
Here are the steps:
The remove user role event log can then be found on the cloud_controller_worker VMs at /var/vcap/data/sys/log/cloud_controller_worker/cloud_controller_worker.log.