Merge pull request #729 from jmpsec/audit-log-api

Audit logs in `osctrl-api` and `osctrl-cli`

Author: javuto

cmd/admin/handlers/json-audit.go

@@ -5,7 +5,6 @@ import (
 	"net/http"
 
 	"github.com/jmpsec/osctrl/cmd/admin/sessions"
-	"github.com/jmpsec/osctrl/pkg/auditlog"
 	"github.com/jmpsec/osctrl/pkg/environments"
 	"github.com/jmpsec/osctrl/pkg/users"
 	"github.com/jmpsec/osctrl/pkg/utils"
@@ -61,8 +60,8 @@ func (h *HandlersAdmin) JSONAuditLogHandler(w http.ResponseWriter, r *http.Reque
 			Username: logEntry.Username,
 			Line:     logEntry.Line,
 			SourceIP: logEntry.SourceIP,
-			LogType:  auditlog.LogTypeToString(logEntry.LogType),
-			Severity: auditlog.SeverityToString(logEntry.Severity),
+			LogType:  h.AuditLog.LogTypeToString(logEntry.LogType),
+			Severity: h.AuditLog.SeverityToString(logEntry.Severity),
 			Env:      environments.EnvironmentFinderID(logEntry.EnvironmentID, envs, false),
 			When: CreationTimes{
 				Display: utils.PastFutureTimes(logEntry.CreatedAt),

cmd/admin/main.go

@@ -226,8 +226,6 @@ func osctrlAdminService() {
 	if err := loadingSettings(settingsmgr, flagParams.ConfigValues); err != nil {
 		log.Fatal().Msgf("Error loading settings - %v", err)
 	}
-	log.Info().Msg("Loading service metrics")
-
 	// Start SAML Middleware if we are using SAML
 	if flagParams.ConfigValues.Auth == config.AuthSAML {
 		log.Debug().Msg("SAML enabled for authentication")
@@ -248,7 +246,6 @@ func osctrlAdminService() {
 			log.Fatal().Msgf("Can not initialize SAML Middleware %s", err)
 		}
 	}
-
 	// FIXME Redis cache - Ticker to cleanup sessions
 	// FIXME splay this?
 	log.Info().Msg("Initialize cleanup sessions")
@@ -263,7 +260,6 @@ func osctrlAdminService() {
 			time.Sleep(time.Duration(_t) * time.Second)
 		}
 	}()
-
 	// Goroutine to cleanup expired queries and carves
 	log.Info().Msg("Initialize cleanup queries/carves")
 	go func() {
@@ -294,7 +290,6 @@ func osctrlAdminService() {
 			time.Sleep(time.Duration(_t) * time.Second)
 		}
 	}()
-
 	var loggerDBConfig *backend.JSONConfigurationDB
 	// Set the logger configuration file if we have a DB logger
 	if flagParams.ConfigValues.Logger == config.LoggingDB {
@@ -303,13 +298,16 @@ func osctrlAdminService() {
 			loggerDBConfig = &flagParams.DBConfigValues
 		}
 	}
-
 	// Initialize audit log manager
+	if flagParams.AuditLog {
+		log.Info().Msg("Initialize audit log (enabled)")
+	} else {
+		log.Info().Msg("Initialize audit log (disabled)")
+	}
 	auditLog, err = auditlog.CreateAuditLogManager(db.Conn, serviceName, flagParams.AuditLog)
 	if err != nil {
 		log.Fatal().Msgf("Error initializing audit log manager - %v", err)
 	}
-
 	// Initialize Admin handlers before router
 	log.Info().Msg("Initializing handlers")
 	handlersAdmin = handlers.CreateHandlersAdmin(
@@ -339,12 +337,10 @@ func osctrlAdminService() {
 		handlers.WithDBLogger(flagParams.LoggerFile, loggerDBConfig),
 		handlers.WithDebugHTTP(&flagParams.DebugHTTPValues),
 	)
-
 	// ////////////////////////// ADMIN
 	log.Info().Msg("Initializing router")
 	// Create router for admin
 	adminMux := http.NewServeMux()
-
 	// ///////////////////////// UNAUTHENTICATED CONTENT
 	// Admin: login only if local auth is enabled
 	if flagParams.ConfigValues.Auth != config.AuthNone && flagParams.ConfigValues.Auth != config.AuthSAML {

cmd/api/handlers/audit.go

@@ -0,0 +1,36 @@
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/jmpsec/osctrl/pkg/auditlog"
+	"github.com/jmpsec/osctrl/pkg/users"
+	"github.com/jmpsec/osctrl/pkg/utils"
+	"github.com/rs/zerolog/log"
+)
+
+// AuditLogsHandler - GET Handler for all audit logs
+func (h *HandlersApi) AuditLogsHandler(w http.ResponseWriter, r *http.Request) {
+	// Debug HTTP if enabled
+	if h.DebugHTTPConfig.Enabled {
+		utils.DebugHTTPDump(h.DebugHTTP, r, h.DebugHTTPConfig.ShowBody)
+	}
+	// Get context data and check access
+	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
+	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, users.NoEnvironment) {
+		apiErrorResponse(w, "no access", http.StatusForbidden, fmt.Errorf("attempt to use API by user %s", ctx[ctxUser]))
+		return
+	}
+	// Get audit logs
+	auditLogs, err := h.AuditLog.GetAll()
+	if err != nil {
+		log.Err(err).Msg("error getting audit logs")
+		return
+	}
+	// Serialize and serve JSON
+	log.Debug().Msgf("Returned %d audit log entries", len(auditLogs))
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], auditlog.NoEnvironment)
+	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, auditLogs)
+}

cmd/api/handlers/carves.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/jmpsec/osctrl/pkg/carves"
@@ -58,6 +59,7 @@ func (h *HandlersApi) CarveShowHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	// Serialize and serve JSON
 	log.Debug().Msgf("Returned carve %s", name)
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, carve)
 }
 
@@ -108,6 +110,7 @@ func (h *HandlersApi) CarveQueriesHandler(w http.ResponseWriter, r *http.Request
 	}
 	// Serialize and serve JSON
 	log.Debug().Msgf("Returned %d carves", len(carves))
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, carves)
 }
 
@@ -147,6 +150,7 @@ func (h *HandlersApi) CarveListHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	// Serialize and serve JSON
 	log.Debug().Msgf("Returned %d carves", len(carves))
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, carves)
 }
 
@@ -239,6 +243,7 @@ func (h *HandlersApi) CarvesRunHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	// Return query name as serialized response
 	log.Debug().Msgf("Created query %s", newQuery.Name)
+	h.AuditLog.NewCarve(ctx[ctxUser], newQuery.Path, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiQueriesResponse{Name: newQuery.Name})
 }
 
@@ -306,5 +311,6 @@ func (h *HandlersApi) CarvesActionHandler(w http.ResponseWriter, r *http.Request
 	}
 	// Return message as serialized response
 	log.Debug().Msgf("%s", msgReturn)
+	h.AuditLog.CarveAction(ctx[ctxUser], actionVar+" carve "+nameVar, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiGenericResponse{Message: msgReturn})
 }

cmd/api/handlers/environments.go

@@ -4,7 +4,9 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 
+	"github.com/jmpsec/osctrl/pkg/auditlog"
 	"github.com/jmpsec/osctrl/pkg/environments"
 	"github.com/jmpsec/osctrl/pkg/settings"
 	"github.com/jmpsec/osctrl/pkg/types"
@@ -52,6 +54,7 @@ func (h *HandlersApi) EnvironmentHandler(w http.ResponseWriter, r *http.Request)
 	}
 	// Serialize and serve JSON
 	log.Debug().Msgf("Returned environment %s", env.Name)
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, env)
 }
 
@@ -95,6 +98,7 @@ func (h *HandlersApi) EnvironmentMapHandler(w http.ResponseWriter, r *http.Reque
 	}
 	// Serialize and serve JSON
 	log.Debug().Msg("Returned environments map")
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], auditlog.NoEnvironment)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, envMap)
 }
 
@@ -118,6 +122,7 @@ func (h *HandlersApi) EnvironmentsHandler(w http.ResponseWriter, r *http.Request
 	}
 	// Serialize and serve JSON
 	log.Debug().Msg("Returned environments")
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], auditlog.NoEnvironment)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, envAll)
 }
 
@@ -181,6 +186,7 @@ func (h *HandlersApi) EnvEnrollHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	// Serialize and serve JSON
 	log.Debug().Msgf("Returned data for environment%s : %s", env.Name, returnData)
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiDataResponse{Data: returnData})
 }
 
@@ -238,6 +244,7 @@ func (h *HandlersApi) EnvRemoveHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	// Serialize and serve JSON
 	log.Debug().Msgf("Returned data for environment %s : %s", env.Name, returnData)
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiDataResponse{Data: returnData})
 }
 
@@ -337,6 +344,7 @@ func (h *HandlersApi) EnvEnrollActionsHandler(w http.ResponseWriter, r *http.Req
 	}
 	// Return query name as serialized response
 	log.Debug().Msgf("Returned data for environment %s : %s", env.Name, msgReturn)
+	h.AuditLog.EnvAction(ctx[ctxUser], actionVar+" enrollment for environment "+env.Name, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiGenericResponse{Message: msgReturn})
 }
 
@@ -411,5 +419,6 @@ func (h *HandlersApi) EnvRemoveActionsHandler(w http.ResponseWriter, r *http.Req
 	}
 	// Return query name as serialized response
 	log.Debug().Msgf("Returned data for environment %s : %s", env.Name, msgReturn)
+	h.AuditLog.EnvAction(ctx[ctxUser], actionVar+" removal for environment "+env.Name, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiGenericResponse{Message: msgReturn})
 }

cmd/api/handlers/handlers.go

@@ -1,6 +1,7 @@
 package handlers
 
 import (
+	"github.com/jmpsec/osctrl/pkg/auditlog"
 	"github.com/jmpsec/osctrl/pkg/cache"
 	"github.com/jmpsec/osctrl/pkg/carves"
 	"github.com/jmpsec/osctrl/pkg/config"
@@ -31,6 +32,7 @@ type HandlersApi struct {
 	RedisCache      *cache.RedisManager
 	ServiceVersion  string
 	ServiceName     string
+	AuditLog        *auditlog.AuditLogManager
 	ApiConfig       *config.JSONConfigurationService
 	DebugHTTP       *zerolog.Logger
 	DebugHTTPConfig *config.DebugHTTPConfiguration
@@ -104,6 +106,12 @@ func WithName(name string) HandlersOption {
 	}
 }
 
+func WithAuditLog(auditLog *auditlog.AuditLogManager) HandlersOption {
+	return func(h *HandlersApi) {
+		h.AuditLog = auditLog
+	}
+}
+
 func WithDebugHTTP(cfg *config.DebugHTTPConfiguration) HandlersOption {
 	return func(h *HandlersApi) {
 		h.DebugHTTPConfig = cfg

cmd/api/handlers/login.go

@@ -8,7 +8,6 @@ import (
 	"github.com/jmpsec/osctrl/pkg/types"
 	"github.com/jmpsec/osctrl/pkg/users"
 	"github.com/jmpsec/osctrl/pkg/utils"
-	"github.com/rs/zerolog/log"
 )
 
 // LoginHandler - POST Handler for API login request
@@ -59,7 +58,7 @@ func (h *HandlersApi) LoginHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		user.APIToken = token
 	}
+	h.AuditLog.NewLogin(l.Username, r.RemoteAddr)
 	// Serialize and serve JSON
-	log.Debug().Msgf("Returning token for %s", user.Username)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiLoginResponse{Token: user.APIToken})
 }

cmd/api/handlers/nodes.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/jmpsec/osctrl/pkg/nodes"
 	"github.com/jmpsec/osctrl/pkg/types"
@@ -53,8 +54,9 @@ func (h *HandlersApi) NodeHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		return
 	}
-	// Serialize and serve JSON
 	log.Debug().Msgf("Returned node %s", nodeVar)
+	h.AuditLog.NodeAction(ctx[ctxUser], "viewed node "+nodeVar, strings.Split(r.RemoteAddr, ":")[0], env.ID)
+	// Serialize and serve JSON
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, node)
 }
 
@@ -93,7 +95,8 @@ func (h *HandlersApi) ActiveNodesHandler(w http.ResponseWriter, r *http.Request)
 		return
 	}
 	// Serialize and serve JSON
-	log.Debug().Msg("Returned nodes")
+	log.Debug().Msg("Returned active nodes")
+	h.AuditLog.NodeAction(ctx[ctxUser], "viewed active nodes", strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, nodes)
 }
 
@@ -132,7 +135,8 @@ func (h *HandlersApi) InactiveNodesHandler(w http.ResponseWriter, r *http.Reques
 		return
 	}
 	// Serialize and serve JSON
-	log.Debug().Msg("Returned nodes")
+	log.Debug().Msg("Returned inactive nodes")
+	h.AuditLog.NodeAction(ctx[ctxUser], "viewed inactive nodes", strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, nodes)
 }
 
@@ -171,7 +175,8 @@ func (h *HandlersApi) AllNodesHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// Serialize and serve JSON
-	log.Debug().Msg("Returned nodes")
+	log.Debug().Msg("Returned all nodes")
+	h.AuditLog.NodeAction(ctx[ctxUser], "viewed all nodes", strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, nodes)
 }
 
@@ -213,8 +218,9 @@ func (h *HandlersApi) DeleteNodeHandler(w http.ResponseWriter, r *http.Request)
 		}
 		return
 	}
+	log.Debug().Msgf("Deleted node %s", n.UUID)
+	h.AuditLog.NodeAction(ctx[ctxUser], "deleted node "+n.UUID, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	// Serialize and serve JSON
-	log.Debug().Msgf("Returned node %s", n.UUID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiGenericResponse{Message: "node deleted"})
 }
 
@@ -262,8 +268,9 @@ func (h *HandlersApi) TagNodeHandler(w http.ResponseWriter, r *http.Request) {
 		apiErrorResponse(w, "error tagging node", http.StatusInternalServerError, err)
 		return
 	}
-	// Serialize and serve JSON
 	log.Debug().Msgf("Tagged node %s with %s", n.UUID, t.Tag)
+	h.AuditLog.NodeAction(ctx[ctxUser], "tagged node "+n.UUID+" with "+t.Tag, strings.Split(r.RemoteAddr, ":")[0], env.ID)
+	// Serialize and serve JSON
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiGenericResponse{Message: "node tagged"})
 }
 
@@ -298,6 +305,8 @@ func (h *HandlersApi) LookupNodeHandler(w http.ResponseWriter, r *http.Request)
 		}
 		return
 	}
+	log.Debug().Msgf("Looked up node %s", l.Identifier)
+	h.AuditLog.NodeAction(ctx[ctxUser], "looked up node "+l.Identifier, strings.Split(r.RemoteAddr, ":")[0], n.ID)
 	// Serialize and serve JSON
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, n)
 }

cmd/api/handlers/platforms.go

@@ -3,7 +3,9 @@ package handlers
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
+	"github.com/jmpsec/osctrl/pkg/auditlog"
 	"github.com/jmpsec/osctrl/pkg/users"
 	"github.com/jmpsec/osctrl/pkg/utils"
 	"github.com/rs/zerolog/log"
@@ -29,6 +31,7 @@ func (h *HandlersApi) PlatformsHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	// Serialize and serve JSON
 	log.Debug().Msg("Returned platforms")
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], auditlog.NoEnvironment)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, platforms)
 }
 
@@ -68,5 +71,6 @@ func (h *HandlersApi) PlatformsEnvHandler(w http.ResponseWriter, r *http.Request
 	}
 	// Serialize and serve JSON
 	log.Debug().Msg("Returned platforms")
+	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], env.ID)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, platforms)
 }