WIP

elastic · Oct 26, 2021 · 9698215 · 9698215
1 parent c50511f
commit 9698215
Show file tree

Hide file tree

Showing 49 changed files with 618 additions and 2,112 deletions.
diff --git a/docs/settings/security-settings.asciidoc b/docs/settings/security-settings.asciidoc
@@ -324,7 +324,7 @@ For more details and a reference of audit events, refer to <<xpack-security-audi
 [cols="2*<"]
 |======
 | `xpack.security.audit.enabled` {ess-icon}
-| Set to `true` _and_ configure an appender with `xpack.security.audit.appender` to enable ECS audit logging`. *Default:* `false`
+| Set to `true` _and_ configure an appender with `xpack.security.audit.appender` to enable audit logging`. *Default:* `false`
 
 2+a| For example:
 [source,yaml]
@@ -356,18 +356,8 @@ xpack.security.audit.appender.type: rolling-file
 ----------------------------------------
 ============
 
-[NOTE]
-============
-deprecated:[7.15.0,"In 8.0 and later, the legacy audit logger will be removed, and this setting will enable the ECS audit logger with a default appender."] To enable the legacy audit logger only specify:
-
-[source,yaml]
-----------------------------------------
-xpack.security.audit.enabled: true
-----------------------------------------
-============
-
 | `xpack.security.audit.appender` {ess-icon}
-| Optional. Specifies where audit logs should be written to and how they should be formatted.
+| Required. Specifies where audit logs should be written to and how they should be formatted.
 
 | `xpack.security.audit.appender.type` {ess-icon}
 | Required. Specifies where audit logs should be written to. Allowed values are `console`, `file`, or `rolling-file`. 

diff --git a/docs/user/security/audit-logging.asciidoc b/docs/user/security/audit-logging.asciidoc
@@ -12,43 +12,22 @@ model for authentication, data index authorization, and features that are driven
 by cluster-wide privileges. For more information on enabling audit logging in
 {es}, refer to {ref}/auditing.html[Auditing security events].
 
-[IMPORTANT]
-============================================================================
-Kibana offers two audit logs: a **deprecated** legacy audit logger, and a new
-ECS-compliant audit logger. We strongly advise using the <<xpack-security-ecs-audit-logging, ECS audit logger>>,
-as the legacy audit logger will be removed in an upcoming version.
-============================================================================
-
 [NOTE]
 ============================================================================
 Audit logs are **disabled** by default. To enable this functionality, you must
 set `xpack.security.audit.enabled` to `true` in `kibana.yml`, and configure
 an <<audit-logging-settings, appender>> to write the audit log to a location of your choosing.
 ============================================================================
 
-The legacy audit logger uses the standard {kib} logging output,
-which can be configured in `kibana.yml`. For more information, refer to <<settings>>.
-The <<xpack-security-ecs-audit-logging, ECS audit logger>> uses a separate logger and can be configured using
+The <<xpack-security-ecs-audit-logging, audit logger>> uses a separate logger and can be configured using
 the options in <<audit-logging-settings>>. 
 
-==== Legacy audit event types
-
-When you are auditing security events, each request can generate multiple audit
-events. The following is a list of the events that can be generated:
-
-|======
-| `saved_objects_authorization_success`    | Logged when a user is authorized to access a saved
-                                             objects when using a role with <<kibana-privileges>>
-| `saved_objects_authorization_failure`    | Logged when a user isn't authorized to access a saved
-                                             objects when using a role with <<kibana-privileges>>
-|======
-
 [[xpack-security-ecs-audit-logging]]
-==== ECS audit events
+==== Audit events
 
 [IMPORTANT]
 ============================================================================
-The following events are only logged if the ECS audit logger is enabled.
+The following events are only logged if the audit logger is enabled.
 For information on how to configure `xpack.security.audit.appender`, refer to
 <<audit-logging-settings>>.
 ============================================================================
@@ -255,7 +234,7 @@ Refer to the corresponding {es} logs for potential write errors.
 
 
 [[xpack-security-ecs-audit-schema]]
-==== ECS audit schema
+==== Audit schema
 
 Audit logs are written in JSON using https://www.elastic.co/guide/en/ecs/1.6/index.html[Elastic Common Schema (ECS)] specification.
 

diff --git a/x-pack/plugins/actions/server/authorization/audit_logger.test.ts b/x-pack/plugins/actions/server/authorization/audit_logger.test.ts
@@ -5,73 +5,70 @@
  * 2.0.
  */
 
-import { ActionsAuthorizationAuditLogger } from './audit_logger';
+// import { ActionsAuthorizationAuditLogger } from './audit_logger';
 
-const createMockAuditLogger = () => {
-  return {
-    log: jest.fn(),
-  };
-};
+// const createMockAuditLogger = () => {
+//   return {
+//     log: jest.fn(),
+//   };
+// };
 
 describe(`#constructor`, () => {
-  test('initializes a noop auditLogger if security logger is unavailable', () => {
-    const actionsAuditLogger = new ActionsAuthorizationAuditLogger(undefined);
-
-    const username = 'foo-user';
-    const actionTypeId = 'action-type-id';
-    const operation = 'create';
-    expect(() => {
-      actionsAuditLogger.actionsAuthorizationFailure(username, operation, actionTypeId);
-      actionsAuditLogger.actionsAuthorizationSuccess(username, operation, actionTypeId);
-    }).not.toThrow();
-  });
+  // TODO: Update to use ECS audit logger?
+  // test('initializes a noop auditLogger if security logger is unavailable', () => {
+  //   const actionsAuditLogger = new ActionsAuthorizationAuditLogger(undefined);
+  //   const username = 'foo-user';
+  //   const actionTypeId = 'action-type-id';
+  //   const operation = 'create';
+  //   expect(() => {
+  //     actionsAuditLogger.actionsAuthorizationFailure(username, operation, actionTypeId);
+  //     actionsAuditLogger.actionsAuthorizationSuccess(username, operation, actionTypeId);
+  //   }).not.toThrow();
+  // });
 });
 
 describe(`#actionsAuthorizationFailure`, () => {
-  test('logs auth failure', () => {
-    const auditLogger = createMockAuditLogger();
-    const actionsAuditLogger = new ActionsAuthorizationAuditLogger(auditLogger);
-    const username = 'foo-user';
-    const actionTypeId = 'action-type-id';
-    const operation = 'create';
-
-    actionsAuditLogger.actionsAuthorizationFailure(username, operation, actionTypeId);
-
-    expect(auditLogger.log.mock.calls[0]).toMatchInlineSnapshot(`
-      Array [
-        "actions_authorization_failure",
-        "foo-user Unauthorized to create a \\"action-type-id\\" action",
-        Object {
-          "actionTypeId": "action-type-id",
-          "operation": "create",
-          "username": "foo-user",
-        },
-      ]
-    `);
-  });
+  // TODO: Update to use ECS audit logger?
+  // test('logs auth failure', () => {
+  //   const auditLogger = createMockAuditLogger();
+  //   const actionsAuditLogger = new ActionsAuthorizationAuditLogger(auditLogger);
+  //   const username = 'foo-user';
+  //   const actionTypeId = 'action-type-id';
+  //   const operation = 'create';
+  //   actionsAuditLogger.actionsAuthorizationFailure(username, operation, actionTypeId);
+  //   expect(auditLogger.log.mock.calls[0]).toMatchInlineSnapshot(`
+  //     Array [
+  //       "actions_authorization_failure",
+  //       "foo-user Unauthorized to create a \\"action-type-id\\" action",
+  //       Object {
+  //         "actionTypeId": "action-type-id",
+  //         "operation": "create",
+  //         "username": "foo-user",
+  //       },
+  //     ]
+  //   `);
+  // });
 });
 
 describe(`#savedObjectsAuthorizationSuccess`, () => {
-  test('logs auth success', () => {
-    const auditLogger = createMockAuditLogger();
-    const actionsAuditLogger = new ActionsAuthorizationAuditLogger(auditLogger);
-    const username = 'foo-user';
-    const actionTypeId = 'action-type-id';
-
-    const operation = 'create';
-
-    actionsAuditLogger.actionsAuthorizationSuccess(username, operation, actionTypeId);
-
-    expect(auditLogger.log.mock.calls[0]).toMatchInlineSnapshot(`
-      Array [
-        "actions_authorization_success",
-        "foo-user Authorized to create a \\"action-type-id\\" action",
-        Object {
-          "actionTypeId": "action-type-id",
-          "operation": "create",
-          "username": "foo-user",
-        },
-      ]
-    `);
-  });
+  // TODO: Update to use ECS audit logger?
+  // test('logs auth success', () => {
+  //   const auditLogger = createMockAuditLogger();
+  //   const actionsAuditLogger = new ActionsAuthorizationAuditLogger(auditLogger);
+  //   const username = 'foo-user';
+  //   const actionTypeId = 'action-type-id';
+  //   const operation = 'create';
+  //   actionsAuditLogger.actionsAuthorizationSuccess(username, operation, actionTypeId);
+  //   expect(auditLogger.log.mock.calls[0]).toMatchInlineSnapshot(`
+  //     Array [
+  //       "actions_authorization_success",
+  //       "foo-user Authorized to create a \\"action-type-id\\" action",
+  //       Object {
+  //         "actionTypeId": "action-type-id",
+  //         "operation": "create",
+  //         "username": "foo-user",
+  //       },
+  //     ]
+  //   `);
+  // });
 });
diff --git a/x-pack/plugins/actions/server/authorization/audit_logger.ts b/x-pack/plugins/actions/server/authorization/audit_logger.ts
@@ -5,19 +5,19 @@
  * 2.0.
  */
 
-import { LegacyAuditLogger } from '../../../security/server';
+// import { LegacyAuditLogger } from '../../../security/server';
 
 export enum AuthorizationResult {
   Unauthorized = 'Unauthorized',
   Authorized = 'Authorized',
 }
 
 export class ActionsAuthorizationAuditLogger {
-  private readonly auditLogger: LegacyAuditLogger;
+  // private readonly auditLogger: LegacyAuditLogger;
 
-  constructor(auditLogger: LegacyAuditLogger = { log() {} }) {
-    this.auditLogger = auditLogger;
-  }
+  // constructor(auditLogger: LegacyAuditLogger = { log() {} }) {
+  //   this.auditLogger = auditLogger;
+  // }
 
   public getAuthorizationMessage(
     authorizationResult: AuthorizationResult,
@@ -39,11 +39,12 @@ export class ActionsAuthorizationAuditLogger {
       operation,
       actionTypeId
     );
-    this.auditLogger.log('actions_authorization_failure', `${username} ${message}`, {
-      username,
-      actionTypeId,
-      operation,
-    });
+    // TODO: Update to use ECS audit logger?
+    // this.auditLogger.log('actions_authorization_failure', `${username} ${message}`, {
+    //   username,
+    //   actionTypeId,
+    //   operation,
+    // });
     return message;
   }
 
@@ -57,11 +58,12 @@ export class ActionsAuthorizationAuditLogger {
       operation,
       actionTypeId
     );
-    this.auditLogger.log('actions_authorization_success', `${username} ${message}`, {
-      username,
-      actionTypeId,
-      operation,
-    });
+    // TODO: Update to use ECS audit logger?
+    // this.auditLogger.log('actions_authorization_success', `${username} ${message}`, {
+    //   username,
+    //   actionTypeId,
+    //   operation,
+    // });
     return message;
   }
 }
diff --git a/x-pack/plugins/actions/server/plugin.ts b/x-pack/plugins/actions/server/plugin.ts
@@ -479,9 +479,11 @@ export class ActionsPlugin implements Plugin<PluginSetupContract, PluginStartCon
       authorizationMode,
       authorization: this.security?.authz,
       authentication: this.security?.authc,
-      auditLogger: new ActionsAuthorizationAuditLogger(
-        this.security?.audit.getLogger(ACTIONS_FEATURE.id)
-      ),
+      auditLogger: new ActionsAuthorizationAuditLogger(),
+      // TODO: Update to use ECS audit logger?
+      // auditLogger: new ActionsAuthorizationAuditLogger(
+      //   this.security?.audit.getLogger(ACTIONS_FEATURE.id)
+      // ),
     });
   };
 

diff --git a/x-pack/plugins/alerting/server/alerting_authorization_client_factory.test.ts b/x-pack/plugins/alerting/server/alerting_authorization_client_factory.test.ts
@@ -10,7 +10,7 @@ import { ruleTypeRegistryMock } from './rule_type_registry.mock';
 import { KibanaRequest } from '../../../../src/core/server';
 import { savedObjectsClientMock } from '../../../../src/core/server/mocks';
 import { securityMock } from '../../security/server/mocks';
-import { ALERTS_FEATURE_ID } from '../common';
+// import { ALERTS_FEATURE_ID } from '../common';
 import {
   AlertingAuthorizationClientFactory,
   AlertingAuthorizationClientFactoryOpts,
@@ -79,7 +79,8 @@ test('creates an alerting authorization client with proper constructor arguments
   });
 
   expect(AlertingAuthorizationAuditLogger).toHaveBeenCalled();
-  expect(securityPluginSetup.audit.getLogger).toHaveBeenCalledWith(ALERTS_FEATURE_ID);
+  // TODO: Update to use ECS audit logger?
+  // expect(securityPluginSetup.audit.getLogger).toHaveBeenCalledWith(ALERTS_FEATURE_ID);
 });
 
 test('creates an alerting authorization client with proper constructor arguments', async () => {
@@ -101,5 +102,6 @@ test('creates an alerting authorization client with proper constructor arguments
   });
 
   expect(AlertingAuthorizationAuditLogger).toHaveBeenCalled();
-  expect(securityPluginSetup.audit.getLogger).not.toHaveBeenCalled();
+  // TODO: Update to use ECS audit logger?
+  // expect(securityPluginSetup.audit.getLogger).not.toHaveBeenCalled();
 });
diff --git a/x-pack/plugins/alerting/server/alerting_authorization_client_factory.ts b/x-pack/plugins/alerting/server/alerting_authorization_client_factory.ts
@@ -6,7 +6,7 @@
  */
 
 import { KibanaRequest } from 'src/core/server';
-import { ALERTS_FEATURE_ID } from '../common';
+// import { ALERTS_FEATURE_ID } from '../common';
 import { RuleTypeRegistry } from './types';
 import { SecurityPluginSetup, SecurityPluginStart } from '../../security/server';
 import { PluginStartContract as FeaturesPluginStart } from '../../features/server';
@@ -27,7 +27,7 @@ export class AlertingAuthorizationClientFactory {
   private isInitialized = false;
   private ruleTypeRegistry!: RuleTypeRegistry;
   private securityPluginStart?: SecurityPluginStart;
-  private securityPluginSetup?: SecurityPluginSetup;
+  // private securityPluginSetup?: SecurityPluginSetup;
   private features!: FeaturesPluginStart;
   private getSpace!: (request: KibanaRequest) => Promise<Space | undefined>;
   private getSpaceId!: (request: KibanaRequest) => string | undefined;
@@ -39,24 +39,27 @@ export class AlertingAuthorizationClientFactory {
     this.isInitialized = true;
     this.getSpace = options.getSpace;
     this.ruleTypeRegistry = options.ruleTypeRegistry;
-    this.securityPluginSetup = options.securityPluginSetup;
+    // this.securityPluginSetup = options.securityPluginSetup;
     this.securityPluginStart = options.securityPluginStart;
     this.features = options.features;
     this.getSpaceId = options.getSpaceId;
   }
 
   public create(request: KibanaRequest): AlertingAuthorization {
-    const { securityPluginSetup, securityPluginStart, features } = this;
+    // const { securityPluginSetup, securityPluginStart, features } = this;
+    const { securityPluginStart, features } = this;
     return new AlertingAuthorization({
       authorization: securityPluginStart?.authz,
       request,
       getSpace: this.getSpace,
       getSpaceId: this.getSpaceId,
       ruleTypeRegistry: this.ruleTypeRegistry,
       features: features!,
-      auditLogger: new AlertingAuthorizationAuditLogger(
-        securityPluginSetup?.audit.getLogger(ALERTS_FEATURE_ID)
-      ),
+      auditLogger: new AlertingAuthorizationAuditLogger(),
+      // TODO: Update to use ECS audit logger?
+      // auditLogger: new AlertingAuthorizationAuditLogger(
+      //   securityPluginSetup?.audit.getLogger(ALERTS_FEATURE_ID)
+      // ),
     });
   }
 }