From 0864994bcbe34c40d0e16fbbefefa81ba72bbc61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joan=20L=C3=B3pez=20de=20la=20Franca=20Beltran?= <5459617+joanlopez@users.noreply.github.com> Date: Mon, 31 Oct 2022 14:53:46 +0100 Subject: [PATCH] Docs: Update Auditing docs (#57867) * Docs: Update Auditing docs * Update docs/sources/setup-grafana/configure-grafana/enterprise-configuration/index.md Co-authored-by: Ieva --- .../enterprise-configuration/index.md | 6 +- .../configure-security/audit-grafana.md | 93 ++++++++++++++++--- 2 files changed, 85 insertions(+), 14 deletions(-) diff --git a/docs/sources/setup-grafana/configure-grafana/enterprise-configuration/index.md b/docs/sources/setup-grafana/configure-grafana/enterprise-configuration/index.md index edc5f11c5f0..71b8e2fc5d5 100644 --- a/docs/sources/setup-grafana/configure-grafana/enterprise-configuration/index.md +++ b/docs/sources/setup-grafana/configure-grafana/enterprise-configuration/index.md @@ -179,12 +179,16 @@ Keep dashboard content in the logs (request or response fields). This can signif ### verbose -Log all GET requests and always include request body for generic POST/PUT/PATCH requests. +Log all requests and keep requests and responses body. This can significantly increase the size of your logs. ### log_all_status_codes Set to false to only log requests with 2xx, 3xx, 401, 403, 500 responses. +### max_response_size_bytes + +Maximum response body (in bytes) to be recorded. May help reducing the memory footprint caused by auditing. + ## [auditing.logs.file] ### path diff --git a/docs/sources/setup-grafana/configure-security/audit-grafana.md b/docs/sources/setup-grafana/configure-security/audit-grafana.md index 816d78495c5..80e69fb384f 100644 --- a/docs/sources/setup-grafana/configure-security/audit-grafana.md +++ b/docs/sources/setup-grafana/configure-security/audit-grafana.md 
@@ -68,6 +68,7 @@ The `additionalData` field can contain the following information: | `extUserInfo` | `login` | User information provided by the external system that was used to log in. | | `authTokenCount` | `login` | Number of active authentication tokens for the user that logged in. | | `terminationReason` | `logout` | The reason why the user logged out, such as a manual logout or a token expiring. | +| `billing_role` | `billing-information` | The billing role associated with the billing information being sent. | ### Recorded actions @@ -118,6 +119,10 @@ For example, creating an API key produces an audit log like this: Some actions can only be distinguished by their `requestUri` fields. For those actions, the relevant pattern of the `requestUri` field is given. +Note that almost all these recorded actions are actions that correspond to API requests or UI actions that +trigger an API request. Therefore, the action `{"action": "email", "resources": [{"type": "report"}]}` corresponds +to the action when the user requests a report's preview to be sent through email, and not the scheduled ones. + #### Sessions | Action | Distinguishing fields | 
@@ -133,6 +138,46 @@ pattern of the `requestUri` field is given. `ldap`, etc. \ \*\* Includes manual log out, token expired/revoked, and [SAML Single Logout]({{< relref "configure-authentication/saml/#single-logout" >}}). +#### Service accounts + +| Action | Distinguishing fields | +| ---------------------------- | ----------------------------------------------------------------------------------------------------- | +| Create service account | `{"action": "create", "resources": [{"type": "service-account"}]}` | +| Update service account | `{"action": "update", "resources": [{"type": "service-account"}]}` | +| Delete service account | `{"action": "delete", "resources": [{"type": "service-account"}]}` | +| Create service account token | `{"action": "create", "resources": [{"type": "service-account"}, {"type": "service-account-token"}]}` | +| Delete service account token | `{"action": "delete", "resources": [{"type": "service-account"}, {"type": "service-account-token"}]}` | +| Hide API keys | `{"action": "hide-api-keys"}` | +| Migrate API keys | `{"action": "migrate-api-keys"}` | +| Migrate API key | `{"action": "migrate-api-keys"}, "resources": [{"type": "api-key"}]}` | + +#### Access control + +| Action | Distinguishing fields | +| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | +| Create role | `{"action": "create", "resources": [{"type": "role"}]}` | +| Update role | `{"action": "update", "resources": [{"type": "role"}]}` | +| Delete role | `{"action": "delete", "resources": [{"type": "role"}]}` | +| Assign built-in role | `{"action": "assign-builtin-role", "resources": [{"type": "role"}, {"type": "builtin-role"}]}` | +| Remove built-in role | `{"action": "remove-builtin-role", "resources": [{"type": "role"}, {"type": "builtin-role"}]}` | +| Grant team role | `{"action": "grant-team-role", "resources": [{"type": "team"}]}` | +| Set team roles 
| `{"action": "set-team-roles", "resources": [{"type": "team"}]}` | +| Revoke team role | `{"action": "revoke-team-role", "resources": [{"type": "role"}, {"type": "team"}]}` | +| Grant user role | `{"action": "grant-user-role", "resources": [{"type": "role"}, {"type": "user"}]}` | +| Set user roles | `{"action": "set-user-roles", "resources": [{"type": "user"}]}` | +| Revoke user role | `{"action": "revoke-user-role", "resources": [{"type": "role"}, {"type": "user"}]}` | +| Set user permissions on folder | `{"action": "set-user-permissions-on-folder", "resources": [{"type": "folder"}, {"type": "user"}]}` | +| Set team permissions on folder | `{"action": "set-team-permissions-on-folder", "resources": [{"type": "folder"}, {"type": "team"}]}` | +| Set basic role permissions on folder | `{"action": "set-basic-role-permissions-on-folder", "resources": [{"type": "folder"}, {"type": "builtin-role"}]}` | +| Set user permissions on dashboard | `{"action": "set-user-permissions-on-dashboards", "resources": [{"type": "dashboard"}, {"type": "user"}]}` | +| Set team permissions on dashboard | `{"action": "set-team-permissions-on-dashboards", "resources": [{"type": "dashboard"}, {"type": "team"}]}` | +| Set basic role permissions on dashboard | `{"action": "set-basic-role-permissions-on-dashboards", "resources": [{"type": "dashboard"}, {"type": "builtin-role"}]}` | +| Set user permissions on team | `{"action": "set-user-permissions-on-teams", "resources": [{"type": "teams"}, {"type": "user"}]}` | +| Set user permissions on service account | `{"action": "set-user-permissions-on-service-accounts", "resources": [{"type": "service-account"}, {"type": "user"}]}` | +| Set user permissions on datasource | `{"action": "set-user-permissions-on-data-sources", "resources": [{"type": "datasource"}, {"type": "user"}]}` | +| Set team permissions on datasource | `{"action": "set-team-permissions-on-data-sources", "resources": [{"type": "datasource"}, {"type": "team"}]}` | +| Set basic role 
permissions on datasource | `{"action": "set-basic-role-permissions-on-data-sources", "resources": [{"type": "datasource"}, {"type": "builtin-role"}]}` | + #### User management | Action | Distinguishing fields | @@ -275,15 +320,18 @@ The following legacy alerting actions are still supported: | Delete playlist | `{"action": "delete", "resources": [{"type": "playlist"}]}` | | Create a snapshot | `{"action": "create", "resources": [{"type": "dashboard"}, {"type": "snapshot"}]}` | | Delete a snapshot | `{"action": "delete", "resources": [{"type": "snapshot"}]}` | +| Delete a snapshot by delete key | `{"action": "delete", "resources": [{"type": "snapshot"}]}` | #### Provisioning -| Action | Distinguishing fields | -| -------------------------------- | ------------------------------------------ | -| Reload provisioned dashboards | `{"action": "provisioning-dashboards"}` | -| Reload provisioned datasources | `{"action": "provisioning-datasources"}` | -| Reload provisioned plugins | `{"action": "provisioning-plugins"}` | -| Reload provisioned notifications | `{"action": "provisioning-notifications"}` | +| Action | Distinguishing fields | +| --------------------------------- | ------------------------------------------ | +| Reload provisioned dashboards | `{"action": "provisioning-dashboards"}` | +| Reload provisioned datasources | `{"action": "provisioning-datasources"}` | +| Reload provisioned plugins | `{"action": "provisioning-plugins"}` | +| Reload provisioned notifications | `{"action": "provisioning-notifications"}` | +| Reload provisioned alerts | `{"action": "provisioning-alerts"}` | +| Reload provisioned access control | `{"action": "provisioning-accesscontrol"}` | #### Plugins management 
@@ -294,9 +342,25 @@ The following legacy alerting actions are still supported: #### Miscellaneous -| Action | Distinguishing fields | -| ------------------- | ------------------------------------------------------------ | -| Set licensing token | `{"action": "create", "requestUri": "/api/licensing/token"}` | +| Action | Distinguishing fields | +| ------------------------ | ------------------------------------------------------------ | +| Set licensing token | `{"action": "create", "requestUri": "/api/licensing/token"}` | +| Save billing information | `{"action": "billing-information"}` | + +#### Generic actions + +In addition to the actions listed above, any HTTP request (`POST`, `PATCH`, `PUT`, and `DELETE`) +against the API is recorded with one of the following generic actions. + +Furthermore, you can also record `GET` requests. See below how to configure it. + +| Action | Distinguishing fields | +| -------------- | ------------------------------ | +| POST request | `{"action": "action"}` | +| PATCH request | `{"action": "partial-update"}` | +| PUT request | `{"action": "update"}` | +| DELETE request | `{"action": "delete"}` | +| GET request | `{"action": "retrieve"}` | ## Configuration 
@@ -317,11 +381,14 @@ enabled = false loggers = file # Keep dashboard content in the logs (request or response fields); this can significantly increase the size of your logs. log_dashboard_content = false -# Log all GET requests and always include request body for generic POST/PUT/PATCH requests. +# Keep requests and responses body; this can significantly increase the size of your logs. verbose = false -# By default Grafana logs requests even if the status code indicates that no changes to the system were made. -# Set to false to only log requests with 2xx, 3xx, 401, 403, 500 responses. -log_all_status_codes = true +# Write an audit log for every status code. +# By default it only logs the following ones: 2XX, 3XX, 401, 403 and 500. +log_all_status_codes = false +# Maximum response body (in bytes) to be audited; 500KiB by default. +# May help reducing the memory footprint caused by auditing. +max_response_size_bytes = 512000 ``` Each exporter has its own configuration fields.
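Review bot: In the enterprise-configuration/index.md hunk, the new `verbose` text ("Log all requests and keep requests and responses body") does not match the comment this same patch puts in the audit-grafana.md sample config ("Keep requests and responses body"), so a reader cannot tell whether `verbose` widens which requests are logged or only adds bodies. Use one wording in both files. The new `max_response_size_bytes` entry should also state its default (the sample config gives 512000) and say what happens to a response larger than the limit; "May help reducing" should read "May help reduce".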
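Review bot: In the `additionalData` table hunk (@@ -68), the new `billing_role` row is the only snake_case field name next to `extUserInfo`, `authTokenCount` and `terminationReason`. Confirm this is the literal key emitted in the log; if it is, a short remark on the differing case would stop readers from assuming a typo and querying for `billingRole`.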
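Review bot: In the paragraph added by the @@ -118 hunk, "almost all these recorded actions" leaves the exceptions unnamed, and the consequence for reports is only implied. State outright that scheduled report emails do not produce an audit record, since someone relying on the `email` / `report` action to track report delivery would otherwise assume they are covered, and either list the actions that are not API-driven or drop "almost".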
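Review bot: In the Service accounts table (@@ -133 hunk), the "Migrate API key" row has unbalanced braces: `{"action": "migrate-api-keys"}, "resources": [{"type": "api-key"}]}` closes the object before `resources`, so the snippet is not valid JSON and cannot be copied into a log query. Remove the `}` after `"migrate-api-keys"`. In the Access control table of the same hunk, "Set user permissions on team" uses `{"type": "teams"}` while every other row uses the singular `team`; confirm which value is actually logged and correct the row or note the exception.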
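Review bot: In the snapshots table (@@ -275 hunk), the added "Delete a snapshot by delete key" row has exactly the same distinguishing fields as the existing "Delete a snapshot" row, `{"action": "delete", "resources": [{"type": "snapshot"}]}`, so the table gives no way to tell the two apart. The page says that actions distinguishable only by `requestUri` get the relevant pattern listed; add that pattern to both rows, or merge them if the log entries are identical.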
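Review bot: In the new "Generic actions" section (@@ -294 hunk), "See below how to configure it" points at nothing specific, and after this patch the sample config under Configuration no longer mentions GET in any comment. Name the setting that enables `GET` auditing here. It would also help to say how a generic `update` or `delete` record differs from the specific ones listed earlier that use the same action value with a `resources` entry, for example by stating that generic records carry no `resources`, if that is the case.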
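Review bot: In the sample config hunk (@@ -317), `log_all_status_codes` flips from `true` to `false` and the comment now describes the restricted set (2XX, 3XX, 401, 403 and 500) as the default, but the commit message only says the docs were updated. Confirm this matches the shipped default, and if it does, say so in the `log_all_status_codes` entry of enterprise-configuration/index.md as well, which still reads "Set to false to only log requests with 2xx, 3xx, 401, 403, 500 responses" without naming a default. Operators who expect other 4xx responses to be audited need to know they must set it to `true`.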