# phosphor-audit

Author:
  Ivan Mikhaylov, [i.mikhaylov@yadro.com](mailto:i.mikhaylov@yadro.com)

Other contributors:
  Alexander Amelkin, [a.amelkin@yadro.com](mailto:a.amelkin@yadro.com)
  Alexander Filippov, [a.filippov@yadro.com](mailto:a.filippov@yadro.com)

Created:
  2019-07-23

## Problem Description

End users of OpenBMC may take actions that change the system state and/or
configuration. Such actions may be taken using any of the numerous interfaces
provided by OpenBMC. That includes Redfish, IPMI, ssh or serial console shell,
and other interfaces, including future ones.

Consequences of those actions may sometimes be harmful and an investigation may
be conducted in order to find out the person responsible for the unwelcome
changes. Currently, most changes leave no trace in OpenBMC logs, which hampers
the aforementioned investigation.

It is required to develop a mechanism that would allow for tracking such
user activity, logging it, and taking certain actions if necessary.

## Background and References

YADRO had an internal solution for the problem. It was only applicable to an
outdated version of OpenBMC and needed a redesign. There was also a parallel
effort by IBM that can be found here:
[REST and Redfish Traffic Logging](https://gerrit.openbmc.org/c/openbmc/bmcweb/+/22699)

## Assumptions

This design assumes that an end user is never given direct access to the
system shell. The shell allows for direct manipulation of the user database
(add/remove users, change passwords) and system configuration (network scripts,
etc.), and it doesn't seem feasible to track such user actions taken within the
shell. This design assumes that all user interaction with OpenBMC is limited to
controlled interfaces served by other Phosphor OpenBMC components interacting
via D-Bus.

## Requirements

 * Provide a unified method of logging user actions independent of the user
   interface, where possible user actions are:
   * Redfish/REST PUT/POST/DELETE/PATCH
   * IPMI
   * PAM
   * PLDM
   * Any other suitable service
 * Provide a way to configure system response actions taken upon certain user
   actions, where possible response actions are:
   * Log an event
   * Notify an administrator or an arbitrary notification receiver
   * Run an arbitrary command
 * Provide a way to configure notification receivers:
   * E-mail
   * SNMP
   * Instant messengers
   * D-Bus

## Proposed Design

The main idea is to catch D-Bus requests sent by user interfaces, then handle the
request according to the configuration. In the future, support for flexible
policies may be implemented that would allow for better flexibility in handling
and tracking.

The phosphor-audit service provides user activity tracking and takes the
corresponding actions in response to user actions.

The key benefit of using phosphor-audit is that all action handling will be kept
inside this project instead of spreading it across multiple dedicated interface
services with a risk of missing a handler for some action in one of them and
bloating the codebase.

The component diagram below shows an overview of the service.

```ascii
  +----------------+  audit event                           +-----------------+
  |    IPMI NET    +-----------+                            | action          |
  +----------------+           |                            | +-------------+ |
                               |                            | |   logging   | |
  +----------------+           |                            | +-------------+ |
  |   IPMI HOST    +-----------+      +--------------+      |                 |
  +----------------+           |      |    audit     |      | +-------------+ |
                               +----->+   service    +----->| |   command   | |
  +----------------+           |      |              |      | +-------------+ |
  |  RedFish/REST  +-----------+      +--------------+      |                 |
  +----------------+           |                            | +-------------+ |
                               |                            | |   notify    | |
  +----------------+           |                            | +-------------+ |
  |  any service   +-----------+                            |                 |
  +----------------+                                        | +-------------+ |
                                                            | |     ...     | |
                                                            | +-------------+ |
                                                            +-----------------+
```

The audit event in the diagram is generated by an application to track user
activity. The application sends a 'signal' to the audit service via D-Bus. What
happens next in the audit service's handler depends on user requirements and
needs. The handler can just store logs, run an arbitrary command, notify
someone, or do all of the above; each of these is optional.

**Audit event call**

The audit event call preprocesses incoming data on the application side
before sending it to the audit service. If the request is filtered out, it is
dropped at this point and is not processed any further. After the filter
check, the audit event call sends the data through D-Bus to the audit service,
which makes a decision regarding next steps. The call also caches the list of
possible commands (blacklist or whitelist) and the status of its service
(disabled or enabled). If the service is in an undefined state, the call checks
whether the service is alive.

 > `audit_event(type, rc, request, user, host, data)`
 > *  type - type of event source: IPMI, REST, PAM, etc.
 > *  rc   - return code of the handler event (status, rc, etc.)
 > *  request - a generalized identifier of the event, e.g. IPMI command
 > (cmd/netfn/lun), web path, or anything else that can describe the event.
 > *  user - the user account on behalf of which the event was processed.
 >           Depends on context, NA/None in case of user inaccessibility.
 > *  source - identifier of the host that the event has originated from. This can
 >     be literally "host" for events originating from the local host (via locally
 >     connected IPMI), or an IP address or a hostname of a remote host.
 > *  data - any supplementary data that can help better identify the event
 >      (e.g., some first bytes of the IPMI command data).

The service itself can control the flow of events through configuration on its
side.

Example pseudocode:

    audit_event(NET_IPMI, "access denied"(rc=-1), "ipmi cmd", "qwerty223",
                          "192.168.0.1", <some additional data if needed>)
    audit_event(REST, "login successful"(rc=200), "rest login",
                      "qwerty223", "192.168.0.1", NULL)
    audit_event(HOST_IPMI, "shutting down the host"(rc=0), "host poweroff",
                       NULL, NULL, NULL)

`audit_event(blob_data)`

The blob can be described as a structure:

    #include <stdint.h>
    #include <netinet/in.h> /* struct sockaddr_in6 */
    #include <sys/uio.h>    /* struct iovec */

    struct blob_audit
    {
        uint8_t type;              /* event source: IPMI, REST, PAM, ... */
        int32_t rc;                /* return code of the event handler */
        uint32_t request_id;       /* generalized identifier of the event */
        char *user;                /* account the event was processed for */
        struct sockaddr_in6 *addr; /* host the event originated from */
        struct iovec *data;        /* supplementary data */
    };

When the call reaches the server via D-Bus, the server already knows that the
call should be processed via the predefined list of actions which are set
in the server configuration.

Step by step execution of the call:
 * client's layer
    1. check if audit is enabled for the service
    2. check if the audit event is whitelisted or blacklisted at
       the audit service side, to prevent spamming the audit service
       with unneeded events
    3. send the data to the audit service via D-Bus
 * server's layer
    1. accept the D-Bus request
    2. go through the list of actions for each service

How the checks will be processed at the client's layer:
 1. check the status of the service and cache that value
 2. check the list of possible actions which should be logged and cache it too
 3. listen for the 'PropertiesChanged' event in case the list or the status
    of the service changes

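One way to implement the client-layer checks listed above, as an added C++ example that is not part of the original design or the phosphor-audit code base. The class, enum and callback names are hypothetical, the D-Bus transport is replaced by callbacks, and the initial empty blacklist is an assumed default.

```cpp
// Added example: all names are hypothetical, not phosphor-audit API.
#include <cstdint>
#include <functional>
#include <set>
#include <utility>
#include <vector>

enum class ServiceState { Undefined, Enabled, Disabled };
enum class FilterMode { Whitelist, Blacklist };

class AuditClient
{
  public:
    // Assumed hooks standing in for D-Bus: read the service status property,
    // and send one event (identified here only by its request id).
    using Probe = std::function<ServiceState()>;
    using Sender = std::function<void(uint32_t)>;

    AuditClient(Probe probe, Sender send) :
        probe_(std::move(probe)), send_(std::move(send))
    {}

    // Called from the 'PropertiesChanged' handler: refresh the cache.
    void onPropertiesChanged(ServiceState state, FilterMode mode,
                             std::set<uint32_t> requests)
    {
        state_ = state;
        mode_ = mode;
        requests_ = std::move(requests);
    }

    // Returns true if the event was forwarded to the audit service.
    bool auditEvent(uint32_t requestId)
    {
        // Undefined state: ask the service; stays Undefined while it is down.
        if (state_ == ServiceState::Undefined)
            state_ = probe_();
        if (state_ != ServiceState::Enabled)
            return false;
        const bool listed = requests_.count(requestId) != 0;
        // Whitelist: only listed requests pass. Blacklist: listed ones drop.
        const bool pass = (mode_ == FilterMode::Whitelist) ? listed : !listed;
        if (pass)
            send_(requestId);
        return pass;
    }

  private:
    Probe probe_;
    Sender send_;
    ServiceState state_ = ServiceState::Undefined;
    FilterMode mode_ = FilterMode::Blacklist; // assumed default: drop nothing
    std::set<uint32_t> requests_;
};

// Constructed scenario; returns the request ids that reached the sender.
std::vector<uint32_t> demo()
{
    std::vector<uint32_t> sent;
    ServiceState remote = ServiceState::Undefined; // audit service not up yet
    AuditClient c([&] { return remote; },
                  [&](uint32_t id) { sent.push_back(id); });
    c.auditEvent(0x01); // service down: dropped, re-probed on the next call
    remote = ServiceState::Enabled;
    c.auditEvent(0x01); // probe succeeds, empty blacklist: sent
    c.onPropertiesChanged(ServiceState::Enabled, FilterMode::Whitelist, {0x02});
    c.auditEvent(0x01); // not whitelisted: dropped
    c.auditEvent(0x02); // whitelisted: sent
    c.onPropertiesChanged(ServiceState::Disabled, FilterMode::Whitelist, {});
    c.auditEvent(0x02); // audit disabled for this source: dropped
    return sent;
}

int main() { return demo().size() == 2u ? 0 : 1; }
```

Events raised while the service state is still undefined are dropped on the client side in this sketch, so a deployment that must not lose events would need to queue or count them there.
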
## Service configuration

The configuration structure can be described as a tree with a set of options.
An example of the structure:

```
[IPMI]
   [Enabled]
   [Whitelist]
     [Cmd 0x01] ["reset request"]
     [Cmd 0x02] ["hello world"]
     [Cmd 0x03] ["goodbye cruel world"]
   [Actions]
     [Notify type1] [Recipient]
     [Notify type2] [Recipient]
     [Notify type3] [Recipient]
     [Logging type] [Options]
     [Exec] [ExternalCommand]
[REST]
   [Disabled]
   [Blacklist]
     [Path1] [Options]
     [Path2] [Options]
   [Actions]
     [Notify type2] [Recipient]
     [Logging type] [Options]
```

Options can be updated via D-Bus properties. The audit service listens for
changes to the configuration file and emits a 'PropertiesChanged' signal with
the changed details.

* The whitelisting and blacklisting

 > Possible list of requests which have to be filtered and processed.
 > 'Whitelist' filters possible requests which can be processed.
 > 'Blacklist' blocks only exact requests.

* Enable/disable the event processing for directed services, where the directed
  service is any suitable service which can use the audit service.

 > Each audit processing type can be disabled or enabled at runtime via
 > config file or D-Bus property.

* Notification setup via SNMP/E-mail/Instant messengers/D-Bus

 > The end recipient notification system with different transports.

* Logging

 > phosphor-logging, journald or anything else suitable.

* User actions

 > Running a command as a consequent action.

## Workflow

An example of possible flow:

```ascii
           +----------------+
           |   NET   IPMI   |
           |    REQUEST     |
           +----------------+
                   |
 +--------------------------------------------------------------------------+
 |         +-------v--------+                                         IPMI  |
 |         |    NET IPMI    |                                               |
 |         +----------------+                                               |
 |                 |                                                        |
 |         +-------v--------+        +---------------------------+          |
 |         | rc = handle()  +------->|  audit_event<NET_IPMI>()  |          |
 |         +----------------+        +---------------------------+          |
 |                 |                              |                         |
 |                 |                              |                         |
 |         +-------v--------+                     |                         |
 |         |   Processing   |                     |                         |
 |         |    further     |                     |                         |
 |         +----------------+                     |                         |
 +--------------------------------------------------------------------------+
                                                  |
                                                  |
 +--------------------------------------------------------------------------+
 |                  +-----------------------------+                         |
 |                  |                                        Audit Service  |
 |                  |                                                       |
 |                  |                                                       |
 |                  |                                                       |
 |            +-----v------+                                                |
 |        NO  | Is logging |        YES                                     |
 |     +------+  enabled   +--------------------+                           |
 |     |      | for  type? |                    |                           |
 |     |      +------------+            +-------v-----+                     |
 |     |                           NO   | Is request  |   YES               |
 |     |                       +--------+    type     +--------+            |
 |     |                       |        |  filtered?  |        |            |
 |     |                       |        +-------------+        |            |
 |     |                       |                               |            |
 |     |               +-------v-------+                       |            |
 |     |               |    Notify     |                       |            |
 |     |               | Administrator |                       |            |
 |     |               +---------------+                       |            |
 |     |                       |                               |            |
 |     |               +-------v-------+                       |            |
 |     |               |   Log Event   |                       |            |
 |     |               +---------------+                       |            |
 |     |                       |                               |            |
 |     |               +-------v-------+                       |            |
 |     |               |     User      |                       |            |
 |     |               |    actions    |                       |            |
 |     |               +---------------+                       |            |
 |     |                       |                               |            |
 |     |               +-------v-------+                       |            |
 |     +-------------->|      End      |<----------------------+            |
 |                     +---------------+                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+
```

## Notification mechanisms

The unified model for reporting accidents to the end user, where the transport can be:

* E-mail

  > Sending a note to the directed recipient, which is set in the configuration,
  > via sendmail or anything else.

* SNMP

  > Sending a notification via SNMP trap messages to the directed recipient,
  > which is set in the configuration.

* Instant messengers

  > Sending a notification to the directed recipient, which is set in the
  > configuration, via jabber/sametime/gtalk/etc.

* D-Bus

  > Notify the other service, which is set in the configuration, via
  > 'method_call' or 'signal'.

Notifications are skipped if none of the above rules is set in the
configuration. It is possible to pick up rules at runtime.

## User Actions

 * Exec application via 'system' call.
 * The code for the directed handling type inside the handler itself.
   For example, for 'net ipmi', on an unsuccessful user login the handler:
   * Sends a notification to the administrator.
   * Runs `echo heartbeat > /sys/class/leds/alarm_red/trigger`

## Alternatives Considered

Processing user requests in each dedicated interface service and logging
them separately for each of the interfaces. Scattered handling looks like
an error-prone and rigid approach.

## Impacts

Improves system manageability and security.

Impacts when phosphor-audit is not enabled:
 - Many services will have slightly larger code size and longer CPU path length
   due to invocations of audit_event().
 - Increased D-Bus traffic.

Impacts when phosphor-audit is enabled:
All of the above, plus:
 - Additional BMC processor time needed to handle audit events.
 - Additional BMC flash storage needed to store logged events.
 - Additional outbound network traffic to notify users.
 - Additional space for notification libraries.

## Testing

`dbus-send` can be used as a command-line tool for generating audit events.

Scenarios:
 - For each supported service (such as Redfish, net IPMI, host IPMI, PLDM), create audit events, and validate they get logged.
 - Ensure message-type and request-type filtering works as expected.
 - Ensure basic notification actions work as expected (log, command, notify).
 - When continuously generating audit events, change the phosphor-audit service's configuration, and validate no audit events are lost, and the new configuration takes effect.