xref: /openbmc/docs/designs/phosphor-audit.md (revision 146f9098)
# phosphor-audit

Author:
  Ivan Mikhaylov, [i.mikhaylov@yadro.com](mailto:i.mikhaylov@yadro.com)

Primary assignee:
  Ivan Mikhaylov, [i.mikhaylov@yadro.com](mailto:i.mikhaylov@yadro.com)

Other contributors:
  Alexander Amelkin, [a.amelkin@yadro.com](mailto:a.amelkin@yadro.com)
  Alexander Filippov, [a.filippov@yadro.com](mailto:a.filippov@yadro.com)

Created:
  2019-07-23

## Problem Description

End users of OpenBMC may take actions that change the system state and/or
configuration. Such actions may be taken using any of the numerous interfaces
provided by OpenBMC. That includes Redfish, IPMI, SSH or serial console shell,
and other interfaces, including future ones.

Consequences of those actions may sometimes be harmful, and an investigation may
be conducted in order to find out the person responsible for the unwelcome
changes. Currently, most changes leave no trace in OpenBMC logs, which hampers
the aforementioned investigation.

It is required to develop a mechanism that would allow for tracking such
user activity, logging it, and taking certain actions if necessary.

## Background and References

YADRO had an internal solution for the problem. It was only applicable to an
outdated version of OpenBMC and needed a redesign. There was also a parallel
effort by IBM that can be found here:
[REST and Redfish Traffic Logging](https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/22699)

## Assumptions

This design assumes that an end user is never given direct access to the
system shell. The shell allows for direct manipulation of the user database
(add/remove users, change passwords) and system configuration (network scripts,
etc.), and it doesn't seem feasible to track such user actions taken within the
shell. This design assumes that all user interaction with OpenBMC is limited to
controlled interfaces served by other Phosphor OpenBMC components interacting
via D-Bus.

## Requirements

 * Provide a unified method of logging user actions independent of the user
   interface, where possible user actions are:
   * Redfish/REST PUT/POST/DELETE/PATCH
   * IPMI
   * PAM
   * PLDM
   * Any other suitable service
 * Provide a way to configure system response actions taken upon certain user
   actions, where possible response actions are:
   * Log an event
   * Notify an administrator or an arbitrary notification receiver
   * Run an arbitrary command
 * Provide a way to configure notification receivers:
   * E-mail
   * SNMP
   * Instant messengers
   * D-Bus

## Proposed Design

The main idea is to catch D-Bus requests sent by user interfaces, then handle the
request according to the configuration. In the future, support for flexible
policies may be implemented that would allow for better flexibility in handling
and tracking.

The phosphor-audit service provides user activity tracking and takes the
corresponding actions in response to user actions.

The key benefit of using phosphor-audit is that all action handling will be kept
inside this project instead of spreading it across multiple dedicated interface
services with a risk of missing a handler for some action in one of them and
bloating the codebase.

The component diagram below gives an overview of the service.

```ascii
  +----------------+  audit event                           +-----------------+
  |    IPMI NET    +-----------+                            | action          |
  +----------------+           |                            | +-------------+ |
                               |                            | |   logging   | |
  +----------------+           |                            | +-------------+ |
  |   IPMI HOST    +-----------+      +--------------+      |                 |
  +----------------+           |      |    audit     |      | +-------------+ |
                               +----->+   service    +----->| |   command   | |
  +----------------+           |      |              |      | +-------------+ |
  |  RedFish/REST  +-----------+      +--------------+      |                 |
  +----------------+           |                            | +-------------+ |
                               |                            | |   notify    | |
  +----------------+           |                            | +-------------+ |
  |  any service   +-----------+                            |                 |
  +----------------+                                        | +-------------+ |
                                                            | |     ...     | |
                                                            | +-------------+ |
                                                            +-----------------+
```

The audit event in the diagram is generated by an application to track user
activity. The application sends a 'signal' to the audit service via D-Bus. What
happens next in the audit service's handler depends on user requirements and
needs. The handler can just store logs, run an arbitrary command, notify
someone, or do all of the above, and each of these is optional.

**Audit event call**

The audit event call preprocesses incoming data on the application side before
sending it to the audit service. If the request is filtered out, it is dropped
at this point and is not processed further. After the filter check, the audit
event call sends the data through D-Bus to the audit service, which decides on
the next steps. The call also caches the list of possible commands (blacklist or
whitelist) and the status of its service (disabled or enabled). If the service
is in an undefined state, the call checks whether the service is alive.

 > `audit_event(type, rc, request, user, host, data)`
 > *  type - type of event source: IPMI, REST, PAM, etc.
 > *  rc   - return code of the handler event (status, rc, etc.)
 > *  request - a generalized identifier of the event, e.g. IPMI command
 > (cmd/netfn/lun), web path, or anything else that can describe the event.
 > *  user - the user account on behalf of which the event was processed.
 >           Depends on context; NA/None if the user is not available.
 > *  source - identifier of the host that the event has originated from. This can
 >     be literally "host" for events originating from the local host (via locally
 >     connected IPMI), or an IP address or a hostname of a remote host.
 > *  data - any supplementary data that can help better identify the event
 >      (e.g., some first bytes of the IPMI command data).

The service itself can control the flow of events through configuration on its
side.

Pseudocode example:

    audit_event(NET_IPMI, -1 /* "access denied" */, "ipmi cmd", "qwerty223",
                "192.168.0.1", data /* some additional data if needed */);
    audit_event(REST, 200 /* "login successful" */, "rest login",
                "qwerty223", "192.168.0.1", NULL);
    audit_event(HOST_IPMI, 0 /* "shutting down the host" */, "host poweroff",
                NULL, NULL, NULL);

`audit_event(blob_data)`

The blob can be described as a structure:

    #include <netinet/in.h> /* struct sockaddr_in6 */
    #include <stdint.h>
    #include <sys/uio.h>    /* struct iovec */

    struct blob_audit
    {
        uint8_t type;              /* type of event source */
        int32_t rc;                /* return code of the handler */
        uint32_t request_id;       /* identifier of the request */
        char *user;                /* user account, may be NULL */
        struct sockaddr_in6 *addr; /* host the event originated from */
        struct iovec *data;        /* supplementary data */
    };

When the call reaches the server destination via D-Bus, the server already knows
that the call should be processed through the predefined list of actions set
in the server configuration.

Step-by-step execution of the call:
 * client's layer
    1. checks whether audit is enabled for the service
    2. checks whether the audit event is whitelisted or blacklisted on
       the audit service side, to avoid spamming the audit service with
       unneeded events
    3. sends the data to the audit service via D-Bus
 * server's layer
    1. accepts the D-Bus request
    2. goes through the list of actions for each service

How the checks are processed at the client's layer:
 1. check the status of the service and cache that value
 2. check the list of possible actions which should be logged and cache them as
    well
 3. listen for the 'PropertiesChanged' event in case the list or the status
    of the service changes

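The client-layer checks above, sketched in C++ as an added example (not phosphor-audit code): the cached service status and request list gate each call, an undefined status triggers a probe, and a `PropertiesChanged` handler refreshes the cache. `AuditClient`, the two callbacks standing in for D-Bus calls, and the drop counters are assumptions made for illustration.

```cpp
// Added example, not phosphor-audit code; names and callbacks are hypothetical.
#include <cstdint>
#include <functional>
#include <set>
#include <string>
#include <utility>

enum class ServiceState { Undefined, Enabled, Disabled };
enum class FilterMode { Whitelist, Blacklist };

// Fields follow the audit_event() parameter list in the design.
struct AuditEvent {
    std::string type;     // event source: "NET_IPMI", "REST", ...
    int32_t rc;           // return code of the handler
    std::string request;  // generalized request identifier
    std::string user;     // account name, or "NA"
    std::string source;   // "host", an IP address or a hostname
};

class AuditClient {
  public:
    using Probe = std::function<ServiceState()>;          // read service status
    using Send = std::function<void(const AuditEvent&)>;  // forward the event

    AuditClient(Probe probe, Send send)
        : probe_(std::move(probe)), send_(std::move(send)) {}

    // Handler for the service's PropertiesChanged signal: refresh the cache.
    void onPropertiesChanged(ServiceState state, FilterMode mode,
                             std::set<std::string> requests) {
        state_ = state;
        mode_ = mode;
        requests_ = std::move(requests);
    }

    // Returns true if the event was forwarded to the audit service.
    bool auditEvent(const AuditEvent& ev) {
        if (state_ == ServiceState::Undefined) {
            state_ = probe_();  // stays Undefined while the service is down
        }
        if (state_ != ServiceState::Enabled) {
            ++dropped_;  // counted so gaps in the audit trail stay visible
            return false;
        }
        // Whitelist: only listed requests pass. Blacklist: listed ones do not.
        const bool listed = requests_.count(ev.request) != 0;
        const bool pass = (mode_ == FilterMode::Whitelist) ? listed : !listed;
        if (!pass) {
            ++filtered_;
            return false;
        }
        send_(ev);
        return true;
    }

    unsigned dropped() const { return dropped_; }
    unsigned filtered() const { return filtered_; }
  private:
    Probe probe_;
    Send send_;
    ServiceState state_ = ServiceState::Undefined;
    FilterMode mode_ = FilterMode::Blacklist;  // empty blacklist filters nothing
    std::set<std::string> requests_;
    unsigned dropped_ = 0;
    unsigned filtered_ = 0;
};

// Constructed demo using the three sample events from the pseudocode above.
int demoForwardedCount() {
    int sent = 0;
    AuditClient client([] { return ServiceState::Enabled; },
                       [&sent](const AuditEvent&) { ++sent; });
    client.onPropertiesChanged(ServiceState::Enabled, FilterMode::Whitelist,
                               std::set<std::string>{"ipmi cmd", "host poweroff"});
    client.auditEvent({"NET_IPMI", -1, "ipmi cmd", "qwerty223", "192.168.0.1"});
    client.auditEvent({"REST", 200, "rest login", "qwerty223", "192.168.0.1"});
    client.auditEvent({"HOST_IPMI", 0, "host poweroff", "NA", "host"});
    return sent;
}
```

The `dropped()` counter is worth exporting in a real client: events that never reach the audit service while it is disabled or unreachable are otherwise invisible to an investigator.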
## Service configuration

The configuration structure can be described as a tree with a set of options.
An example of the structure:

```
[IPMI]
   [Enabled]
   [Whitelist]
     [Cmd 0x01] ["reset request"]
     [Cmd 0x02] ["hello world"]
     [Cmd 0x03] ["goodbye cruel world"]
   [Actions]
     [Notify type1] [Recipient]
     [Notify type2] [Recipient]
     [Notify type3] [Recipient]
     [Logging type] [Options]
     [Exec] [ExternalCommand]
[REST]
   [Disabled]
   [Blacklist]
     [Path1] [Options]
     [Path2] [Options]
   [Actions]
     [Notify type2] [Recipient]
     [Logging type] [Options]
```

Options can be updated via D-Bus properties. The audit service listens for
changes to the configuration file and emits a 'PropertiesChanged' signal with
the changed details.

* Whitelisting and blacklisting

 > The list of requests that have to be filtered and processed.
 > 'Whitelist' filters the requests which can be processed.
 > 'Blacklist' blocks only exact requests.

* Enable/disable the event processing for directed services, where a directed
  service is any suitable service that can use the audit service.

 > Each audit processing type can be disabled or enabled at runtime via
 > config file or D-Bus property.

* Notification setup via SNMP/E-mail/Instant messengers/D-Bus

 > The end recipient notification system with different transports.

* Logging

 > phosphor-logging, journald or anything else suitable.

* User actions

 > Running a command as a consequent action.

## Workflow

An example of possible flow:

```ascii
           +----------------+
           |   NET   IPMI   |
           |    REQUEST     |
           +----------------+
                   |
 +--------------------------------------------------------------------------+
 |         +-------v--------+                                         IPMI  |
 |         |    NET IPMI    |                                               |
 |         +----------------+                                               |
 |                 |                                                        |
 |         +-------v--------+        +---------------------------+          |
 |         | rc = handle()  +------->|  audit_event<NET_IPMI>()  |          |
 |         +----------------+        +---------------------------+          |
 |                 |                              |                         |
 |                 |                              |                         |
 |         +-------v--------+                     |                         |
 |         |   Processing   |                     |                         |
 |         |    further     |                     |                         |
 |         +----------------+                     |                         |
 +--------------------------------------------------------------------------+
                                                  |
                                                  |
 +--------------------------------------------------------------------------+
 |                  +-----------------------------+                         |
 |                  |                                        Audit Service  |
 |                  |                                                       |
 |                  |                                                       |
 |                  |                                                       |
 |            +-----v------+                                                |
 |        NO  | Is logging |        YES                                     |
 |     +------+  enabled   +--------------------+                           |
 |     |      | for  type? |                    |                           |
 |     |      +------------+            +-------v-----+                     |
 |     |                           NO   | Is request  |   YES               |
 |     |                       +--------+    type     +--------+            |
 |     |                       |        |  filtered?  |        |            |
 |     |                       |        +-------------+        |            |
 |     |                       |                               |            |
 |     |               +-------v-------+                       |            |
 |     |               |    Notify     |                       |            |
 |     |               | Administrator |                       |            |
 |     |               +---------------+                       |            |
 |     |                       |                               |            |
 |     |               +-------v-------+                       |            |
 |     |               |   Log Event   |                       |            |
 |     |               +---------------+                       |            |
 |     |                       |                               |            |
 |     |               +-------v-------+                       |            |
 |     |               |     User      |                       |            |
 |     |               |    actions    |                       |            |
 |     |               +---------------+                       |            |
 |     |                       |                               |            |
 |     |               +-------v-------+                       |            |
 |     +-------------->|      End      |<----------------------+            |
 |                     +---------------+                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+
```

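The audit-service half of the flow above, as an added C++ example that is not phosphor-audit code: a per-type configuration node decides whether an event is handled, and the configured actions run in the diagram's order. `AuditService`, `TypeConfig`, and the action targets are hypothetical, and actions are recorded rather than executed.

```cpp
// Added example, not phosphor-audit code. All names are hypothetical and the
// actions are recorded instead of executed.
#include <map>
#include <set>
#include <string>
#include <vector>

enum class FilterMode { Whitelist, Blacklist };

// One [Actions] entry. kind is "notify", "log" or "exec"; target is the
// recipient, the log backend or the configured command.
struct Action {
    std::string kind;
    std::string target;
};

// One top-level node of the configuration tree, e.g. [IPMI] or [REST].
struct TypeConfig {
    bool enabled;
    FilterMode mode;
    std::set<std::string> requests;
    std::vector<Action> actions;
};

class AuditService {
  public:
    void configure(const std::string& type, const TypeConfig& cfg) {
        config_[type] = cfg;
    }

    // Returns the actions taken, in order. Empty when the type is unknown or
    // disabled, or when the request is filtered out.
    std::vector<std::string> handle(const std::string& type,
                                    const std::string& request) const {
        std::vector<std::string> taken;
        const auto it = config_.find(type);
        if (it == config_.end() || !it->second.enabled) {
            return taken;
        }
        const TypeConfig& cfg = it->second;
        const bool listed = cfg.requests.count(request) != 0;
        const bool filtered =
            (cfg.mode == FilterMode::Whitelist) ? !listed : listed;
        if (filtered) {
            return taken;
        }
        // Diagram order: notify, then log, then user actions. The exec target
        // comes from configuration only; no event field is spliced into it.
        for (const char* kind : {"notify", "log", "exec"}) {
            for (const Action& a : cfg.actions) {
                if (a.kind == kind) {
                    taken.push_back(a.kind + ":" + a.target);
                }
            }
        }
        return taken;
    }

  private:
    std::map<std::string, TypeConfig> config_;
};

// Constructed configuration mirroring the example tree on this page.
AuditService demoService() {
    AuditService svc;
    svc.configure("IPMI", {true, FilterMode::Whitelist, {"0x01", "0x02", "0x03"},
                           {{"exec", "/usr/bin/example-alarm"},
                            {"log", "journald"},
                            {"notify", "admin@example.com"}}});
    svc.configure("REST", {false, FilterMode::Blacklist, {"/path1"},
                           {{"log", "journald"}}});
    return svc;
}
```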
## Notification mechanisms

The unified model for reporting incidents to the end user, where the transport
can be:

* E-mail

  > Sending a note, via sendmail or anything else, to the recipient set in the
  > configuration.

* SNMP

  > Sending a notification via SNMP trap messages to the recipient set in the
  > configuration.

* Instant messengers

  > Sending a notification via jabber/sametime/gtalk/etc. to the recipient set
  > in the configuration.

* D-Bus

  > Notifying the other service set in the configuration via 'method_call' or
  > 'signal'.

Notifications are skipped if none of the above rules is set in the
configuration. Rules can be picked up at runtime.

## User Actions

 * Execute an application via a 'system' call.
 * Code for the directed handling type inside the handler itself.
   As an example, for 'net ipmi', in case of an unsuccessful user login, the
   handler:
   * Sends a notification to the administrator.
   * Runs `echo heartbeat > /sys/class/leds/alarm_red/trigger`

## Alternatives Considered

Processing user requests in each dedicated interface service and logging
them separately for each of the interfaces. Scattered handling looks like
an error-prone and rigid approach.

## Impacts

Improves system manageability and security.

Impacts when phosphor-audit is not enabled:
 - Many services will have slightly larger code size and longer CPU path length
   due to invocations of audit_event().
 - Increased D-Bus traffic.

Impacts when phosphor-audit is enabled:
All of the above, plus:
 - Additional BMC processor time needed to handle audit events.
 - Additional BMC flash storage needed to store logged events.
 - Additional outbound network traffic to notify users.
 - Additional space for notification libraries.

## Testing

`dbus-send` is used as a command-line tool for generating audit events.

Scenarios:
 - For each supported service (such as Redfish, net IPMI, host IPMI, PLDM), create audit events, and validate they get logged.
 - Ensure message-type and request-type filtering works as expected.
 - Ensure basic notification actions work as expected (log, command, notify).
 - While continuously generating audit events, change the phosphor-audit service's configuration, and validate that no audit events are lost and that the new configuration takes effect.