19f5e2d83SIvan Mikhaylov# phosphor-audit 29f5e2d83SIvan Mikhaylov 3*f4febd00SPatrick WilliamsAuthor: Ivan Mikhaylov, [i.mikhaylov@yadro.com](mailto:i.mikhaylov@yadro.com) 49f5e2d83SIvan Mikhaylov 5*f4febd00SPatrick WilliamsOther contributors: Alexander Amelkin, 6*f4febd00SPatrick Williams[a.amelkin@yadro.com](mailto:a.amelkin@yadro.com) Alexander Filippov, 7*f4febd00SPatrick Williams[a.filippov@yadro.com](mailto:a.filippov@yadro.com) 89f5e2d83SIvan Mikhaylov 9*f4febd00SPatrick WilliamsCreated: 2019-07-23 109f5e2d83SIvan Mikhaylov 119f5e2d83SIvan Mikhaylov## Problem Description 129f5e2d83SIvan Mikhaylov 139f5e2d83SIvan MikhaylovEnd users of OpenBMC may take actions that change the system state and/or 149f5e2d83SIvan Mikhaylovconfiguration. Such actions may be taken using any of the numerous interfaces 159f5e2d83SIvan Mikhaylovprovided by OpenBMC. That includes RedFish, IPMI, ssh or serial console shell, 169f5e2d83SIvan Mikhaylovand other interfaces, including the future ones. 179f5e2d83SIvan Mikhaylov 189f5e2d83SIvan MikhaylovConsequences of those actions may sometimes be harmful and an investigation may 199f5e2d83SIvan Mikhaylovbe conducted in order to find out the person responsible for the unwelcome 209f5e2d83SIvan Mikhaylovchanges. Currently, most changes leave no trace in OpenBMC logs, which hampers 219f5e2d83SIvan Mikhaylovthe aforementioned investigation. 229f5e2d83SIvan Mikhaylov 23*f4febd00SPatrick WilliamsIt is required to develop a mechanism that would allow for tracking such user 24*f4febd00SPatrick Williamsactivity, logging it, and taking certain actions if necessary. 259f5e2d83SIvan Mikhaylov 269f5e2d83SIvan Mikhaylov## Background and References 279f5e2d83SIvan Mikhaylov 289f5e2d83SIvan MikhaylovYADRO had an internal solution for the problem. It was only applicable to an 299f5e2d83SIvan Mikhaylovoutdated version of OpenBMC and needed a redesign. There was also a parallel 309f5e2d83SIvan Mikhayloveffort by IBM that can be found here: 310ee8da09SNodeMan97[REST and Redfish Traffic Logging](https://gerrit.openbmc.org/c/openbmc/bmcweb/+/22699) 329f5e2d83SIvan Mikhaylov 339f5e2d83SIvan Mikhaylov## Assumptions 349f5e2d83SIvan Mikhaylov 359f5e2d83SIvan MikhaylovThis design assumes that an end user is never given a direct access to the 369f5e2d83SIvan Mikhaylovsystem shell. The shell allows for direct manipulation of user database 379f5e2d83SIvan Mikhaylov(add/remove users, change passwords) and system configuration (network scripts, 389f5e2d83SIvan Mikhaylovetc.), and it doesn't seem feasible to track such user actions taken within the 399f5e2d83SIvan Mikhaylovshell. This design assumes that all user interaction with OpenBMC is limited to 409f5e2d83SIvan Mikhaylovcontrolled interfaces served by other Phosphor OpenBMC components interacting 419f5e2d83SIvan Mikhaylovvia D-Bus. 429f5e2d83SIvan Mikhaylov 439f5e2d83SIvan Mikhaylov## Requirements 449f5e2d83SIvan Mikhaylov 45*f4febd00SPatrick Williams- Provide a unified method of logging user actions independent of the user 469f5e2d83SIvan Mikhaylov interface, where possible user actions are: 47*f4febd00SPatrick Williams - Redfish/REST PUT/POST/DELETE/PATCH 48*f4febd00SPatrick Williams - IPMI 49*f4febd00SPatrick Williams - PAM 50*f4febd00SPatrick Williams - PLDM 51*f4febd00SPatrick Williams - Any other suitable service 52*f4febd00SPatrick Williams- Provide a way to configure system response actions taken upon certain user 539f5e2d83SIvan Mikhaylov actions, where possible response actions are: 54*f4febd00SPatrick Williams - Log an event 55*f4febd00SPatrick Williams - Notify an administrator or an arbitrary notification receiver 56*f4febd00SPatrick Williams - Run an arbitrary command 57*f4febd00SPatrick Williams- Provide a way to configure notification receivers: 58*f4febd00SPatrick Williams - E-mail 59*f4febd00SPatrick Williams - SNMP 60*f4febd00SPatrick Williams - Instant messengers 61*f4febd00SPatrick Williams - D-Bus 629f5e2d83SIvan Mikhaylov 639f5e2d83SIvan Mikhaylov## Proposed Design 649f5e2d83SIvan Mikhaylov 65*f4febd00SPatrick WilliamsThe main idea is to catch D-Bus requests sent by user interfaces, then handle 66*f4febd00SPatrick Williamsthe request according to the configuration. In future, support for flexible 67*f4febd00SPatrick Williamspolicies may be implemented that would allow for better flexibility in handling 68*f4febd00SPatrick Williamsand tracking. 699f5e2d83SIvan Mikhaylov 709f5e2d83SIvan MikhaylovThe phosphor-audit service represents a service that provides user activity 719f5e2d83SIvan Mikhaylovtracking and corresponding action taking in response of user actions. 729f5e2d83SIvan Mikhaylov 739f5e2d83SIvan MikhaylovThe key benefit of using phosphor-audit is that all action handling will be kept 749f5e2d83SIvan Mikhaylovinside this project instead of spreading it across multiple dedicated interface 759f5e2d83SIvan Mikhaylovservices with a risk of missing a handler for some action in one of them and 769f5e2d83SIvan Mikhaylovbloating the codebase. 779f5e2d83SIvan Mikhaylov 789f5e2d83SIvan MikhaylovThe component diagram below shows the example of service overview. 799f5e2d83SIvan Mikhaylov 809f5e2d83SIvan Mikhaylov```ascii 819f5e2d83SIvan Mikhaylov +----------------+ audit event +-----------------+ 829f5e2d83SIvan Mikhaylov | IPMI NET +-----------+ | action | 839f5e2d83SIvan Mikhaylov +----------------+ | | +-------------+ | 849f5e2d83SIvan Mikhaylov | | | logging | | 859f5e2d83SIvan Mikhaylov +----------------+ | | +-------------+ | 869f5e2d83SIvan Mikhaylov | IPMI HOST +-----------+ +--------------+ | | 879f5e2d83SIvan Mikhaylov +----------------+ | | audit | | +-------------+ | 889f5e2d83SIvan Mikhaylov +----->+ service +----->| | command | | 899f5e2d83SIvan Mikhaylov +----------------+ | | | | +-------------+ | 909f5e2d83SIvan Mikhaylov | RedFish/REST +-----------+ +--------------+ | | 919f5e2d83SIvan Mikhaylov +----------------+ | | +-------------+ | 929f5e2d83SIvan Mikhaylov | | | notify | | 939f5e2d83SIvan Mikhaylov +----------------+ | | +-------------+ | 949f5e2d83SIvan Mikhaylov | any service +-----------+ | | 959f5e2d83SIvan Mikhaylov +----------------+ | +-------------+ | 969f5e2d83SIvan Mikhaylov | | ... | | 979f5e2d83SIvan Mikhaylov | +-------------+ | 989f5e2d83SIvan Mikhaylov +-----------------+ 999f5e2d83SIvan Mikhaylov``` 1009f5e2d83SIvan Mikhaylov 1019f5e2d83SIvan MikhaylovThe audit event from diagram generated by an application to track user activity. 1029f5e2d83SIvan MikhaylovThe application sends 'signal' to audit service via D-Bus. What is happening 1039f5e2d83SIvan Mikhaylovnext in audit service's handler depends on user requirements and needs. It is 1049f5e2d83SIvan Mikhaylovpossible to just store logs, run arbitrary command or notify someone in handler 1059f5e2d83SIvan Mikhaylovor we can do all of the above and all of this can be optional. 1069f5e2d83SIvan Mikhaylov 1079f5e2d83SIvan Mikhaylov**Audit event call** 1089f5e2d83SIvan Mikhaylov 1099f5e2d83SIvan MikhaylovAudit event call performs preprocessing of incoming data at application side 1109f5e2d83SIvan Mikhaylovbefore sending it to the audit service, if the request is filtered out, it will 1119f5e2d83SIvan Mikhaylovbe dropped at this moment and will no longer be processed. After the filter 1129f5e2d83SIvan Mikhaylovcheck, the audit event call sends the data through D-Bus to the audit service 1139f5e2d83SIvan Mikhaylovwhich makes a decision regarding next steps. Also, it caches list of possible 114*f4febd00SPatrick Williamscommands (blacklist or whitelist) and status of its service (disabled or 115*f4febd00SPatrick Williamsenabled). If the service in undefined state, the call checks if service alive or 116*f4febd00SPatrick Williamsnot. 1179f5e2d83SIvan Mikhaylov 1189f5e2d83SIvan Mikhaylov> `audit_event(type, rc, request, user, host, data)` 119*f4febd00SPatrick Williams> 120*f4febd00SPatrick Williams> - type - type of event source : IPMI, REST, PAM, etc. 121*f4febd00SPatrick Williams> - rc - return code of the handler event (status, rc, etc.) 122*f4febd00SPatrick Williams> - request - a generalized identifier of the event, e.g. ipmi command 1239f5e2d83SIvan Mikhaylov> (cmd/netfn/lun), web path, or anything else that can describe the event. 124*f4febd00SPatrick Williams> - user - the user account on behalf of which the event was processed. depends 125*f4febd00SPatrick Williams> on context, NA/None in case of user inaccessibility. 126*f4febd00SPatrick Williams> - source - identifier of the host that the event has originated from. This can 1279f5e2d83SIvan Mikhaylov> be literally "host" for events originating from the local host (via locally 1289f5e2d83SIvan Mikhaylov> connected IPMI), or an IP address or a hostname of a remote host. 129*f4febd00SPatrick Williams> - data - any supplementary data that can help better identify the event (e.g., 130*f4febd00SPatrick Williams> some first bytes of the IPMI command data). 1319f5e2d83SIvan Mikhaylov 1329f5e2d83SIvan MikhaylovService itself can control flow of events with configuration on its side. 1339f5e2d83SIvan Mikhaylov 1349f5e2d83SIvan MikhaylovPseudocode for example: 1359f5e2d83SIvan Mikhaylov 1369f5e2d83SIvan Mikhaylov audit_event(NET_IPMI, "access denied"(rc=-1), "ipmi cmd", "qwerty223", 1379f5e2d83SIvan Mikhaylov "192.168.0.1", <some additional data if needed>) 1389f5e2d83SIvan Mikhaylov audit_event(REST, "login successful"(rc=200), "rest login", 1399f5e2d83SIvan Mikhaylov "qwerty223", "192.168.0.1", NULL) 1409f5e2d83SIvan Mikhaylov audit_event(HOST_IPMI, "shutting down the host"(rc=0), "host poweroff", 1419f5e2d83SIvan Mikhaylov NULL, NULL, NULL) 1429f5e2d83SIvan Mikhaylov 143*f4febd00SPatrick Williams`audit_event(blob_data)` Blob can be described as structure: 1449f5e2d83SIvan Mikhaylov 1459f5e2d83SIvan Mikhaylov struct blob_audit 1469f5e2d83SIvan Mikhaylov { 1479f5e2d83SIvan Mikhaylov uint8_t type; 1489f5e2d83SIvan Mikhaylov int32_t rc; 1499f5e2d83SIvan Mikhaylov uint32_t request_id; 1509f5e2d83SIvan Mikhaylov char *user; 1519f5e2d83SIvan Mikhaylov sockaddr_in6 *addr; 1529f5e2d83SIvan Mikhaylov struct iovec *data; 1539f5e2d83SIvan Mikhaylov } 1549f5e2d83SIvan Mikhaylov 1559f5e2d83SIvan MikhaylovWhen the call reaches the server destination via D-Bus, the server already knows 1569f5e2d83SIvan Mikhaylovthat the call should be processed via predefined list of actions which are set 1579f5e2d83SIvan Mikhaylovin the server configuration. 1589f5e2d83SIvan Mikhaylov 1599f5e2d83SIvan MikhaylovStep by step execution of call: 160*f4febd00SPatrick Williams 161*f4febd00SPatrick Williams- client's layer 1629f5e2d83SIvan Mikhaylov 1. checks if audit is enabled for such service 163*f4febd00SPatrick Williams 2. checks if audit event should be whitelisted or blacklisted at the audit 164*f4febd00SPatrick Williams service side for preventing spamming of unneeded events to audit service 1659f5e2d83SIvan Mikhaylov 3. send the data to the audit service via D-Bus 166*f4febd00SPatrick Williams- server's layer 1679f5e2d83SIvan Mikhaylov 1. accept D-Bus request 1689f5e2d83SIvan Mikhaylov 2. goes through list of actions for each services 1699f5e2d83SIvan Mikhaylov 1709f5e2d83SIvan MikhaylovHow the checks will be processed at client's layer: 171*f4febd00SPatrick Williams 1729f5e2d83SIvan Mikhaylov1. check the status of service and cache that value 173*f4febd00SPatrick Williams2. check the list of possible actions which should be logged and cache them 174*f4febd00SPatrick Williams also 175*f4febd00SPatrick Williams3. listen on 'propertiesChanged' event in case of changing list or status of 176*f4febd00SPatrick Williams service 1779f5e2d83SIvan Mikhaylov 1789f5e2d83SIvan Mikhaylov## Service configuration 1799f5e2d83SIvan Mikhaylov 180*f4febd00SPatrick WilliamsThe configuration structure can be described as tree with set of options, as 181*f4febd00SPatrick Williamsexample of structure: 1829f5e2d83SIvan Mikhaylov 1839f5e2d83SIvan Mikhaylov``` 1849f5e2d83SIvan Mikhaylov[IPMI] 1859f5e2d83SIvan Mikhaylov [Enabled] 1869f5e2d83SIvan Mikhaylov [Whitelist] 1879f5e2d83SIvan Mikhaylov [Cmd 0x01] ["reset request"] 1889f5e2d83SIvan Mikhaylov [Cmd 0x02] ["hello world"] 1899f5e2d83SIvan Mikhaylov [Cmd 0x03] ["goodbye cruel world"] 1909f5e2d83SIvan Mikhaylov [Actions] 1919f5e2d83SIvan Mikhaylov [Notify type1] [Recipient] 1929f5e2d83SIvan Mikhaylov [Notify type2] [Recipient] 1939f5e2d83SIvan Mikhaylov [Notify type3] [Recipient] 1949f5e2d83SIvan Mikhaylov [Logging type] [Options] 1959f5e2d83SIvan Mikhaylov [Exec] [ExternalCommand] 1969f5e2d83SIvan Mikhaylov[REST] 1979f5e2d83SIvan Mikhaylov [Disabled] 1989f5e2d83SIvan Mikhaylov [Blacklist] 1999f5e2d83SIvan Mikhaylov [Path1] [Options] 2009f5e2d83SIvan Mikhaylov [Path2] [Options] 2019f5e2d83SIvan Mikhaylov [Actions] 2029f5e2d83SIvan Mikhaylov [Notify type2] [Recipient] 2039f5e2d83SIvan Mikhaylov [Logging type] [Options] 2049f5e2d83SIvan Mikhaylov``` 2059f5e2d83SIvan Mikhaylov 2069f5e2d83SIvan MikhaylovOptions can be updated via D-Bus properties. The audit service listens changes 2079f5e2d83SIvan Mikhaylovon configuration file and emit 'PropertiesChanged' signal with changed details. 2089f5e2d83SIvan Mikhaylov 209*f4febd00SPatrick Williams- The whitelisting and blacklisting 2109f5e2d83SIvan Mikhaylov 211*f4febd00SPatrick Williams> Possible list of requests which have to be filtered and processed. 'Whitelist' 212*f4febd00SPatrick Williams> filters possible requests which can be processed. 'Blacklist' blocks only 213*f4febd00SPatrick Williams> exact requests. 2149f5e2d83SIvan Mikhaylov 215*f4febd00SPatrick Williams- Enable/disable the event processing for directed services, where the directed 2169f5e2d83SIvan Mikhaylov service is any suitable services which can use audit service. 2179f5e2d83SIvan Mikhaylov 218*f4febd00SPatrick Williams> Each audit processing type can be disabled or enabled at runtime via config 219*f4febd00SPatrick Williams> file or D-Bus property. 2209f5e2d83SIvan Mikhaylov 221*f4febd00SPatrick Williams- Notification setup via SNMP/E-mail/Instant messengers/D-Bus 2229f5e2d83SIvan Mikhaylov 2239f5e2d83SIvan Mikhaylov> The end recipient notification system with different transports. 2249f5e2d83SIvan Mikhaylov 225*f4febd00SPatrick Williams- Logging 2269f5e2d83SIvan Mikhaylov 2279f5e2d83SIvan Mikhaylov> phosphor-logging, journald or anything else suitable for. 2289f5e2d83SIvan Mikhaylov 229*f4febd00SPatrick Williams- User actions 2309f5e2d83SIvan Mikhaylov 2319f5e2d83SIvan Mikhaylov> Running a command as consequenced action. 2329f5e2d83SIvan Mikhaylov 2339f5e2d83SIvan Mikhaylov## Workflow 2349f5e2d83SIvan Mikhaylov 2359f5e2d83SIvan MikhaylovAn example of possible flow: 2369f5e2d83SIvan Mikhaylov 2379f5e2d83SIvan Mikhaylov```ascii 2389f5e2d83SIvan Mikhaylov +----------------+ 2399f5e2d83SIvan Mikhaylov | NET IPMI | 2409f5e2d83SIvan Mikhaylov | REQUEST | 2419f5e2d83SIvan Mikhaylov +----------------+ 2429f5e2d83SIvan Mikhaylov | 2439f5e2d83SIvan Mikhaylov +--------------------------------------------------------------------------+ 2449f5e2d83SIvan Mikhaylov | +-------v--------+ IPMI | 2459f5e2d83SIvan Mikhaylov | | NET IPMI | | 2469f5e2d83SIvan Mikhaylov | +----------------+ | 2479f5e2d83SIvan Mikhaylov | | | 2489f5e2d83SIvan Mikhaylov | +-------v--------+ +---------------------------+ | 2499f5e2d83SIvan Mikhaylov | | rc = handle() +------->| audit_event<NET_IPMI>() | | 2509f5e2d83SIvan Mikhaylov | +----------------+ +---------------------------+ | 2519f5e2d83SIvan Mikhaylov | | | | 2529f5e2d83SIvan Mikhaylov | | | | 2539f5e2d83SIvan Mikhaylov | +-------v--------+ | | 2549f5e2d83SIvan Mikhaylov | | Processing | | | 2559f5e2d83SIvan Mikhaylov | | further | | | 2569f5e2d83SIvan Mikhaylov | +----------------+ | | 2579f5e2d83SIvan Mikhaylov +--------------------------------------------------------------------------+ 2589f5e2d83SIvan Mikhaylov | 2599f5e2d83SIvan Mikhaylov | 2609f5e2d83SIvan Mikhaylov +--------------------------------------------------------------------------+ 2619f5e2d83SIvan Mikhaylov | +-----------------------------+ | 2629f5e2d83SIvan Mikhaylov | | Audit Service | 2639f5e2d83SIvan Mikhaylov | | | 2649f5e2d83SIvan Mikhaylov | | | 2659f5e2d83SIvan Mikhaylov | | | 2669f5e2d83SIvan Mikhaylov | +-----v------+ | 2679f5e2d83SIvan Mikhaylov | NO | Is logging | YES | 2689f5e2d83SIvan Mikhaylov | +------+ enabled +--------------------+ | 2699f5e2d83SIvan Mikhaylov | | | for type? | | | 2709f5e2d83SIvan Mikhaylov | | +------------+ +-------v-----+ | 2719f5e2d83SIvan Mikhaylov | | NO | Is request | YES | 2729f5e2d83SIvan Mikhaylov | | +--------+ type +--------+ | 2739f5e2d83SIvan Mikhaylov | | | | filtered? | | | 2749f5e2d83SIvan Mikhaylov | | | +-------------+ | | 2759f5e2d83SIvan Mikhaylov | | | | | 2769f5e2d83SIvan Mikhaylov | | +-------v-------+ | | 2779f5e2d83SIvan Mikhaylov | | | Notify | | | 2789f5e2d83SIvan Mikhaylov | | | Administrator | | | 2799f5e2d83SIvan Mikhaylov | | +---------------+ | | 2809f5e2d83SIvan Mikhaylov | | | | | 2819f5e2d83SIvan Mikhaylov | | +-------v-------+ | | 2829f5e2d83SIvan Mikhaylov | | | Log Event | | | 2839f5e2d83SIvan Mikhaylov | | +---------------+ | | 2849f5e2d83SIvan Mikhaylov | | | | | 2859f5e2d83SIvan Mikhaylov | | +-------v-------+ | | 2869f5e2d83SIvan Mikhaylov | | | User | | | 2879f5e2d83SIvan Mikhaylov | | | actions | | | 2889f5e2d83SIvan Mikhaylov | | +---------------+ | | 2899f5e2d83SIvan Mikhaylov | | | | | 2909f5e2d83SIvan Mikhaylov | | +-------v-------+ | | 2919f5e2d83SIvan Mikhaylov | +-------------->| End |<----------------------+ | 2929f5e2d83SIvan Mikhaylov | +---------------+ | 2939f5e2d83SIvan Mikhaylov | | 2949f5e2d83SIvan Mikhaylov +--------------------------------------------------------------------------+ 2959f5e2d83SIvan Mikhaylov``` 2969f5e2d83SIvan Mikhaylov 2979f5e2d83SIvan Mikhaylov## Notification mechanisms 2989f5e2d83SIvan Mikhaylov 299*f4febd00SPatrick WilliamsThe unified model for reporting accidents to the end user, where the transport 300*f4febd00SPatrick Williamscan be: 3019f5e2d83SIvan Mikhaylov 302*f4febd00SPatrick Williams- E-mail 3039f5e2d83SIvan Mikhaylov 304*f4febd00SPatrick Williams > Sending a note to directed recipient which set in configuration via sendmail 305*f4febd00SPatrick Williams > or anything else. 3069f5e2d83SIvan Mikhaylov 307*f4febd00SPatrick Williams- SNMP 3089f5e2d83SIvan Mikhaylov 3099f5e2d83SIvan Mikhaylov > Sending a notification via SNMP trap messages to directed recipient which 3109f5e2d83SIvan Mikhaylov > set in configuration. 3119f5e2d83SIvan Mikhaylov 312*f4febd00SPatrick Williams- Instant messengers 3139f5e2d83SIvan Mikhaylov 3149f5e2d83SIvan Mikhaylov > Sending a notification to directed recipient which set in configuration via 3159f5e2d83SIvan Mikhaylov > jabber/sametime/gtalk/etc. 3169f5e2d83SIvan Mikhaylov 317*f4febd00SPatrick Williams- D-Bus 3189f5e2d83SIvan Mikhaylov 3199f5e2d83SIvan Mikhaylov > Notify the other service which set in configuration via 'method_call' or 3209f5e2d83SIvan Mikhaylov > 'signal'. 3219f5e2d83SIvan Mikhaylov 3229f5e2d83SIvan MikhaylovNotifications will be skipped in case if there is no any of above configuration 3239f5e2d83SIvan Mikhaylovrules is set inside configuration. It is possible to pick up rules at runtime. 3249f5e2d83SIvan Mikhaylov 3259f5e2d83SIvan Mikhaylov## User Actions 3269f5e2d83SIvan Mikhaylov 327*f4febd00SPatrick Williams- Exec application via 'system' call. 328*f4febd00SPatrick Williams- The code for directed handling type inside handler itself. As example for 'net 329*f4febd00SPatrick Williams ipmi' in case of unsuccessful user login inside handler: 330*f4febd00SPatrick Williams - Sends a notification to administrator. 331*f4febd00SPatrick Williams - echo heartbeat > /sys/class/leds/alarm_red/trigger 3329f5e2d83SIvan Mikhaylov 3339f5e2d83SIvan Mikhaylov## Alternatives Considered 3349f5e2d83SIvan Mikhaylov 335*f4febd00SPatrick WilliamsProcessing user requests in each dedicated interface service and logging them 336*f4febd00SPatrick Williamsseparately for each of the interfaces. Scattered handling looks like an 337*f4febd00SPatrick Williamserror-prone and rigid approach. 3389f5e2d83SIvan Mikhaylov 3399f5e2d83SIvan Mikhaylov## Impacts 3409f5e2d83SIvan Mikhaylov 3419f5e2d83SIvan MikhaylovImproves system manageability and security. 3429f5e2d83SIvan Mikhaylov 3439f5e2d83SIvan MikhaylovImpacts when phosphor-audit is not enabled: 344*f4febd00SPatrick Williams 3459f5e2d83SIvan Mikhaylov- Many services will have slightly larger code size and longer CPU path length 3469f5e2d83SIvan Mikhaylov due to invocations of audit_event(). 3479f5e2d83SIvan Mikhaylov- Increased D-Bus traffic. 3489f5e2d83SIvan Mikhaylov 349*f4febd00SPatrick WilliamsImpacts when phosphor-audit is enabled: All of the above, plus: 350*f4febd00SPatrick Williams 3519f5e2d83SIvan Mikhaylov- Additional BMC processor time needed to handle audit events. 3529f5e2d83SIvan Mikhaylov- Additional BMC flash storage needed to store logged events. 3539f5e2d83SIvan Mikhaylov- Additional outbound network traffic to notify users. 3549f5e2d83SIvan Mikhaylov- Additional space for notification libraries. 3559f5e2d83SIvan Mikhaylov 3569f5e2d83SIvan Mikhaylov## Testing 3579f5e2d83SIvan Mikhaylov 3589f5e2d83SIvan Mikhaylov`dbus-send` as command-line tool for generating audit events. 3599f5e2d83SIvan Mikhaylov 3609f5e2d83SIvan MikhaylovScenarios: 361*f4febd00SPatrick Williams 362*f4febd00SPatrick Williams- For each supported service (such as Redfish, net IPMI, host IPMI, PLDM), 363*f4febd00SPatrick Williams create audit events, and validate they get logged. 3649f5e2d83SIvan Mikhaylov- Ensure message-type and request-type filtering works as expected. 3659f5e2d83SIvan Mikhaylov- Ensure basic notification actions work as expected (log, command, notify). 366*f4febd00SPatrick Williams- When continuously generating audit-events, change the phosphor-audit service's 367*f4febd00SPatrick Williams configuration, and validate no audit events are lost, and the new 368*f4febd00SPatrick Williams configuration takes effect. 369