Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: e05d83f7a8
Branches Tags
elasticsearch
/
x-pack
/
docs
/
en
/
security
/
auditing
/
ignore-policy.asciidoc

ignore-policy.asciidoc 3.9 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. [role="xpack"]
    2. 

  2. [[audit-log-ignore-policy]]
    3. 

  3. === Logfile audit events ignore policies
    4. 

  4. 

  5. The comprehensive audit trail is necessary to ensure accountability. It offers tremendous
    6. 

  6. value during incident response and can even be required for demonstrating compliance.
    7. 

  7. 

  8. The drawback of an audited system is represented by the inevitable performance penalty incurred.
    9. 

  9. In all truth, the audit trail spends _I/O ops_ that are not available anymore for the user's queries.
    10. 

  10. Sometimes the verbosity of the audit trail may become a problem that the event type restrictions,
    11. 

  11. <<audit-log-settings, defined by `include` and `exclude`>>, will not alleviate.
    12. 

  12. 

  13. *Audit events ignore policies* are a finer way to tune the verbosity of the audit trail.
    14. 

  14. These policies define rules that match audit events which will be _ignored_ (read as: not printed).
    15. 

  15. Rules match on the values of attributes of audit events and complement the `include` or `exclude` method.
    16. 

  16. Imagine the corpus of audit events and the policies chopping off unwanted events.
    17. 

  17. With a sole exception, all audit events are subject to the ignore policies.
    18. 

  18. The exception are events of type `security_config_change`, which cannot be filtered out,
    19. 

  19. unless excluded altogether.
    20. 

  20. 

  21. IMPORTANT: When utilizing audit events ignore policies you are acknowledging potential
    22. 

  22. accountability gaps that could render illegitimate actions undetectable.
    23. 

  23. Please take time to review these policies whenever your system architecture changes.
    24. 

  24. 

  25. A policy is a named set of filter rules. Each filter rule applies to a single event attribute,
    26. 

  26. one of the `users`, `realms`, `roles` or `indices` attributes. The filter rule defines
    27. 

  27. a list of <<regexp-syntax,Lucene regexp>>, *any* of which has to match the value of the audit
    28. 

  28. event attribute for the rule to match.
    29. 

  29. A policy matches an event if *all* the rules comprising it match the event.
    30. 

  30. An audit event is ignored, therefore not printed, if it matches *any* policy. All other
    31. 

  31. non-matching events are printed as usual.
    32. 

  32. 

  33. All policies are defined under the `xpack.security.audit.logfile.events.ignore_filters`
    34. 

  34. settings namespace. For example, the following policy named _example1_ matches
    35. 

  35. events from the _kibana_system_ or _admin_user_ principals that operate over indices of the
    36. 

  36. wildcard form _app-logs*_:
    37. 

  37. 

  38. [source,yaml]
    39. 

  39. ----------------------------
    40. 

  40. xpack.security.audit.logfile.events.ignore_filters:
    41. 

  41.   example1:
    42. 

  42.     users: ["kibana_system", "admin_user"]
    43. 

  43.     indices: ["app-logs*"]
    44. 

  44. ----------------------------
    45. 

  45. 

  46. An audit event generated by the _kibana_system_ user and operating over multiple indices
    47. 

  47. , some of which do not match the indices wildcard, will not match.
    48. 

  48. As expected, operations generated by all other users (even operating only on indices that
    49. 

  49. match the _indices_ filter) will not match this policy either.
    50. 

  50. 

  51. Audit events of different types may have <<audit-event-attributes, different attributes>>.
    52. 

  52. If an event does not contain an attribute for which some policy defines filters, the
    53. 

  53. event will not match the policy.
    54. 

  54. For example, the following policy will never match `authentication_success` or
    55. 

  55. `authentication_failed` events, irrespective of the user's roles, because these
    56. 

  56. event schemas do not contain the `role` attribute:
    57. 

  57. 

  58. [source,yaml]
    59. 

  59. ----------------------------
    60. 

  60. xpack.security.audit.logfile.events.ignore_filters:
    61. 

  61.   example2:
    62. 

  62.     roles: ["admin", "ops_admin_*"]
    63. 

  63. ----------------------------
    64. 

  64. 

  65. Likewise, any events of users with multiple roles, some of which do not match the
    66. 

  66. regexps will not match this policy.
    67. 

  67. 

  68. For completeness, although practical use cases should be sparse, a filter can match
    69. 

  69. a missing attribute of an event, using the empty string ("") or the empty list ([]).
    70. 

  70. For example, the following policy will match events that do not have the `indices`
    71. 

  71. attribute (`anonymous_access_denied`, `authentication_success` and other types) as well
    72. 

  72. as events over the _next_ index.
    73. 

  73. 

  74. [source,yaml]
    75. 

  75. ----------------------------
    76. 

  76. xpack.security.audit.logfile.events.ignore_filters:
    77. 

  77.   example3:
    78. 

  78.     indices: ["next", ""]
    79. 

  79. ----------------------------
    80.