
yahoo-eng-team team mailing list archive

[Bug 1628627] [NEW] In FWaaS, when someone makes a change to a firewall rule we know, Who, What, When, and Where


Public bug reported:

In the FWaaS service, create the ability for administrators to engage an
'audit trail' feature.  The audit trail would notate every change to
firewalls that causes a security change.  The output would be to the
notification queue.

Audit notations should contain all information necessary to process
them.  For example, an audit notation that says "user abcde1234
permitted port 22 traffic from firewall group A to firewall group B" is
not enough information.  In order to determine what needs to be scanned,
the consumer of the audit would need to subsequently query FWaaS to
determine the membership of the 2 firewall groups cited.  Notations
should carry enough information so that no subsequent querying is
required for processing.

The notification should encompass all of:

- Who: Identity of the user initiating the change.
- What: The information on what was changed.  Should include port information, whether access was permitted or disallowed, etc.
- Where: A list of all affected ports/IP addresses/instances, grouped by connection origin/destination.  This could be abbreviated to indicate an entire tenant if that is the target.
- When: Timestamp indicating when the change was initiated.

Use case: This would allow a customer's security group to subscribe to a
collated feed of all security events in order to detect those events
that should trigger an audit or vulnerability scan.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: fwaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1628627

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1628627/+subscriptions
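What a self-contained Who/What/Where/When notation could look like, as an added illustration of the request above (example code, not neutron's FWaaS implementation): group membership is expanded into the event at emit time, and a consumer-side check rejects events that would force a follow-up query. The GROUP_MEMBERS inventory and the field names are assumptions.

```python
"""Added example (not neutron/FWaaS code): build and validate an FWaaS audit notation."""
import json
from datetime import datetime, timezone

# Constructed sample inventory: firewall group -> (port id, fixed IP, instance id) members.
GROUP_MEMBERS = {
    "group-A": [("port-a1", "10.0.1.5", "inst-a1"), ("port-a2", "10.0.1.6", "inst-a2")],
    "group-B": [("port-b1", "10.0.2.9", "inst-b1")],
}
MEMBER_FIELDS = ("port_id", "ip_address", "instance_id")


def build_audit_notation(user_id, tenant_id, action, protocol, dest_port,
                         source_group, dest_group, groups=GROUP_MEMBERS, when=None):
    """Return one event carrying everything a consumer needs, with no lookup required."""
    when = when or datetime.now(timezone.utc)

    def expand(name):  # resolve group membership now, not at consumption time
        return [dict(zip(MEMBER_FIELDS, member)) for member in groups[name]]

    return {
        "who": {"user_id": user_id, "tenant_id": tenant_id},
        "what": {"action": action, "protocol": protocol, "port": dest_port,
                 "source_group": source_group, "destination_group": dest_group},
        "where": {"source": expand(source_group), "destination": expand(dest_group)},
        "when": when.isoformat(),
    }


def is_self_contained(notation):
    """Consumer-side check: every side of 'where' must list concrete members."""
    if any(k not in notation for k in ("who", "what", "where", "when")):
        return False
    for side in ("source", "destination"):
        members = notation["where"].get(side)
        if not members or not all(all(m.get(f) for f in MEMBER_FIELDS) for m in members):
            return False
    return True


def scan_targets(notation):
    """Destination addresses a vulnerability scan should cover after a permit."""
    if notation["what"]["action"] != "allow":
        return []
    return sorted(m["ip_address"] for m in notation["where"]["destination"])


def to_queue_message(notation):
    """Serialise for the notification queue (JSON, as a consumer would receive it)."""
    return json.dumps(notation, sort_keys=True)
```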
