Audit Logging

All authenticated operations performed through the REST API are logged to an audit trail log called system:audit-trail-log, while all unauthenticated operations are logged to system:unauthenticated-audit-trail-log. Each audit log entry contains a number of fields (some of which are optional):

  • When it occurred
  • The name of the tenant
  • The user that performed the operation
  • The token that was used to authenticate
  • The site where the operation was performed
  • The host where the operation was performed
  • The client IP address
  • The agent that performed the operation
  • The HTTP method, i.e. GET, POST, DELETE etc.
  • The path on which the operation was performed
  • The HTTP status, i.e. whether it was successful or not
  • The HTTP request parameters

An entry may look like this:

{
  "occurred-at": "2021-08-24T07:10:03.330Z",
  "tenant": "popcorn-systems",
  "user": "joe@popcorn-systems.com",
  "token": "sbox:hashed:v1:2t+/fHZrxaIuH6HAfjPKxPOyoRurN8VzFqLlV1uTmaU=",
  "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b",
  "site": "topdc",
  "host": "topdc-001",
  "client-ip": "192.168.100.1",
  "user-agent": "Python-urllib/3.9",
  "method": "POST",
  "path": "/v1/config/strongbox/vaults/foo/secrets",
  "status": 201,
  "status-info": "Created",
  "request-parameters": {
    "name": "sbox:hashed:v1:IEKFE1i8iL29EAXoaoSYSSIM0YfViihd50YuxepBknE=",
    "data": {
      "baz": "sbox:hashed:v1:mtJLNZmPchVdTnMaqor2yFcFl92BWLR+eJjfLfd5SO4=",
      "bax": "sbox:hashed:v1:lptj6FlLKGBYDguEqynzpXDx8x3wiPb9R+C81lVLkvc="
    },
    "allow-image-access": [
      "sbox:hashed:v1:x72q/KYBPj0JbGLveUqnv/MPmZelIjmCW7gB4gopvhM="
    ]
  }
}

Note that sensitive values are hashed using an HMAC before they are written to the log; these values are identified by the sbox:hashed: prefix. The audit log is a regular Volga topic that is available at the Control Tower.

Inspect audit logs

To view the audit trail log, use the Volga streaming API:

supctl do volga topics system:audit-trail-log consume --data-only

This may return something like the following:

{
  "occurred-at": "2021-08-24T08:31:00.491Z",
  "tenant": "popcorn-systems",
  "user": "joe@popcorn-systems.com",
  "token": "sbox:hashed:v1:8QfurDZazoukKdsFAbd1r9DKrY0IpfzAjWM8vwjfsT8=",
  "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b",
  "site": "udc2",
  "host": "udc2-001",
  "client-ip": "192.168.100.1",
  "user-agent": "Python-urllib/3.9",
  "method": "POST",
  "path": "/v1/login",
  "status": 200,
  "status-info": "OK",
  "request-parameters": {
    "username": "joe@popcorn-systems.com",
    "password": "sbox:hashed:v1:Lt/c2/SnUqJOMbJsapNJbipsIjS9V/b1IedyrjBeepM="
  }
}

{
  "occurred-at": "2021-08-24T08:31:00.562Z",
  "tenant": "popcorn-systems",
  "user": "joe@popcorn-systems.com",
  "token": "sbox:hashed:v1:8QfurDZazoukKdsFAbd1r9DKrY0IpfzAjWM8vwjfsT8=",
  "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b",
  "site": "udc2",
  "host": "udc2-001",
  "client-ip": "192.168.100.1",
  "user-agent": "Python-urllib/3.9",
  "method": "GET",
  "path": "/v1/state/strongbox/vaults/new2/secrets/my-new-new-secret",
  "status": 200,
  "status-info": "OK"
}

Blocking a bad actor

The accessor field identifies the token that was used for the operation. Revoking the token by its accessor immediately blocks further access for a bad actor:

supctl do strongbox token revoke accessor "02d1aab2-916e-4b4b-87b4-0714374ee21b"

Search for secrets in audit logs

To search for a known sensitive value, first calculate its HMAC using the strongbox audit hmac endpoint:

supctl do strongbox audit hmac --no-base64-encoded verysecret
hmac: sbox:hashed:v1:Lt/c2/SnUqJOMbJsapNJbipsIjS9V/b1IedyrjBeepM=

Then search for this string in the audit trail log.
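The consume output above is a stream of JSON objects separated by blank lines rather than one object per line, so a line-oriented grep can miss values inside pretty-printed entries. The following added example (not part of the original documentation or the supctl tool) parses such a stream, finds every entry whose request parameters carry a given sbox:hashed value, and reports the accessor so the matching token can be revoked; the sample output is constructed for the example.

```python
import json
from typing import Iterator

# Constructed sample shaped like `supctl do volga topics
# system:audit-trail-log consume --data-only` output: JSON objects
# separated by blank lines, pretty-printed or compact (not JSON Lines).
SAMPLE_CONSUME_OUTPUT = """
{
  "occurred-at": "2021-08-24T08:31:00.491Z",
  "user": "joe@popcorn-systems.com",
  "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b",
  "client-ip": "192.168.100.1",
  "method": "POST",
  "path": "/v1/login",
  "status": 200,
  "request-parameters": {
    "username": "joe@popcorn-systems.com",
    "password": "sbox:hashed:v1:Lt/c2/SnUqJOMbJsapNJbipsIjS9V/b1IedyrjBeepM="
  }
}

{"occurred-at": "2021-08-24T08:31:00.562Z", "user": "joe@popcorn-systems.com",
 "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b", "client-ip": "192.168.100.1",
 "method": "GET", "path": "/v1/state/strongbox/vaults/new2/secrets/s1", "status": 200}
"""

def iter_entries(text: str) -> Iterator[dict]:
    """Yield each JSON object from concatenated consume output."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(text):
        if text[pos].isspace():          # skip separators between objects
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def _contains(value, needle: str) -> bool:
    """Recursively check whether needle appears anywhere under value."""
    if isinstance(value, dict):
        return any(_contains(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(_contains(v, needle) for v in value)
    return value == needle

def find_hashed_value(text: str, hmac: str) -> list[dict]:
    """Summarise every entry whose request parameters carry the hashed
    value, keeping the accessor so the token can be revoked if needed."""
    return [{"occurred-at": e["occurred-at"], "user": e.get("user"),
             "accessor": e.get("accessor"), "client-ip": e.get("client-ip"),
             "method": e["method"], "path": e["path"]}
            for e in iter_entries(text)
            if _contains(e.get("request-parameters", {}), hmac)]
```

Pipe the real consume output into find_hashed_value with the string returned by supctl do strongbox audit hmac to locate every request that carried that secret.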