Layer7 API Management


Basic auditing of policy change details, can't get the who/where/what

  • 1.  Basic auditing of policy change details, can't get the who/where/what

    Posted 07-19-2019 05:56 PM

    Can anyone provide an example of a log sink that can audit the most basic of details needed for security investigations / real-time monitoring of changes?  I'm having a heck of a time getting what should be a simple thing to give me what I need.

    All I need to be able to get into a log is (not this format but this info that is)

    Admin Username=Blah From IP xxx.xxx.xxx.xxx changed Policy or config XYZ 

    Seems like the bare minimum information we need for auditing. But getting that in the API GW doesn't seem to work - unless I'm missing something... All I ever get is just that a policy was changed, but not by which admin or what IP they came from.

    My current sink properties:
    Severity=ALL
    Category=Audits
    Category=Gateway Log

    Global properties:
    audit.messageThreshold=INFO
    audit.detailThreshold=INFO

    But all it tells me is like this:

    2019-07-19T16:38:22.277-0500 INFO 415 com.l7tech.server.admin: Policy #somePolicy (Policy for service #someServiceID, MyService) updated (changed xml)

    2019-07-19T16:51:38.788-0500 INFO 651 com.l7tech.server.admin: SinkConfiguration #0000000000000000fffffffffffffcd6 (ssg) updated (changed severity)

    So I have no idea which admin made the change (who) or where it came from or anything useful other than it changed.

    The intent is that during security investigations we know who changes what. And also real-time monitoring in our logging solution(s) to alert if changes occur to certain policies by any account or IP NOT in a valid white list of allowed accounts/networks outside of planned migration windows.



  • 2.  RE: Basic auditing of policy change details, can't get the who/where/what
    Best Answer

    Posted 07-22-2019 04:14 PM
    Hi.

    This information is easier to retrieve from Audit.
    One option is to create an audit log sink and add some logic to collect the data.
    E.g.: 


    The snippet below produces the example from the image.
    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
        <wsp:All wsp:Usage="Required">
            <wsp:OneOrMore wsp:Usage="Required">
                <wsp:All wsp:Usage="Required">
                    <!-- Only act on administrative audit records (audit.type == "admin") -->
                    <L7p:ComparisonAssertion>
                        <L7p:CaseSensitive booleanValue="false"/>
                        <L7p:Expression1 stringValue="${audit.type}"/>
                        <L7p:Operator operatorNull="null"/>
                        <L7p:Predicates predicates="included">
                            <L7p:item dataType="included">
                                <L7p:Type variableDataType="string"/>
                            </L7p:item>
                            <L7p:item binary="included">
                                <L7p:CaseSensitive booleanValue="false"/>
                                <L7p:RightValue stringValue="admin"/>
                            </L7p:item>
                        </L7p:Predicates>
                    </L7p:ComparisonAssertion>
                    <!-- Write who did what to which entity, to a custom logger suffix, log only (no audit record) -->
                    <L7p:AuditDetailAssertion>
                        <L7p:CustomLoggerSuffix stringValue="admin.activity"/>
                        <L7p:Detail stringValue="User ${audit.user.name} executed action ${audit.action} in entity name ${audit.name} of type ${audit.entity.class}."/>
                        <L7p:LoggingOnly booleanValue="true"/>
                    </L7p:AuditDetailAssertion>
                    <L7p:assertionComment>
                        <L7p:Properties mapValue="included">
                            <L7p:entry>
                                <L7p:key stringValue="LEFT.COMMENT"/>
                                <L7p:value stringValue="ADMIN ACTIVITY"/>
                            </L7p:entry>
                        </L7p:Properties>
                    </L7p:assertionComment>
                </wsp:All>
                <!-- Fall through for non-admin audit records so the sink policy never fails -->
                <L7p:TrueAssertion/>
            </wsp:OneOrMore>
        </wsp:All>
    </wsp:Policy>


    ------------------------------
    Sr. Consultant Services
    HCL Enterprise Studio
    ------------------------------
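Added example, not part of the thread and not Layer7 code: once the audit sink policy above is writing lines in its "User ... executed action ... in entity name ... of type ..." template, the allow-list and change-window check the original question asks for can be done on the collector side. The script below parses constructed sample lines in that template and flags changes to watched entities made by a user outside an allow list or outside a planned change window. The timestamp format, the custom logger name, the user names and the entity names are assumptions; the source IP is not part of the template in the answer, so the check keys on the admin username and the entity name only.

```python
import re
from datetime import datetime, time

# Constructed sample lines (assumption: Gateway log timestamp format and the
# logger name "com.l7tech.log.custom.admin.activity"; only the message template
# "User X executed action Y in entity name Z of type W." comes from the policy).
SAMPLE_LOG = """\
2019-07-22T14:02:11.120-0500 INFO 412 com.l7tech.log.custom.admin.activity: User alice executed action Update in entity name MyService of type com.l7tech.policy.Policy.
2019-07-22T23:40:03.551-0500 INFO 413 com.l7tech.log.custom.admin.activity: User mallory executed action Update in entity name MyService of type com.l7tech.policy.Policy.
2019-07-22T14:05:47.009-0500 INFO 414 com.l7tech.log.custom.admin.activity: User bob executed action Delete in entity name Payments of type com.l7tech.policy.Policy.
2019-07-22T15:00:00.000-0500 INFO 415 com.l7tech.log.custom.admin.activity: User carol executed action Update in entity name Scratch of type com.l7tech.policy.Policy.
2019-07-22T14:06:00.000-0500 INFO 416 com.l7tech.server.admin: Policy #1234 (Policy for service #5678, MyService) updated (changed xml)
"""

# Matches the AuditDetailAssertion template; anything else (e.g. the default
# com.l7tech.server.admin line) is not an enriched admin event and is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \d+ (?P<logger>\S+): "
    r"User (?P<user>\S+) executed action (?P<action>\S+) "
    r"in entity name (?P<name>.+?) of type (?P<cls>\S+)\.$"
)

# Detection policy (assumed values): who may change which entities, and when.
ALLOWED_ADMINS = {"alice", "bob"}
WATCHED_ENTITIES = {"MyService", "Payments"}
CHANGE_WINDOW = (time(13, 0), time(17, 0))  # local time as carried in the log's UTC offset


def parse_admin_event(line):
    """Return a dict with ts/user/action/name/cls for an enriched admin line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # Python's %z accepts the -0500 style offset present in Gateway timestamps
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return event


def evaluate(lines, allowed=ALLOWED_ADMINS, watched=WATCHED_ENTITIES, window=CHANGE_WINDOW):
    """Return (user, action, entity, reasons) for every change that violates the policy."""
    alerts = []
    for line in lines:
        ev = parse_admin_event(line)
        if ev is None or ev["name"] not in watched:
            continue
        reasons = []
        if ev["user"] not in allowed:
            reasons.append("user not in allow list")
        if not (window[0] <= ev["ts"].time() <= window[1]):
            reasons.append("outside change window")
        if reasons:
            alerts.append((ev["user"], ev["action"], ev["name"], reasons))
    return alerts


if __name__ == "__main__":
    for user, action, entity, reasons in evaluate(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {user} did {action} on {entity}: {', '.join(reasons)}")
```

Feed the script the lines from the sink that carries the custom logger suffix; the stock `com.l7tech.server.admin` lines are deliberately ignored because, as the question shows, they carry no actor. If a later Gateway version exposes the caller address in an audit context variable, add it to the `Detail` template and extend `LINE_RE` and the allow list in the same way.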



  • 3.  RE: Basic auditing of policy change details, can't get the who/where/what

    Posted 07-23-2019 09:41 AM
    Thanks, I'll look into that approach.