
COMP-264 Updating documentation for audit secret logging (Audit Log section)

Open 123sarahj123 opened this issue 11 months ago • 2 comments

ON HOLD: Secrets is currently paused while the Compute team focuses on Cache Volumes. See our roadmap here.

Description

This PR just focuses on updating the relevant documentation of the audit event types for Audit Secret Logging. Docs: Pipelines -> Security -> Audit Log

A major part of incident investigation for secrets is audit logging. We assume that at some point in the future the secrets service will be compromised, either within a tenant or across all tenants. When an event like this happens, it will be important to get a list of the actions the attacker took during the compromise.

Audit events are implemented for creating, reading, updating and destroying a secret by actors across the Agent API, REST API and Web. We want to display relevant information for the user to view the audit logs in the UI.

There is a Linear ticket for creating the public docs for audit secret logging, however that relies on the Secrets UI and REST API having been built. This PR just focuses on updating the relevant documentation of the audit event types on the Audit Log section for Audit Secret Logging.

The Audit Secret Logging project has included:

  • Additional audit events that can be queried via GraphQL, as well as a description of Audit Secret Logging on the Audit Log page (Docs: Pipelines -> Security -> Audit Log):
      • SECRET_CREATED
      • SECRET_DELETED
      • SECRET_QUERIED
      • SECRET_READ
      • SECRET_UPDATED

    These docs are auto-generated and popped up in another PR (Autogenerated GraphQL docs). Also see more in my PR comment below.

  • Changes to the GraphQL Schema to include a Secret type
  • Changes to the GraphQL schema to include an AgentAPIContext
  • Changes to the GraphQL schema to include an actor type Agent
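As an added example (not code from this PR or from Buildkite), here is the kind of triage a defender would run over these event types once they are queryable: it builds a time-ordered timeline of SECRET_* events and flags actors that read many distinct secrets in a short window. The record shape and the USER actor type are assumptions; the event types, the Agent actor type, the SECRET subject type and AgentAPIContext come from the list above.

```python
"""Triage Buildkite secret audit events for incident review. Added example, not
from this PR or Buildkite; records are constructed sample data whose shape and
the USER actor type are assumed (SECRET_* types, Agent actor, SECRET subject
and AgentAPIContext come from the PR text)."""
from collections import defaultdict
from datetime import datetime, timedelta

SECRET_EVENTS = {"SECRET_CREATED", "SECRET_DELETED", "SECRET_QUERIED",
                 "SECRET_READ", "SECRET_UPDATED"}

def _ev(kind, actor_type, actor, secret, ts, ctx):
    """One constructed audit event record (assumed shape)."""
    return {"type": kind, "actor": {"type": actor_type, "name": actor},
            "subject": {"type": "SECRET", "name": secret},
            "occurredAt": ts, "context": ctx}

SAMPLE_EVENTS = [  # constructed, not real data
    _ev("SECRET_UPDATED", "USER", "bob", "db-pass", "2024-03-14T02:30:00Z", "WebContext"),
    _ev("SECRET_CREATED", "USER", "alice", "deploy-key", "2024-03-14T03:00:00Z", "WebContext"),
    _ev("SECRET_QUERIED", "AGENT", "agent-7", "deploy-key", "2024-03-14T03:04:00Z", "AgentAPIContext"),
    _ev("SECRET_READ", "AGENT", "agent-7", "deploy-key", "2024-03-14T03:05:00Z", "AgentAPIContext"),
    _ev("SECRET_READ", "AGENT", "agent-7", "db-pass", "2024-03-14T03:06:00Z", "AgentAPIContext"),
    _ev("SECRET_READ", "AGENT", "agent-7", "api-token", "2024-03-14T03:07:00Z", "AgentAPIContext"),
    _ev("SECRET_READ", "AGENT", "agent-2", "deploy-key", "2024-03-14T04:00:00Z", "AgentAPIContext"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def actor_id(e):
    return f'{e["actor"]["type"]}:{e["actor"]["name"]}'

def secret_timeline(events):
    """SECRET_* events in time order as (time, actor, event type, secret)."""
    return sorted((parse_ts(e["occurredAt"]), actor_id(e), e["type"],
                   e["subject"]["name"]) for e in events if e["type"] in SECRET_EVENTS)

def flag_read_bursts(events, window=timedelta(minutes=10), threshold=3):
    """{actor: max distinct secrets read inside one `window`} for actors >= threshold."""
    reads = defaultdict(list)
    for e in sorted(events, key=lambda e: e["occurredAt"]):  # ISO-8601 strings sort in time order
        if e["type"] == "SECRET_READ":
            reads[actor_id(e)].append((parse_ts(e["occurredAt"]), e["subject"]["name"]))
    flagged = {}
    for actor, rows in reads.items():
        # sliding window: distinct secrets read within `window` of each read
        best = max(len({s for t, s in rows[i:] if t - start <= window})
                   for i, (start, _) in enumerate(rows))
        if best >= threshold:
            flagged[actor] = best
    return flagged
```

A timeline like this is only as useful as the audit log is complete, so the check that matters is that every path (Agent API, REST API, Web) emits these events.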

Context

  • BC Post
  • Linear Ticket
  • Linear Project for Audit Secret Logging

123sarahj123 · Mar 14 '24 03:03

Preview URL: https://2716--bk-docs-preview.netlify.app

buildkite-docs-bot · Mar 14 '24 03:03

I have popped this on the Linear ticket, but will also pop here:

Re technical documentation in the docs: where should this go? There is Security -> Secret Management. There is also Security -> Audit Log (which has the updated states, but do I describe the secret audit logging here and what it contains?).

Also, looking at the cookbook documentation, I don't think I should add Secrets there (as the cookbook is for common tasks). This sort of links in with the question in the above comment. I need to write about these audit logs specifically for secrets to reassure that they do not contain sensitive information.

GraphQL schema docs have secret included:

  • ENUMS -> AuditEventType has the secret events included ✅
  • ENUMS -> AuditActorType has the agent included
  • ENUMS -> AuditSubjectType has SECRET included ✅
  • Unions -> AuditActorNode has Agent ✅
  • Unions -> AuditContext includes AgentAPIContext, and in the GraphQL -> Objects section

123sarahj123 · Mar 14 '24 03:03