
Killing the audit process allows auditable activities to be carried out without an audit trail being generated

Open PaulMakinMojaloop opened this issue 9 months ago • 1 comments

Summary: When running vNext, I found that if the audit BC process failed to start, or was directly terminated, I was able to carry out auditable activities (liquidity changes etc.) with no entries being made in the audit log. This is a clear security/integrity risk; if an attacker is able to kill the audit process, they could (for example) allow a DFSP to continue transacting even if there is no liquidity available; come settlement time, this presents an existential risk to the scheme operator.

Severity: High

Priority: Critical

Expected Behavior: If it is not possible to add an audit log entry, then the associated activity should not be allowed.

Acceptance Criteria

  • [1 ] Scenario: Audit process failure or termination prevents auditable activities
  • Given the audit process fails or is terminated
  • When an auditable activity is attempted
  • Then the activity should not be allowed to proceed

PaulMakinMojaloop avatar May 15 '24 13:05 PaulMakinMojaloop

Thanks @PaulMakinMojaloop , this is critical. I've observed the same as well.

elnyry-sam-k avatar May 17 '24 08:05 elnyry-sam-k

Dear @PaulMakinMojaloop ,

We have already tested the auditing service and discovered that once the auditing service has been restored, the actions that were performed during the downtime are recorded in the audit log.

Scenario 1

Step 1: Terminate the auditing service

Step 2: Deposit 1000 MXN to demoWalletLcc

Step 3: Approve that fund deposit by user account

Result 1: Any audit log is available since auditing service is down

Step 5: Auditing service is up

Result 2: Fund deposit and approval actions appear after the service has been up

Result 3: Log details in kibana search

Scenario 2

Step 1: Terminate the auditing service

Step 2: Make transactions

Step 3: Auditing service is up

Result: These transactions appear in kibana after the service has been up

PhyuSinMyat8 avatar Jun 13 '24 10:06 PhyuSinMyat8

Testing Result after termination of Kafka service

State 1: Kafka service is up.

Result 1: transaction is successful with 0 error.

State 2: Kafka service is terminated.

Result 2: transaction is failed with 100% error rate.

Result 3: No participant data available and no deposit activity available after Kafka service termination.

Result 4: All the related services that need to communicate with Kafka that included settlement, participant, quote, transfer, account lookup and such are down.

ei-nghon-phoo avatar Jun 14 '24 05:06 ei-nghon-phoo

test momo

Monicaminzy avatar Jun 14 '24 09:06 Monicaminzy

Confirmed by @PaulMakinMojaloop that we can close this comment.

JulieG19 avatar Jun 19 '24 10:06 JulieG19
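
The acceptance criterion in the issue, and the two outcomes reported in the test comments, can be shown as a fail-closed wrapper. This is an added TypeScript example, not code from the thread or from Mojaloop vNext. It assumes audit entries are appended to a durable log that a separate audit reader consumes; all class and function names are hypothetical.

```typescript
// Added example; every name here is hypothetical, not a Mojaloop vNext API.
interface AuditEntry { actor: string; action: string; detail: string }

// The audit record must be durably appended here before the activity runs.
interface AuditSink { append(entry: AuditEntry): void } // throws if not durable

class AuditUnavailableError extends Error {}

// Stand-in for a durable log (broker topic or append-only store).
class DurableLog implements AuditSink {
  available = true;
  entries: AuditEntry[] = [];
  append(entry: AuditEntry): void {
    if (!this.available) throw new Error("audit sink unreachable");
    this.entries.push(entry);
  }
}

// Stand-in for the audit service that reads the log and makes it searchable.
// It can be down without losing entries, because it resumes from its offset.
class AuditIndexer {
  running = true;
  offset = 0;
  indexed: AuditEntry[] = [];
  log: DurableLog;
  constructor(log: DurableLog) { this.log = log; }
  poll(): number {
    if (!this.running) return 0;
    const fresh = this.log.entries.slice(this.offset);
    this.indexed.push(...fresh);
    this.offset += fresh.length;
    return fresh.length;
  }
}

// Fail closed: the activity runs only after the audit append succeeded.
function runAudited<T>(sink: AuditSink, entry: AuditEntry, activity: () => T): T {
  try {
    sink.append(entry);
  } catch {
    throw new AuditUnavailableError(`refused "${entry.action}": audit write failed`);
  }
  return activity();
}
```

With the reader stopped but the log reachable, the activity proceeds and the entry is indexed once the reader resumes; with the log itself unreachable, `runAudited` throws before the activity executes, so no state changes without an audit record.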