@infamousjoeg
Last active April 10, 2018 13:52
CyberArk Conjur - Secure Logs (Audit)

CyberArk Conjur - Secure Logs

All of the audit data recorded by CyberArk Conjur is kept within the Conjur Master and is immutable. You can view audit data through the Conjur UI or the Conjur CLI, or ship it via syslog to a SIEM.

Audit Logs via CLI

# View the last 10 audit events for the variable 'dev/mongo/password'
$ conjur audit resource -s -l 10 variable:dev/mongo/password
[2015-12-04 22:09:19 UTC] conjur:host:dev/mongo001 checked that they can execute conjur:variable:dev/mongo/password (true)
[2015-12-01 12:20:34 UTC] conjur:host:dev/mongo001 checked that they can execute conjur:variable:dev/mongo/password (true)
[2015-11-30 19:21:14 UTC] conjur:host:dev/mongo001 checked that they can execute conjur:variable:dev/mongo/password (true)
[2015-11-30 15:15:22 UTC] conjur:host:dev/redis001 checked that they can execute conjur:variable:dev/mongo/password (false)
[2015-11-29 22:22:21 UTC] conjur:host:dev/mongo001 checked that they can execute conjur:variable:dev/mongo/password (true)
[2015-11-27 21:52:02 UTC] conjur:user:alice checked that they can update conjur:variable:dev/mongo/password (true)
[2015-11-25 15:41:29 UTC] conjur:host:dev/mongo001 checked that they can execute conjur:variable:dev/mongo/password (true)
[2015-11-22 04:28:51 UTC] conjur:host:dev/mongo001 checked that they can execute conjur:variable:dev/mongo/password (true)
[2015-11-21 19:36:28 UTC] conjur:host:dev/mongo001 checked that they can execute conjur:variable:dev/mongo/password (true)
[2015-11-21 16:38:57 UTC] conjur:host:dev/mongo001 checked that they can execute conjur:variable:dev/mongo/password (true)
[2015-11-20 16:52:02 UTC] conjur:user:dennis checked that they can read conjur:variable:dev/mongo/password (false)

Audit via syslog (Shipping Logs)

On a Conjur appliance, a tailer is set up by default that writes every audit message to /var/log/conjur/audit.messages. Logrotate is configured to rotate the file daily, restarting the service as appropriate. This is already in place if you are running the Conjur AMI.

If running Conjur as a Docker container, volume-mount the directory /var/log/conjur to the host so the audit file lives outside the container, like so:

$ docker run -d --restart always \
  --name conjur-solo \
  -p "443:443" -p "636:636" -p "5432:5432" -p "5433:5433" \
  -v /var/log/conjur:/var/log/conjur \
  conjur-appliance:4.9-stable

Point your log aggregation tooling at that file to ship Conjur audit events to the service as easily searchable JSON. The host-side path is arbitrary: the directory can be mounted anywhere on the host running the Conjur container (adjust the left-hand side of the -v flag accordingly).

The Conjur appliance contains a service named audit-tail, a small utility that connects to the local Conjur database, follows the audit tail, and prints messages in JSON format to stdout or to a file as they appear. It is designed to remember its place in the database so that no messages are lost even if it is terminated. The output is a sequence of JSON objects, one per audit message, separated by newlines. Note that the output file as a whole is not a well-formed JSON document: consumers must parse it line by line rather than loading the whole file as a single JSON value.
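The line-at-a-time format matters for whoever consumes the file. The following is an added example (not part of the original gist and not code from the Conjur appliance) showing how a log-shipping or detection script should read audit.messages: decode each line on its own, tolerate a truncated last line, and pull out the denied permission checks that correspond to the (false) entries in the CLI output above. The sample lines are constructed for this example, and their field names (timestamp, role, action, privilege, resource_id, allowed) are an assumption borrowed from the custom-event fields described later on this page; check them against what audit-tail actually emits on your appliance.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample of an audit.messages file: one JSON object per line.
# The field names are an assumption (see the lead-in); the exact schema that
# audit-tail emits for automatically recorded events is not given on this page.
# The last line is deliberately truncated, as happens when a reader catches
# audit-tail (or logrotate) mid-write.
SAMPLE_AUDIT_MESSAGES = (
    '{"timestamp": "2015-12-04T22:09:19Z", "role": "conjur:host:dev/mongo001", '
    '"action": "check", "privilege": "execute", '
    '"resource_id": "conjur:variable:dev/mongo/password", "allowed": true}\n'
    '{"timestamp": "2015-11-30T15:15:22Z", "role": "conjur:host:dev/redis001", '
    '"action": "check", "privilege": "execute", '
    '"resource_id": "conjur:variable:dev/mongo/password", "allowed": false}\n'
    '{"timestamp": "2015-11-27T21:52:02Z", "role": "conjur:user:alice", '
    '"action": "check", "privilege": "update", '
    '"resource_id": "conjur:variable:dev/mongo/password", "allowed": true}\n'
    '{"timestamp": "2015-11-20T16:52:02Z", "role": "conjur:user:dennis", '
    '"action": "check", "privilege": "read", '
    '"resource_id": "conjur:variable:dev/mongo/password", "allowed": false}\n'
    '{"timestamp": "2015-11-20T16:53:10Z", "role": "conjur:user:dennis", '
    '"action": "check", "privi\n'
)


def parse_audit_messages(text: str) -> Tuple[List[Dict[str, Any]], int]:
    """Parse a newline-separated sequence of JSON objects.

    json.loads(text) on the whole file fails because the file is many JSON
    documents, not one.  Each line is decoded on its own; a line that does not
    decode (a partial write, or corruption) is counted and skipped so one bad
    line does not stop the pipeline.  Returns (events, skipped_line_count).
    """
    events: List[Dict[str, Any]] = []
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(event, dict):
            events.append(event)
        else:
            skipped += 1  # a bare number or string is not an audit message
    return events, skipped


def denied_checks(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Events where a role asked for a privilege on a resource and was refused.

    These are the lines worth alerting on: a host or user probing a secret it
    is not entitled to (dev/redis001 and dennis in the CLI output above).
    'allowed' is compared to False explicitly so a missing field is not
    mistaken for a denial.
    """
    return [e for e in events
            if e.get("action") == "check" and e.get("allowed") is False]


def summarize_denials(text: str) -> Dict[str, int]:
    """Count denials per role/privilege/resource, the shape a SIEM rule keys on."""
    events, _ = parse_audit_messages(text)
    counts: Dict[str, int] = {}
    for e in denied_checks(events):
        key = f"{e.get('role')} {e.get('privilege')} {e.get('resource_id')}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed, bad = parse_audit_messages(SAMPLE_AUDIT_MESSAGES)
    print(f"parsed {len(parsed)} events, skipped {bad} malformed line(s)")
    for key, n in summarize_denials(SAMPLE_AUDIT_MESSAGES).items():
        print(f"DENIED x{n}: {key}")
```

In a real pipeline, replace SAMPLE_AUDIT_MESSAGES with the contents of /var/log/conjur/audit.messages (or the stream your shipper hands you) and feed the skipped count to a metric: a steadily rising number means the file is being read mid-rotation or the tailer is writing something the parser does not expect.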

Custom Audit Events

Automatically recorded audit trails contain only generalized data, so they can be limited in scope. To capture additional information about application workflow, custom events can also be inserted into the audit log using the Conjur API. A custom event might be used, for instance, to track the beginning and end of a rotation operation or to record the results of an LDAP synchronization.

Custom audit events are sent as JSON documents with these fields:

action — the only mandatory field; the remaining fields are recommended
facility — class of audit events
role — role which performed the reported action
resource_id — resource on which the action was performed
allowed — whether the action succeeded (typically true/false)
audit_message — brief description of the event, if needed
error — error message in case of error
timestamp — if provided, it should be in standard ISO 8601 format: "yyyy-MM-ddTHH:mm:ssZ"

Example

{
  "action": "launch",
  "facility": "infra",
  "role": "demo:chatbot:hubot",
  "resource_id": "demo:host:dev/frontend/web003",
  "audit_message": "hubot launched host dev/frontend/web003",
  "allowed": true
}

A JSON document can contain a single object or an array of objects. All important information about the send request itself (such as the Conjur identity, IP address, and timestamp) is preserved in the event, along with everything provided by the client.

Custom events appear in the output of a Conjur resource if any of the following are true:

- the field resource_id is set to <resource-id>
- the array resources includes <resource-id>

Custom events appear in the output of a Conjur role if any of the following are true:

- the field role is explicitly set to <role-id>
- the array roles includes <role-id>
- the ID of the actor submitting the event is <role-id>
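As an added example (not code from the gist or from Conjur), the Python below builds custom events with the fields listed above, enforces the two constraints the page states (action is mandatory; a supplied timestamp must be ISO 8601 UTC), and implements the resource and role visibility rules just described so you can predict where an event will show up before sending it. The rotation events, the facility name "rotation", the action names rotate:start and rotate:end, and the role and resource ids are illustrative choices for this example; the page does not name the API endpoint, so the example stops at the serialized request body.

```python
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Union

# The timestamp format required by the page: ISO 8601 in UTC.
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def utc_now_iso() -> str:
    """Current time in the page's format, e.g. 2015-12-04T22:09:19Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def validation_error(event: Dict[str, Any]) -> Optional[str]:
    """Describe the first problem with an event, or return None if it is sendable.

    'action' is the only mandatory field; a supplied timestamp must match the
    ISO format; the resources/roles arrays used by the visibility rules must be
    lists of ids.  Extra client-supplied fields are allowed (the page says they
    are preserved), so nothing else is rejected.
    """
    action = event.get("action")
    if not isinstance(action, str) or not action:
        return "'action' is mandatory and must be a non-empty string"
    ts = event.get("timestamp")
    if ts is not None and not ISO_UTC.match(str(ts)):
        return "timestamp must be ISO 8601 UTC, e.g. 2015-12-04T22:09:19Z"
    for name in ("resources", "roles"):
        value = event.get(name)
        if value is not None and not (
            isinstance(value, list) and all(isinstance(v, str) for v in value)
        ):
            return f"'{name}' must be an array of ids"
    return None


def build_custom_event(action: str, **fields: Any) -> Dict[str, Any]:
    """Build one custom audit event, dropping None-valued fields, and validate it."""
    event: Dict[str, Any] = {"action": action}
    event.update({k: v for k, v in fields.items() if v is not None})
    problem = validation_error(event)
    if problem:
        raise ValueError(problem)
    return event


def rotation_events(resource_id: str, role: str, started: str, finished: str,
                    error: Optional[str] = None) -> List[Dict[str, Any]]:
    """Two events bracketing a rotation, returned as one array document.

    The end event carries allowed=false plus the error text when rotation
    failed, so a search on the rotated variable shows the attempt and its
    outcome side by side.  Names here are illustrative (see the lead-in).
    """
    start = build_custom_event("rotate:start", facility="rotation", role=role,
                               resource_id=resource_id, timestamp=started,
                               audit_message=f"{role} began rotating {resource_id}")
    end = build_custom_event("rotate:end", facility="rotation", role=role,
                             resource_id=resource_id, timestamp=finished,
                             allowed=error is None, error=error,
                             audit_message=f"{role} finished rotating {resource_id}")
    return [start, end]


def appears_for_resource(event: Dict[str, Any], resource_id: str) -> bool:
    """Page rule: resource_id matches, or the resources array includes the id."""
    return (event.get("resource_id") == resource_id
            or resource_id in event.get("resources", []))


def appears_for_role(event: Dict[str, Any], role_id: str, actor: str) -> bool:
    """Page rule: role matches, roles array includes the id, or the submitting actor is the role."""
    return (event.get("role") == role_id
            or role_id in event.get("roles", [])
            or actor == role_id)


def to_document(events: Union[Dict[str, Any], List[Dict[str, Any]]]) -> str:
    """Serialize a single object or an array of objects as the request body."""
    return json.dumps(events, separators=(",", ":"))


if __name__ == "__main__":
    # The page's own example event, rebuilt through the validator.
    launch = build_custom_event("launch", facility="infra", role="demo:chatbot:hubot",
                                resource_id="demo:host:dev/frontend/web003",
                                audit_message="hubot launched host dev/frontend/web003",
                                allowed=True)
    print(to_document(launch))
    batch = rotation_events("demo:variable:dev/mongo/password", "demo:host:rotator",
                            utc_now_iso(), utc_now_iso(),
                            error="upstream refused the new credential")
    print(to_document(batch))
    print("visible under alice's role output:",
          appears_for_role(batch[1], "demo:user:alice", actor="demo:user:alice"))
```

Note the third role rule: an event with no role field at all still shows up under the identity that submitted it, because Conjur records the sender. If you send custom events from a shared automation identity, every event lands in that identity's audit output, so set role (or roles) explicitly to the principal the event is really about.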
