Audit trail filtering rules cannot be deleted in the usual way other cluster settings are removed. #68588

@markharwood

A user reported an issue where they wanted to delete an existing audit filter rule by changing the cluster setting to null (the usual way cluster settings are effectively removed).
Unfortunately the net effect was to create a rule that filtered all audit log entries.

I reproduced this by adding this test to LoggingAuditTrailFilterTests:

```java
public void testNullPolicyDoesNotMatchEvent() throws Exception {
    final Logger logger = CapturingLogger.newCapturingLogger(Level.INFO, null);
    final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
    final Settings.Builder settingsBuilder = Settings.builder().put(settings);
    // Removing the rule the usual way: set its "users" attribute to null
    settingsBuilder.putNull("xpack.security.audit.logfile.events.ignore_filters.userPolicy.users");
    final LoggingAuditTrail auditTrail = new LoggingAuditTrail(settingsBuilder.build(), clusterService, logger, threadContext);
    final User unfilteredUser = new User("Fred");
    // Null setting should not match
    assertFalse("Shouldn't match users with a null rule", auditTrail.eventFilterPolicyRegistry.ignorePredicate()
        .test(new AuditEventMetaInfo(Optional.of(unfilteredUser), Optional.empty(), Optional.empty(), Optional.empty())));
}
```
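As an added illustration (a constructed model, not Elasticsearch's code), the snippet below reconstructs how flat `ignore_filters.<policy>.<attribute>` settings are grouped into rules, assuming the attributes are `users`, `realms`, `roles` and `indices` and that an attribute left unspecified matches any value. Keeping a policy whose only attribute was set to null leaves a rule with no constraints that drops every audit event; discarding null attributes and the then-empty policy makes the null write behave as a deletion.

```python
# Constructed model (not Elasticsearch's code) of how audit ignore_filters
# policies are assembled from flat cluster settings, showing why a null
# attribute must delete the policy instead of leaving a match-everything rule.
from fnmatch import fnmatchcase
from typing import Optional

PREFIX = "xpack.security.audit.logfile.events.ignore_filters."
ATTRS = ("users", "realms", "roles", "indices")  # assumed rule attributes


def group_policies(settings: dict) -> dict:
    """Group 'ignore_filters.<policy>.<attr>' keys into {policy: {attr: value}}."""
    policies = {}
    for key, value in settings.items():
        if not key.startswith(PREFIX):
            continue
        policy, attr = key[len(PREFIX):].rsplit(".", 1)
        policies.setdefault(policy, {})[attr] = value
    return policies


def attr_matches(patterns: Optional[list], value: Optional[str]) -> bool:
    """An unconstrained attribute (None) matches any value; otherwise wildcard-match."""
    if patterns is None:
        return True
    return value is not None and any(fnmatchcase(value, p) for p in patterns)


def build_ignore_predicate(settings: dict, drop_null_rules: bool):
    """Return event -> bool (True means the event is dropped from the audit log).

    drop_null_rules=False reproduces the reported behaviour: an attribute set to
    null stays as an unconstrained rule, so a policy with only null attributes
    ignores every event. drop_null_rules=True discards null attributes and any
    policy left without constraints, so writing null removes the rule.
    """
    policies = group_policies(settings)
    if drop_null_rules:
        policies = {name: {a: v for a, v in rule.items() if v is not None}
                    for name, rule in policies.items()}
        policies = {name: rule for name, rule in policies.items() if rule}

    def ignore(event: dict) -> bool:
        # An event is ignored if any policy matches on all of its attributes.
        return any(all(attr_matches(rule.get(a), event.get(a)) for a in ATTRS)
                   for rule in policies.values())

    return ignore
```

Events are passed as dicts keyed by the same attribute names (e.g. `{"users": "Fred"}`); a constructed settings dict with `...userPolicy.users` set to `None` ignores that event under the buggy path and lets it through under the corrected one.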
