Security/logging
Security Logging Use Cases/Work
01/22/2019
- stage: there is a need to easily correlate logs with security incidents
- infra foundations has been taking the logstash / logging infrastructure on board and we can join efforts
- software involved first: phabricator / wikitech / gerrit
- phab error logs not working ATM https://phabricator.wikimedia.org/T214176
- other scenarios: e.g. gerrit SQL injection
- it is hard to correlate events now, e.g. by IP
- Chase would like to increase ldap verbosity (e.g. for brute-force attacks, inappropriate use of ldap as an authentication backend)
- Filippo: problem, logs are one giant bucket access-wise now (NDA)
- Multi tenancy exploration / stretch goal https://phabricator.wikimedia.org/T213902
- When investigating incidents security needs to persist relevant logs outside the retention policy (90d)
- e.g. different elasticsearch indices with longer retention
- Keith: what would provide the most value next?
- gerrit + phab + ldap
- Moritz: openldap logging is kinda insane and all-in, we need to gauge logging volume
- Chase: we could filter out uninteresting logs and send to logstash interesting authentication activity
- Keith: "password policy" could be investigated too to log interesting events
- Chase: password policy, there hasn't been one historically
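As an added illustration of the filtering idea discussed above (not code from the meeting or from the Wikimedia logging stack), the following script keeps only authentication activity from OpenLDAP's `stats` loglevel output, joins ACCEPT/BIND/RESULT lines by `conn=` id so each bind carries the client IP, and counts failed binds per IP. The log lines and dn values are constructed samples; the slapd line formats are assumed to match the standard `stats` output.

```python
import json
import re
from collections import Counter

# Constructed sample of slapd "stats" loglevel output (not real data).
SAMPLE_LOG = """\
conn=1001 fd=13 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1001 op=1 UNBIND
conn=1001 fd=13 closed
conn=1002 fd=14 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
conn=1003 fd=15 ACCEPT from IP=198.51.100.7:40000 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=org" method=128
conn=1003 op=0 RESULT tag=97 err=0 text=
conn=1003 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=0 filter="(uid=bob)"
conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=(\S+?):\d+ ')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag=97: bind response


def extract_auth_events(lines):
    """Return one structured event per BIND; everything else (SRCH, UNBIND, ...) is dropped."""
    conn_ip = {}   # conn id -> client IP, learned from the ACCEPT line
    pending = {}   # (conn, op) -> bind dn, waiting for its RESULT line
    events = []
    for line in lines:
        if m := ACCEPT_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3) or "<anonymous>"
        elif (m := RESULT_RE.search(line)) and (m.group(1), m.group(2)) in pending:
            err = int(m.group(3))  # err=0 success, err=49 invalidCredentials
            events.append({"conn": m.group(1), "ip": conn_ip.get(m.group(1), "unknown"),
                           "dn": pending.pop((m.group(1), m.group(2))),
                           "err": err, "success": err == 0})
    return events


def failed_binds_per_ip(events):
    """Failed-bind count per source IP; a high count from one IP suggests brute forcing."""
    return Counter(e["ip"] for e in events if not e["success"])


if __name__ == "__main__":
    evs = extract_auth_events(SAMPLE_LOG.splitlines())
    for ev in evs:
        print(json.dumps(ev))  # JSON lines are what would be shipped to logstash
    print(dict(failed_binds_per_ip(evs)))
```

Only three of the fourteen sample lines survive as events, which is the volume reduction the discussion is after; search and unbind traffic never leaves the host.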
Actions:
- phab error logs investigation https://phabricator.wikimedia.org/T214176
- phab access logs to be added
- gerrit access logs to be added