Security/logging

Security Logging Use Cases/Work

01/22/2019

  • stage: there is a need to easily correlate logs with security incidents
  • infra foundations has been taking the logstash / logging infrastructure on board, and we can join efforts
  • software to cover first: phabricator / wikitech / gerrit
  • other scenarios: e.g. gerrit SQL injection
  • it is currently hard to correlate events, e.g. by IP
  • Chase would like to increase LDAP verbosity (e.g. for brute-force attacks, inappropriate use of LDAP as an authentication backend)
  • When investigating incidents, Security needs to persist relevant logs beyond the retention policy (90d)
    • e.g. separate Elasticsearch indices with longer retention
  • Keith: what would provide the most value next?
    • gerrit + phab + ldap
  • Moritz: OpenLDAP logging is kinda insane and all-in; we need to gauge logging volume
  • Chase: we could filter out uninteresting logs and send interesting authentication activity to logstash
  • Keith: "password policy" could be investigated too, to log interesting events
  • Chase: password policy, there hasn't been one historically
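
As an added worked example (not from the meeting and not Wikimedia code), the following Python sketches what "filter out uninteresting logs and send interesting authentication activity to logstash" and "correlate events by IP" could look like for OpenLDAP. It reads slapd stats-level syslog lines, joins each BIND result back to the client IP recorded on that connection's ACCEPT line (the BIND and RESULT lines themselves carry no IP), drops searches, unbinds and connection housekeeping, emits one JSON document per bind result in the newline-delimited shape a logstash json_lines codec reads, and flags a client IP that fails a threshold of binds inside a time window. The log lines are constructed; the hostnames, IPs, DNs, the pinned year, and the threshold and window values are assumptions for the example.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenLDAP slapd "stats" syslog format. Assumptions: this is
# the format the LDAP hosts emit; hosts, IPs and DNs are made up for the example.
SAMPLE_LOG = """\
Jan 22 10:00:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jan 22 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
Jan 22 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 22 10:00:01 ldap1 slapd[1234]: conn=1001 fd=12 closed
Jan 22 10:00:02 ldap1 slapd[1234]: conn=1002 fd=12 ACCEPT from IP=192.0.2.10:51235 (IP=0.0.0.0:389)
Jan 22 10:00:02 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
Jan 22 10:00:02 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jan 22 10:00:02 ldap1 slapd[1234]: conn=1002 fd=12 closed
Jan 22 10:00:03 ldap1 slapd[1234]: conn=1003 fd=13 ACCEPT from IP=192.0.2.10:51236 (IP=0.0.0.0:389)
Jan 22 10:00:03 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
Jan 22 10:00:03 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
Jan 22 10:00:03 ldap1 slapd[1234]: conn=1003 fd=13 closed
Jan 22 10:00:05 ldap1 slapd[1234]: conn=1004 fd=14 ACCEPT from IP=198.51.100.7:40000 (IP=0.0.0.0:389)
Jan 22 10:00:05 ldap1 slapd[1234]: conn=1004 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=org" method=128
Jan 22 10:00:05 ldap1 slapd[1234]: conn=1004 op=0 RESULT tag=97 err=0 text=
Jan 22 10:00:05 ldap1 slapd[1234]: conn=1004 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=0 filter="(uid=bob)"
Jan 22 10:00:05 ldap1 slapd[1234]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 10:00:06 ldap1 slapd[1234]: conn=1004 fd=14 closed
"""

YEAR = 2019  # assumption: syslog stamps carry no year; pin one so timestamps are comparable

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"^fd=\d+ ACCEPT from IP=(?P<ip>\[[^\]]+\]|[^:\s]+):\d+")  # [v6] or v4
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND (?:dn="(?P<dn>[^"]*)"|anonymous)')
BIND_RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")  # 97 = BindResponse


def extract_auth_events(lines):
    """Reduce a slapd stats log to one record per bind result, joined to the client
    IP from the connection's ACCEPT line. Searches, unbinds and closes are dropped."""
    conns = {}   # conn id -> {"ip": client ip, "binds": {op: dn awaiting a result}}
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        if (a := ACCEPT_RE.match(rest)):
            conns[conn] = {"ip": a["ip"].strip("[]"), "binds": {}}
        elif (b := BIND_RE.match(rest)) and conn in conns:
            conns[conn]["binds"][b["op"]] = b["dn"] if b["dn"] is not None else "anonymous"
        elif (r := BIND_RESULT_RE.match(rest)) and conn in conns:
            dn = conns[conn]["binds"].pop(r["op"], None)
            if dn is None:
                continue  # result for a bind we never saw (log rotated mid-connection): skip, do not guess
            err = int(r["err"])
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"@timestamp": ts.isoformat(), "host": m["host"],
                           "conn": int(conn), "op": int(r["op"]),
                           "client_ip": conns[conn]["ip"], "bind_dn": dn, "err": err,
                           "outcome": "success" if err == 0 else "failure"})
        elif " closed" in rest:
            conns.pop(conn, None)  # forget the connection so the map does not grow forever
    return events


def detect_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Flag a client IP each time it accumulates `threshold` failed binds within
    `window`; the per-IP counter resets after an alert so a sustained attack
    yields one alert per `threshold` failures rather than one per line."""
    recent = defaultdict(deque)  # client ip -> deque of (timestamp, dn) failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["outcome"] != "failure":
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        q = recent[ev["client_ip"]]
        q.append((ts, ev["bind_dn"]))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"client_ip": ev["client_ip"], "failures": len(q),
                           "targets": sorted({dn for _, dn in q}),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
            q.clear()
    return alerts


def to_logstash(events):
    """Newline-delimited JSON, one document per bind result, for a json_lines input."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    evs = extract_auth_events(SAMPLE_LOG.splitlines())
    print(to_logstash(evs))
    for alert in detect_bruteforce(evs):
        print("ALERT", json.dumps(alert))
```

On the constructed sample, 18 slapd lines collapse to four authentication documents (three failed binds for alice from 192.0.2.10, one successful bind for bob) and one brute-force alert; that reduction is the volume lever Moritz raises, and the `client_ip` field carried on every document is what makes the cross-service correlation by IP possible in logstash.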

Actions: