feat: owasp security event logging for user, password, and shutdown#6852
feat: owasp security event logging for user, password, and shutdown#6852blackboxsw wants to merge 5 commits intocanonical:mainfrom
Conversation
holmanb
left a comment
holmanb
left a comment
There was a problem hiding this comment.
I see a logging-related test failure in CI.
blackboxsw
force-pushed
the
owasp-log-module
branch
2 times, most recently
from
ba0554e to
2a4f66d
Compare
There was a problem hiding this comment.
Pull request overview
Introduces a SECURITY log level and OWASP-aligned security event logging scaffolding, emitting JSON Lines to a dedicated security log file.
Changes:
- Added SECURITY log level support, SECURITY-only file handler setup, and JSON Lines
SecurityFormatterwith ISO-8601 timestamps. - Added
cloudinit/log/security_event_log.pywith OWASP event type/level enums and decorators for common security events. - Expanded unit tests for SECURITY logging behavior and added tests for
Distro._get_elevated_roles.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
cloudinit/log/loggers.py |
Adds SECURITY level, filters, formatter, and security file handler setup; wires security logging into existing logging setup paths. |
cloudinit/log/security_event_log.py |
New OWASP security event logging helper module and decorators. |
cloudinit/distros/__init__.py |
Adds _get_elevated_roles helper used by security decorators. |
tests/unittests/test_log.py |
Adds unit tests for SECURITY log level, JSON-lines formatting, filters, and setup behavior. |
tests/unittests/distros/test__init__.py |
Adds unit tests for _get_elevated_roles. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
holmanb
left a comment
holmanb
left a comment
There was a problem hiding this comment.
I left some comments of my own. My biggest concern is still that this is tightly coupling together code that is not related. In cloudinit.log.security_event_log there is currently code that strongly depends on the behavior of code in other parts of the project - and changing the behavior of that other code could cause this to log the wrong thing. However, I'd still like to see this become easier to audit and maintain before we merge it.
I do think that this is improving. This makes better use of Python logging builtins and existing infrastructure than before, complexity is decreasing, and typing is getting clearer and better. Lets keep iterating and see how we can make this better.
| event_type=OWASPEventType.USER_CREATED, | ||
| # Treat INFO level as this is prescribed provisioning at launch | ||
| level=OWASPEventLevel.INFO, |
There was a problem hiding this comment.
These also seem like tight coupling between an external logging module and an implementation detail of cloud-init's code.
| "event": event_str, | ||
| "level": str(level.value), | ||
| "description": description, | ||
| "hostname": util.get_hostname(), |
There was a problem hiding this comment.
Since the purpose of this is to identify the where the event occured if logs are streamed somewhere, this fails to solve the intended problem: hostname changes partway through boot.
There was a problem hiding this comment.
hostname is set by cloud-init very early in boot - init-local calls update_hostname even before some platforms make an early dhcpcd request
The current set of logged operations do not happen until well after that:
- add user operations in init-network stage (cc_user_groups) is ordered after cc_set_hostname, cc_update_hostname =
- cc_set_passwords is also ordered after set_hostname/update_hostname operations
- system reboot don't happen until the end of cloud_final stage.
I don't think this concern is applicable for the types of logs we are currently generating.
blackboxsw
force-pushed
the
owasp-log-module
branch
from
64ae5d7 to
e63bcf7
Compare
|
Thank you for the thorough reviews here @holmanb. I believe I have addressed all comments from you and copilot. |
blackboxsw
force-pushed
the
owasp-log-module
branch
3 times, most recently
from
3fd3025 to
b58b57c
Compare
|
Known failure in CI on Alpine/edge. Fix proposed here: #6864 |
…vents Add a security event logging module following the OWASP Logging Vocabulary Cheat Sheet. Events are emitted as JSON Lines on a new SECURITY log level which is routed to a separate log file (default: /var/log/cloud-init-security.log). Add cloudinit/log/security_event_log.py which provides: - OWASPEventType / OWASPEventLevel enums for standardized event strings - Four decorators to be consumer by Distro methods: sec_log_user_created, sec_log_password_changed, sec_log_password_changed_batch, sec_log_system_shutdown cloudinit/log/loggers.py now has a custom SecurityFormatter that injects an ISO-8601 timestamp into log records.
blackboxsw
force-pushed
the
owasp-log-module
branch
from
f149af6 to
2c97da1
Compare
|
@holmanb Rebased against main to get alpine workflow fix. |
Proposed Commit Message
Additional Context
Separated from #6801 to limit complexity of the PR. Will recreate
Test Steps
Merge type