Audit trail
Audit trail for private resources.
As an administrator
I want to be able to see who has accessed private data
so that I can be sure that only authorized people have seen that data
Rationale
Part of being serious about security is understanding that sometimes mistakes will happen, and we need to do whatever we can to limit the damage of those mistakes. If we ever suspect that someone has gained access to a restricted resource, we need to determine how far the confidentiality and integrity of that resource have been compromised. A key first step is to see who has read from and who has written to the resource.
Stakeholders
- Launchpad developers, especially maintenance team and folk who have handled security issues in the past
- LOSAs
- GSAs?
- Launchpad technical architect
Constraints
- Someone needs to be able to see who has accessed a given thing
- Must be able to get this log in a time of panic
- Does not have to be on the web UI
- Must be restricted to administrators and owners of private resources
- Must function for resources that have been or currently are public
- Must be able to give who has accessed a single resource
- Must not be restricted to web application access, must include
  - web service / API
  - librarian access
  - codehosting
    - SSH server
    - Loggerhead
    - Web access
    - Anonymous smart server
  - PPAs
  - and access to anything in the web application
- Must not be a Big Brother spying on people thing
Subfeatures
This is a sub-feature of LEP/PermissionsAndNotifications
Workflows
Who stole the cookies from the cookie jar?
A branch containing proprietary code has been accidentally marked as public. The owner of the branch contacts us through email or IRC and asks us to make sure the branch is private and see if anyone has looked at the branch. Someone from Canonical (a LOSA?) performs an action (visits a web page? runs a script?) that gets a log of all the times when someone has accessed that branch. The log includes who accessed it (where known), how (read or write), when (timestamp) and from where (IP address) over the time period requested by the Canonical operator.
The operator examines the log and reports back to the branch owner any unauthorized or suspicious-looking activity in the requested time frame.
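A sketch of what the admin script in this workflow could look like, added here as an illustration rather than taken from Launchpad's own code. It merges per-channel access records (here a web app log and a codehosting log) into one per-resource, per-time-window report with the who / how / when / from-where columns described above, and then flags accesses by anyone outside the set of people who were allowed to see the resource. The log line formats, the channel names (`web`, `ssh`, `smartserver`), the branch names, usernames and IP addresses are all constructed assumptions for the example:

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True, order=True)
class AccessRecord:
    """One access to one resource, in the shape the workflow asks for."""
    when: datetime      # timestamp (UTC); sort key, so it comes first
    who: str            # Launchpad username, or "anonymous" where unknown
    how: str            # "read" or "write"
    source: str         # channel that recorded the access (assumed names)
    ip: str             # client address
    resource: str       # resource identifier, e.g. "~owner/project/branch"


# Constructed sample log lines in assumed formats, one block per channel.
# Web app: timestamp, client IP, username ("-" when anonymous), method, path, status.
WEBAPP_LOG = """\
2010-03-02T10:15:02Z 203.0.113.7 alice GET /~acme/secret/trunk 200
2010-03-02T10:16:40Z 198.51.100.9 - GET /~acme/secret/trunk 200
2010-03-02T10:17:05Z 198.51.100.9 - GET /~acme/secret/trunk/+edit 403
2010-03-03T08:00:00Z 203.0.113.7 alice GET /~acme/other/trunk 200
"""
# Codehosting: timestamp, service (ssh or anonymous smart server), user, IP, operation, branch.
CODEHOSTING_LOG = """\
2010-03-02T11:05:13Z ssh bob 192.0.2.44 push ~acme/secret/trunk
2010-03-02T12:30:00Z smartserver anonymous 198.51.100.9 pull ~acme/secret/trunk
garbage line that must not abort the report
"""

_WEB_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|HEAD|POST|PUT|DELETE) (\S+) (\d{3})$")
_CODE_RE = re.compile(r"^(\S+) (ssh|smartserver) (\S+) (\S+) (push|pull) (\S+)$")


def _ts(text):
    """Parse the log timestamp format used above into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_webapp(text):
    """Web/API access lines. Only 2xx responses count: a 403 on a private page is not a disclosure."""
    records = []
    for line in text.splitlines():
        m = _WEB_RE.match(line)
        if not m or not m.group(6).startswith("2"):
            continue
        ts, ip, user, method, path, _status = m.groups()
        how = "read" if method in ("GET", "HEAD") else "write"
        who = "anonymous" if user == "-" else user
        records.append(AccessRecord(_ts(ts), who, how, "web", ip, path.lstrip("/")))
    return records


def parse_codehosting(text):
    """SSH and anonymous smart-server lines. Malformed lines are skipped rather than fatal:
    in a time of panic a partial report is better than none."""
    records = []
    for line in text.splitlines():
        m = _CODE_RE.match(line)
        if not m:
            continue
        ts, service, user, ip, op, branch = m.groups()
        how = "write" if op == "push" else "read"
        records.append(AccessRecord(_ts(ts), user, how, service, ip, branch))
    return records


def access_report(resource, start, end, records):
    """All accesses to one resource between start and end (inclusive, log timestamp format),
    merged across channels, oldest first."""
    lo, hi = _ts(start), _ts(end)
    return sorted(r for r in records if r.resource == resource and lo <= r.when <= hi)


def flag_unauthorized(report, authorized):
    """Accesses by anyone outside the set of people who should have seen the resource.
    Anonymous access is never authorized to private data."""
    return [r for r in report if r.who not in authorized]


def format_report(report):
    return "\n".join(
        f"{r.when:%Y-%m-%d %H:%M:%S}Z {r.who:<10} {r.how:<5} {r.source:<11} {r.ip:<15} {r.resource}"
        for r in report
    )


def cookie_jar_example():
    """The workflow above: ~acme/secret/trunk was briefly public on 2010-03-02; who touched it?"""
    records = parse_webapp(WEBAPP_LOG) + parse_codehosting(CODEHOSTING_LOG)
    report = access_report("~acme/secret/trunk", "2010-03-02T00:00:00Z", "2010-03-03T00:00:00Z", records)
    return report, flag_unauthorized(report, authorized={"alice", "bob"})


if __name__ == "__main__":
    report, flagged = cookie_jar_example()
    print(format_report(report))
    print("\nNot in the authorized set:")
    print(format_report(flagged))
```

Two design points worth noting against the constraints above: the report is keyed on a single resource identifier that every channel must be able to emit in the same form (the web path and the codehosting branch name are normalised to the same string here), and the "who" column can only be filled in if each channel actually records the username, which is the gap the Thoughts section raises.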
Success
When we can get access logs on any resource in Launchpad without having to think hard about how to do it. The tough ones will be branches (many methods of access) and projects (so much associated with them).
Thoughts?
flacoste & jml think that the best solution is an admin script.
What about currency of data: how fresh does the report need to be? -- RobertCollins
We probably don't log usernames in logs, and will need to across the site. -- RobertCollins
Do we need change audits, or just access? The use case given is unclear -- RobertCollins