Working in the Federal Government space, FISMA security controls are required. One of those currently missing in SonarQube is a user audit trail. We’d like to see security events such as user logon/logoff, roles created or modified, and user/role changes, for example, in an audit trail with timestamps.
We’ve seen requests before for change audit-trailing, but this is the first request I’ve seen for login/out. Can you help me understand the reasoning behind that?
There are a number of important reasons for this request but two of the most important are:
- If we are investigating an actual or potential intrusion, it is critical that we can track who logged in, when, and from where. Such attacks generally come from multiple vectors across the enterprise simultaneously. The ability to correlate access attempts across the enterprise is critical to understanding the nature of the attack as well as understanding its impact.
- Information System Security Officers (ISSOs) are responsible for a monthly audit of users in all applications. Part of this is verifying who has administrative rights, but it also includes disabling accounts that are not actively using the system.
Have you had a chance to poke around with the sonar.web.accessLogs.pattern system property, and the information it can provide in access.log? Check out this other discussion where it was mentioned, for example:
Granted, it’s about tracking activity at the log level, but it might certainly let you detect specific requests/events, and I guess dedicated tools exist to monitor/aggregate such log-formatted information.
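As an added illustration of what the access-log approach above can give an ISSO (this is example code written for this thread, not SonarQube’s own tooling), the script below parses access.log lines and pulls out the login/logout calls with their timestamp, source address and HTTP status, then tallies failed logins per source host. The line layout follows SonarQube’s default sonar.web.accessLogs.pattern (%h %l %u [%t] "%r" %s %b ...), the endpoint paths /api/authentication/login and /api/authentication/logout are assumed to be what the web UI calls, a 401 is assumed to mean a rejected login, and the sample log lines are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Matches the leading fields of SonarQube's default access-log pattern
# (%h %l %u [%t] "%r" %s %b ...). Trailing fields (referer, user agent,
# request id) are not needed here and are ignored.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Assumed endpoint paths used by the web UI for login and logout.
LOGIN_PATH = "/api/authentication/login"
LOGOUT_PATH = "/api/authentication/logout"
AUTH_PATHS = (LOGIN_PATH, LOGOUT_PATH)

# Constructed sample lines in the default access.log layout (not real data).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [21/Mar/2023:14:02:11 +0000] "POST /api/authentication/login HTTP/1.1" 200 - "https://sonar.example/sessions/new" "Mozilla/5.0" "AYcq0001"
10.0.0.9 - - [21/Mar/2023:14:02:40 +0000] "POST /api/authentication/login HTTP/1.1" 401 - "https://sonar.example/sessions/new" "Mozilla/5.0" "AYcq0002"
10.0.0.9 - - [21/Mar/2023:14:02:55 +0000] "POST /api/authentication/login HTTP/1.1" 401 - "https://sonar.example/sessions/new" "Mozilla/5.0" "AYcq0003"
10.0.0.5 - - [21/Mar/2023:14:03:10 +0000] "GET /api/issues/search?projects=demo HTTP/1.1" 200 4821 "https://sonar.example/dashboard" "Mozilla/5.0" "AYcq0004"
10.0.0.5 - - [21/Mar/2023:14:20:02 +0000] "POST /api/authentication/logout HTTP/1.1" 204 - "https://sonar.example/dashboard" "Mozilla/5.0" "AYcq0005"
this line is deliberately malformed and must be skipped
"""


@dataclass
class AccessEvent:
    timestamp: datetime
    host: str
    method: str
    path: str
    status: int

    @property
    def succeeded(self) -> bool:
        return 200 <= self.status < 300


def parse_line(line: str) -> Optional[AccessEvent]:
    """Parse one access.log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return AccessEvent(ts, m.group("host"), m.group("method"),
                       m.group("path"), int(m.group("status")))


def extract_auth_events(log_text: str) -> List[AccessEvent]:
    """Keep only requests to the (assumed) login/logout endpoints."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev.path.split("?", 1)[0] in AUTH_PATHS:
            events.append(ev)
    return events


def failed_logins_by_host(events: List[AccessEvent]) -> Counter:
    """Count rejected login attempts per source host (assumes non-2xx = rejected)."""
    return Counter(e.host for e in events
                   if e.path.split("?", 1)[0] == LOGIN_PATH and not e.succeeded)


if __name__ == "__main__":
    auth = extract_auth_events(SAMPLE_ACCESS_LOG)
    for e in auth:
        verdict = "ok" if e.succeeded else "FAILED"
        print(f"{e.timestamp.isoformat()} {e.host:<10} {e.path:<32} {e.status} {verdict}")
    print("failed logins per host:", dict(failed_logins_by_host(auth)))
```

Feeding the real access.log through this (or the same logic in a SIEM rule) gives the "who, when, from where" view for logins without waiting for a built-in audit trail; the username itself only appears if the configured pattern includes it, so check what your sonar.web.accessLogs.pattern actually emits before relying on that column.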