How to improve SonarQube audit

We’re currently enjoying working with a SonarQube instance to perform our source code analysis. However, we have a strict company policy concerning information security events that ought to be gathered for all our systems, including SonarQube. It dictates that every such event should be properly logged and ought to include the following information: the action that was performed (e.g. a user was added to a group), the user who performed this action (e.g. who added the above-mentioned user to that group), the IP address from which the action was performed, the results of the action if they were different from the description of the action itself, the time when it was done, as well as the object that was tampered with (e.g. what user was added to what group).

Unfortunately, we discovered that our current log file does not meet the requirements stated by the company policy, a fact that may have severe ramifications in terms of maintaining all items in our software inventory list.
How can we add this information to any of the SonarQube log files?

I also include an example of the log file that we have now.

195.26.180.43 - - [20/Nov/2020:17:23:24 +0300] "POST /sonar/api/user_groups/delete HTTP/1.1" 204 - "http://172.29.39.63:9000/sonar/admin/groups" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0" "AXXmBDHhUSMRG7ZZAAAu"

195.26.180.43 - - [20/Nov/2020:17:22:59 +0300] "POST /sonar/api/user_groups/create HTTP/1.1" 200 - "http://172.29.39.63:9000/sonar/admin/groups" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0" "AXXmBDHhUSMRG7ZZAAAt"

The log files we used:
/var/log/sonar/access.log;
/var/log/sonar/web.log.

SonarQube version: Enterprise Edition 8.4.2

2 Likes

Hi Igor, welcome to the SonarSource Community!

The access.log file’s output is configurable. Have a look in your sonar.properties file and search for the property sonar.web.accessLogs.pattern - there is documentation in the comments to tell you what’s possible. You’ll be able to add IP address and user info there if you wish.

If you’re using a Docker container to run SonarQube, the equivalent can be accomplished with an environment variable.

1 Like

Hi Jeff!

Thank you for your reply! We’re working on this project together with Igor. Please don’t get confused, we are going to take turns replying.

We tried setting the property that you’ve mentioned as follows:
sonar.web.accessLogs.pattern=%i{X-Forwarded-For} %l %u [%t] %s %b "%reqAttribute{LOGIN}" %m "%requestContent" "%i{Referer}" "%i{User-Agent}"

This is what we saw in our log file after deleting a user.
195.26.180.104 - - [20/Jan/2021:01:48:55 +0300] 200 - "-" POST "login=admin&password=admin" "https://172.29.39.63/sonar/sessions/new" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
195.26.180.104 - - [20/Jan/2021:01:51:03 +0300] 200 - "admin" POST "login=test" "https://172.29.39.63/sonar/admin/users" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"

As you can see, firstly, the log file contains a password, which is a severe violation of our company policy. Secondly, this entry is simply not informative, as I can tell neither what happened nor who did it.
Is there any way we can configure it differently?
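As an added example (not SonarSource's code, nor code posted by anyone in this thread), the script below takes a sonar.web.accessLogs.pattern value, builds a matching regex for it, maps each access-log line onto the policy fields from the first post (time, source IP, actor, action, result), and flags request bodies that carry credentials. It is meant for two defender tasks: checking whether a candidate pattern actually captures what the policy needs before rolling it out, and sweeping an existing access.log for lines that already contain secrets so they can be redacted. Assumptions: DEFAULT_PATTERN is what I believe SonarQube's default pattern is (the lines in the first post match it); only the conversion words that appear in this thread are supported; SECRET_KEYS is a constructed list of form-field names; all function names are mine. The sample lines are the ones posted above, re-typed with straight quotes.

```python
"""Check SonarQube access-log lines against the audit policy described in the thread.
Added example, not SonarSource's or the posters' code; see the assumptions in the lead-in."""
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlencode

# Assumed: what I believe SonarQube ships as its default pattern (first post's lines match it).
DEFAULT_PATTERN = '%h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}"'
# The pattern the second poster configured.
CUSTOM_PATTERN = ('%i{X-Forwarded-For} %l %u [%t] %s %b "%reqAttribute{LOGIN}" %m '
                  '"%requestContent" "%i{Referer}" "%i{User-Agent}"')

# Sample lines from the thread, re-typed with straight quotes.
FIRST_POST_LINES = [
    '195.26.180.43 - - [20/Nov/2020:17:23:24 +0300] "POST /sonar/api/user_groups/delete HTTP/1.1" 204 - '
    '"http://172.29.39.63:9000/sonar/admin/groups" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) '
    'Gecko/20100101 Firefox/83.0" "AXXmBDHhUSMRG7ZZAAAu"',
]
CUSTOM_LINES = [
    '195.26.180.104 - - [20/Jan/2021:01:48:55 +0300] 200 - "-" POST "login=admin&password=admin" '
    '"https://172.29.39.63/sonar/sessions/new" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) '
    'Gecko/20100101 Firefox/84.0"',
    '195.26.180.104 - - [20/Jan/2021:01:51:03 +0300] 200 - "admin" POST "login=test" '
    '"https://172.29.39.63/sonar/admin/users" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) '
    'Gecko/20100101 Firefox/84.0"',
]

# Conversion words seen in the thread -> regex group names (subset, not the full pattern language).
CONVERSIONS = {"h": "remote_host", "l": "ident", "u": "remote_user", "t": "time",
               "r": "request_line", "s": "status", "b": "bytes", "m": "method",
               "requestContent": "request_content"}
TOKEN_RE = re.compile(r"%(?P<word>[A-Za-z]+)(?:\{(?P<arg>[^}]*)\})?")
SECRET_KEYS = {"password", "passwd", "pwd", "token", "secret", "oldpassword", "newpassword"}  # constructed
POLICY_FIELDS = ("time", "source_ip", "actor", "method", "path", "status")


def pattern_to_regex(pattern):
    """Compile an access-log pattern into an anchored regex with one named group per field."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))  # literal text between tokens
        word, arg = m.group("word"), m.group("arg")
        if word in ("i", "reqAttribute"):  # %i{Header} / %reqAttribute{Name}
            name = ("header_" if word == "i" else "attr_") + arg.lower().replace("-", "_")
        else:
            name = CONVERSIONS.get(word, word)
        prev = pattern[m.start() - 1] if m.start() else ""
        # A quoted field may contain spaces, [%t] contains one space, bare fields contain none.
        body = '[^"]*' if prev == '"' else r"[^\]]+" if prev == "[" else r"\S+"
        parts.append(f"(?P<{name}>{body})")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def secret_fields(body):
    """Names of form fields in a URL-encoded body that look like credentials."""
    if not body or body == "-":
        return []
    return [k for k, _ in parse_qsl(body, keep_blank_values=True) if k.lower() in SECRET_KEYS]


def redact_body(body):
    """Replace credential values in a URL-encoded body, for scrubbing logs already written."""
    if not body or body == "-":
        return body
    return urlencode([(k, "REDACTED" if k.lower() in SECRET_KEYS else v)
                      for k, v in parse_qsl(body, keep_blank_values=True)])


def audit_record(line, line_re):
    """Map one log line onto the policy's fields; None if the line does not match the pattern."""
    m = line_re.match(line)
    if m is None:
        return None
    f = {k: (None if v in ("", "-") else v) for k, v in m.groupdict().items()}
    method, path = f.get("method"), None
    if f.get("request_line"):  # "%r" gives "METHOD /path HTTP/x"; %m alone carries no path
        parts = f["request_line"].split()
        if len(parts) >= 2:
            method, path = parts[0], parts[1]
    return {
        "time": datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z") if f.get("time") else None,
        "source_ip": f.get("header_x_forwarded_for") or f.get("remote_host"),
        "actor": f.get("attr_login") or f.get("remote_user"),
        "method": method,
        "path": path,
        "status": int(f["status"]) if f.get("status") else None,
        "leaked_secret_fields": secret_fields(f.get("request_content")),
    }


def missing_policy_fields(record):
    """Policy fields the line did not supply (the acted-on object is never in the access log)."""
    return [k for k in POLICY_FIELDS if record[k] is None]


DEFAULT_RE = pattern_to_regex(DEFAULT_PATTERN)
CUSTOM_RE = pattern_to_regex(CUSTOM_PATTERN)
```

Run over the thread's own lines, the first post's default-format entry yields method, path, status, time and IP but no actor (the %u column is "-"), while the second poster's pattern yields the actor for the second line but no path at all, because %r was dropped in favour of %m, and its "%requestContent" column copies the login form body verbatim, which is where the password comes from. The object of the action (which user or group was touched) is not recoverable from either format. redact_body() is there for cleaning up lines that were already written before the pattern is changed.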