Alert to customer SOC when ACL processing stops #14039

Open
wilsonmar opened this issue Aug 8, 2022 · 0 comments
Labels
theme/security type/enhancement Proposed improvement or new feature


wilsonmar commented Aug 8, 2022

Please have Consul emit a log entry when ACL processing is stopped. This is one of several other conditions which require a security log output for SOC operations. Other conditions include the Consul Agent configuration file containing settings which turn off TLS verification:

  verify_incoming = false
  verify_outgoing = false
  verify_server_hostname = false

Feature Description

Most large enterprises have a SOC (Security Operations Center) that runs 24x7 to monitor and respond to anomalous issues identified by various monitoring systems. When, in production, processing (enforcement) of ACLs is turned off, that's something they should know about right away. This is both for customers and Consul HCP Operations.

This feature may be a utility like Terraform Sentinel/OPA/TfSec which analyzes configuration settings and issues alerts. This would provide the alerts to be identified under a different security context, in case of compromised access to the Consul server.

This issue concerns ensuring that there are procedures and systems available to prove that the above works for dev, QA, pre-sales engineers, etc. within HashiCorp, and that proven instructions and training are given to customers on this topic.

Use Case(s)

This is one of several conditions in answer to the question "Are accountable parties immediately notified about anomalies and failures?" which is item LOG-13.2 - Failures and Anomalies Reporting - in the CAIQ v4 which HashiCorp customers must fill out to provide their auditors. See https://cloudsecurityalliance.org/download/artifacts/star-level-1-security-questionnaire-caiq-v4/
BTW the CAIQ (Consensus Assessment Initiative Questionnaire) is called "consensus" because it was defined for use by all cloud service providers and the Q&A is applicable to 40 audit programs (SOC2, ISO 27000, FedRAMP, etc.). A public example draft for Consul is at https://wilsonmar.github.io/CAIQ4.0.1.consul/

@Amier3 Amier3 added theme/security type/enhancement Proposed improvement or new feature labels Aug 9, 2022
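
A sketch of the out-of-band configuration check the issue proposes, as an added example that is not part of the issue or of Consul's own code: it scans an agent configuration in HCL for the three TLS settings quoted above, plus `acl.enabled`, and returns one alert record per setting explicitly set to false. Treating `acl.enabled` as the switch the issue means by "ACL processing", the `consul_insecure_setting` event name and the sample config are assumptions made for this example.

```python
import json
import re

# Settings that should never be false in production: the three TLS flags from
# the issue, plus acl.enabled (assumed here to be the ACL enforcement switch).
WATCHED = {"verify_incoming", "verify_outgoing", "verify_server_hostname", "acl.enabled"}
ASSIGN = re.compile(r'^"?([\w.-]+)"?\s*=\s*(.+?)\s*,?$')
BLOCK_OPEN = re.compile(r'^"?([\w.-]+)"?\s*=?\s*\{$')

def scan_consul_config(text):
    """Return one finding per watched setting explicitly set to false.
    Assumes HCL with one setting per line and block braces on their own lines."""
    findings, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = re.split(r"#|//", raw, maxsplit=1)[0].strip()  # drop comments
        if line == "}" and stack:
            stack.pop()
        elif BLOCK_OPEN.match(line):
            stack.append(BLOCK_OPEN.match(line).group(1))
        elif ASSIGN.match(line):
            key, value = ASSIGN.match(line).groups()
            path = ".".join(stack + [key])
            # Full path for acl.enabled; bare key for TLS flags at any nesting depth.
            if (path in WATCHED or key in WATCHED) and value.strip('"').lower() == "false":
                findings.append({"event": "consul_insecure_setting",
                                 "setting": path, "line": lineno})
    return findings

# Constructed sample config, not taken from the issue.
SAMPLE = """\
acl {
  enabled = false   # enforcement off
}
connect {
  enabled = false
}
verify_incoming = false
verify_outgoing = true
# verify_server_hostname = false
tls {
  defaults {
    verify_server_hostname = false
  }
}
"""

if __name__ == "__main__":
    for finding in scan_consul_config(SAMPLE):
        print(json.dumps(finding))  # one JSON line per alert for a log shipper
```

Running the check from a separate host or pipeline, under credentials that the Consul server does not hold, keeps the alert path available if the server itself is compromised, which is the separation of security context the issue asks for.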
2 participants