Log all invocations of the tap feature to the audit log #143

Open
briansmith opened this issue Jan 12, 2018 · 2 comments

Comments

@briansmith
Contributor

Since tap is a security-sensitive feature, we should log uses of tap to the audit log. Given the "secure by default" design goal, this auditing should be enabled in the default configuration. We should use Kubernetes' standard configuration mechanisms (see https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) to control (e.g. allow disabling of) auditing for the tap feature.

@briansmith
Contributor Author

All attempts to use the tap feature should be logged in the audit log. The audit log entries must include, at least, the start/end time, user, and the arguments used for the tap. We probably need at least two entries: one for when the tap started and one for when the tap ended. We may also want to include the user's source IP address and/or any other tracing information we can collect.

@briansmith
Contributor Author

When each proxy is tapped, the proxy should also log the start and end of the tap. That is, both the controller and each proxy involved in the tap should independently log the start and end of the tap.
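
What the independent controller and proxy records proposed above allow a reviewer to check, as an added Go example that is not part of this issue or of Linkerd's code: it cross-checks the two sets of entries and flags taps a proxy recorded that the controller did not, and taps with an unmatched start or end. The `AuditEntry` fields, the shared `TapID` and the source names are assumptions, since the issue defines no log format.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AuditEntry is an assumed record shape (the issue names no fields or tap id).
type AuditEntry struct {
	Source, Event, TapID string // Source: "controller" or a proxy name; Event: "start" or "end"
	User, Args, Time     string // Time as RFC 3339
}

// Reconcile cross-checks controller and proxy records, returning sorted findings.
func Reconcile(entries []AuditEntry) []string {
	delta := map[string]int{"start": 1, "end": -1}
	open := map[string]map[string]int{} // tap id -> source -> starts minus ends
	for _, e := range entries {
		if open[e.TapID] == nil {
			open[e.TapID] = map[string]int{}
		}
		open[e.TapID][e.Source] += delta[e.Event]
	}
	var findings []string
	for tap, bySource := range open {
		if _, ok := bySource["controller"]; !ok {
			findings = append(findings, tap+": proxy record without controller record")
		}
		for src, n := range bySource {
			if n != 0 {
				findings = append(findings, tap+": "+src+" has unmatched start/end")
			}
		}
	}
	sort.Strings(findings)
	return findings
}

// Sample is constructed data: tap-1 is complete, tap-2 exists only in a proxy log.
var Sample = []AuditEntry{
	{"controller", "start", "tap-1", "alice", "deploy/web", "2018-01-12T10:00:00Z"},
	{"proxy-a", "start", "tap-1", "alice", "deploy/web", "2018-01-12T10:00:01Z"},
	{"proxy-a", "end", "tap-1", "alice", "deploy/web", "2018-01-12T10:05:00Z"},
	{"controller", "end", "tap-1", "alice", "deploy/web", "2018-01-12T10:05:01Z"},
	{"proxy-b", "start", "tap-2", "mallory", "deploy/db", "2018-01-12T11:00:00Z"},
}

func main() { fmt.Println(strings.Join(Reconcile(Sample), "\n")) }
```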

@olix0r olix0r added the priority/P2 Nice-to-have for Release label Mar 13, 2018
@olix0r olix0r added this to the 0.4.0 milestone Mar 13, 2018
@olix0r olix0r removed this from the 0.4.0 milestone Apr 10, 2018
@stale stale bot added the wontfix label Oct 7, 2018
@linkerd linkerd deleted a comment from stale bot Oct 9, 2018
khappucino pushed a commit to Nordstrom/linkerd2 that referenced this issue Mar 5, 2019
@grampelberg grampelberg added priority/P1 Planned for Release area/tap and removed priority/P2 Nice-to-have for Release labels Dec 18, 2019