Feature request: Add a change audit log for app and server changes #258

Open
4 tasks
michiels opened this issue Nov 21, 2018 · 6 comments
@michiels
Member

For security and collaboration with other team members, it would be great if all changes made to servers/apps would trigger entries in some kind of activity/change audit log. This is so that you can always trace back what happened to a server or an app over time. This is beneficial for security (spotting weird behavior) but also makes collaboration in a team easier, as you'll know who changed what on a server. Basically automating and providing automated infrastructure CMDB functionality.

An audit log could be as simple as a GitHub-issue style activity log for things like:

  • Domain added or removed
  • ENV var added or removed
  • Service linked/installed
  • SSL certificate added

etc.

It's important that we create event logs for most important security and app environment changes first. Things like adding/removing apps and servers could be a bonus.

We could expand this feature by allowing an email notification (digest) to be sent out to all users of the Intercity instance so changes in configurations are automatically logged and notified.

Most important events to log:

  • Deploy key added and removed
  • Domain added and removed
  • ENV var added and removed
  • SSL certificate added and removed

@michiels
Member Author

We could use a gem like https://github.com/chaps-io/public_activity, but usually rolling our own simple Event/Activity log is easier to build and maintain due to the trivial nature.

@michiels
Member Author

Quickly brainstorming, could have something like:

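```ruby
# Base class for all audit entries; records who made the change.
class Event < ApplicationRecord
  belongs_to :actor, class_name: "User"
end

class ServerEvent < Event
  belongs_to :server

  # The attribute name `action` is an assumption; the sketch did not name one.
  enum action: { deploy_key_added: 0, deploy_key_removed: 1 }
end

class AppEvent < Event
  belongs_to :app

  # Further event kinds were elided ("...") in the sketch.
  enum action: { domain_added: 0, domain_removed: 1, env_var_added: 2 }
end
```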

Bonus points if we add a "command execution" log to each event so you can see what the command execution was on the server and even log errors or success state for each command.

@jvanbaarsen
Contributor

@michiels Do we actually want to have the events specified up front? What do you think about a "normal" logbook type thing? Maybe with a couple of categories, i.e:
"[Server] - Michiel added SSH key"
"[App] - Joshua enabled backups for AppY"

@michiels
Member Author

@jvanbaarsen that's a good point, it would make the system more freeform. However, then we cannot add icons or for example filtering from one event dashboard.

@jvanbaarsen
Contributor

This is how GH does it:
[image]

So you could still filter on the category type. I think with the following categories you have plenty of freedom:

  • Security
  • Add-ons
  • Server
  • App

@michiels
Member Author

@jvanbaarsen I'd say you also want to filter on ENV vars added and Deploy Keys added/removed, as these are security auditing features we'd like to have. But yeah, having a category "Security" or "Authorizations" is also fine. That would basically be the same as I suggested with the enums, but with a few more generic labels that communicate the same.
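
An added example, not part of the thread and not Intercity code: a plain-Ruby sketch of how the two proposals combine, with typed event kinds that each map to one generic category, so the log can be filtered either way and still rendered as logbook lines. The module and method names and the kind-to-category mapping are assumptions.

```ruby
module AuditLog
  # Event kinds named in the thread; the category mapping is an assumption.
  CATEGORY_OF = {
    deploy_key_added: "Security", deploy_key_removed: "Security",
    env_var_added: "Security", env_var_removed: "Security",
    ssl_certificate_added: "Security", ssl_certificate_removed: "Security",
    domain_added: "App", domain_removed: "App",
    service_linked: "Add-ons"
  }.freeze

  Entry = Struct.new(:at, :actor, :kind, :category, :target, :detail,
                     keyword_init: true) do
    # Logbook line, e.g. "[App] - joshua: domain added on AppY (example.test)"
    def to_s
      line = "[#{category}] - #{actor}: #{kind.to_s.tr('_', ' ')} on #{target}"
      detail ? "#{line} (#{detail})" : line
    end
  end

  class Log
    def initialize
      @entries = []
    end

    # Append-only: entries are frozen structs and the class exposes no
    # update or delete. Unknown kinds are rejected so entries stay filterable.
    # `detail` carries a name (ENV var key, domain), never a secret value.
    def record(actor:, kind:, target:, detail: nil, at: Time.now.utc)
      category = CATEGORY_OF.fetch(kind) do
        raise ArgumentError, "unknown event kind: #{kind.inspect}"
      end
      entry = Entry.new(at: at, actor: actor, kind: kind, category: category,
                        target: target, detail: detail).freeze
      @entries << entry
      entry
    end

    # Filter by generic category, by specific kind, or both.
    def filter(category: nil, kind: nil)
      @entries.select do |e|
        (category.nil? || e.category == category) && (kind.nil? || e.kind == kind)
      end
    end
  end
end
# Constructed sample entry.
log = AuditLog::Log.new
log.record(actor: "michiel", kind: :env_var_added, target: "AppY", detail: "DATABASE_URL")
puts log.filter(category: "Security")
```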
