328004d679
#9119 To test the SSO changes locally you can use: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Testing-and-local-development.md#testing-sso @RachelElysia Please take a look at the UI changes (All I did was copy/paste and amend the changes for the new activity type.) IMO we shouldn't display an avatar because there's no "actual user" involved in these failed login attempts activities (by "actual user" I mean the user attributed to the activity): <img width="446" alt="Screenshot 2023-01-19 at 10 41 05" src="https://user-images.githubusercontent.com/2073526/213524771-b85901ce-eec0-4cf3-919c-73162285e20b.png"> - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
11 KiB
Audit Activities
Fleet logs the following information for administrative actions (in JSON):
created_at: Timestamp of the event.id: Unique ID of the generated event in Fleet.actor_full_name: Author user name (missing if the user was deleted).actor_id: Unique ID of the author in Fleet (missing if the user was deleted).actor_gravatar: Gravatar URL of the author (missing if the user was deleted).actor_email: E-mail of the author (missing if the user was deleted).type: Type of the activity (see all types below).details: Specific details depending on the type of activity (see details for each activity type below).
Example:
{
"created_at": "2022-12-20T14:54:17Z",
"id": 6,
"actor_full_name": "Gandalf",
"actor_id": 2,
"actor_gravatar": "foo@example.com",
"actor_email": "foo@example.com",
"type": "edited_saved_query",
"details":{
"query_id": 42,
"query_name": "Some query name"
}
}
List of activities and their specific details
Type created_pack
Generated when creating scheduled query packs.
This activity contains the following fields:
- "pack_id": the id of the created pack.
- "pack_name": the name of the created pack.
Example
{
"pack_id": 123,
"pack_name": "foo"
}
Type edited_pack
Generated when editing scheduled query packs.
This activity contains the following fields:
- "pack_id": the id of the edited pack.
- "pack_name": the name of the edited pack.
Example
{
"pack_id": 123,
"pack_name": "foo"
}
Type deleted_pack
Generated when deleting scheduled query packs.
This activity contains the following fields:
- "pack_name": the name of the created pack.
Example
{
"pack_name": "foo"
}
Type applied_spec_pack
Generated when applying a scheduled query pack spec.
This activity does not contain any detail fields.
Type created_policy
Generated when creating policies.
This activity contains the following fields:
- "policy_id": the ID of the created policy.
- "policy_name": the name of the created policy.
Example
{
"policy_id": 123,
"policy_name": "foo"
}
Type edited_policy
Generated when editing policies.
This activity contains the following fields:
- "policy_id": the ID of the edited policy.
- "policy_name": the name of the edited policy.
Example
{
"policy_id": 123,
"policy_name": "foo"
}
Type deleted_policy
Generated when deleting policies.
This activity contains the following fields:
- "policy_id": the ID of the deleted policy.
- "policy_name": the name of the deleted policy.
Example
{
"policy_id": 123,
"policy_name": "foo"
}
Type applied_spec_policy
Generated when applying policy specs.
This activity contains a field "policies" where each item is a policy spec with the following fields:
- "name": Name of the applied policy.
- "query": SQL query of the policy.
- "description": Description of the policy.
- "critical": Marks the policy as high impact.
- "resolution": Describes how to solve a failing policy.
- "team": Name of the team this policy belongs to.
- "platform": Comma-separated string to indicate the target platforms.
Example
{
"policies": [
{
"name":"Gatekeeper enabled (macOS)",
"query":"SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
"critical":false,
"platform":"darwin",
"resolution":"To enable Gatekeeper, on the failing device [...]",
"description":"Checks to make sure that the Gatekeeper feature is [...]"
},
{
"name":"Full disk encryption enabled (Windows)",
"query":"SELECT 1 FROM bitlocker_info WHERE drive_letter='C:' AND protection_status=1;",
"critical":false,
"platform":"windows",
"resolution":"To get additional information, run the following osquery [...]",
"description":"Checks to make sure that full disk encryption is enabled on Windows devices."
}
]
}
Type created_saved_query
Generated when creating a new query.
This activity contains the following fields:
- "query_id": the ID of the created query.
- "query_name": the name of the created query.
Example
{
"query_id": 123,
"query_name": "foo"
}
Type edited_saved_query
Generated when editing a saved query.
This activity contains the following fields:
- "query_id": the ID of the query being edited.
- "query_name": the name of the query being edited.
Example
{
"query_id": 123,
"query_name": "foo"
}
Type deleted_saved_query
Generated when deleting a saved query.
This activity contains the following fields:
- "query_name": the name of the query being deleted.
Example
{
"query_name": "foo"
}
Type deleted_multiple_saved_query
Generated when deleting multiple saved queries.
This activity contains the following fields:
- "query_ids": list of IDs of the deleted saved queries.
Example
{
"query_ids": [1, 42, 100]
}
Type applied_spec_saved_query
Generated when applying a query spec.
This activity contains a field "specs" where each item is a query spec with the following fields:
- "name": Name of the query.
- "description": Description of the query.
- "query": SQL query.
Example
{
"specs": [
{
"name":"Get OpenSSL versions",
"query":"SELECT name AS name, version AS version, 'deb_packages' AS source FROM [...]",
"description":"Retrieves the OpenSSL version."
}
]
}
Type created_team
Generated when creating teams.
This activity contains the following fields:
- "team_id": unique ID of the created team.
- "team_name": the name of the created team.
Example
{
"team_id": 123,
"team_name": "foo"
}
Type deleted_team
Generated when deleting teams.
This activity contains the following fields:
- "team_id": unique ID of the deleted team.
- "team_name": the name of the deleted team.
Example
{
"team_id": 123,
"team_name": "foo"
}
Type applied_spec_team
Generated when applying team specs.
This activity contains a field "teams" where each item contains the team details with the following fields:
- "id": Unique ID of the team.
- "name": Name of the team.
Example
{
"teams": [
{
"id": 123,
"name": "foo"
}
]
}
Type edited_agent_options
Generated when agent options are edited (either globally or for a team).
This activity contains the following fields:
- "global": "true" if the user updated the global agent options, "false" if the agent options of a team were updated.
- "team_id": unique ID of the team for which the agent options were updated (null if global is true).
- "team_name": the name of the team for which the agent options were updated (null if global is true).
Example
{
"team_id": 123,
"team_name": "foo",
"global": false
}
Type live_query
Generated when running live queries.
This activity contains the following fields:
- "targets_count": Number of hosts where the live query was targeted to run.
- "query_sql": The SQL query to run on hosts.
- "query_name": Name of the query (this field is not set if this was not a saved query).
Example
{
"targets_count": 5000,
"query_sql": "SELECT * from osquery_info;",
"query_name": "foo"
}
Type user_added_by_sso
Generated when new users are added via SSO JIT provisioning
This activity does not contain any detail fields.
Type user_logged_in
Generated when users successfully log in to Fleet.
This activity contains the following fields:
- "public_ip": Public IP of the login request.
Example
{
"public_ip": "168.226.215.82"
}
Type user_failed_login
Generated when users try to log in to Fleet and fail.
This activity contains the following fields:
- "email": The email used in the login request.
- "public_ip": Public IP of the login request.
Example
{
"email": "foo@example.com",
"public_ip": "168.226.215.82"
}
Type created_user
Generated when a user is created.
This activity contains the following fields:
- "user_id": Unique ID of the created user in Fleet.
- "user_name": Name of the created user.
- "user_email": E-mail of the created user.
Example
{
"user_id": 42,
"user_name": "Foo",
"user_email": "foo@example.com"
}
Type deleted_user
Generated when a user is deleted.
This activity contains the following fields:
- "user_id": Unique ID of the deleted user in Fleet.
- "user_name": Name of the deleted user.
- "user_email": E-mail of the deleted user.
Example
{
"user_id": 42,
"user_name": "Foo",
"user_email": "foo@example.com"
}
Type changed_user_global_role
Generated when user global roles are changed.
This activity contains the following fields:
- "user_id": Unique ID of the edited user in Fleet.
- "user_name": Name of the edited user.
- "user_email": E-mail of the edited user.
- "role": New global role of the edited user.
Example
{
"user_id": 42,
"user_name": "Foo",
"user_email": "foo@example.com",
"role": "Observer"
}
Type deleted_user_global_role
Generated when user global roles are deleted.
This activity contains the following fields:
- "user_id": Unique ID of the edited user in Fleet.
- "user_name": Name of the edited user.
- "user_email": E-mail of the edited user.
- "role": Deleted global role of the edited user.
Example
{
"user_id": 43,
"user_name": "Foo",
"user_email": "foo@example.com",
"role": "Maintainer"
}
Type changed_user_team_role
Generated when user team roles are changed.
This activity contains the following fields:
- "user_id": Unique ID of the edited user in Fleet.
- "user_name": Name of the edited user.
- "user_email": E-mail of the edited user.
- "role": Team role set to the edited user.
- "team_id": Unique ID of the team of the changed role.
- "team_name": Name of the team of the changed role.
Example
{
"user_id": 43,
"user_name": "Foo",
"user_email": "foo@example.com",
"role": "Maintainer",
"team_id": 5,
"team_name": "Bar"
}
Type deleted_user_team_role
Generated when user team roles are deleted.
This activity contains the following fields:
- "user_id": Unique ID of the edited user in Fleet.
- "user_name": Name of the edited user.
- "user_email": E-mail of the edited user.
- "role": Team role deleted from the edited user.
- "team_id": Unique ID of the team of the deleted role.
- "team_name": Name of the team of the deleted role.
Example
{
"user_id": 44,
"user_name": "Foo",
"user_email": "foo@example.com",
"role": "Observer",
"team_id": 2,
"team_name": "Zoo"
}
Type mdm_enrolled
Generated when a host is enrolled in Fleet's MDM.
This activity contains the following fields:
- "host_serial": Serial number of the host.
- "installed_from_dep": Whether the host was enrolled via DEP.
Example
{
"host_serial": "C08VQ2AXHT96",
"installed_from_dep": true
}
Type mdm_unenrolled
Generated when a host is unenrolled from Fleet's MDM.
This activity contains the following fields:
- "host_serial": Serial number of the host.
- "installed_from_dep": Whether the host was enrolled via DEP.
Example
{
"host_serial": "C08VQ2AXHT96",
"installed_from_dep": true
}