Audit Log: Rebase service audit log (#1218)

jeaaustx · zamiseck · web-flow · commit fc1dcb8f6057 · 2025-03-31T13:29:51.000-05:00
Rebase and squashed all 1110 bmcweb commits to support service audit log. 1110 commits included: ``` 957cc79 Audit Log: Rebase service audit log (#820) 5fd2e37 Audit Log: Correct logging of sessions (#1129) 2cc4e01 Reduce memory usage during Firmware update (#739) ``` Includes restructure of the code to split into audit-events.hpp and audit-events.cpp files. Only the .cpp file will include libaudit.h and will only be built if audit-events is enabled. This allows use of constexpr for calls to auditEvent(). This introduces a new bmcweb meson option, audit-events, which is defaulted to disabled. Recipe changes in GHE openbmc/openbmc enable audit logging. When audit-events is enabled all bmcweb PATCH, POST, PUT, and DELETE events are logged using the Linux kernel auditd subsystem. Additionally, login events coming through bmcweb are also recorded. The body of the events is recorded as well except in the following cases: - /redfish/v1/AccountService/Accounts PATCH/POST events - body is not recorded as it may contain clear text password - /ibm/v1 PATCH/POST/PUT events - body is not recorded as it contains HMC config file binary data - Limit size of body recorded to avoid flooding log or using too much memory. Events are recorded in /var/log/audit/. User type dreport will gather these log files. Tested: - Enabled auditing then initiated a variety of Redfish events using curl. - Confirmed the events were recorded and confirmed the data recorded was accurate. - Confirmed password was not included in audit data recorded. Signed-off-by: Myung Bae <myungbae@us.ibm.com> Signed-off-by: Janet Adkins <janeta@us.ibm.com> Co-authored-by: zamiseck <zimzam17@gmail.com>
diff --git a/config/meson.build b/config/meson.build
@@ -3,6 +3,7 @@
 conf_data = configuration_data()
 
 feature_options = [
+    'audit-events',
     'basic-auth',
     'cookie-auth',
     'experimental-http2',
diff --git a/http/http_connection.hpp b/http/http_connection.hpp
@@ -4,6 +4,7 @@
 #include "bmcweb_config.h"
 
 #include "async_resp.hpp"
+#include "audit_events.hpp"
 #include "authentication.hpp"
 #include "complete_response_fields.hpp"
 #include "forward_unauthorized.hpp"
@@ -489,6 +490,31 @@ class Connection :
         res = std::move(thisRes);
         res.keepAlive(keepAlive);
 
+        if constexpr (BMCWEB_AUDIT_EVENTS)
+        {
+            if (audit::wantAudit(*req))
+            {
+                if (userSession != nullptr)
+                {
+                    bool requestSuccess = false;
+                    // Look for good return codes and if so we know the
+                    // operation passed
+                    if ((res.resultInt() >= 200) && (res.resultInt() < 300))
+                    {
+                        requestSuccess = true;
+                    }
+
+                    audit::auditEvent(*req, userSession->username,
+                                      requestSuccess);
+                }
+                else
+                {
+                    BMCWEB_LOG_DEBUG(
+                        "UserSession is null, not able to log audit event!");
+                }
+            }
+        }
+
         completeResponseFields(accept, res);
         res.addHeader(boost::beast::http::field::date, getCachedDateStr());
 
diff --git a/include/audit_events.hpp b/include/audit_events.hpp
@@ -0,0 +1,53 @@
+#pragma once
+
+#include "http_request.hpp"
+
+#include <boost/beast/http/verb.hpp>
+
+#include <cstring>
+#include <string>
+
+namespace audit
+{
+
+int auditGetFD();
+void auditClose();
+bool auditOpen();
+bool auditReopen();
+void auditSetState(bool enable);
+bool wantDetail(const crow::Request& req);
+bool appendItemToBuf(std::string& strBuf, size_t maxBufSize,
+                     const std::string& item);
+
+/**
+ * @brief Checks if POST request is a user connection event
+ *
+ * Login and Session requests are audited when the authentication is attempted.
+ * This allows failed requests to be audited with the user detail.
+ *
+ * @return True if request is a user connection event
+ */
+inline bool checkPostUser(const crow::Request& req)
+{
+    return (req.target() == "/redfish/v1/SessionService/Sessions") ||
+           (req.target() == "/redfish/v1/SessionService/Sessions/") ||
+           (req.target() == "/login");
+}
+
+/**
+ * @brief Checks if request should be audited after completion
+ * @return  True if request should be audited
+ */
+inline bool wantAudit(const crow::Request& req)
+{
+    return (req.method() == boost::beast::http::verb::patch) ||
+           (req.method() == boost::beast::http::verb::put) ||
+           (req.method() == boost::beast::http::verb::delete_) ||
+           ((req.method() == boost::beast::http::verb::post) &&
+            !checkPostUser(req));
+}
+
+void auditEvent(const crow::Request& req, const std::string& userName,
+                bool success);
+
+} // namespace audit
diff --git a/include/login_routes.hpp b/include/login_routes.hpp
@@ -2,8 +2,11 @@
 // SPDX-FileCopyrightText: Copyright OpenBMC Authors
 #pragma once
 
+#include "bmcweb_config.h"
+
 #include "app.hpp"
 #include "async_resp.hpp"
+#include "audit_events.hpp"
 #include "cookies.hpp"
 #include "http_request.hpp"
 #include "http_response.hpp"
@@ -170,6 +173,10 @@ inline void handleLogin(const crow::Request& req,
         if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
         {
             asyncResp->res.result(boost::beast::http::status::unauthorized);
+            if constexpr (BMCWEB_AUDIT_EVENTS)
+            {
+                audit::auditEvent(req, std::string(username), false);
+            }
         }
         else
         {
@@ -183,6 +190,10 @@ inline void handleLogin(const crow::Request& req,
 
             // if content type is json, assume json token
             asyncResp->res.jsonValue["token"] = session->sessionToken;
+            if constexpr (BMCWEB_AUDIT_EVENTS)
+            {
+                audit::auditEvent(req, std::string(username), true);
+            }
         }
     }
     else
diff --git a/meson.build b/meson.build
@@ -396,6 +396,12 @@ srcfiles_bmcweb = files(
     'src/webserver_run.cpp',
 )
 
+if (get_option('audit-events').allowed())
+    audit_dep = dependency('audit')
+    bmcweb_dependencies += audit_dep
+    srcfiles_bmcweb += files('src/audit_events.cpp')
+endif
+
 bmcweblib = static_library(
     'bmcweblib',
     srcfiles_bmcweb,
@@ -483,6 +489,10 @@ srcfiles_unittest = files(
     'test/redfish-core/lib/update_service_test.cpp',
 )
 
+if (get_option('audit-events').allowed())
+    srcfiles_unittest += files('test/include/audit_events_test.cpp')
+endif
+
 if (get_option('tests').allowed())
     gtest = dependency(
         'gtest_main',
diff --git a/meson.options b/meson.options
@@ -461,6 +461,14 @@ option(
                     behavior changes or be removed at any time.''',
 )
 
+# BMCWEB_AUDIT_EVENTS
+option(
+    'audit-events',
+    type: 'feature',
+    value: 'disabled',
+    description: 'Enable audit events support for bmcweb',
+)
+
 # Insecure options. Every option that starts with a `insecure` flag should
 # not be enabled by default for any platform, unless the author fully comprehends
 # the implications of doing so.In general, enabling these options will cause security
diff --git a/redfish-core/lib/redfish_sessions.hpp b/redfish-core/lib/redfish_sessions.hpp
@@ -3,9 +3,12 @@
 // SPDX-FileCopyrightText: Copyright 2018 Intel Corporation
 #pragma once
 
+#include "bmcweb_config.h"
+
 #include "account_service.hpp"
 #include "app.hpp"
 #include "async_resp.hpp"
+#include "audit_events.hpp"
 #include "cookies.hpp"
 #include "dbus_privileges.hpp"
 #include "error_messages.hpp"
@@ -225,6 +228,12 @@ inline void processAfterSessionCreation(
     asyncResp->res.addHeader(
         "Location", "/redfish/v1/SessionService/Sessions/" + session->uniqueId);
     asyncResp->res.result(boost::beast::http::status::created);
+
+    if constexpr (BMCWEB_AUDIT_EVENTS)
+    {
+        audit::auditEvent(req, session->username, true);
+    }
+
     if (session->isConfigureSelfOnly)
     {
         messages::passwordChangeRequired(
@@ -282,6 +291,10 @@ inline void handleSessionCollectionPost(
     {
         messages::resourceAtUriUnauthorized(asyncResp->res, req.url(),
                                             "Invalid username or password");
+        if constexpr (BMCWEB_AUDIT_EVENTS)
+        {
+            audit::auditEvent(req, std::string(username), false);
+        }
         return;
     }
 
diff --git a/src/audit_events.cpp b/src/audit_events.cpp
diff --git a/test/include/audit_events_test.cpp b/test/include/audit_events_test.cpp
