In FWaaS, when someone makes a change to a firewall rule we know Who, What, When, and Where

Bug #1628627 reported by Nate Johnston
Affects: neutron
Status: New
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

In the FWaaS service, create the ability for administrators to engage an 'audit trail' feature. The audit trail would notate every change to firewalls that causes a security change. The output would be to the notification queue.

Audit notations should contain all information necessary to process them. For example, an audit notation that says "user abcde1234 permitted port 22 traffic from firewall group A to firewall group B" is not enough information. In order to determine what needs to be scanned, the consumer of the audit would need to subsequently query FWaaS to determine the membership of the 2 firewall groups cited. Notations should carry enough information so that no subsequent querying is required for processing.

The notification should encompass all of:

- Who: Identity of the user initiating the change.
- What: The information on what was changed. Should include port information, whether access was permitted or disallowed, etc.
- Where: A list of all affected ports/IP addresses/instances, grouped by connection origin/destination. This could be abbreviated to indicate an entire tenant if that is the target.
- When: Timestamp indicating when the change was initiated.

Use case: This would allow a customer's security group to subscribe to a collated feed of all security events in order to detect those events that should trigger an audit or vulnerability scan.
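The following is an added example, not code from the bug report or from neutron-fwaas, showing the shape of a self-contained audit notification as the description asks for it: group membership is resolved at emit time so the consumer never has to query FWaaS to learn which ports/IPs/instances were affected, the whole-tenant case is abbreviated rather than enumerated, and a consumer can decide from the event alone whether a vulnerability scan is warranted. The group inventory, rule fields and port-spec format ("22", "20:22" or None) are constructed assumptions for illustration.

```python
from datetime import datetime, timezone

# Constructed sample inventory (hypothetical): each firewall group resolved to
# the ports it contains, with each port's fixed IP and the instance behind it.
FIREWALL_GROUPS = {
    "fwg-A": [
        {"port_id": "port-a1", "ip": "10.0.1.11", "instance": "vm-web-1"},
        {"port_id": "port-a2", "ip": "10.0.1.12", "instance": "vm-web-2"},
    ],
    "fwg-B": [
        {"port_id": "port-b1", "ip": "10.0.2.21", "instance": "vm-db-1"},
    ],
}


def resolve_scope(group_id, project_id):
    """Materialise the 'Where' half of the event for one side of the rule.

    A None group means the rule applies to the whole tenant; the description
    allows that case to be abbreviated instead of listing every port.
    """
    if group_id is None:
        return {"scope": "project", "project_id": project_id}
    return {"scope": "group", "group_id": group_id,
            "members": list(FIREWALL_GROUPS.get(group_id, []))}


def build_audit_event(user_id, project_id, action, rule,
                      src_group, dst_group, when=None):
    """Build a self-contained audit notification (who / what / where / when).

    Membership is resolved here, at emit time, so no follow-up query against
    FWaaS is needed by whoever consumes the notification queue.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "event_type": "fwaas.rule." + action,      # create | update | delete
        "who": {"user_id": user_id, "project_id": project_id},
        "what": {
            "rule_id": rule["id"],
            "protocol": rule.get("protocol"),
            "destination_port": rule.get("destination_port"),  # "22", "20:22", None
            "action": rule["action"],                           # allow | deny
            "enabled": rule.get("enabled", True),
        },
        "where": {
            "source": resolve_scope(src_group, project_id),
            "destination": resolve_scope(dst_group, project_id),
        },
        "when": when.isoformat(),
    }


def _port_range(spec):
    """Parse a port spec: '22' -> (22, 22); '20:22' -> (20, 22); None -> any port."""
    if spec is None:
        return (0, 65535)
    lo, _, hi = str(spec).partition(":")
    lo = int(lo)
    return (lo, int(hi) if hi else lo)


def scan_targets(event, sensitive_ports=(22, 3389)):
    """Consumer-side check: return the destination targets a vulnerability
    scanner should look at, or [] when the change does not widen exposure on a
    sensitive port. Only the event itself is consulted.

    This simple policy scans on create/update of an enabled allow rule; a
    stricter consumer might also scan when a deny rule is deleted.
    """
    what = event["what"]
    widens = (not event["event_type"].endswith(".delete")
              and what["action"] == "allow" and what["enabled"])
    if not widens:
        return []
    lo, hi = _port_range(what["destination_port"])
    if not any(lo <= p <= hi for p in sensitive_ports):
        return []
    dest = event["where"]["destination"]
    if dest["scope"] == "project":
        return ["project:" + dest["project_id"]]   # abbreviated whole-tenant target
    return [m["ip"] for m in dest["members"]]


if __name__ == "__main__":
    rule = {"id": "rule-1", "protocol": "tcp", "destination_port": "22", "action": "allow"}
    ev = build_audit_event("abcde1234", "proj-1", "create", rule, "fwg-A", "fwg-B")
    print(ev["who"], ev["when"])
    print("scan:", scan_targets(ev))   # scan: ['10.0.2.21']
```

The point of carrying `members` inside `where` is exactly the one the description makes: a consumer reading "port 22 permitted from fwg-A to fwg-B" off the raw API notification would still have to ask FWaaS what fwg-B contains, and by then the membership may have changed.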

Travis Truman (travis-truman) wrote :

Presumably, the deletion of firewalls would also cause a notification to be emitted. That's not explicit above, but I believe implied.

Nate Johnston (nate-johnston) wrote :

@travis: Yes, this would apply for any change, which should encompass the full spectrum of create/update/delete.

Changed in neutron:
importance: Undecided → Wishlist
status: New → Confirmed
tags: added: rfe
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Doesn't base neutron API router already issue notifications for all resource changes?

Kevin Benton (kevinbenton) wrote :

@Ihar, I think this point wouldn't be included in the API notification because it sounds calculated.

"- Where: A list of all affected ports/IP addresses/instances, grouped by connection origin/destination. This could be abbreviated to indicate an entire tenant if that is the target."

Armando Migliaccio (armando-migliaccio) wrote :

This makes sense to me.

Changed in neutron:
status: Confirmed → Triaged
Kevin Benton (kevinbenton) wrote :

Moving to rfe-postponed for now unless we have a volunteer to implement the feature in FWaaS.

tags: added: rfe-postponed
removed: rfe
Changed in neutron:
assignee: nobody → Reedip (reedip-banerjee)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/452372

Changed in neutron:
assignee: Reedip (reedip-banerjee) → zhaobo (zhaobo6)
status: Triaged → In Progress
Changed in neutron:
assignee: zhaobo (zhaobo6) → Reedip (reedip-banerjee)
Changed in neutron:
assignee: Reedip (reedip-banerjee) → Miguel Lavalle (minsel)
Miguel Lavalle (minsel)
Changed in neutron:
assignee: Miguel Lavalle (minsel) → zhaobo (zhaobo6)
Changed in neutron:
assignee: zhaobo (zhaobo6) → Reedip (reedip-banerjee)
Changed in neutron:
assignee: Reedip (reedip-banerjee) → zhaobo (zhaobo6)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/452372
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Changed in neutron:
assignee: zhaobo (zhaobo6) → Reedip (reedip-banerjee)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-specs (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/461657
Reason: According to what we agreed during Shanghai PTG, I abandon this patch for now due to no activity. If You would be interested in continue work on this, feel free to restore the patch.

Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Reedip (reedip-banerjee) → nobody
status: In Progress → New
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/452372
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
