Email and username in audit logs

Hey folks!
I’m trying to get the username and email in Boundary audit logs in cleartext, but still have no success with that.
The manual says we need to apply the following config for the sink:

    audit_config {
      audit_filter_overrides {
        sensitive = ""
      }
    }

But when I set this audit_filter_overrides, the wanted fields just disappear from the logfile.

And when I set sensitive to “encrypt”, “hmac-sha256” or “redact”, these fields appear in the logfile in encrypted, HMAC or [REDACTED] form.
So please advise me how to get username and email in cleartext in the logs. Otherwise there is not much sense in them, because the main purpose of audit logs is to get info about who did what and when.

The Boundary version is 0.14.1.

The whole config of the events is the following:

events {
  audit_enabled        = true
  observations_enabled = true
  sysevents_enabled    = false

  sink {
    name = "session-sink"
    description = "Authorize session requests and services sent to a file"
    event_types = ["audit"]
    format = "cloudevents-json"
    allow_filters = [
      "\"/data/request_info/path\" contains \":authorize-session\"",
      "\"/data/request_info/method\" contains \"SessionService\"",
    ]
    file {
      path = "/var/log/boundary"
      file_name = "sessions.log"
    }
    audit_config {
      audit_filter_overrides {
        sensitive = ""
      }
    }
  }

  sink {
    name = "auth-sink"
    description = "Authentications sent to a file"
    event_types = ["observation"]
    format = "cloudevents-json"
    allow_filters = [
      "\"/data/request_info/path\" contains \":authenticate\""
    ]
    file {
      path = "/var/log/boundary"
      file_name = "auth.log"
    }
    audit_config {
      audit_filter_overrides {
        sensitive = ""
      }
    }
  }

  sink {
    name        = "controller-audit-sink"
    description = "Audit sent to a file"
    event_types = ["audit"]
    format      = "cloudevents-json"

    file {
      path      = "/var/log/boundary"
      file_name = "controller.log"
    }

    audit_config {
      audit_filter_overrides {
        sensitive = ""
      }
    }
  }
}

Anyone, please, I need help with the subject!

Can you tell me what API calls you’re making where you expect the username/email address in the audit events? I think most audit events will include an auth element that includes a user_info element that includes an id. This can be used to identify the user making the request.

Example:
"auth": { "auth_token_id": "", "user_info": { "id": "u_SFOmBCamez" },

I don’t think you need to override any of the audit_filter_overrides to get the user id in the audit events since IDs are considered public information.

@jimlambrt huge thanks for the response!

I see user.id in the logs, but to use it in, for example, a SIEM, I have to have some kind of lookup mechanism to get the user name out of the id. Don’t you agree that this is a kind of unnecessary redundancy?
I’d just like to parse the user out of the JSON; agree that the login is not some kind of critical info one would like to keep secret!
IMHO, at least this should be an optional protection.

Here is the log entry sample; you can see the HMAC’ed email and name fields at the end:

{
  "id": "sXPIY266Ip",
  "source": "https://hashicorp.com/boundary/ip-10-51-59-211/controller",
  "specversion": "1.0",
  "type": "audit",
  "data": {
    "id": "e_5EpbGsLoAC",
    "version": "v0.1",
    "type": "APIRequest",
    "timestamp": "2023-11-17T21:54:42.006022699Z",
    "request_info": {
      "id": "gtraceid_f5oHiCmV95vQIFvh42n8",
      "method": "POST",
      "path": "/v1/targets/ttcp_nVo991UMAC:authorize-session",
      "public_id": "at_mWRt2Oxwf1",
      "client_ip": "10.51.44.9"
    },
    "auth": {
      "auth_token_id": "",
      "user_info": {
        "id": "u_Qifo7VLXaA"
      },
      "grants_info": {
        "grants": [
          {
            "grant": "id=*;type=auth-token;actions=delete:self,list,read:self",
            "scope_id": "o_lZWMJEQLsp",
            "role_id": "r_DgDNiaOdUE"
          },
          {
            "grant": "id={{.Account.Id}};actions=change-password,read",
            "scope_id": "o_lZWMJEQLsp",
            "role_id": "r_DgDNiaOdUE"
          },
          {
            "grant": "id=*;type=auth-method;actions=authenticate,list",
            "scope_id": "o_lZWMJEQLsp",
            "role_id": "r_DgDNiaOdUE"
          },
          {
            "grant": "id=*;type=scope;actions=list,no-op",
            "scope_id": "o_lZWMJEQLsp",
            "role_id": "r_DgDNiaOdUE"
          },
          {
            "grant": "id=*;type=auth-token;actions=delete:self,list,read:self",
            "scope_id": "global",
            "role_id": "r_KufxUF92sB"
          },
          {
            "grant": "id={{.Account.Id}};actions=change-password,read",
            "scope_id": "global",
            "role_id": "r_KufxUF92sB"
          },
          {
            "grant": "id=*;type=auth-method;actions=authenticate,list",
            "scope_id": "global",
            "role_id": "r_KufxUF92sB"
          },
          {
            "grant": "id=*;type=scope;actions=list,no-op",
            "scope_id": "global",
            "role_id": "r_KufxUF92sB"
          },
          {
            "grant": "id=*;type=*;actions=*",
            "scope_id": "p_sAGW7vWFyY",
            "role_id": "r_LCMX9naxC8"
          },
          {
            "grant": "id=*;type=auth-token;actions=delete:self,list,read:self",
            "scope_id": "o_pWWNCucFng",
            "role_id": "r_LHGs1Ui6ig"
          },
          {
            "grant": "id={{.Account.Id}};actions=change-password,read",
            "scope_id": "o_pWWNCucFng",
            "role_id": "r_LHGs1Ui6ig"
          },
          {
            "grant": "id=*;type=auth-method;actions=authenticate,list",
            "scope_id": "o_pWWNCucFng",
            "role_id": "r_LHGs1Ui6ig"
          },
          {
            "grant": "id=*;type=scope;actions=list,no-op",
            "scope_id": "o_pWWNCucFng",
            "role_id": "r_LHGs1Ui6ig"
          },
          {
            "grant": "id=*;type=*;actions=*",
            "scope_id": "p_Qoo5Z3kCZO",
            "role_id": "r_kN3RinVV0z"
          }
        ]
      },
      "email": "hmac-sha256:e4ylJumhSMHf3p9fFo5Q5HMMH8i_9rkD8Af_18k79mA",
      "name": "hmac-sha256:e4ylJumhSMHf3p9fFo5Q5HMMH8i_9rkD8Af_18k79mA"
    },
    "request": {
      "details": {
        "id": "ttcp_nVo991UMAC"
      }
    }
  }
}

I was able to successfully see sensitive and secret data without HMAC’ing or encryption in my audit events.

Here’s an example and you’ll notice the login-name and password are present in plaintext.

{
  "id": "vw4zLCXeZ8",
  "source": "https://hashicorp.com/boundary/jimlambrt-HHPX413XJQ/controller",
  "specversion": "1.0",
  "type": "audit",
  "data": {
    "id": "e_oZCdWi6sgC",
    "version": "v0.1",
    "type": "APIRequest",
    "timestamp": "2023-11-22T12:00:25.970279-05:00",
    "request_info": {
      "id": "gtraceid_6iP99nvacAqFNHfjz10J",
      "method": "POST",
      "path": "/v1/auth-methods/ampw_gpFz8g0n9n:authenticate",
      "client_ip": "127.0.0.1"
    },
    "auth": {
      "auth_token_id": "",
      "user_info": {
        "id": "u_anon"
      },
      "grants_info": {
        "grants": [
          {
            "grant": "id=*;type=scope;actions=list,no-op",
            "scope_id": "global",
            "role_id": "r_TkU6LWR0UW"
          },
          {
            "grant": "id=*;type=auth-method;actions=authenticate,list",
            "scope_id": "global",
            "role_id": "r_TkU6LWR0UW"
          },
          {
            "grant": "id={{.Account.Id}};actions=change-password,read",
            "scope_id": "global",
            "role_id": "r_TkU6LWR0UW"
          },
          {
            "grant": "id=*;type=auth-token;actions=delete:self,list,read:self",
            "scope_id": "global",
            "role_id": "r_TkU6LWR0UW"
          },
          {
            "grant": "id=*;type=scope;actions=list,no-op",
            "scope_id": "o_VJHJTvJwGv",
            "role_id": "r_ux6bqoRsZV"
          },
          {
            "grant": "id=*;type=auth-method;actions=authenticate,list",
            "scope_id": "o_VJHJTvJwGv",
            "role_id": "r_ux6bqoRsZV"
          },
          {
            "grant": "id={{.Account.Id}};actions=change-password,read",
            "scope_id": "o_VJHJTvJwGv",
            "role_id": "r_ux6bqoRsZV"
          },
          {
            "grant": "id=*;type=auth-token;actions=delete:self,list,read:self",
            "scope_id": "o_VJHJTvJwGv",
            "role_id": "r_ux6bqoRsZV"
          }
        ]
      }
    },
    "request": {
      "details": {
        "auth_method_id": "ampw_gpFz8g0n9n",
        "Attrs": {
          "PasswordLoginAttributes": {
            "login_name": "admin",
            "password": "mLQOLY7Zdcn2z7Mx1Gv2"
          }
        },
        "command": "login"
      }
    },
    "response": {
      "status_code": 200,
      "details": {
        "Attrs": {
          "AuthTokenResponse": {
            "id": "at_qDyJlUws7n",
            "scope": {
              "id": "global",
              "type": "global"
            },
            "token": "at_qDyJlUws7n_s14E8jKapy9faYqTQaEE8zY5EqhEhV9FjzUPHmAsHAKf5WH8JcMvtrPpU4pZw3CzoQLQ1rWHrBmNaRzJTNNaFrcaWNJjvhy5e7hPCbaaEf5LiAY9dH3yB5",
            "user_id": "u_SFOmBCamez",
            "auth_method_id": "ampw_gpFz8g0n9n",
            "account_id": "acctpw_oPlHrYQr7t",
            "created_time": {
              "seconds": 1700672425,
              "nanos": 446339000
            },
            "updated_time": {
              "seconds": 1700672425,
              "nanos": 446339000
            },
            "approximate_last_used_time": {
              "seconds": 1700672425,
              "nanos": 446339000
            },
            "expiration_time": {
              "seconds": 1701277225
            }
          }
        },
        "command": "login"
      }
    }
  },
  "datacontentype": "application/cloudevents",
  "time": "2023-11-22T12:00:25.970312-05:00",
  "serialized": "eyJpZCI6InZ3NHpMQ1hlWjgiLCJzb3VyY2UiOiJodHRwczovL2hhc2hpY29ycC5jb20vYm91bmRhcnkvamltbGFtYnJ0LUhIUFg0MTNYSlEvY29udHJvbGxlciIsInNwZWN2ZXJzaW9uIjoiMS4wIiwidHlwZSI6ImF1ZGl0IiwiZGF0YSI6eyJpZCI6ImVfb1pDZFdpNnNnQyIsInZlcnNpb24iOiJ2MC4xIiwidHlwZSI6IkFQSVJlcXVlc3QiLCJ0aW1lc3RhbXAiOiIyMDIzLTExLTIyVDEyOjAwOjI1Ljk3MDI3OS0wNTowMCIsInJlcXVlc3RfaW5mbyI6eyJpZCI6Imd0cmFjZWlkXzZpUDk5bnZhY0FxRk5IZmp6MTBKIiwibWV0aG9kIjoiUE9TVCIsInBhdGgiOiIvdjEvYXV0aC1tZXRob2RzL2FtcHdfZ3BGejhnMG45bjphdXRoZW50aWNhdGUiLCJjbGllbnRfaXAiOiIxMjcuMC4wLjEifSwiYXV0aCI6eyJhdXRoX3Rva2VuX2lkIjoiIiwidXNlcl9pbmZvIjp7ImlkIjoidV9hbm9uIn0sImdyYW50c19pbmZvIjp7ImdyYW50cyI6W3siZ3JhbnQiOiJpZD0qO3R5cGU9c2NvcGU7YWN0aW9ucz1saXN0LG5vLW9wIiwic2NvcGVfaWQiOiJnbG9iYWwiLCJyb2xlX2lkIjoicl9Ua1U2TFdSMFVXIn0seyJncmFudCI6ImlkPSo7dHlwZT1hdXRoLW1ldGhvZDthY3Rpb25zPWF1dGhlbnRpY2F0ZSxsaXN0Iiwic2NvcGVfaWQiOiJnbG9iYWwiLCJyb2xlX2lkIjoicl9Ua1U2TFdSMFVXIn0seyJncmFudCI6ImlkPXt7LkFjY291bnQuSWR9fTthY3Rpb25zPWNoYW5nZS1wYXNzd29yZCxyZWFkIiwic2NvcGVfaWQiOiJnbG9iYWwiLCJyb2xlX2lkIjoicl9Ua1U2TFdSMFVXIn0seyJncmFudCI6ImlkPSo7dHlwZT1hdXRoLXRva2VuO2FjdGlvbnM9ZGVsZXRlOnNlbGYsbGlzdCxyZWFkOnNlbGYiLCJzY29wZV9pZCI6Imdsb2JhbCIsInJvbGVfaWQiOiJyX1RrVTZMV1IwVVcifSx7ImdyYW50IjoiaWQ9Kjt0eXBlPXNjb3BlO2FjdGlvbnM9bGlzdCxuby1vcCIsInNjb3BlX2lkIjoib19WSkhKVHZKd0d2Iiwicm9sZV9pZCI6InJfdXg2YnFvUnNaViJ9LHsiZ3JhbnQiOiJpZD0qO3R5cGU9YXV0aC1tZXRob2Q7YWN0aW9ucz1hdXRoZW50aWNhdGUsbGlzdCIsInNjb3BlX2lkIjoib19WSkhKVHZKd0d2Iiwicm9sZV9pZCI6InJfdXg2YnFvUnNaViJ9LHsiZ3JhbnQiOiJpZD17ey5BY2NvdW50LklkfX07YWN0aW9ucz1jaGFuZ2UtcGFzc3dvcmQscmVhZCIsInNjb3BlX2lkIjoib19WSkhKVHZKd0d2Iiwicm9sZV9pZCI6InJfdXg2YnFvUnNaViJ9LHsiZ3JhbnQiOiJpZD0qO3R5cGU9YXV0aC10b2tlbjthY3Rpb25zPWRlbGV0ZTpzZWxmLGxpc3QscmVhZDpzZWxmIiwic2NvcGVfaWQiOiJvX1ZKSEpUdkp3R3YiLCJyb2xlX2lkIjoicl91eDZicW9Sc1pWIn1dfX0sInJlcXVlc3QiOnsiZGV0YWlscyI6eyJhdXRoX21ldGhvZF9pZCI6ImFtcHdfZ3BGejhnMG45biIsIkF0dHJzIjp7IlBhc3N3b3JkTG9naW5BdHRyaWJ1dGVzIjp7ImxvZ2luX25hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoibUxRT0xZN1pkY24yejdNeDFHdjIifX0sImNvbW1hbmQiOiJsb2dpbiJ9fSwicmVzcG9uc2UiOnsic3RhdHVzX2NvZGUiOjIwMCwiZGV0YWlscyI6eyJBdHRycyI6eyJBdXRoVG9rZW5SZXNwb25zZSI6eyJpZCI6ImF0X3FEeUpsVXdzN24iLCJzY29wZSI6eyJpZCI6Imdsb2JhbCIsInR5cGUiOiJnbG9iYWwifSwidG9rZW4iOiJhdF9xRHlKbFV3czduX3MxNEU4akthcHk5ZmFZcVRRYUVFOHpZNUVxaEVoVjlGanpVUEhtQXNIQUtmNVdIOEpjTXZ0clBwVTRwWnczQ3pvUUxRMXJXSHJCbU5hUnpKVE5OYUZyY2FXTkpqdmh5NWU3aFBDYmFhRWY1TGlBWTlkSDN5QjUiLCJ1c2VyX2lkIjoidV9TRk9tQkNhbWV6IiwiYXV0aF9tZXRob2RfaWQiOiJhbXB3X2dwRno4ZzBuOW4iLCJhY2NvdW50X2lkIjoiYWNjdHB3X29QbEhyWVFyN3QiLCJjcmVhdGVkX3RpbWUiOnsic2Vjb25kcyI6MTcwMDY3MjQyNSwibmFub3MiOjQ0NjMzOTAwMH0sInVwZGF0ZWRfdGltZSI6eyJzZWNvbmRzIjoxNzAwNjcyNDI1LCJuYW5vcyI6NDQ2MzM5MDAwfSwiYXBwcm94aW1hdGVfbGFzdF91c2VkX3RpbWUiOnsic2Vjb25kcyI6MTcwMDY3MjQyNSwibmFub3MiOjQ0NjMzOTAwMH0sImV4cGlyYXRpb25fdGltZSI6eyJzZWNvbmRzIjoxNzAxMjc3MjI1fX19LCJjb21tYW5kIjoibG9naW4ifX19LCJkYXRhY29udGVudHlwZSI6ImFwcGxpY2F0aW9uL2Nsb3VkZXZlbnRzIiwidGltZSI6IjIwMjMtMTEtMjJUMTI6MDA6MjUuOTcwMzEyLTA1OjAwIn0K",
  "serialized_hmac": "hmac-sha256:lzYMnMtwDNA16EAyNGRTZ-ykOxFEJXFjZFw8Z7mMEzk"
}

My event config:

events {
  audit_enabled = true
  observations_enabled = false
  sysevents_enabled = true
  telemetry_enabled = false
  sink "stderr" {
    name = "all-events"
    description = "All events sent to stderr"
    event_types = ["*"]
    format = "cloudevents-json"
    audit_config {
      audit_filter_overrides {
        sensitive = ""
        secret = ""
      }
    }
  }
}

Currently, we don’t look up additional user info (name, email, sub, etc) for every request’s audit event. It’s something we can consider adding though, with the appropriate bits to mask it by default.

Would you mind adding an issue for this feature? Issues · hashicorp/boundary · GitHub
Feel free to tag me in the issue.

Thank you @jimlambrt, by now I believe I’d go with creating a lookup table of the following format:

boundary_id|full name|email

And I would need to schedule its update. So I need a Boundary service account to get this info via the controller API.
Should I create a Boundary user account for the SIEM process, or is there some other mechanism like a special service token in Boundary?
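The SIEM-side join that the last post proposes, written out as an added example (not code from the thread or from Boundary itself): it resolves each event's auth.user_info.id against a boundary_id|full name|email lookup table and, since the :authenticate sample above shows what secret = "" does, also flags any event whose password attribute arrived unmasked. The lookup rows, the events and the placeholder password are all constructed; masked-value detection relies only on the hmac-sha256: prefix and [REDACTED] forms seen in this thread.

```python
import json

# Constructed lookup table in the boundary_id|full name|email format proposed in the thread.
LOOKUP_TABLE = """boundary_id|full name|email
u_Qifo7VLXaA|Alice Example|alice@example.com
u_SFOmBCamez|Jim Example|jim@example.com
"""

# Constructed cloudevents-json audit events, one per line, trimmed to the fields used here; the
# second mimics the :authenticate sample where secret = "" left the password field in plaintext.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "audit", "data": {"timestamp": "2023-11-17T21:54:42Z",
        "request_info": {"method": "POST", "path": "/v1/targets/ttcp_nVo991UMAC:authorize-session"},
        "auth": {"user_info": {"id": "u_Qifo7VLXaA"}, "email": "hmac-sha256:e4ylJumhSMHf3p9f"}}},
    {"type": "audit", "data": {"timestamp": "2023-11-22T17:00:25Z",
        "request_info": {"method": "POST", "path": "/v1/auth-methods/ampw_gpFz8g0n9n:authenticate"},
        "auth": {"user_info": {"id": "u_anon"}},
        "request": {"details": {"Attrs": {"PasswordLoginAttributes": {
            "login_name": "admin", "password": "CONSTRUCTED-PLACEHOLDER"}}}}}},
])

def load_lookup(text):
    """Index the pipe-separated table (header row first) by boundary_id."""
    header, *rows = (line.split("|") for line in text.strip().splitlines())
    return {r[0]: dict(zip(header, r)) for r in rows}

def is_masked(value):
    """Masked forms seen in the samples: an hmac-sha256: prefix or the literal [REDACTED]."""
    return isinstance(value, str) and (value.startswith("hmac-sha256:") or value == "[REDACTED]")

def secret_in_clear(data):
    """True when a password login attribute is present and not masked."""
    pw = (data.get("request", {}).get("details", {}).get("Attrs", {})
          .get("PasswordLoginAttributes", {}).get("password"))
    return pw is not None and not is_masked(pw)

def enrich_event(event, lookup):
    """Flatten one audit event into a SIEM-friendly record, resolving the user id."""
    data = event.get("data", {})
    info = data.get("request_info", {})
    user_id = data.get("auth", {}).get("user_info", {}).get("id", "")
    row = lookup.get(user_id)  # None for u_anon or ids missing from the table
    return {"timestamp": data.get("timestamp"), "user_id": user_id, "method": info.get("method"),
            "path": info.get("path"), "full_name": row["full name"] if row else None,
            "email": row["email"] if row else None, "secret_in_clear": secret_in_clear(data)}

def enrich_log(text, lookup):
    """Parse a newline-delimited audit log and enrich every event in it."""
    return [enrich_event(json.loads(line), lookup) for line in text.splitlines() if line.strip()]
```

Records with secret_in_clear set to True are the ones to treat as a sink misconfiguration rather than forward as-is.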