Implement OWASP security logging.

[blackboxsw]

Provide an initial spike for logging OWASP formatted events in cloud-init for discussion. Integration tests will be added upon agreement for security logging procedures.

Proposed Commit Message

    feat: add OWASP security event logging for user creation and system restart
    
    Implement OWASP structured logs in /var/log/cloud-init-security.log.
    
    Add security-related operations performed by cloud-init on behalf
    of user-data or platform meta-data:
    - user creation
    - user password change
    - system restart
    - system shutdown
  
    Default security log file can be changed by setting an alternative value
    for security_log_file in /etc/cloud/cloud.cfg(.d/*.cfg).

Additional Context

A followup PR will provide USER update functionality due to groups: { admingrp: [root, sys]} because this will require a refactor of Distro.create_group for multiple distros

Test Steps

CLOUD_INIT_CLOUD_INIT_OS_IMAGE=resolute tox -e integration-tests -- tests/integration_tests/modules/test_combined.py::TestCombined::test_security_logs

Merge type

• Squash merge using "Proposed Commit Message"
• Rebase and merge unique commits. Requires commit messages per-commit each referencing the pull request number (#<PR_NUM>)

[blackboxsw]

cc: @dbungert

[holmanb]

Thanks for this @blackboxsw. First pass.

If the goal is for this to be cross-distro, then implementing this in the distro class doesn't seem optimal because distro methods are expected to be (and in this case are) overridden.

Also, is there a reason that the logger package cannot be used? Manually writing to files seems undesirable - I would have expected this to define a custom logger for this purpose.

Thank you for the type annotations. Besides just annotating the types, I'd like to see if we can also avoid unnecessary complexity - something that annotations can assist with. For example rather than checking an Optional parameter for trutheyness, we could instead avoid the possibility of None and pass a falsey value instead.

[holmanb]

Intermixing code of different different purposes like this will lead to difficulty maintaining and auditing the code. I would prefer if we could find a cleaner design.

[blackboxsw]

good point, let's go decorator route instead,

[holmanb]

Decorators didn't address the problem. These decorators are still mixing code of different purposes.

[holmanb]

This conditional is unnecessary.

[holmanb]

unresolved

[blackboxsw]

It is in the event that all filtered_params are empty. We don't want a trailing ":" appended if filtered_params == []

[holmanb]

It is in the event that all filtered_params are empty.

This should never happen. See my comment above.

[blackboxsw]

I believe I have addressed all comments and this is ready for re-review.

[holmanb]

Can we add @final here too?

[blackboxsw]

Also migrated the sec_log_user_created decorator to add_user and add_snap_user as that is actually where a user gets created. Added @final decorators to both of those methods.
Refactored subclasses of add_user behavior into _add_user_preprocess_kwargs, _build_add_user_cmd and _post_add_user methods.

[holmanb]

This is still overridden in a child class.

[blackboxsw]

This is in distros/bsd.py, but bsd directly calls set_passwd for each name in plist_in. So BSD will still be logging separate OWASP events for each user, just as our @sec_log_password_changed_batch will.

As a result, I don't want to decorate chpasswd with @final and I also don't want to decorate cloudinit.distros.bsd.Disto.chpasswd with @sec_log passwd_changed_batch

[holmanb]

This also concerns me - I would rather avoid side-effects in logging libraries. This causes a syscall.

[holmanb]

Also, it seems odd to be manually building building a format for the log here.

Python's builtin logger allows supplying custom Formatter objects - which is where I would expect the format to be defined. The formatter should already have the time and can be configured to the desired format.

[holmanb]

Why does this use kwargs when the keyword names are known?

[holmanb]

Thanks for this @blackboxsw. See the latest feedback.

In general I'd like to see us avoid iterating over interfaces, opening sockets, and calling datetime on a per-log basis - and these kinds of side-effects don't seem well-suited for a system logging library.

The same goes for parsing data from untyped Dicts. A major problem with building a solution that can be maintained is that distro-specific code is doing configuration validation and manipulation - the existing code doesn't have clear separation of concerns.

Also: I'd like to see a sample log produced by this code.

[holmanb]

This no longer has a type annotation. Why did the type signature change?

[blackboxsw]

I should have migrated this annotation to express that we expect no return value. Given that this PR migrates the pre-flight check for pre-existing user outside the Distro.add_user` call, there is no longer a need to check a bool return code from add_user given the simplification to the method.

Now we only call add user if we are sure the user doesn't exist up in create_user.

        pre_existing_user = util.is_user(name)
        if pre_existing_user:
            LOG.info("User %s already exists, skipping.", name)
        else:
            self.add_user(name, **kwargs)

We also don't have any direct callers to Distro.add_user in any cloud-init runtime operations. Any call-sites in upstream are invoked via the Distro.create_user method. This could expose some downstream images with custom private Distro implementations, but that is a highly unlikely scenario as we don't treat cloudinit as a python library supporting direct calls into our python modules and class APIs.

[holmanb]

This is still overridden in a child class.

[holmanb]

This class uses inheritance to define and override default behaviors. It seems unusual to reach for a low-level meta-programming utility rather than using inheritance. Why was this chosen instead?

[blackboxsw]

The intent was to leave us with only one place with sec_log decorators in the parent class and disallow creating the shutdown_command method on subclasses via @final. I'll refactor this to use the same approach we user for add user with _build_shutdown_cmd. I've refactored the validation of the delay value which was duplicated in alpine and pulled it into a pre-flight check in shutdown_command.

[holmanb]

+1

[holmanb]

whitespace

[holmanb]

This seems fishy. Isn't args[1] the password?

[blackboxsw]

Updated the signature to expect known positional args. No more kwargs parsing.

[holmanb]

unresolved

[holmanb]

This doesn't seem ideal. This is interpreting arbitrary untyped data from a dict. This dict interpretation is a long ways from wherever this datastructure is defined, yet it is tightly coupled to the structure where it was defined.

[blackboxsw]

You are right, this feels fragile and is working around the complexity in both add_user and _build_add_user_cmd which both attempt to parse and handle "groups" being passed as an untyped dict config key value from merged user-data. An alternative to keep things closer to where distros processes this config content would be a helper function in cloudinit/distros/init.py which can expose the properly typed groups content in order to ensure the, add_user calls, _build_add_user_cmd and log decorator properly handle this information in the same manner. There is a lot of duplication here in the decorator and in Distro instance methods that we can avoid if all call-sites get a typed response from one place.

[holmanb]

This construct seems confusing, and possibly wrong.

[blackboxsw]

Dropped in favor of known positional arg plist_in

[holmanb]

Decorators didn't address the problem. These decorators are still mixing code of different purposes.

[blackboxsw]

Addressed most review points, still looking at:

1. adding a Distro.extract_group method to extract typed information from opaque kwargs config passed into add_user
2. looking at custom logging formatted to provide the logging timestamp instead of calling datetime directly.

[blackboxsw]

I'm uncertain how we should resolve this concern and also deliver identifiable information within each log to provide breadcrumbs for security log aggregators about the source of the log.

Do you think we may instead want to just extract provided hostname data from the Platform via a call to util.get_hostname_fqdn to avoid using socket.gethostname. Or possibly @lru_cache around get_hostname to avoid recurring cost of a call?

I see our security logs as only being on the order of 10 events per boot vs 100's. So I don't know whether you are concerned about recurring cost, or just that fact that logging reaches out to some other system which could timeout.

It's possible we could drop this key, which places a responsibility on all security log aggregators to identify the source from which all logs originate.

[blackboxsw]

You are right, this feels fragile and is working around the complexity in both add_user and _build_add_user_cmd which both attempt to parse and handle "groups" being passed as an untyped dict config key value from merged user-data. An alternative to keep things closer to where distros processes this config content would be a helper function in cloudinit/distros/init.py which can expose the properly typed groups content in order to ensure the, add_user calls, _build_add_user_cmd and log decorator properly handle this information in the same manner. There is a lot of duplication here in the decorator and in Distro instance methods that we can avoid if all call-sites get a typed response from one place.

[blackboxsw]

It is in the event that all filtered_params are empty. We don't want a trailing ":" appended if filtered_params == []

[blackboxsw]

I should have migrated this annotation to express that we expect no return value. Given that this PR migrates the pre-flight check for pre-existing user outside the Distro.add_user` call, there is no longer a need to check a bool return code from add_user given the simplification to the method.

Now we only call add user if we are sure the user doesn't exist up in create_user.

        pre_existing_user = util.is_user(name)
        if pre_existing_user:
            LOG.info("User %s already exists, skipping.", name)
        else:
            self.add_user(name, **kwargs)

We also don't have any direct callers to Distro.add_user in any cloud-init runtime operations. Any call-sites in upstream are invoked via the Distro.create_user method. This could expose some downstream images with custom private Distro implementations, but that is a highly unlikely scenario as we don't treat cloudinit as a python library supporting direct calls into our python modules and class APIs.

[blackboxsw]

The intent was to leave us with only one place with sec_log decorators in the parent class and disallow creating the shutdown_command method on subclasses via @final. I'll refactor this to use the same approach we user for add user with _build_shutdown_cmd. I've refactored the validation of the delay value which was duplicated in alpine and pulled it into a pre-flight check in shutdown_command.

[blackboxsw]

Dropped cloudinit.netinfo.get_host_ip function to avoid the cost of shelling out to ip addr --json for every security event log. So this comment no longer applies.

This "up" check on the device would have also been a prerequisite to surfacing valid ipv4 settings. I also agree that a down interface will also not have any valid ipv4 of ipv6 addresses, so this check was unnecessary.

Agreed on typing in netinfo, and I think that is already tracked as an existing enhancement #5445 to eventually resolve those issues.

[blackboxsw]

Will address this if we end up adding host_ip info in the future.

[blackboxsw]

OWASP log formats look for identifiable information in the individual logs to ease the burden on aggregators. To avoid calling to socket.gethostname(). We could instead call util.get_hostname_fqdn to get what the IMDS told us the hostname should be (which is run in cloud-init-local stage to grab this data from the IMDS before cloud-init. We could also use @lru_cache to avoid repeated cost for such an operation.

[blackboxsw]

Updated the signature to expect known positional args. No more kwargs parsing.

[blackboxsw]

This is in distros/bsd.py, but bsd directly calls set_passwd for each name in plist_in. So BSD will still be logging separate OWASP events for each user, just as our @sec_log_password_changed_batch will.

As a result, I don't want to decorate chpasswd with @final and I also don't want to decorate cloudinit.distros.bsd.Disto.chpasswd with @sec_log passwd_changed_batch

[holmanb]

According to the type annotation, the filter will never do anything.

[holmanb]

It is in the event that all filtered_params are empty.

This should never happen. See my comment above.

[holmanb]

Can we get a type annotation on plist_in?

[holmanb]

The function that this decorates doesn't have an annotation. Can we add it there too please?

[holmanb]

Why is every event_params getting passed ["cloud-init", ...]? If this is to be added by default, this doesn't seem like the right place for it, since it has to be duplicated at every call site.

[blackboxsw]

Moved into _log_security_event to simplify call-sites.

[holmanb]

Why this change?

[blackboxsw]

Dropped unrelated stay delta from separate PR.

[holmanb]

Files don't log events.

[holmanb]

Please add an annotation for name.

[holmanb]

Why is this level WARN?

[blackboxsw]

It's defined as WARN level on Canonical SSDLC user event guidance

[holmanb]

This happens due to trusted inputs and this will case a WARN on every boot - the typically arguments for "why" to WARN don't seem to apply in this case.

Also, since that is just an example this seems up for interpretation. I think it makes more sense not to warn on every boot.

[holmanb]

Maybe just set it to INFO and include a short comment in case anyone wonders why.

[holmanb]

As mentioned elsewhere, this does both kwarg parsing and manipulation of data types that have nothing to do with logging.

[blackboxsw]

Added both Distro._user_groups_to_list and Distro._get_elevated_roles to perform that processing in Distro and avoid pushing that kwarg handling into log/security_event_log.