Add basic audit component to logger

Logs already: - Share events - Authentication events - User management events - File action events
8 years ago · aa831252b3
parent edf62eb41a
commit aa831252b3
7 changed files with 693 additions and 0 deletions
--- a/apps/admin_audit/actions/action.php
+++ b/apps/admin_audit/actions/action.php
@ -0,0 +1,76 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Admin_Audit\Actions;
+
+use OCP\ILogger;
+
+class Action {
+	/** @var ILogger */
+	private $logger;
+
+	/**
+	 * @param ILogger $logger
+	 */
+	public function __construct(ILogger $logger) {
+		$this->logger = $logger;
+	}
+
+	/**
+	 * Log a single action with a log level of info
+	 *
+	 * @param string $text
+	 * @param array $params
+	 * @param array $elements
+	 */
+	public function log($text,
+						array $params,
+						array $elements) {
+		foreach($elements as $element) {
+			if(!isset($params[$element])) {
+				$this->logger->critical(
+					sprintf(
+						'$params["'.$element.'"] was missing. Transferred value: %s',
+						print_r($params, true)
+					)
+				);
+				return;
+			}
+		}
+
+		$replaceArray = [];
+		foreach($elements as $element) {
+			if($params[$element] instanceof \DateTime) {
+				$params[$element] = $params[$element]->format('Y-m-d H:i:s');
+			}
+			$replaceArray[] = $params[$element];
+		}
+
+		$this->logger->info(
+			vsprintf(
+				$text,
+				$replaceArray
+			),
+			[
+				'app' => 'admin_audit'
+			]
+		);
+	}
+}
--- a/apps/admin_audit/actions/auth.php
+++ b/apps/admin_audit/actions/auth.php
@ -0,0 +1,56 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Admin_Audit\Actions;
+
+/**
+ * Class Auth logs all auth related actions
+ *
+ * @package OCA\Admin_Audit\Actions
+ */
+class Auth extends Action {
+	public function loginAttempt(array $params) {
+		$this->log(
+			'Login attempt: "%s"',
+			$params,
+			[
+				'uid',
+			]
+		);
+	}
+
+	public function loginSuccessful(array $params) {
+		$this->log(
+			'Login successful: "%s"',
+			$params,
+			[
+				'uid',
+			]
+		);
+	}
+
+	public function logout(array $params) {
+		$this->log(
+			'Logout occurred',
+			[],
+			[]
+		);
+	}
+}
--- a/apps/admin_audit/actions/files.php
+++ b/apps/admin_audit/actions/files.php
@ -0,0 +1,135 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Admin_Audit\Actions;
+
+/**
+ * Class Files logs the actions to files
+ *
+ * @package OCA\Admin_Audit\Actions
+ */
+class Files extends Action {
+	/**
+	 * Logs file read actions
+	 *
+	 * @param array $params
+	 */
+	public function read(array $params) {
+		$this->log(
+			'File accessed: "%s"',
+			$params,
+			[
+				'path',
+			]
+		);
+	}
+
+	/**
+	 * Logs rename actions of files
+	 *
+	 * @param array $params
+	 */
+	public function rename(array $params) {
+		$this->log(
+			'File renamed: "%s" to "%s"',
+			$params,
+			[
+				'oldpath',
+				'newpath',
+			]
+		);
+	}
+
+	/**
+	 * Logs creation of files
+	 *
+	 * @param array $params
+	 */
+	public function create(array $params) {
+		$this->log(
+			'File created: "%s"',
+			$params,
+			[
+				'path',
+			]
+		);
+	}
+
+	/**
+	 * Logs copying of files
+	 *
+	 * @param array $params
+	 */
+	public function copy(array $params) {
+		$this->log(
+			'File copied: "%s" to "%s"',
+			$params,
+			[
+				'oldpath',
+				'newpath',
+			]
+		);
+	}
+
+	/**
+	 * Logs writing of files
+	 *
+	 * @param array $params
+	 */
+	public function write(array $params) {
+		$this->log(
+			'File written to: "%s"',
+			$params,
+			[
+				'path',
+			]
+		);
+	}
+
+	/**
+	 * Logs update of files
+	 *
+	 * @param array $params
+	 */
+	public function update(array $params) {
+		$this->log(
+			'File updated: "%s"',
+			$params,
+			[
+				'path',
+			]
+		);
+	}
+
+	/**
+	 * Logs deletions of files
+	 *
+	 * @param array $params
+	 */
+	public function delete(array $params) {
+		$this->log(
+			'File deleted: "%s"',
+			$params,
+			[
+				'path',
+			]
+		);
+	}
+}
--- a/apps/admin_audit/actions/sharing.php
+++ b/apps/admin_audit/actions/sharing.php
@ -0,0 +1,189 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Admin_Audit\Actions;
+use OCP\Share;
+
+/**
+ * Class Sharing logs the sharing actions
+ *
+ * @package OCA\Admin_Audit\Actions
+ */
+class Sharing extends Action {
+	/**
+	 * Logs sharing of data
+	 *
+	 * @param array $params
+	 */
+	public function shared(array $params) {
+		if($params['shareType'] === Share::SHARE_TYPE_LINK) {
+			$this->log(
+				'The %s "%s" with ID "%s" has been shared via link with permissions "%s" (Share ID: %s)',
+				$params,
+				[
+					'itemType',
+					'itemTarget',
+					'itemSource',
+					'permissions',
+					'id',
+				]
+			);
+		} elseif($params['shareType'] === Share::SHARE_TYPE_USER) {
+			$this->log(
+				'The %s "%s" with ID "%s" has been shared to the user "%s" with permissions "%s"  (Share ID: %s)',
+				$params,
+				[
+					'itemType',
+					'itemTarget',
+					'itemSource',
+					'shareWith',
+					'permissions',
+					'id',
+				]
+			);
+		} elseif($params['shareType'] === Share::SHARE_TYPE_GROUP) {
+			$this->log(
+				'The %s "%s" with ID "%s" has been shared to the group "%s" with permissions "%s"  (Share ID: %s)',
+				$params,
+				[
+					'itemType',
+					'itemTarget',
+					'itemSource',
+					'shareWith',
+					'permissions',
+					'id',
+				]
+			);
+		}
+	}
+
+	/**
+	 * Logs unsharing of data
+	 *
+	 * @param array $params
+	 */
+	public function unshare(array $params) {
+		if($params['shareType'] === Share::SHARE_TYPE_LINK) {
+			$this->log(
+				'The %s "%s" with ID "%s" has been unshared (Share ID: %s)',
+				$params,
+				[
+					'itemType',
+					'fileTarget',
+					'itemSource',
+					'id',
+				]
+			);
+		} elseif($params['shareType'] === Share::SHARE_TYPE_USER) {
+			$this->log(
+				'The %s "%s" with ID "%s" has been unshared from the user "%s" (Share ID: %s)',
+				$params,
+				[
+					'itemType',
+					'fileTarget',
+					'itemSource',
+					'shareWith',
+					'id',
+				]
+			);
+		} elseif($params['shareType'] === Share::SHARE_TYPE_GROUP) {
+			$this->log(
+				'The %s "%s" with ID "%s" has been unshared from the group "%s" (Share ID: %s)',
+				$params,
+				[
+					'itemType',
+					'fileTarget',
+					'itemSource',
+					'shareWith',
+					'id',
+				]
+			);
+		}
+	}
+
+	/**
+	 * Logs the updating of permission changes for shares
+	 *
+	 * @param array $params
+	 */
+	public function updatePermissions(array $params) {
+		$this->log(
+			'The permissions of the shared %s "%s" with ID "%s" have been changed to "%s"',
+			$params,
+			[
+				'itemType',
+				'path',
+				'itemSource',
+				'permissions',
+			]
+		);
+	}
+
+	/**
+	 * Logs the password changes for a share
+	 *
+	 * @param array $params
+	 */
+	public function updatePassword(array $params) {
+		$this->log(
+			'The password of the publicly shared %s "%s" with ID "%s" has been changed',
+			$params,
+			[
+				'itemType',
+				'token',
+				'itemSource',
+			]
+		);
+	}
+
+	/**
+	 * Logs the expiration date changes for a share
+	 *
+	 * @param array $params
+	 */
+	public function updateExpirationDate(array $params) {
+		$this->log(
+			'The expiration date of the publicly shared %s with ID "%s" has been changed to "%s"',
+			$params,
+			[
+				'itemType',
+				'itemSource',
+				'date',
+			]
+		);
+	}
+
+	/**
+	 * Logs access of shared files
+	 *
+	 * @param array $params
+	 */
+	public function shareAccessed(array $params) {
+		$this->log(
+			'The shared %s with the token "%s" by "%s" has been accessed.',
+			$params,
+			[
+				'itemType',
+				'token',
+				'uidOwner',
+			]
+		);
+	}
+}
--- a/apps/admin_audit/actions/usermanagement.php
+++ b/apps/admin_audit/actions/usermanagement.php
@ -0,0 +1,77 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Admin_Audit\Actions;
+
+/**
+ * Class UserManagement logs all user management related actions.
+ *
+ * @package OCA\Admin_Audit\Actions
+ */
+class UserManagement extends Action {
+	/**
+	 * Log creation of users
+	 *
+	 * @param array $params
+	 */
+	public function create(array $params) {
+		$this->log(
+			'User created: "%s"',
+			$params,
+			[
+				'uid',
+			]
+		);
+	}
+
+	/**
+	 * Log deletion of users
+	 *
+	 * @param array $params
+	 */
+	public function delete(array $params) {
+		$this->log(
+			'User deleted: "%s"',
+			$params,
+			[
+				'uid',
+			]
+		);
+	}
+
+	/**
+	 * Logs changing of the user scope
+	 *
+	 * @param \OCP\IUser $user
+	 */
+	public function setPassword(\OCP\IUser $user) {
+		if($user->getBackendClassName() === 'Database') {
+			$this->log(
+				'Password of user "%s" has been changed',
+				[
+					'user' => $user->getUID(),
+				],
+				[
+					'user',
+				]
+			);
+		}
+	}
+}
--- a/apps/admin_audit/appinfo/app.php
+++ b/apps/admin_audit/appinfo/app.php
@ -0,0 +1,142 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+$logger = \OC::$server->getLogger();
+
+logUserManagement(
+	$logger,
+	\OC::$server->getUserSession()
+);
+logFileActions($logger);
+logAuthEvents($logger);
+logShareEvents($logger);
+
+/**
+ * Logs sharing events
+ *
+ * @param \OCP\ILogger $logger
+ */
+function logShareEvents($logger) {
+	$shareActions = new \OCA\Admin_Audit\Actions\Sharing(
+		$logger
+	);
+
+	OCP\Util::connectHook('OCP\Share', 'post_shared', $shareActions, 'shared');
+	OCP\Util::connectHook('OCP\Share', 'post_unshare', $shareActions, 'unshare');
+	OCP\Util::connectHook('OCP\Share', 'post_update_permissions', $shareActions, 'updatePermissions');
+	OCP\Util::connectHook('OCP\Share', 'post_update_password', $shareActions, 'updatePassword');
+	OCP\Util::connectHook('OCP\Share', 'post_set_expiration_date', $shareActions, 'updateExpirationDate');
+	OCP\Util::connectHook('OCP\Share', 'share_link_access', $shareActions, 'shareAccessed');
+}
+
+/**
+ * Log authentication event related actions
+ *
+ * @param \OCP\ILogger $logger
+ */
+function logAuthEvents($logger) {
+	$authActions = new \OCA\Admin_Audit\Actions\Auth(
+		$logger
+	);
+	OCP\Util::connectHook('OC_User', 'pre_login', $authActions, 'loginAttempt');
+	OCP\Util::connectHook('OC_User', 'post_login', $authActions, 'loginSuccessful');
+	OCP\Util::connectHook('OC_User', 'logout', $authActions, 'logout');
+}
+
+/**
+ * Log user management related actions
+ *
+ * @param \OCP\ILogger $logger
+ * @param \OC\User\Session $userSession
+ */
+function logUserManagement($logger, $userSession) {
+	$userActions = new \OCA\Admin_Audit\Actions\UserManagement(
+		$logger
+	);
+
+	OCP\Util::connectHook(
+		'OC_User',
+		'post_createUser',
+		$userActions,
+		'create'
+	);
+	OCP\Util::connectHook(
+		'OC_User',
+		'post_deleteUser',
+		$userActions,
+		'delete'
+	);
+	$userSession->listen('\OC\User', 'postSetPassword', [$userActions, 'setPassword']);
+}
+
+/**
+ * Log file related actions
+ *
+ * @param \OCP\ILogger $logger
+ */
+function logFileActions($logger) {
+	$fileActions = new \OCA\Admin_Audit\Actions\Files(
+		$logger
+	);
+
+	OCP\Util::connectHook(
+		OC\Files\Filesystem::CLASSNAME,
+		OC\Files\Filesystem::signal_post_rename,
+		$fileActions,
+		'rename'
+	);
+	OCP\Util::connectHook(
+		OC\Files\Filesystem::CLASSNAME,
+		OC\Files\Filesystem::signal_post_create,
+		$fileActions,
+		'create'
+	);
+	OCP\Util::connectHook(
+		OC\Files\Filesystem::CLASSNAME,
+		OC\Files\Filesystem::signal_post_copy,
+		$fileActions,
+		'copy'
+	);
+	OCP\Util::connectHook(
+		OC\Files\Filesystem::CLASSNAME,
+		OC\Files\Filesystem::signal_post_write,
+		$fileActions,
+		'write'
+	);
+	OCP\Util::connectHook(
+		OC\Files\Filesystem::CLASSNAME,
+		OC\Files\Filesystem::signal_post_update,
+		$fileActions,
+		'update'
+	);
+	OCP\Util::connectHook(
+		OC\Files\Filesystem::CLASSNAME,
+		OC\Files\Filesystem::signal_read,
+		$fileActions,
+		'read'
+	);
+	OCP\Util::connectHook(
+		OC\Files\Filesystem::CLASSNAME,
+		OC\Files\Filesystem::signal_delete,
+		$fileActions,
+		'delete'
+	);
+}
--- a/apps/admin_audit/appinfo/info.xml
+++ b/apps/admin_audit/appinfo/info.xml
@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<info>
+	<id>admin_audit</id>
+	<name>Auditing / Logging</name>
+	<description>Provides logging abilities for Nextcloud such as logging file
+				accesses or otherwise sensitive actions.
+	</description>
+	<licence>AGPL</licence>
+	<author>Nextcloud</author>
+	<version>1.0.0</version>
+	<dependencies>
+		<owncloud min-version="9.0" max-version="9.1" />
+	</dependencies>
+	<types>
+		<logging/>
+	</types>
+	<default_enable/>
+</info>