Auditing should log the user as an attribute in a PutUserRequest/DeleteUserRequest event #29766

@elasticmachine

Description

Original comment by @n0othing:

Tested in 5.2.2:

The REST calls:

POST /_xpack/security/user/jacknich
{
  "password": "<redacted>",
  "roles": [
    "admin",
    "other_role1"
  ],
  "full_name": "Jack Nicholson",
  "email": "<redacted>",
  "metadata": {
    "intelligence": 7
  }
}

DELETE _xpack/security/user/jacknich

The Audit Events:

[2017-03-10T18:06:23,473] [rest] [authentication_success]    principal=[elastic], realm=[reserved], uri=[/_xpack/security/user/jacknich], params=[{username=jacknich}]
[2017-03-10T18:06:23,552] [transport] [access_granted]    origin_type=[rest], origin_address=[127.0.0.1], principal=[elastic], action=[cluster:admin/xpack/security/user/put], request=[PutUserRequest]
[2017-03-10T18:06:25,349] [rest] [authentication_success]    principal=[elastic], realm=[reserved], uri=[/_xpack/security/user/jacknich], params=[{username=jacknich}]
[2017-03-10T18:06:25,351] [transport] [access_granted]    origin_type=[rest], origin_address=[127.0.0.1], principal=[elastic], action=[cluster:admin/xpack/security/user/delete], request=[DeleteUserRequest]

By including authentication_success and access_granted events in your audit, you can infer that jacknich was created and deleted. But it'd be much cleaner to log this info in the access_granted event (rough example):

[2017-03-10T18:06:23,552] [transport] [access_granted]    origin_type=[rest], origin_address=[127.0.0.1], principal=[elastic], action=[cluster:admin/xpack/security/user/put], request=[PutUserRequest], request_principal=[jacknich]
[2017-03-10T18:06:25,351] [transport] [access_granted]    origin_type=[rest], origin_address=[127.0.0.1], principal=[elastic], action=[cluster:admin/xpack/security/user/delete], request=[DeleteUserRequest], request_principal=[jacknich]
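The correlation the issue relies on (pairing the REST authentication_success event, which carries `params=[{username=...}]`, with the transport access_granted event for the put/delete action) can be automated from the audit log. The script below is an added example written for this page; it is not part of the issue or of Elasticsearch. It uses the four audit lines above as a constructed sample, infers the target user for each user-management access_granted event, and renders the line in the `request_principal=[...]` shape the issue proposes. The 2-second correlation window and the assumption that a principal issues one user-management request at a time are assumptions of the example, which is also why a native field in the event would be more reliable than this post-hoc join.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four audit lines quoted in the issue, in order.
SAMPLE_AUDIT_LOG = """\
[2017-03-10T18:06:23,473] [rest] [authentication_success]    principal=[elastic], realm=[reserved], uri=[/_xpack/security/user/jacknich], params=[{username=jacknich}]
[2017-03-10T18:06:23,552] [transport] [access_granted]    origin_type=[rest], origin_address=[127.0.0.1], principal=[elastic], action=[cluster:admin/xpack/security/user/put], request=[PutUserRequest]
[2017-03-10T18:06:25,349] [rest] [authentication_success]    principal=[elastic], realm=[reserved], uri=[/_xpack/security/user/jacknich], params=[{username=jacknich}]
[2017-03-10T18:06:25,351] [transport] [access_granted]    origin_type=[rest], origin_address=[127.0.0.1], principal=[elastic], action=[cluster:admin/xpack/security/user/delete], request=[DeleteUserRequest]
"""

# "[timestamp] [layer] [event]    key=[value], key=[value], ..."
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<layer>\w+)\] \[(?P<event>\w+)\]\s*(?P<attrs>.*)$")
ATTR_RE = re.compile(r"(\w+)=\[(.*?)\]")
# Only the user-management actions shown in the issue are of interest here.
USER_ACTION_RE = re.compile(r"^cluster:admin/xpack/security/user/(put|delete)$")
USERNAME_RE = re.compile(r"username=([^,}\s]+)")


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S,%f"),
          "layer": m["layer"], "event": m["event"]}
    ev.update(ATTR_RE.findall(m["attrs"]))  # key=[value] pairs become dict entries
    return ev


def enrich_user_management_events(log_text, window=timedelta(seconds=2)):
    """Infer the target user of each user put/delete access_granted event.

    Heuristic (assumption of this example): the most recent REST
    authentication_success for the same principal, within `window`,
    carries the username path parameter of the request being authorised.
    """
    pending = {}   # principal -> (timestamp, username) from the last REST auth event
    enriched = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["layer"] == "rest" and ev["event"] == "authentication_success":
            um = USERNAME_RE.search(ev.get("params", ""))
            if um:
                pending[ev.get("principal")] = (ev["ts"], um.group(1))
        elif ev["layer"] == "transport" and ev["event"] == "access_granted":
            am = USER_ACTION_RE.match(ev.get("action", ""))
            if not am:
                continue
            target = None
            hit = pending.pop(ev.get("principal"), None)   # consume it: one request at a time
            if hit and timedelta(0) <= ev["ts"] - hit[0] <= window:
                target = hit[1]
            enriched.append({"ts": ev["ts"], "operation": am.group(1),
                             "principal": ev.get("principal"), "request": ev.get("request"),
                             "request_principal": target})
    return enriched


def format_enriched(ev):
    """Render an enriched event in the shape the issue proposes for access_granted."""
    ts = ev["ts"].strftime("%Y-%m-%dT%H:%M:%S,%f")[:-3]   # keep milliseconds only
    return (f"[{ts}] [transport] [access_granted]    principal=[{ev['principal']}], "
            f"action=[cluster:admin/xpack/security/user/{ev['operation']}], "
            f"request=[{ev['request']}], request_principal=[{ev['request_principal'] or 'unknown'}]")


if __name__ == "__main__":
    for event in enrich_user_management_events(SAMPLE_AUDIT_LOG):
        print(format_enriched(event))
```

A transport access_granted line with no preceding REST authentication_success inside the window (for example a user-management call arriving over the transport layer rather than REST, or two overlapping requests from the same principal) is reported with `request_principal=[unknown]` rather than guessed, which is exactly the gap a native attribute in the event would close.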
