This repository has been archived by the owner on Nov 21, 2017. It is now read-only.

Audit Records

polastre edited this page Oct 21, 2014 · 2 revisions

Using Audit Records

Activities invoked by users or applications can be logged by MyUSA for audit purposes.

Creating an Audit Record

Audit entries are stored with a UserAction model.

There are two ways to create an audit record:

  1. Add audit_on to any model. Typically you will want to trigger an audit record by setting hooks for after_update, after_create, and before_destroy.

Example: audit_on :after_create, action: 'action_descriptor'

  2. Manually, by creating a UserAction record. You should specify at least the action and user. Optionally, include the record being audited and any data hash you'd like to store.

Example: UserAction.create(action: 'foo', user: user, record: record, data: { :foo => 'bar' })

The UserAction Model

The model stores the following attributes, which you specify at creation when not using a helper:

  • user (user_id)
  • record (relation to another record in the system)
  • data (hash/array object serialized to json)
  • action

These attributes are automatically added to every UserAction record:

  • remote ip
  • created at

A record can be created without a user, for cases where the user is not known, for example an audit record of a failed login attempt. These records will still have the IP address and audit time.

Here are some helper queries for UserAction:

  • :for (user)
  • :successful_authentication
  • :failed_authentication
  • :admin_action

Current Audit Records

Audit records held by MyUSA:

  • successful_authentication for login, OAuth, and 2FA
  • failed_authentication for login, OAuth, and 2FA
  • create for when applications are created
  • destroy for users
  • grant for approving applications
  • issue for providing the token to the application
  • revoke when the user revokes access to the application
  • api_access for profiles, tasks and notifications
  • api_write for tasks and notifications
  • admin_action for any Rails controller that requires administrative privileges (require_admin!)

Audit Internals

A sweeper observes Rails controllers (via ActionController::Base) and sets local sweeper variables that can be used for the UserAction model when it is created.

Example: audit_on :after_create, action: 'issue' automatically sets the user to be the currently logged-in user, and the record to be the model with the trigger.
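
The mechanism described above, as a plain-Ruby sketch added here for illustration; it is not MyUSA's code. AuditContext stands in for the sweeper's controller-derived variables, and the in-memory UserAction, the Auditable module, run_audit and the Token class are hypothetical stand-ins for the ActiveRecord-backed originals.

```ruby
require 'json'
# Stand-in for the sweeper: holds per-request values taken from the controller.
module AuditContext
  def self.with(user:, remote_ip:)
    Thread.current[:audit_ctx] = { user: user, remote_ip: remote_ip }
    yield
  ensure
    Thread.current[:audit_ctx] = nil
  end

  def self.current
    Thread.current[:audit_ctx] || {}
  end
end

# In-memory stand-in for the UserAction model (hypothetical, not ActiveRecord).
UserAction = Struct.new(:action, :user, :record, :data, :remote_ip, :created_at) do
  def self.log
    @log ||= []
  end

  # Caller supplies action/user/record/data; remote IP and time are added here.
  def self.create(action:, user: nil, record: nil, data: nil)
    json = data && JSON.generate(data) # data hash is serialized to JSON
    new(action, user, record, json, AuditContext.current[:remote_ip], Time.now.utc)
      .tap { |entry| log << entry }
  end
end

# Class macro mirroring audit_on: maps a lifecycle hook to an audit action.
module Auditable
  def audit_on(hook, action:)
    (@audit_hooks ||= {})[hook] = action
  end

  # Run at the hook point; the user is taken from the request context.
  def run_audit(hook, record)
    action = (@audit_hooks || {})[hook]
    UserAction.create(action: action, user: AuditContext.current[:user], record: record) if action
  end
end

class Token # hypothetical audited model
  extend Auditable
  audit_on :after_create, action: 'issue'
  def self.create
    new.tap { |token| run_audit(:after_create, token) }
  end
end
```

Wrapping Token.create in AuditContext.with(user: ..., remote_ip: ...) yields an 'issue' entry whose user, record, remote IP and timestamp are filled in without Token passing any of them. Calling UserAction.create(action: 'failed_authentication') with no user still records the IP and time, matching the failed-login case above.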

Issues to be filed

  • audit destroy for application
  • audit invalid/revoked API access by an application
  • admin_action has resource assigned to audit records