Create default audit log appender

Author: legrego

x-pack/plugins/security/server/config.test.ts

@@ -10,6 +10,10 @@ jest.mock('crypto', () => ({
   constants: jest.requireActual('crypto').constants,
 }));
 
+jest.mock('@kbn/utils', () => ({
+  getDataPath: () => '/mock/kibana/data/path',
+}));
+
 import { loggingSystemMock } from 'src/core/server/mocks';
 
 import { ConfigSchema, createConfig } from './config';
@@ -1706,6 +1710,50 @@ describe('createConfig()', () => {
     `);
   });
 
+  it('creates a default audit appender when audit logging is enabled', () => {
+    expect(
+      createConfig(
+        ConfigSchema.validate({
+          audit: {
+            enabled: true,
+          },
+        }),
+        loggingSystemMock.create().get(),
+        { isTLSEnabled: true }
+      ).audit.appender
+    ).toMatchInlineSnapshot(`
+      Object {
+        "fileName": "/mock/kibana/data/path/audit.log",
+        "layout": Object {
+          "type": "json",
+        },
+        "policy": Object {
+          "interval": "PT24H",
+          "type": "time-interval",
+        },
+        "strategy": Object {
+          "max": 10,
+          "type": "numeric",
+        },
+        "type": "rolling-file",
+      }
+    `);
+  });
+
+  it('does not create a default audit appender when audit logging is disabled', () => {
+    expect(
+      createConfig(
+        ConfigSchema.validate({
+          audit: {
+            enabled: false,
+          },
+        }),
+        loggingSystemMock.create().get(),
+        { isTLSEnabled: true }
+      ).audit.appender
+    ).toBeUndefined();
+  });
+
   it('accepts an audit appender', () => {
     expect(
       ConfigSchema.validate({
@@ -1744,19 +1792,6 @@ describe('createConfig()', () => {
     ).toThrow('[audit.appender.1.layout]: expected at least one defined value but got [undefined]');
   });
 
-  it('rejects an ignore_filter when no appender is configured', () => {
-    expect(() =>
-      ConfigSchema.validate({
-        audit: {
-          enabled: true,
-          ignore_filters: [{ actions: ['some_action'] }],
-        },
-      })
-    ).toThrow(
-      '[audit]: xpack.security.audit.ignore_filters can only be used with the ECS audit logger. To enable the ECS audit logger, specify where you want to write the audit events using xpack.security.audit.appender.'
-    );
-  });
-
   describe('#getExpirationTimeouts', () => {
     function createMockConfig(config: Record<string, any> = {}) {
       return createConfig(ConfigSchema.validate(config), loggingSystemMock.createLogger(), {

x-pack/plugins/security/server/config.ts

@@ -7,10 +7,12 @@
 
 import crypto from 'crypto';
 import type { Duration } from 'moment';
+import path from 'path';
 
 import type { Type, TypeOf } from '@kbn/config-schema';
 import { schema } from '@kbn/config-schema';
 import { i18n } from '@kbn/i18n';
+import { getDataPath } from '@kbn/utils';
 import type { Logger } from 'src/core/server';
 
 import { config as coreConfig } from '../../../../src/core/server';
@@ -272,30 +274,21 @@ export const ConfigSchema = schema.object({
       schemes: schema.arrayOf(schema.string(), { defaultValue: ['apikey', 'bearer'] }),
     }),
   }),
-  audit: schema.object(
-    {
-      enabled: schema.boolean({ defaultValue: false }),
-      appender: schema.maybe(coreConfig.logging.appenders),
-      ignore_filters: schema.maybe(
-        schema.arrayOf(
-          schema.object({
-            actions: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
-            categories: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
-            types: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
-            outcomes: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
-            spaces: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
-          })
-        )
-      ),
-    },
-    {
-      validate: (auditConfig) => {
-        if (auditConfig.ignore_filters && !auditConfig.appender) {
-          return 'xpack.security.audit.ignore_filters can only be used with the ECS audit logger. To enable the ECS audit logger, specify where you want to write the audit events using xpack.security.audit.appender.';
-        }
-      },
-    }
-  ),
+  audit: schema.object({
+    enabled: schema.boolean({ defaultValue: false }),
+    appender: schema.maybe(coreConfig.logging.appenders),
+    ignore_filters: schema.maybe(
+      schema.arrayOf(
+        schema.object({
+          actions: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
+          categories: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
+          types: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
+          outcomes: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
+          spaces: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
+        })
+      )
+    ),
+  }),
 });
 
 export function createConfig(
@@ -382,8 +375,32 @@ export function createConfig(
         sortedProviders.filter(({ type, name }) => providers[type]?.[name].showInSelector).length >
           1;
 
+  const auditLoggingEnabled = config.audit.enabled === true;
+  const appender =
+    config.audit.appender ?? auditLoggingEnabled
+      ? {
+          type: 'rolling-file',
+          fileName: path.join(getDataPath(), 'audit.log'),
+          layout: {
+            type: 'json',
+          },
+          policy: {
+            type: 'time-interval',
+            interval: schema.duration().validate('24h'),
+          },
+          strategy: {
+            type: 'numeric',
+            max: 10,
+          },
+        }
+      : undefined;
+
   return {
     ...config,
+    audit: {
+      ...config.audit,
+      appender,
+    },
     authc: {
       selector: { ...config.authc.selector, enabled: isLoginSelectorEnabled },
       providers,