The audit feature keeps track of all configuration changes as well as file uploads, CVE status information and much more. The idea of this audit trail is to show clearly which user did what, and when. Each change is recorded with a time stamp, a commit comment and information about who committed it. This is a very important security feature and one that all CIOs and CISOs should demand. There are indications that it will eventually be made mandatory under various regulations, as is also being discussed here.
We believe that new regulation will mandate audit functionality for critical edge device infrastructure
qbee has already implemented audit functions to improve security and give CIOs and CISOs a strategic advantage when irregularities need to be investigated.
Let's dive into the UI:
On the right-hand side, simple tags make it quick and easy to scan through a large number of audit log entries.
In addition to the paginated list there are a few search and filter options. These include a date picker, text search of commit messages, search by committer or commit id, and sorting. It is also possible to deselect CVE information, group changes or file uploads. Together this gives a very granular way of exploring the audit trail.
The audit trail helps you identify which changes have been made to the system and who made them. On the surface the trail gives general information about what happened; for each item a drill-down can be performed to see additional details.
Clicking on a tile in the audit trail opens additional information. First of all, it is possible to see which changes were applied by clicking on "Click to see" under changes. The result can look as follows and shows the detailed configuration as JSON:
Clicking on "show configuration diff" expands a detailed insight into what changed. Old state is displayed in red while the new configuration is displayed in green:
Clicking on "Show reports" shows which devices have reacted to this change. Here you can also follow which devices have already received the new configuration. A typical output looks as follows:
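To make the two mechanisms described above concrete, the search and filter options on the audit list and the old/new configuration diff, here is a small added example in Python. It is not qbee's code and does not use the qbee API; the `AuditEntry` fields, the function names and the sample trail are all constructed assumptions that mirror what the page says the trail records (time stamp, committer, commit id, commit comment, entry kind, and the configuration before and after a change).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Assumed record layout for one audit trail entry (not qbee's schema).
@dataclass
class AuditEntry:
    timestamp: datetime
    committer: str
    commit_id: str
    message: str
    kind: str  # "change", "file_upload" or "cve"
    old_config: dict = field(default_factory=dict)
    new_config: dict = field(default_factory=dict)


def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample trail; committers, ids and configs are made up.
SAMPLE_TRAIL = [
    AuditEntry(utc(2023, 5, 2, 9, 15), "alice", "a1f3c9", "Tighten sshd config", "change",
               {"ssh": {"PermitRootLogin": "yes", "Port": 22}, "ntp": {"server": "pool.ntp.org"}},
               {"ssh": {"PermitRootLogin": "no", "Port": 22}, "ntp": {"server": "pool.ntp.org"}}),
    AuditEntry(utc(2023, 5, 2, 10, 40), "bob", "b7e210", "Upload new CA bundle", "file_upload"),
    AuditEntry(utc(2023, 5, 3, 8, 5), "scanner", "c0ffee", "CVE status refreshed", "cve"),
    AuditEntry(utc(2023, 5, 4, 14, 0), "alice", "d44d0c", "Add monitoring group", "change",
               {"groups": ["prod"]},
               {"groups": ["prod", "monitoring"], "metrics": {"interval": 60}}),
]


def filter_trail(entries, *, committer=None, text=None, commit_id=None,
                 since=None, until=None, kinds=None, newest_first=True):
    """Apply the filters the UI offers: committer, free-text search of the
    commit comment, commit id prefix, a date range, and de-selecting kinds
    (e.g. kinds={"change", "file_upload"} hides CVE status entries)."""
    out = []
    for e in entries:
        if committer and e.committer != committer:
            continue
        if text and text.lower() not in e.message.lower():
            continue
        if commit_id and not e.commit_id.startswith(commit_id):
            continue
        if since and e.timestamp < since:
            continue
        if until and e.timestamp > until:
            continue
        if kinds is not None and e.kind not in kinds:
            continue
        out.append(e)
    return sorted(out, key=lambda e: e.timestamp, reverse=newest_first)


def config_diff(old, new, path=""):
    """Return (key path, old value, new value) tuples; None marks a value that
    is absent on one side. Nested dicts are walked so the diff points at the
    leaf that changed rather than at the whole subtree."""
    diffs = []
    for key in sorted(set(old) | set(new)):
        sub = f"{path}.{key}" if path else str(key)
        o, n = old.get(key), new.get(key)
        if isinstance(o, dict) and isinstance(n, dict):
            diffs.extend(config_diff(o, n, sub))
        elif o != n:
            diffs.append((sub, o, n))
    return diffs


def render_diff(diffs):
    """Old state on '-' lines, new state on '+' lines (red/green in the UI)."""
    lines = []
    for key, o, n in diffs:
        if o is not None:
            lines.append(f"- {key}: {o!r}")
        if n is not None:
            lines.append(f"+ {key}: {n!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Drill down into alice's configuration changes, newest first.
    for e in filter_trail(SAMPLE_TRAIL, committer="alice", kinds={"change"}):
        print(f"{e.timestamp.isoformat()} {e.commit_id} {e.committer}: {e.message}")
        print(render_diff(config_diff(e.old_config, e.new_config)))
```

The diff deliberately recurses only into dictionaries; a changed list (such as the `groups` entry above) is reported as a single old/new pair, which matches how a reviewer would want to see a membership change: the whole list before and after, not a per-element patch.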