Unaware of code leaks? Code security auditing builds a line of defense for enterprise core assets

Table of contents

A sleepless night

Source code hosting: the fortress most easily breached from within

Audit events: the “last line of defense” for source code security

Three elements of source code hosting audit events

The value of source code hosting audit events

Jihu GitLab audit event function

Features of the Jihu GitLab audit event function

Using the GitLab audit event function

The canary of source code hosting: Jihu GitLab audit event streaming

A sleepless night

"Ding ding ding, ding ding ding": a burst of urgent WeChat messages woke Xiao An from a sound sleep. He instinctively grabbed the phone beside his pillow and looked: it was 3:30 in the morning, and the screen was full of alarms from the source code hosting server. He quickly checked the alarm details. The content read: User: Xiaolan, IP: 192.168.0.100, cloning the xx repository.

Multiple alarms showed that Xiaolan was cloning the company's internal project repositories in bulk. At first Xiao An thought the source code repositories were being attacked from outside, but a closer look at the user information made it obvious that this was a company insider, and that only the repositories of the AI medical product the company had recently been developing were being cloned; other product lines were untouched. Xiao An was now convinced that the source code repositories were under malicious attack: nobody inside the company does product development in the middle of the night.

There was no time to deliberate. To protect the company's code, Xiao An added the IP and user name to the blacklist of the code repository management. The alarms stopped abruptly, and the code hosting server logs showed no other abnormalities. Xiao An's heart, which had been in his throat, finally settled. Still puzzled, he dozed for a while and waited for the workday to start.

At work the next day, Xiao An told the other members of the SRE team what had happened the night before and mentioned the user ID in passing. A colleague said the ID belonged to a member of a core R&D team who had been responsible for the company's innovation project on AI medical R&D; he had heard that a start-up had recently offered that person a package that was hard to refuse, and that the person had been processing his resignation. Xiao An felt the matter was not simple and immediately reported it to the security compliance manager, who took it very seriously and immediately spoke to the head of R&D.

It later emerged that Xiaolan was about to join a start-up. He wanted to take some of the algorithm code he had written with him, which was also a condition of his high salary, so late at night, when everyone was asleep, Xiaolan used his authorized account to clone the code. Unexpectedly, the account was blocked shortly after the cloning started and could no longer perform any operations.

During the monthly security compliance review, the security compliance manager praised Xiao An for his keen sense of security and his timely stop-loss measures. Xiao An said shyly that it was all thanks to the security audit of the source code hosting platform.

Source code hosting: the fortress most easily breached from within

The situation Xiao An's company encountered is a very common type of source code leak in software R&D. As the digital transformation of enterprises deepens, software has become an important fulcrum supporting that transformation, and source code, as the raw material of software, has naturally become a core enterprise asset. Leakage or damage of source code means damage to the enterprise's core assets.

Yet corporate source code leaks occur frequently. For example, in 2018 a source code leak occurred at a well-known international consumer electronics manufacturer. The cause was that an intern took away part of the source code when he left his job and shared it with a friend doing security research; the friend then uploaded the code to a GitHub repository, which ultimately led to the leak and affected a large number of users of the company's electronic products. For another example, in 2022 a serious data leak occurred at a well-known international automobile manufacturer: as many as 300,000 customer records were leaked, containing a large amount of sensitive personal information. Subsequent analysis found that the cause was a subcontractor accidentally uploading code containing important sensitive information to a public repository, affecting all customers who had signed up for one of the manufacturer's apps between 2017 and 2022.

Source code security protection is an important topic, and multiple means are needed to build a multi-layered protection mechanism: user login authentication and authorization (before the event), user access control (during the event), and security audit (after the event). The code leaks above could have been avoided with good use of the audit event function of source code hosting.

Audit events: the “last line of defense” for source code security

Audit events track important events and, by analysing the operation behaviour recorded in those events, detect non-compliant operations in a timely manner, ultimately ensuring the security of the business entities involved.

For source code hosting, audit events mainly track operations on the hosting platform, such as user addition and deletion and code repository permissions and access, in order to promptly discover non-compliant operations and avoid source code leakage.

Three elements of source code hosting audit events

The key elements of audit events for source code hosting are the three "W's":

  • Who: the subject performing the operation, mainly the users who operate on source code;

  • When: the time the event occurred, mainly the specific time at which a user performed an operation on the source code hosting platform;

  • What: the specific operation the operator performed, mainly operations on code repositories such as cloning, pushing and pulling, changes to repository visibility, and user addition and deletion.

The value of source code hosting audit events

Audit events are an important part of the security protection network of a source code hosting platform. A complete set of audit events provides the following value:

  • Nip problems in the bud and stop losses in time: by analysing user behaviour, non-compliant operations such as cloning a large number of repositories in a short period or changing private repositories to public can be discovered promptly, and measures can then be taken to prevent further operations on the source code, avoiding its leakage or damage;

  • Find the true cause of an incident and locate it quickly: if source code is leaked or damaged, audit events can be used to trace the incident back, find suspicious people and operations in past audit events, and then quickly identify the real cause through troubleshooting;

  • Establish a security deterrent to avoid future trouble: a complete security audit process tells internal personnel that any non-compliant operation will be discovered and that crossing the company's security compliance red line will be punished accordingly, so that all personnel develop security compliance awareness and jointly protect the company's core assets.

Jihu GitLab audit event function

As an integrated DevSecOps platform, GitLab has a complete audit event system, from instance level to group level to project level, covering user management, authentication and authorization, project management, code writing, CI/CD, and so on. As of version 16.2, Jihu GitLab has a total of 132 audit events, and more audit events are under active development.

[Figure: list of Jihu GitLab audit events as of version 16.2]

Features of the Jihu GitLab audit event function

The Jihu GitLab audit event function is one of the key features of Jihu GitLab's security compliance capabilities. It is a paid function (available only in the professional edition and above) and has the following characteristics:

  • Out of the box: the Jihu GitLab audit event function is available out of the box. Users need no additional configuration beyond importing the paid license, after which they can view instance, group and project audit events at the corresponding paths;

  • Rich events: Jihu GitLab audit events cover a wide range and come in many types. As shown in the figure above, as of version 16.2 there are 132 available audit events, enough to establish a very complete audit protection system;

  • Iterative updates: Jihu GitLab follows a monthly release cadence and continuously iterates on the audit event function. According to statistics, the 12 releases of the past year shipped roughly 13+ major improvements related to audit events, further improving the functionality of audit events.

Using the GitLab audit event function

Instance-level audit events can be viewed through Management Center → Monitoring → Audit Events. There you can see events such as SSH key addition, personal access token creation, and group/project creation and deletion.

Audit events clearly record the event's operating subject (Author), operation content (Action), operation time (Date), source IP address and other information.

Likewise, events related to group operations can be viewed via Groups → Security → Audit Events :


Since GitLab groups can be nested, the audit event information of subgroups can be viewed in the same way.

View events related to project operations via Project → Security → Audit Events :

In addition, the audit event report can be exported and sent to auditors, who can filter it to view the details of the corresponding audit events.

For all types of Jihu GitLab audit events (instance level, group level, project level, others), see the official Jihu GitLab audit event documentation.

Audit events record the various user operations on the source code hosting platform, but they have no (configurable) alerting for abnormal behaviour that would allow a quick response and timely stop-loss when such behaviour occurs. To this end, Jihu GitLab provides an audit event streaming function, which sends audit events to a third-party system and relies on that system's event analysis and alerting to alert on abnormal behaviour.

Audit events streaming is a flagship feature.

The canary of source code hosting: Jihu GitLab audit event streaming

The Jihu GitLab audit event streaming function can send audit events to an external streaming data system (any system that can receive and process JSON data), which then analyses, stores, visualizes and alerts on the data.

External streaming data systems can be configured for GitLab instances, groups and subgroups. Operation events for instances, groups/subgroups and projects are sent to the configured external system as event streams. In addition to the audit events above, the audit event stream also includes Git operations such as repository cloning (over SSH or HTTPS) and pushing, repository forking, MR creation, and so on, and the streaming function continues to iterate with each release.

For more information about Jihu GitLab audit event streaming, see the official Jihu GitLab documentation.

Using Jihu GitLab audit event streaming first requires configuring the external streaming data system. At the instance level this is done through Management Center → Monitoring → Audit Events → Event Stream → Add Stream Destination:

The Jihu GitLab audit event streaming service pushes audit event information to the configured service. Take repository cloning as an example: when an authorized user clones a repository, the external streaming data system receives the following JSON:

{
  "id": "5e194963-79bc-43ce-99f3-4190ff105b23",
  "author_id": 1,
  "entity_id": 6,
  "entity_type": "Project",
  "details": {
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 6,
    "target_type": "Project",
    "target_details": "jh-gitlab-audit-events",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "xiaomage/jh-gitlab-audit-events"
  },
  "ip_address": "127.0.0.1",
  "author_name": "Administrator",
  "entity_path": "xiaomage/jh-gitlab-audit-events",
  "target_details": "jh-gitlab-audit-events",
  "created_at": "2023-08-24T02:38:24.945Z",
  "target_type": "Project",
  "target_id": 6,
  "event_type": "repository_git_operation"
}

The information above includes the operator (author_name), the action performed (details.custom_message.action), the repository operated on (details.entity_path or target_details), the operation time (created_at), the IP address (details.ip_address or ip_address) and so on. This information can be stored, analysed, visualized and alerted on to close the audit loop. The following takes EFK (Elasticsearch, Filebeat, Kibana) as an example to demonstrate the whole process.

Filebeat is configured as the external streaming data system to receive the audit event stream directly from Jihu GitLab; Filebeat processes the data and stores it in Elasticsearch; Kibana's visualization capabilities are then used to visualize the audit event information; and finally Kibana's alerting function implements alerts for abnormal operations (sending emails, Slack messages, or pushing to other systems).

Audit event information visible in Kibana includes password changes, repository visibility changes (from public to private or vice versa), project deletions, and so on:
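As an added example (not part of the original post and not Jihu GitLab's own code), the following Python script shows the kind of rule the alerting step of such a pipeline implements, run over constructed events in the shape of the payload above: it flags a user who clones several distinct repositories within a short window and reports the three W's (who, when, what) described earlier. The git-upload-pack action is what the Git server runs for a clone or fetch; the user names, repositories, IPs and timestamps are invented.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed test data, not real audit events.
def make_event(author, ip, repo, created_at, action="git-upload-pack"):
    """Build one event with the fields the detector reads from the stream payload."""
    return json.dumps({
        "event_type": "repository_git_operation",
        "author_name": author, "ip_address": ip, "entity_path": repo,
        "created_at": created_at,
        "details": {"custom_message": {"protocol": "ssh", "action": action}},
    })

SAMPLE_STREAM = [  # the night from the story: four clones by one user within minutes
    make_event("xiaolan", "192.168.0.100", "ai-medical/algo-core", "2023-08-24T03:30:01.000Z"),
    make_event("xiaolan", "192.168.0.100", "ai-medical/imaging", "2023-08-24T03:31:10.000Z"),
    make_event("xiaolan", "192.168.0.100", "ai-medical/training", "2023-08-24T03:32:45.000Z"),
    make_event("xiaolan", "192.168.0.100", "ai-medical/deploy", "2023-08-24T03:33:20.000Z"),
    make_event("devops", "10.0.0.5", "platform/ci", "2023-08-24T03:33:30.000Z", "git-receive-pack"),
    make_event("xiaomage", "10.0.0.7", "platform/web", "2023-08-24T09:00:00.000Z"),
]

def detect_mass_clones(stream, threshold=3, window=timedelta(minutes=10)):
    """Alert when one user clones >= threshold distinct repositories within `window`.
    Only git-upload-pack (server side of clone/fetch) counts; git-receive-pack
    (push) and non-Git events are ignored. Each user is reported at most once.
    """
    recent = defaultdict(deque)  # author_name -> deque of (timestamp, repo) in the window
    alerts, alerted = [], set()
    for line in stream:
        ev = json.loads(line)
        if ev.get("event_type") != "repository_git_operation":
            continue
        if ev["details"].get("custom_message", {}).get("action") != "git-upload-pack":
            continue
        ts = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
        who = ev["author_name"]
        q = recent[who]
        q.append((ts, ev["entity_path"]))
        while ts - q[0][0] > window:  # drop clones that fell out of the sliding window
            q.popleft()
        repos = {repo for _, repo in q}
        if len(repos) >= threshold and who not in alerted:
            alerted.add(who)  # the alert carries the three W's: who, when, what
            alerts.append({"who": who, "ip": ev["ip_address"],
                           "when": ev["created_at"], "what": sorted(repos)})
    return alerts
```

In a real deployment the same rule would be expressed as a Kibana threshold alert over the indexed events rather than as a script.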

If the corresponding alert is configured, an alarm is triggered when an operation occurs or exceeds a certain threshold, and the relevant personnel are notified for further handling. For example, when a project is cloned frequently by a certain person within a certain period, an alarm can be triggered and an alert email sent to the specified mailbox:


Or send it to an IM system such as DingTalk:

Source code, as a core asset of the enterprise, should be taken seriously, and a comprehensive security protection system needs to be built around it. Security auditing is an important means of ensuring that core code assets are not leaked. Jihu GitLab audit events and audit event streams form a closed loop of code security auditing, so that operations on source code repositories are carried out in the open and violations and abnormal operations are discovered in time, avoiding damage to the enterprise's core assets.

Origin blog.csdn.net/weixin_44749269/article/details/132717121