Skip to content

MFA Auth Audit Events #36953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Joerger merged 6 commits into from
Jan 23, 2024
Merged

MFA Auth Audit Events #36953

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
0ad3e38
Add mfa events to events.proto.
Joerger Jan 19, 2024
1a084f4
Emit CreateMFAAuthChallenge event.
Joerger Jan 19, 2024
d2aa8fb
Emit ValidateMFAAuthResponse event.
Joerger Jan 19, 2024
b269cc4
Make Client changes to display MFA auth audit events in the WebUI.
Joerger Jan 20, 2024
e9499fa
Fix unit test.
Joerger Jan 22, 2024
b3c6cf9
Merge branch 'master' into joerger/mfa-audit-events
Joerger Jan 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions api/proto/teleport/legacy/types/events/events.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1231,6 +1231,64 @@ message UserLogin {
repeated string AppliedLoginRules = 9 [(gogoproto.jsontag) = "applied_login_rules,omitempty"];
}

// CreateMFAAuthChallenge records the creation of an MFA auth challenge.
message CreateMFAAuthChallenge {
// Metadata is a common event metadata.
Metadata Metadata = 1 [
(gogoproto.nullable) = false,
(gogoproto.embed) = true,
(gogoproto.jsontag) = ""
];

// User is a common user event metadata.
UserMetadata User = 2 [
(gogoproto.nullable) = false,
(gogoproto.embed) = true,
(gogoproto.jsontag) = ""
];

// Scope is the authorization scope for this MFA challenge.
// Only applies to WebAuthn challenges.
string ChallengeScope = 3 [(gogoproto.jsontag) = "challenge_scope"];

// ChallengeAllowReuse defines whether the MFA challenge allows reuse.
bool ChallengeAllowReuse = 4 [(gogoproto.jsontag) = "challenge_allow_reuse"];
}

// ValidateMFAAuthResponse records the validation of an MFA auth callenge response.
message ValidateMFAAuthResponse {
// Metadata is a common event metadata.
Metadata Metadata = 1 [
(gogoproto.nullable) = false,
(gogoproto.embed) = true,
(gogoproto.jsontag) = ""
];

// User is a common user event metadata.
UserMetadata User = 2 [
(gogoproto.nullable) = false,
(gogoproto.embed) = true,
(gogoproto.jsontag) = ""
];

// Status contains common command or operation status fields
Status Status = 3 [
(gogoproto.nullable) = false,
(gogoproto.embed) = true,
(gogoproto.jsontag) = ""
];

// MFADevice is the MFA device used.
MFADeviceMetadata MFADevice = 4 [(gogoproto.jsontag) = "mfa_device,omitempty"];

// ChallengeScope is the authorization scope of the MFA challenge used for authentication.
// Only applies to WebAuthn challenges.
string ChallengeScope = 5 [(gogoproto.jsontag) = "challenge_scope"];

// ChallengeAllowReuse defines whether the MFA challenge used for authentication can be reused.
bool ChallengeAllowReuse = 6 [(gogoproto.jsontag) = "challenge_allow_reuse"];
}

// ResourceMetadata is a common resource metadata
message ResourceMetadata {
// ResourceName is a resource name
Expand Down Expand Up @@ -3863,6 +3921,8 @@ message OneOf {
events.BotCreate BotCreate = 143;
events.BotDelete BotDelete = 144;
events.BotUpdate BotUpdate = 145;
events.CreateMFAAuthChallenge CreateMFAAuthChallenge = 146;
events.ValidateMFAAuthResponse ValidateMFAAuthResponse = 147;
}
}

Expand Down
Loading