Audit event export

Package Security Manager can be configured to automatically generate and export a list of events from the system to external storage, such as an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, or to a valid network storage location.

Anaconda records the following events for export, organized by type:

Event types
artifact
  • artifact_copied

  • artifact_downloaded

  • artifact_generated

  • artifact_metadata_updated

  • artifact_registered

  • artifact_removed

  • artifact_skipped

  • artifact_view_refreshed

authentication
  • auto_role_added

  • auto_role_deleted

  • auto_role_updated

build
  • build_channel_cve_notification

channel
  • channel_created

  • channel_cve_count_update

  • channel_deleted

  • channel_group_added

  • channel_group_deleted

  • channel_refresh_complete

  • channel_reindex

  • channel_unfrozen

  • channel_updated

cve
  • cve_deleted

  • cve_update_finished

  • cve_updated

group
  • group_user_added

  • group_user_deleted

mirror
  • mirror_deleted

  • mirror_registered

  • mirror_updated

mirroring
  • mirroring_completed

  • mirroring_failed

  • mirroring_started

  • mirroring_stopped

report
  • report_generated

sbom
  • sbom_deleted

  • sbom_updated

user
  • user_token_created

  • user_token_metadata_updated

  • user_token_revoked

  • user_token_updated

To establish a background job to generate and export a chronological recording of events that have occurred within the system:

  1. Open a terminal and connect to your instance of Package Security Manager.

  2. Open your installer directory, where the docker-compose.yml file is located, by running the command:

    # Replace <INSTALLER> with the name of your installer directory
    cd <INSTALLER>
    
  3. Open your docker-compose.yml file using your preferred file editor.

  4. Find the repo_worker: section of the file.

  5. Add the following variables to the repo_worker: environment: section:

    | Variable | Description |
    |---|---|
    | REPO_ENABLE_GENERATE_AUDIT_REPORTS=true | Required. Enables the background job to operate. |
    | REPO_SCHEDULE_AUDIT_REPORT_CRON=<CRON> | Required. Sets the frequency of the job. Replace <CRON> with a valid CRON expression. |
    | REPO_AUDIT_REPORT_FS=<PARENT_DIRECTORY> | Required. Replace <PARENT_DIRECTORY> with an S3 bucket location or a valid file directory path, like file://{BASE_PATH}/statedir/audit-logs. |
    | REPO_AUDIT_REPORT_DOWNLOAD_AS=<FORMAT> | Optional. Sets the output format of the report to either csv or json. If this value is not provided, the report defaults to csv format. |
    | REPO_CONFIGURE_AUDIT_EVENT_TYPES=<TYPE>,<TYPE> | Optional. Restricts the report to the listed event types. Replace <TYPE> with event types as described above, separated by commas. You can include as many event types as you require. If this variable is not provided, the report covers all events. |
    | REPO_AUDIT_REPORT_FS_KMS_ID=<KMS_ID> | As necessary. Replace <KMS_ID> with your S3 bucket KMS ID, if it has one. |

  6. Restart the repo_worker container by running the following command:

    docker compose up --detach
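
The steps above, put together as an added example (not the docker-compose.yml shipped with the installer). It assumes the file has a top-level services: key and that environment: entries are written in list form; the cron schedule is a constructed value, and the path is the one given as an illustration in step 5.

```yaml
# Fragment only: keep the existing repo_worker settings and environment
# entries, and add the audit-export variables alongside them.
services:
  repo_worker:
    environment:
      # Required: enables the background export job.
      - REPO_ENABLE_GENERATE_AUDIT_REPORTS=true
      # Required: job frequency. Constructed value: every day at 02:00.
      # Quoted so the asterisks are read as plain text.
      - "REPO_SCHEDULE_AUDIT_REPORT_CRON=0 2 * * *"
      # Required: export destination. Replace {BASE_PATH} with your own
      # base path, or use an S3 bucket location instead.
      - "REPO_AUDIT_REPORT_FS=file://{BASE_PATH}/statedir/audit-logs"
      # Optional: csv is used when this variable is omitted.
      - REPO_AUDIT_REPORT_DOWNLOAD_AS=json
      # REPO_CONFIGURE_AUDIT_EVENT_TYPES is left unset here, so the report
      # covers all events.
      # REPO_AUDIT_REPORT_FS_KMS_ID is needed only when the destination is
      # an S3 bucket that has a KMS ID.
```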
    

Note

If you are using the REPO_CONFIGURE_AUDIT_EVENT_TYPES= variable, the report will include artifact_downloaded events even if you do not include them in the list.