Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): OpenSearch version 3.3.2 (but we’re going to 3.4 really soon)
Describe the issue:
I’m developing an OpenSearch plugin. One of my requirements is to ensure that audit logs are enabled in OpenSearch (the whole time the cluster is running).
I know that there is a way to configure audit logs via opensearch.yml and audit.yml and also via the REST API. So in my plugin I can check those files, but the REST API is a challenge for me. How do I ensure nobody disabled audit logs via REST?
Of course I know that I can restrict access to the endpoint by watching what kind of users, and with what permissions, are being created. However, I fear it’s not enough.
The other solution I found the other day is the _readonly field. If I understand it correctly, this is a way to configure which parameters of an audit configuration cannot be changed. It looks like something I want, but I’m not entirely sure how I should use it. The only way I can see now to use it is: clone the whole security plugin, modify static_audit.yml, build the security plugin and then install it in OpenSearch.
Is it the only way to use it?
The solution of last resort for me is to watch for the transport action that updates an audit config and then do GET requests to the security API to validate whether, by any chance, audit was disabled. It pains me, but what more can I do?
…or maybe there is some other way to achieve what I have in mind?
I’m open to any suggestions. If, by any chance, something could be added to the security plugin to achieve what I have in mind, I’m open to contributing myself.
Thanks!
Configuration:
Relevant Logs or Screenshots:
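The "last resort" described in the question, validating the audit configuration after every change, needs a checker that reads the response of `GET _plugins/_security/api/audit` and decides whether audit logging is still in the required state and whether the relevant settings are locked by `_readonly`. The following is an added example for this thread, not code from OpenSearch or the security plugin. It assumes the documented response shape (a top-level `_readonly` list of paths relative to the `config` object, and `config.enabled` as the master switch); the `REQUIRED_SETTINGS` table and both sample responses are constructed for illustration. A plugin would feed it the JSON it obtains from the security API (or the equivalent transport response); the check is detective, so a change is only noticed after it happened, which is why reporting the unlocked paths matters.

```python
"""Validate the security plugin's audit configuration against required values.

Added example for the forum question above; not OpenSearch project code.
Assumed response shape of GET _plugins/_security/api/audit:
  {"_readonly": ["/audit/...", ...], "config": {"enabled": bool, "audit": {...}}}
where _readonly entries are paths relative to the "config" object (assumption).
"""
from typing import Any

# Settings the plugin insists on, as paths into the response document.
# Constructed for this example; extend with whatever the plugin requires.
REQUIRED_SETTINGS: dict[str, Any] = {
    "/config/enabled": True,
    "/config/audit/enable_rest": True,
    "/config/audit/enable_transport": True,
}


def _lookup(doc: dict[str, Any], path: str) -> Any:
    """Resolve a slash-separated path against nested dicts; None if absent."""
    node: Any = doc
    for part in path.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_audit_config(response: dict[str, Any]) -> dict[str, Any]:
    """Compare an audit-config response with REQUIRED_SETTINGS.

    Returns:
      enabled    - current value of config.enabled (None if missing)
      violations - required paths whose current value differs
      unlocked   - required paths not listed in _readonly, i.e. still
                   changeable through the REST API by an admin user
    """
    readonly = set(response.get("_readonly", []))
    violations: list[str] = []
    unlocked: list[str] = []
    for path, wanted in REQUIRED_SETTINGS.items():
        if _lookup(response, path) != wanted:
            violations.append(path)
        # _readonly is assumed to be expressed relative to "config".
        if path.removeprefix("/config") not in readonly:
            unlocked.append(path)
    return {
        "enabled": _lookup(response, "/config/enabled"),
        "violations": violations,
        "unlocked": unlocked,
    }


def report(response: dict[str, Any]) -> list[str]:
    """Human-readable findings, one line each; empty list means all good."""
    result = check_audit_config(response)
    lines = [f"audit logging disabled or misconfigured at {p}" for p in result["violations"]]
    lines += [f"required setting {p} is not protected by _readonly" for p in result["unlocked"]]
    return lines


# Constructed sample responses (not captured from a real cluster).
SAMPLE_OK: dict[str, Any] = {
    "_readonly": ["/enabled", "/audit/exclude_sensitive_headers"],
    "config": {
        "enabled": True,
        "audit": {"enable_rest": True, "enable_transport": True},
    },
}

SAMPLE_DISABLED: dict[str, Any] = {
    "_readonly": ["/audit/exclude_sensitive_headers"],
    "config": {
        "enabled": False,
        "audit": {"enable_rest": True, "enable_transport": False},
    },
}

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("disabled", SAMPLE_DISABLED)):
        print(name, report(sample) or ["audit configuration satisfies requirements"])
```

Running the checker right after observing the audit-config update action closes the window the question worries about; the `unlocked` list additionally tells you which of your required settings would still need a `_readonly` entry to make them immutable.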