Security : Prevent admin user from altering security_auditlog indices

Hello there,

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
I’m using a 2.16 version of Opensearch / Opensearch Dashboards with security audit log enabled.

Describe the issue:
I would like to use security auditlogs indices to catch any time a user tries to update / delete a document.
It works perfectly fine but I noticed the admin user can alter the audit logs… and even delete them if he wanted.

Configuration:
Is it possible to prevent the admin user from altering security_auditlog indices?

Best regards,

Hi @vincent2mots ,

The admin user has all_access role. The admin user can read, edit or delete a document in any index except .opendistro_security index:

It’s possible to send the audit logs to the external OpenSearch cluster as per the documentation below. In this case, the admin user of the main OpenSearch cluster will not have access to edit audit logs:
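As an added illustration (not part of the reply above, and not taken from the OpenSearch documentation verbatim), the opensearch.yml settings on the main cluster that switch audit log storage from the default local index to a separate audit cluster; the endpoint, index name, user and CA path are placeholders to be replaced with your own values:

```yaml
# Default: audit events are written to an index on the same cluster,
# where all_access (the admin user) can edit or delete them.
# plugins.security.audit.type: internal_opensearch

# Hardened: ship audit events to a dedicated cluster that the main
# cluster's admin user has no role on.
plugins.security.audit.type: external_opensearch
plugins.security.audit.config.http_endpoints:
  - audit-cluster.example.internal:9200        # placeholder host
plugins.security.audit.config.index: "'security-auditlog-'YYYY.MM.dd"
plugins.security.audit.config.type: _doc

# Credentials of a user defined ONLY on the audit cluster. Give that
# user write/create-index permissions on security-auditlog-* and
# nothing else, so a leaked credential cannot read or delete history.
plugins.security.audit.config.username: auditlog-writer   # placeholder
plugins.security.audit.config.password: "<set-via-secret>" # placeholder

# TLS to the audit cluster; verify its certificate against a known CA.
plugins.security.audit.config.enable_ssl: true
plugins.security.audit.config.verify_hostnames: true
plugins.security.audit.config.pemtrustedcas_filepath: audit-cluster-ca.pem  # placeholder
```

These are static settings, so the node must be restarted for the change to take effect; on the audit cluster, keep the admin there separate from the main cluster's admin, otherwise the same person can still delete the logs.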


Thanks @Eugene7 !