Security logging feature for Contrail

Registered by Abhijeet on 2018-12-13

The security log should contain, at a minimum, the following fields (wherever technically feasible):

    1. Event type.
    2. Date/time.
    3. Protocol.
    4. Service or program used for access.
    5. Success/failure.
    6. Login ID — Where the Login ID is defined on the system/application/authentication server;
        otherwise, the field should contain 'unknown', in order to protect authentication credentials
        accidentally entered at the Login ID prompt from appearing in the security audit log. Where the
        administrator chooses, the field may contain the actual invalid Login ID if a match results from an
        automated check of the Login ID against a pre-determined list of strings likely to be used by an
        attacker as potential Login IDs. The list must not contain strings that comply with password rules.
    7. Source IP Address.

The security log must log the following events at a minimum (based on technical feasibility):

    1. Successful and unsuccessful login attempts and Logoffs.
    2. Successful and unsuccessful changes to a privilege level.
    3. Starting and stopping of security logging.
    4. Creating, removing, or changing the inherent privilege level of users.
    5. Connections to a network listener of the resource.
    6. Log should also contain the role(s) the user was using as well as which tenant they were in
        when they performed the action.

The security logs have the following strict requirements:

    1. Log retention for 180 days.
    2. Logs should be synced to UTC and have UTC time stamps.
    3. Should not contain passwords (even if encrypted), security keys, or company proprietary information.
    4. Must be protected from modifications and unauthorized viewing.
    5. All resources to which access is controlled, including but not limited to applications and
        operating systems must have the capability of generating security audit logs.
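
The Login ID rule (field 6) and the UTC time stamp requirement above, sketched in Python as an added example that is not part of the blueprint or of Contrail's code. The password policy regex, the record key names and the sample values are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Assumed password policy (not in the blueprint): 8+ chars with lower, upper and digit.
PASSWORD_RULE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$")


def build_watchlist(candidates):
    """Drop any candidate that complies with password rules, as field 6 requires."""
    return frozenset(c for c in candidates if not PASSWORD_RULE.match(c))


def loggable_login_id(login_id, known_ids, watchlist, log_invalid=False):
    """Return the value that is safe to write to the Login ID field."""
    if login_id in known_ids:
        return login_id                      # defined on the system: log as-is
    if log_invalid and login_id in watchlist:
        return login_id                      # administrator opted in, exact match only
    return "unknown"                         # may be a password typed at the prompt


def security_record(event_type, protocol, service, success, login_id, source_ip,
                    roles, tenant, *, known_ids, watchlist, log_invalid=False, now=None):
    """Build one log entry; key names are hypothetical, fields follow the blueprint."""
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        "event_type": event_type,
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),   # always UTC
        "protocol": protocol,
        "service": service,
        "result": "success" if success else "failure",
        "login_id": loggable_login_id(login_id, known_ids, watchlist, log_invalid),
        "source_ip": source_ip,
        "roles": list(roles),
        "tenant": tenant,
    }


if __name__ == "__main__":
    # Constructed sample data: a password typed into the Login ID prompt by mistake.
    wl = build_watchlist(["root", "admin", "Summer2018x"])
    rec = security_record("login", "https", "webui", False, "Hunter2Secret",
                          "192.0.2.10", [], None, known_ids={"alice"},
                          watchlist=wl, log_invalid=True)
    print(json.dumps(rec, sort_keys=True))
```

Matching against the watchlist is exact and case-sensitive, so a typed string that satisfies the password policy can never match an entry that was admitted because it did not.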

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Abhijeet
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None
