Auditing & Logging

Effective security requires visibility into system activity. Squid provides comprehensive logging and auditing capabilities to support security monitoring, incident investigation, and compliance requirements.

Logging Framework Overview

Squid uses a structured logging framework that captures security-relevant events:

┌─────────────────────────────────────────────────────────────────────┐
│                        Log Event Structure                          │
├─────────────────────────────────────────────────────────────────────┤
│  {                                                                   │
│    "time": 1706745600000,                                           │
│    "timeISO": "2024-02-01T00:00:00.000Z",                           │
│    "duration": 1250,                                                │
│    "level": "INFO",                                                 │
│    "method": "getData",                                             │
│    "operation": "API_REQUEST",                                      │
│    "config": "cmdb_ci_server",                                      │
│    "message": "Request completed successfully",                     │
│    "sqlQueries": 45,                                                │
│    "sqlInsertUpdates": 0,                                           │
│    "sqlDeletes": 0,                                                 │
│    ...context properties                                            │
│  }                                                                   │
└─────────────────────────────────────────────────────────────────────┘

Log Levels

Squid supports standard syslog severity levels:

Level	Numeric	Purpose
EMERG	0	System is unusable
ALERT	1	Action must be taken immediately
CRIT	2	Critical conditions
ERR	3	Error conditions
WARNING	4	Warning conditions
NOTICE	5	Normal but significant
INFO	6	Informational messages
DEBUG	7	Debug-level messages

Configuring Log Level

Set the logging level via system property:

Property: x_a46gh_squidx.loglevel
Values: debug, info, warning, error (or numeric 0-7)

Security Logging Recommendations

Environment	Recommended Level	Rationale
Production	INFO or WARNING	Balance visibility and volume
Development	DEBUG	Full detail for troubleshooting
Security Audit	DEBUG (temporary)	Comprehensive capture

Security-Relevant Log Events

Authentication Events

Level: INFO/ERR
Event: Access check
Logged Information:
  - User attempting access
  - Success/failure status
  - Missing role (if failure)

Success:

{
  "level": "INFO",
  "operation": "ACCESS_CHECK",
  "message": "Access granted",
  "user": "squid_service_account"
}

Failure:

{
  "level": "ERR",
  "operation": "ACCESS_CHECK",
  "message": "Access denied - missing rest role",
  "user": "unauthorized_user"
}

Authorization Events

Level: INFO/ERR
Event: Configuration access check
Logged Information:
  - Configuration requested
  - User roles
  - Required roles
  - Match result

Failure:

{
  "level": "ERR",
  "operation": "CONFIG_ACCESS_CHECK",
  "message": "Configuration access denied",
  "config": "cmdb_ci_server",
  "user": "limited_user",
  "requiredRoles": ["defaultAccess"],
  "userRoles": ["custom_role"]
}

Query Validation Events

Level: WARNING/ERR
Event: Query validation
Logged Information:
  - Original query
  - Violation type
  - Operator detected

Forbidden Operator:

{
  "level": "ERR",
  "operation": "QUERY_VALIDATION",
  "message": "Forbidden operator detected",
  "operator": "^NQ",
  "query": "base_name=x^NQbase_company!=y",
  "user": "potential_attacker"
}

Restricted Operator:

{
  "level": "WARNING",
  "operation": "QUERY_VALIDATION",
  "message": "Restricted operator blocked",
  "operator": "LIKE",
  "config": "cmdb_ci_server",
  "user": "api_user"
}

Data Access Events

Level: INFO
Event: Data retrieval
Logged Information:
  - Configuration used
  - Row count returned
  - Query executed
  - Duration
  - SQL query count

{
  "level": "INFO",
  "operation": "DATA_RETRIEVAL",
  "config": "cmdb_ci_server",
  "rowCount": 1500,
  "duration": 2340,
  "sqlQueries": 45,
  "filter": "base_install_status=1"
}

Response Metadata

Every Squid response includes metadata useful for auditing:

{
  "metadata": {
    "powered_by": "arc46.io",
    "git": "squid-1.1.0+45-abc123",
    "build": "2024-02-01T00:00:00.000Z",
    "license_max_entities": "Unlimited",
    "license_valid_till": "2025-12-31T23:59:59.000Z",
    "requested_by": "squid_service_account",
    "request_received": "2024-02-01T12:34:56.789Z",
    "config": "cmdb_ci_server",
    "row_count": 1500,
    "provided_filter": "base_name=webserver*",
    "combined_filter": "base_install_status=1^base_name=webserver*",
    "warnings": []
  }
}

Key Audit Fields

Field	Purpose
`requested_by`	User who made the request
`request_received`	Timestamp of request
`config`	Configuration accessed
`row_count`	Amount of data returned
`provided_filter`	User's query
`combined_filter`	Final executed query
`warnings`	Any security warnings

Debug Flags

For detailed security investigation, Squid provides debug flags:

Flag	Purpose
`DEBUG_CHECK_CONFIG_ACCESS_FLAG`	Log detailed authorization decisions
`DEBUG_QUERY_EXECUTION`	Log query construction
`DEBUG_REFERENCE_RESOLUTION`	Log reference lookups

warning

Debug flags can expose sensitive information. Enable only during active investigation and disable immediately after.

Audit Use Cases

Use Case 1: Investigating Unauthorized Access Attempt

Scenario: Security alert for failed access attempts

Investigation Steps:

Filter logs for operation=ACCESS_CHECK and level=ERR
Identify user and timestamp
Review subsequent attempts
Correlate with other security logs

Log Query Example:

level=ERR AND operation IN (ACCESS_CHECK, CONFIG_ACCESS_CHECK)
AND time > [incident_start] AND time < [incident_end]

Use Case 2: Data Exfiltration Detection

Scenario: Unusual data access patterns

Monitoring Approach:

Baseline normal row_count per configuration
Alert on significant deviations
Monitor for repeated large queries
Track unique user/config combinations

Metrics to Track:

Rows returned per user per day
Unique configurations accessed
Query frequency
After-hours access

Use Case 3: Compliance Audit

Scenario: Demonstrating access controls for compliance

Evidence Collection:

Export logs showing authentication enforcement
Show configuration role requirements
Demonstrate query validation logs
Provide metadata showing audit trail

Use Case 4: Performance Security

Scenario: Detecting potential DoS through expensive queries

Monitoring:

{
  "alert_condition": "duration > 30000 OR sqlQueries > 1000",
  "action": "flag_for_review"
}

Log Retention Recommendations

Log Type	Retention	Rationale
Security events (ERR, CRIT)	1 year	Incident investigation
Access logs (INFO)	90 days	Operational audit
Debug logs	7 days	Troubleshooting only

Integration with SIEM

Squid logs can be integrated with Security Information and Event Management (SIEM) systems:

Log Forwarding

Configure ServiceNow to forward application logs
Parse Squid's structured JSON format
Create correlation rules for security events

Suggested SIEM Rules

Rule	Trigger	Action
Multiple auth failures	5+ failures in 5 minutes	Alert
Forbidden operator detected	Any occurrence	Alert
Large data export	row_count > threshold	Log for review
After-hours access	Access outside business hours	Log for review
New user/config combination	First-time access pattern	Informational

Response Warnings

Squid includes warnings in responses for security-relevant conditions:

{
  "metadata": {
    "warnings": [
      "ACLs are being enforced. Data may be silently omitted.",
      "Restricted operator 'LIKE' is enabled for this configuration.",
      "Large result set may impact performance."
    ]
  }
}

Warning Types

Warning	Meaning	Action
ACL enforcement	Data might be missing	Review ACL configuration
Restricted operators enabled	Performance risk	Monitor query patterns
Configuration errors	Potential misconfiguration	Review configuration

Creating an Audit Dashboard

Recommended metrics for a security dashboard:

Access Metrics

Successful vs failed authentications
Unique users per day
Peak usage times

Configuration Metrics

Most accessed configurations
Configurations with most failures
New configuration access patterns

Query Metrics

Blocked queries (forbidden/restricted)
Average query duration
Large result sets

Anomaly Detection

Deviation from baseline patterns
Unusual user/config combinations
After-hours access

Security Architecture - How security events are generated
Best Practices - Monitoring recommendations
Authentication - Auth event details
Query Security - Query validation events

Logging Framework Overview​

Log Levels​

Configuring Log Level​

Security Logging Recommendations​

Security-Relevant Log Events​

Authentication Events​

Authorization Events​

Query Validation Events​

Data Access Events​

Response Metadata​

Key Audit Fields​

Debug Flags​

Audit Use Cases​

Use Case 1: Investigating Unauthorized Access Attempt​

Use Case 2: Data Exfiltration Detection​

Use Case 3: Compliance Audit​

Use Case 4: Performance Security​

Log Retention Recommendations​

Integration with SIEM​

Log Forwarding​

Suggested SIEM Rules​

Response Warnings​

Warning Types​

Creating an Audit Dashboard​

Access Metrics​

Configuration Metrics​

Query Metrics​

Anomaly Detection​

Related Topics​