107 lines
2.6 KiB
JavaScript
107 lines
2.6 KiB
JavaScript
/**
|
|
* Security Audit Logger for Data Retention Access
|
|
* Logs all access attempts to data retention metrics
|
|
*/
|
|
|
|
const fs = require('fs').promises;
|
|
const path = require('path');
|
|
|
|
class DataRetentionAuditLogger {
|
|
constructor() {
|
|
this.logDir = process.env.SECURITY_LOG_DIR || './logs';
|
|
this.logFile = path.join(this.logDir, 'data_retention_access.log');
|
|
}
|
|
|
|
async ensureLogDir() {
|
|
try {
|
|
await fs.mkdir(this.logDir, { recursive: true });
|
|
} catch (error) {
|
|
console.error('Failed to create security log directory:', error);
|
|
}
|
|
}
|
|
|
|
async logAccess(event) {
|
|
try {
|
|
await this.ensureLogDir();
|
|
|
|
const logEntry = {
|
|
timestamp: new Date().toISOString(),
|
|
event: event.type,
|
|
user: {
|
|
id: event.user?.id,
|
|
username: event.user?.username,
|
|
role: event.user?.role
|
|
},
|
|
request: {
|
|
ip: event.ip,
|
|
userAgent: event.userAgent,
|
|
endpoint: event.endpoint,
|
|
method: event.method
|
|
},
|
|
result: event.result,
|
|
error: event.error
|
|
};
|
|
|
|
const logLine = JSON.stringify(logEntry) + '\n';
|
|
await fs.appendFile(this.logFile, logLine, 'utf8');
|
|
|
|
} catch (error) {
|
|
console.error('Failed to write security log:', error);
|
|
}
|
|
}
|
|
|
|
// Log successful access
|
|
async logSuccess(user, req, endpoint) {
|
|
await this.logAccess({
|
|
type: 'DATA_RETENTION_ACCESS_SUCCESS',
|
|
user,
|
|
ip: req.ip,
|
|
userAgent: req.headers['user-agent'],
|
|
endpoint,
|
|
method: req.method,
|
|
result: 'success'
|
|
});
|
|
}
|
|
|
|
// Log authentication failure
|
|
async logAuthFailure(req, endpoint, reason) {
|
|
await this.logAccess({
|
|
type: 'DATA_RETENTION_ACCESS_AUTH_FAILED',
|
|
ip: req.ip,
|
|
userAgent: req.headers['user-agent'],
|
|
endpoint,
|
|
method: req.method,
|
|
result: 'auth_failed',
|
|
error: reason
|
|
});
|
|
}
|
|
|
|
// Log permission denied
|
|
async logPermissionDenied(user, req, endpoint, reason) {
|
|
await this.logAccess({
|
|
type: 'DATA_RETENTION_ACCESS_PERMISSION_DENIED',
|
|
user,
|
|
ip: req.ip,
|
|
userAgent: req.headers['user-agent'],
|
|
endpoint,
|
|
method: req.method,
|
|
result: 'permission_denied',
|
|
error: reason
|
|
});
|
|
}
|
|
|
|
// Log network access denied
|
|
async logNetworkDenied(req, endpoint) {
|
|
await this.logAccess({
|
|
type: 'DATA_RETENTION_ACCESS_NETWORK_DENIED',
|
|
ip: req.ip,
|
|
userAgent: req.headers['user-agent'],
|
|
endpoint,
|
|
method: req.method,
|
|
result: 'network_denied',
|
|
error: 'Access from unauthorized network'
|
|
});
|
|
}
|
|
}
|
|
|
|
module.exports = new DataRetentionAuditLogger(); |