@bquenin bquenin commented Dec 17, 2025

Summary

The WebPostAccessLogger filter pattern was missing createSubmit, which meant that credential creation events (and other resource creation via createSubmit endpoints) were not being logged to the audit trail in Splunk.

Problem

When auditing Jenkins activity via Splunk, credential updates and deletions were properly logged, but credential creations were silently ignored:

| Action | Before | After |
|---|---|---|
| configSubmit | ✅ logged | ✅ logged |
| updateSubmit | ✅ logged | ✅ logged |
| doDelete | ✅ logged | ✅ logged |
| createSubmit | ❌ NOT logged | ✅ logged |

This is a security gap - there was no way to audit who created a credential from the audit trail.

Fix

Added createSubmit to the FILTER_PATTERN regex in WebPostAccessLogger.java.

Testing

  • Added comprehensive unit tests for the filter pattern (WebPostAccessLoggerTest.java)
  • Changed pattern visibility from private to package-visible to allow tests to reference the actual pattern (avoiding duplication)
  • All 9 tests pass

Verification

This issue was discovered and verified on a production Jenkins controller by:

  1. Creating a test credential → No audit event logged (only updated credentials.xml by SYSTEM)
  2. Updating the credential → Audit event properly logged with user attribution
  3. Deleting the credential → Audit event properly logged with user attribution

The WebPostAccessLogger filter pattern was missing 'createSubmit', which meant
that credential creation events (and other resource creation via createSubmit)
were not being logged to the audit trail.

This fix adds 'createSubmit' to the FILTER_PATTERN regex, ensuring that
resource creation events are properly audited alongside updates and deletions.

Before this fix:
- configSubmit: ✓ logged
- updateSubmit: ✓ logged
- doDelete: ✓ logged
- createSubmit: ✗ NOT logged

After this fix:
- configSubmit: ✓ logged
- createSubmit: ✓ logged
- updateSubmit: ✓ logged
- doDelete: ✓ logged

Also adds unit tests for the filter pattern matching behavior. The pattern
visibility was changed from private to package-visible to allow tests to
reference the actual pattern rather than duplicating it.
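To make the audit gap described above concrete, here is an added example (not code from this PR or from the plugin it patches) that runs a constructed "before" and "after" filter pattern over constructed POST request paths and reports which actions the old pattern silently dropped. The patterns, the user names and the request paths are all assumptions; the real FILTER_PATTERN is not reproduced on this page.

```python
import re

# Constructed stand-ins for FILTER_PATTERN: the "before" alternation lacks
# createSubmit, the "after" alternation includes it. Assumed, not the real regex.
BEFORE_PATTERN = re.compile(r".*/(configSubmit|updateSubmit|doDelete)$")
AFTER_PATTERN = re.compile(r".*/(configSubmit|updateSubmit|doDelete|createSubmit)$")

# Constructed sample POSTs (user, path) in the style of Jenkins endpoints.
SAMPLE_POSTS = [
    ("alice", "/job/build-app/configSubmit"),
    ("bob", "/credentials/store/system/domain/_/createSubmit"),
    ("bob", "/credentials/store/system/domain/_/credential/deploy-key/updateSubmit"),
    ("carol", "/credentials/store/system/domain/_/credential/deploy-key/doDelete"),
    ("dave", "/job/build-app/build"),  # not an audited action under either pattern
]


def audited(pattern, posts):
    """Return (user, action, path) for every POST the given filter would log."""
    out = []
    for user, path in posts:
        m = pattern.match(path)
        if m:
            out.append((user, m.group(1), path))
    return out


def audit_gap(before, after, posts):
    """POSTs the fixed pattern logs but the old pattern dropped from the audit trail."""
    seen_before = set(audited(before, posts))
    return [entry for entry in audited(after, posts) if entry not in seen_before]


if __name__ == "__main__":
    for user, action, path in audit_gap(BEFORE_PATTERN, AFTER_PATTERN, SAMPLE_POSTS):
        print(f"previously unaudited: user={user} action={action} path={path}")
```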