Add security_audit feature

CHANGELOG.rst

@@ -152,6 +152,10 @@ Added
 
   Contributed by @Kami.
 
+* Add new audit message when a user has decrypted a key whether manually in the container (st2 key get [] --decrypt)
+  or through a workflow with a defined config. #5594
+  Contributed by @dmork123
+
 * Added garbage collection for rule_enforcement and trace models #5596/5602
   Contributed by Amanda McGuinness (@amanda11 intive)
 

st2api/st2api/controllers/v1/keyvalue.py

@@ -97,7 +97,8 @@ def get_one(self, name, requester_user, scope=None, user=None, decrypt=False):
         key_ref = get_key_reference(scope=scope, name=name, user=user)
         extra = {"scope": scope, "name": name, "user": user, "key_ref": key_ref}
         LOG.debug("GET /v1/keys/%s", name, extra=extra)
-
+        LOG.audit("User %s decrypted the value %s ", user, name,
+                  extra={"user": user, "scope": scope, "key_name": name, "operation": "decrypt"})
         # Setup a kvp database object used for verifying permission
         kvp_db = KeyValuePairDB(
             uid="%s:%s:%s" % (ResourceType.KEY_VALUE_PAIR, scope, key_ref),

st2common/st2common/util/config_loader.py

@@ -169,6 +169,11 @@ def _assign_dynamic_config_values(self, schema, config, parent_keys=None):
                 is_jinja_expression = jinja_utils.is_jinja_expression(
                     value=config_item_value
                 )
+                if "decrypt_kv" in str(config_item_value):
+                    LOG.audit("User %s is decrypting the value for key %s from the config within pack %s", self.user,
+                              config_item_key, self.pack_name,
+                    extra = {"user": self.user, "key_name": config_item_key, "pack_name": self.pack_name,
+                             "operation": "pack_config_value_decrypt"})
 
                 if is_jinja_expression:
                     # Resolve / render the Jinja template expression