8.2.13.2. Logbook Operations

8.2.13.2.1. Logbook configuration

logbook.conf: YAML configuration file of the logbook server. It has one property:

  • alertEvents: configuration of the security alerts

An alert is triggered either by analysing the pair {evType, outcome} or by analysing {outDetail}.

  1. Triggering on analysis of the pair {evType, outcome}:

     - evType: 'CHECK_HEADER.CHECK_CONTRACT_INGEST'
       outcome: 'KO'

  2. Triggering on analysis of {outDetail}:

     - outDetail: 'CHECK_HEADER.CHECK_CONTRACT_INGEST.KO'

  3. List of the detections covered by the alert:
  • management rule base not conforming to the registered reference data (CHECK_RULES)
  • rejection of a SIP at ingest because of contract mismatch (CHECK_HEADER.CHECK_CONTRACT_INGEST)
  • submission of a SIP whose classification level is incompatible with the platform (CHECK_CLASSIFICATION_LEVEL)
  • duration value in the management rules lower than the minimum duration (CHECK_RULES.MAX_DURATION_EXCEEDS)
  • refusal of an access using personae rights (STP_PERSONAL_CERTIFICATE_CHECK)
  • no securing of the logs over 12h (TODO)
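As an added illustration (not VITAM code), the matching rule described above applied to a few constructed logbook operation events; the rule list and the field names evType, outcome and outDetail are those of the alertEvents block of logbook.conf:

```python
# Added example (not VITAM code): applies the alertEvents matching rule of
# logbook.conf to logbook operation events. An alert fires when a rule's
# {evType, outcome} pair matches the event, or when its outDetail matches.

# Rules as they appear in the alertEvents block of logbook.conf.
ALERT_EVENTS = [
    {"evType": "CHECK_HEADER.CHECK_CONTRACT_INGEST", "outcome": "KO"},
    {"evType": "CHECK_RULES.MAX_DURATION_EXCEEDS", "outcome": "KO"},
    {"evType": "CHECK_RULES", "outcome": "KO"},
    {"outDetail": "CHECK_CLASSIFICATION_LEVEL.KO"},
    {"outDetail": "STP_PERSONAL_CERTIFICATE_CHECK.KO"},
]


def matches_rule(event: dict, rule: dict) -> bool:
    """True if one alertEvents rule applies to one logbook event.

    A rule carries either evType+outcome (both must match) or outDetail.
    """
    if "outDetail" in rule:
        return event.get("outDetail") == rule["outDetail"]
    return (event.get("evType") == rule.get("evType")
            and event.get("outcome") == rule.get("outcome"))


def security_alerts(events, rules=ALERT_EVENTS):
    """Return (evType, outDetail) of every event that raises an alert."""
    return [(e.get("evType"), e.get("outDetail"))
            for e in events if any(matches_rule(e, r) for r in rules)]


# Constructed sample events, reduced to the fields the rules examine.
SAMPLE_EVENTS = [
    {"evType": "CHECK_HEADER.CHECK_CONTRACT_INGEST", "outcome": "KO",
     "outDetail": "CHECK_HEADER.CHECK_CONTRACT_INGEST.KO"},
    {"evType": "CHECK_HEADER.CHECK_CONTRACT_INGEST", "outcome": "OK",
     "outDetail": "CHECK_HEADER.CHECK_CONTRACT_INGEST.OK"},
    {"evType": "CHECK_CLASSIFICATION_LEVEL", "outcome": "KO",
     "outDetail": "CHECK_CLASSIFICATION_LEVEL.KO"},
    {"evType": "CHECK_RULES", "outcome": "WARNING",
     "outDetail": "CHECK_RULES.WARNING"},
    {"evType": "STP_UPLOAD_SIP", "outcome": "OK",
     "outDetail": "STP_UPLOAD_SIP.OK"},
]

if __name__ == "__main__":
    for ev_type, out_detail in security_alerts(SAMPLE_EVENTS):
        print(f"SECURITY ALERT: {ev_type} ({out_detail})")
```

Only the contract-ingest KO and the classification-level KO events raise an alert; a CHECK_RULES event with outcome WARNING does not, since the rule requires KO.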

The configuration files are managed by the installation or upgrade procedures of the VITAM environment. Refer to the DIN.

The configuration files are defined under /vitam/conf/logbook.

8.2.13.2.2. logbook.conf file

#jinja2: lstrip_blocks: True
jettyConfig: jetty-config.xml

urlProcessing: {{ vitam.processing | client_url }}
urlWorkspace: {{ vitam.workspace | client_url }}

p12LogbookPassword: {{ keystores.timestamping.secure_logbook }}
p12LogbookFile: keystore_secure-logbook.p12

# Basic Authentication
adminBasicAuth:
  - userName: {{ admin_basic_auth_user }}
    password: {{ admin_basic_auth_password }}

# MongoDB configuration
mongoDbNodes:
{% for server in groups['hosts_mongos_data'] %}
  - dbHost: {{ hostvars[server]['ip_service'] }}
    dbPort: {{ mongodb.mongos_port }}
{% endfor %}
dbName: logbook
dbAuthentication: {{ mongodb.mongo_authentication | bool | lower }}
dbUserName: {{ mongodb['mongo-data'].logbook.user }}
dbPassword: {{ mongodb['mongo-data'].logbook.password }}

# ElasticSearch configuration
clusterName: {{ vitam_struct.cluster_name }}
elasticsearchConfigurationFile: {{ vitam_folder_conf }}/elasticsearch-settings/elasticsearch-configuration.json
elasticsearchNodes:
{% for server in groups['hosts_elasticsearch_data'] %}
  - hostName: {{ hostvars[server]['ip_service'] }}
    httpPort: {{ elasticsearch.data.port_http }}
{% endfor %}

# ElasticSearch tenant indexation
elasticsearchTenantIndexation:
  default_config:
    logbookoperation:
      number_of_shards: {{ vitam_elasticsearch_tenant_indexation.default_config.logbookoperation.number_of_shards | default(1) }}
      number_of_replicas: {{ vitam_elasticsearch_tenant_indexation.default_config.logbookoperation.number_of_replicas | default(2) }}

{% if vitam_elasticsearch_tenant_indexation.dedicated_tenants is defined and vitam_elasticsearch_tenant_indexation.dedicated_tenants is not none %}
  dedicated_tenants:
  {% for entry in vitam_elasticsearch_tenant_indexation.dedicated_tenants %}
    - tenants: '{{ entry.tenants }}'
    {% if entry.logbookoperation is defined %}
      logbookoperation:
      {% if entry.logbookoperation.number_of_shards is defined %}
        number_of_shards: {{ entry.logbookoperation.number_of_shards }}
      {% endif %}
      {% if entry.logbookoperation.number_of_replicas is defined %}
        number_of_replicas: {{ entry.logbookoperation.number_of_replicas }}
      {% endif %}
    {% endif %}
  {% endfor %}

{% endif %}
{% if vitam_elasticsearch_tenant_indexation.grouped_tenants is defined and vitam_elasticsearch_tenant_indexation.grouped_tenants is not none %}
  grouped_tenants:
  {% for entry in vitam_elasticsearch_tenant_indexation.grouped_tenants %}
    - name: '{{ entry.name }}'
      tenants: '{{ entry.tenants }}'
    {% if entry.logbookoperation is defined %}
      logbookoperation:
      {% if entry.logbookoperation.number_of_shards is defined %}
        number_of_shards: {{ entry.logbookoperation.number_of_shards }}
      {% endif %}
      {% if entry.logbookoperation.number_of_replicas is defined %}
        number_of_replicas: {{ entry.logbookoperation.number_of_replicas }}
      {% endif %}
    {% endif %}
  {% endfor %}

{% endif %}


## Configuration for logbook coherence check
# list of operations that generate LFC
opWithLFC: [
  "PROCESS_SIP_UNITARY",
  "FILINGSCHEME",
  "HOLDINGSCHEME",
  "UPDATE_RULES_ARCHIVE_UNITS",
  "PROCESS_AUDIT",
  "STP_UPDATE_UNIT"]
# list of events not declared in wf
opEventsNotInWf: [
  "STP_SANITY_CHECK_SIP",
  "SANITY_CHECK_SIP",
  "CHECK_CONTAINER",
  "STP_UPLOAD_SIP"
]
# list of events to skip for OP-LFC check
opLfcEventsToSkip: [
  "STP_SANITY_CHECK_SIP", "SANITY_CHECK_SIP", "CHECK_CONTAINER", "STP_UPLOAD_SIP", "ATR_NOTIFICATION", "ROLL_BACK",
  "STORAGE_AVAILABILITY_CHECK", "ACCESSION_REGISTRATION",
  "ROLL_BACK", "ATR_NOTIFICATION", "COMMIT_LIFE_CYCLE_OBJECT_GROUP", "COMMIT_LIFE_CYCLE_UNIT",
  "LIST_OBJECTGROUP_ID", "REPORT_AUDIT",
  "LIST_ARCHIVE_UNITS", "LIST_RUNNING_INGESTS"]

# Security alerts configuration
alertEvents:
  - evType: 'CHECK_HEADER.CHECK_CONTRACT_INGEST'
    outcome: 'KO'
  - evType: 'CHECK_RULES.MAX_DURATION_EXCEEDS'
    outcome: 'KO'
  - evType: 'CHECK_RULES'
    outcome: 'KO'
  - outDetail: 'CHECK_CLASSIFICATION_LEVEL.KO'
  - outDetail: 'STP_PERSONAL_CERTIFICATE_CHECK.KO'

## Traceability params

# Temporization delay (in seconds) for recent logbook operation events.
# Set it to a reasonable delay to cover max clock difference across servers + VM/GC pauses
operationTraceabilityTemporizationDelay: {{ vitam.logbook.operationTraceabilityTemporizationDelay | default(300) }}

# Max delay between 2 logbook operation traceability operations.
# A new logbook operation traceability is generated after this delay,
# even if tenant has no new logbook operations to secure
# Unit can be in DAYS, HOURS, MINUTES, SECONDS
# Hint: Set it to 690 MINUTES (11 hours and 30 minutes) to force new traceability after +/- 12 hours
# (supposing logbook operation traceability timer run every hour +/- some clock delays)
operationTraceabilityMaxRenewalDelay: {{ vitam.logbook.operationTraceabilityMaxRenewalDelay | default(690) }}
operationTraceabilityMaxRenewalDelayUnit: {{ vitam.logbook.operationTraceabilityMaxRenewalDelayUnit | default('MINUTES') }}

# Number of logbook operations that can be run in parallel.
operationTraceabilityThreadPoolSize: {{ vitam.logbook.operationTraceabilityThreadPoolSize | default(16) }}

# Max entries selected per LogbookOperation traceability
operationTraceabilityMaxEntries: {{ vitam.logbook.operationTraceabilityMaxEntries | default(100000) }}

# Temporization delay (in seconds) for recent logbook lifecycle events.
# Set it to a reasonable delay to cover max clock difference across servers + VM/GC pauses
lifecycleTraceabilityTemporizationDelay: {{ vitam.logbook.lifecycleTraceabilityTemporizationDelay | default(300) }}

# Max delay between 2 lifecycle traceability operations.
# A new unit/objectgroup lifecycle traceability is generated after this delay,
# even if tenant has no new unit/objectgroups to secure
# Unit can be in DAYS, HOURS, MINUTES, SECONDS
# Hint: Set it to 690 MINUTES (11 hours and 30 minutes) to force new traceability after +/- 12 hours
# (supposing LFC traceability timers run every hour +/- some clock delays)
lifecycleTraceabilityMaxRenewalDelay: {{ vitam.logbook.lifecycleTraceabilityMaxRenewalDelay | default(690) }}
lifecycleTraceabilityMaxRenewalDelayUnit: {{ vitam.logbook.lifecycleTraceabilityMaxRenewalDelayUnit | default('MINUTES') }}
# Max entries selected per (Unit or Object Group) LFC traceability operation
lifecycleTraceabilityMaxEntries: {{ vitam.logbook.lifecycleTraceabilityMaxEntries | default(100000) }}

{% if not primary_site | bool %}
# Reconstruction metrics cache in minutes (secondary site)
reconstructionMetricsCacheDurationInMinutes: {{ vitam.logbook.reconstructionMetricsCacheDurationInMinutes | default(15) }}
{% endif %}

8.2.13.2.3. functional-administration-client.conf file

serverHost: {{ vitam.functional_administration.host }}
serverPort: {{ vitam.functional_administration.port_service }}

8.2.13.2.4. logbook-client.conf file

serverHost: {{ vitam.logbook.host }}
serverPort: {{ vitam.logbook.port_service }}

8.2.13.2.5. storage-client.conf file

serverHost: {{ vitam.storage.host }}
serverPort: {{ vitam.storage.port_service }}