Log security incidents

[lucky-lusa]

There is an interface that can be used to create tickets for the dev team in slack and zammad in the event of security incidents. the eps should also use this interface to report security-related events.

iris-connect/backlog#199

iris-connect/backlog#232

• Define which incidents should trigger corresponding tickets. For example Request timeouts / rate limiting at IP/subnet level #14
• Use the interface for these incidents.

[hey-johnnypark]

It should be possible to configure the endpoint of the alert receiver.

[adewes]

Which incidents should we log? I'm not sure if logging certificate errors will make sense as for public EPS instances we'll probably get drowned in alerts (since there's a lot of scanning going on in general), probably permission errors are more interesting here (e.g. a given EPS server tries to call a method that's not permitted for the given group).

[adewes]

Proposal

We define a Report function in the message broker that can be used by channels and the message broker itself to report different types of incidents (e.g. failed authentication, use of valid but unpinned certificates etc.). The message broker can the be configured with an operator name to send these reports to (e.g. iris-1) using a report method. The receiving EPS will then forward the reports via the JSON-RPC client to an internal endpoint, which in turn can store or process them.