GitHub audit logs should be archived #249

@emilazy

GitHub audit logs only go back 180 days. As we discovered during the response to GHSA-67f2-674w-6g63, that can be exceptionally inconvenient when a long‐dormant security risk comes to light.

GitHub Enterprise lets us stream audit logs to S3 for long‐term storage. It seems like it shouldn’t be hard for @NixOS/org and @NixOS/infra to arrange to get these stored for the long term. I believe we should also consider enabling audit log streaming of security‐sensitive API requests.

I expect that the size of these logs will not be significant compared to the growth of the cache; if it is, we could look into doing some kind of filtering, or potentially use the audit log API to cook up a custom solution.

Additionally, only org owners have any access to the audit logs, which can slow down incident response and reduces transparency. Given the wide importance of repositories in the NixOS organization, I think it would make sense for at least the security team to have access to the S3 bucket, but even better would be if we had publicly‐accessible logs for at least a subset of actions by privileged users (e.g. at least org owners, probably repository admins, perhaps even committers in general?). These should of course be filtered to remove personal information like location. This would make it easier to ensure that org owner actions are logged publicly as required, and reduce the toil in doing so.
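
A sketch of the filtering step proposed above, added here as an illustration and not code from NixOS or GitHub: it publishes only events by a configured set of privileged actors and copies an allow-list of fields, so location, IP address and any unlisted field are dropped by default. The field names, actor names and sample events are assumptions constructed for the example.

```python
import json

# Assumed field names, modelled on GitHub audit log JSON events; check them
# against a real export before relying on this list.
PUBLIC_FIELDS = ("@timestamp", "action", "actor", "org", "repo", "user")

def redact_event(event, privileged_actors):
    """Return a publishable copy of one event, or None to withhold it."""
    if event.get("actor") not in privileged_actors:
        return None
    # Allow-list rather than deny-list: location, IP, user agent and any
    # field introduced later are dropped unless explicitly listed above.
    return {k: event[k] for k in PUBLIC_FIELDS if k in event}

def filter_stream(lines, privileged_actors):
    """Filter newline-delimited JSON. Returns (public_events, rejected_count)."""
    public, rejected = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            rejected += 1  # count malformed input so silent gaps are visible
            continue
        redacted = redact_event(event, privileged_actors)
        if redacted is not None:
            public.append(redacted)
    return public, rejected

# Constructed sample events (not real log data).
SAMPLE_LINES = [json.dumps(e) for e in (
    {"@timestamp": 1700000000000, "action": "org.update_member",
     "actor": "owner-a", "org": "example-org", "user": "member-c",
     "actor_ip": "192.0.2.10", "actor_location": {"country_code": "NL"}},
    {"@timestamp": 1700000001000, "action": "repo.create",
     "actor": "contributor-b", "org": "example-org",
     "repo": "example-org/demo", "user_agent": "Mozilla/5.0"},
    {"@timestamp": 1700000002000, "action": "protected_branch.destroy",
     "actor": "owner-a", "org": "example-org", "repo": "example-org/demo",
     "actor_location": {"country_code": "NL"}},
)] + ["{truncated"]

if __name__ == "__main__":
    events, bad = filter_stream(SAMPLE_LINES, {"owner-a"})
    for e in events:
        print(json.dumps(e, sort_keys=True))
    print(f"rejected lines: {bad}")
```

The unfiltered stream would still go to the restricted bucket; only the output of a filter like this would be published.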
