Using Octopus v2018.4.4
Scenario: I’ve created a new Octopus project, which contains a single process step using the built-in step template “Run a Script”. I defined the script as a PowerShell script, with the script included in the step template.
Expected: When viewing the Octopus audit history, I’m expecting to see audit events of type “Document modified” for adding the new process step, as well as an audit event for each time that I change the body of the script defined in the step.
Getting: The audit log only displays Deploy events for this project. No Document Modified events are available, and the last document modified event overall on the installation is several days old, despite making numerous changes to the variables in the project as well as the script body of the step template. There are also no “Document Modified” audit events for adding new variables to this project, or for when the variables were modified.
Concern: It poses a massive security risk to our infrastructure that arbitrary “Run a script” steps can be modified without audit logging. Even if we were to forbid the use of the “Run a script” step template, there is currently no audit history available showing that this step has even been added to the Project configuration.
The help documentation states: Octopus does capture the details of every mutating action (create/edit/delete) including who initiated the action, which is not happening reliably in our installation.