Bug 1302905

Summary: RFE audit logging improvement
Product: Red Hat Directory Server
Component: Documentation
Version: 10.0
Reporter: wibrown <wibrown>
Assignee: Marc Muehlfeld <mmuehlfe>
QA Contact: Viktor Ashirov <vashirov>
CC: mmuehlfe, nhosoi, nkinder, pbokoc, rmeggins, wibrown
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Target Milestone: DS10.1
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-11-21 13:43:19 UTC

Description wibrown@redhat.com 2016-01-28 23:16:58 UTC
Suggestions for improvement: 

We added a new logging mechanism to ds which is able to log failed attempts to alter / modify objects in a directory. 

A new set of configuration values is added. These match the nsslapd-audit config items in function, but they control the auditfail log.

'nsslapd-auditfaillog-maxlogsize'
'nsslapd-auditfaillog-logrotationsync-enabled'
'nsslapd-auditfaillog-logrotationsynchour'
'nsslapd-auditfaillog-logrotationtime'
'nsslapd-auditfaillog-logrotationtimeunit'
'nsslapd-auditfaillog-logmaxdiskspace'
'nsslapd-auditfaillog-logminfreediskspace'
'nsslapd-auditfaillog-logexpirationtime'
'nsslapd-auditfaillog-logexpirationtimeunit'
'nsslapd-auditfaillog-logging-enabled'
'nsslapd-auditfaillog-logging-hide-unhashed-pw'
'nsslapd-auditfaillog'
'nsslapd-auditfaillog-list'

If the nsslapd-auditfaillog is *not* given, the fail events are logged into the audit log as well.

Audit events now show the operation return code and reason for failure / success.

If a plugin has the attribute in its configuration

nsslapd-logAccess
nsslapd-logAudit

The events generated by the plugin will go to the access and audit logs respectively. If auditfail is enabled, failures will be logged too.

Additionally, the plugins now respect the global values:

nsslapd-plugin-logging

which will cause all plugins to log their access and audit events.
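
As an added example (not part of this bug report and not a file shipped by the 389 DS / Red Hat Directory Server project), an ldapmodify LDIF that switches on the auditfail log using the attributes listed above and bounds its disk usage, plus the global plugin-logging switch. The instance name "example", the log path and all numeric values are constructed assumptions; the units are assumed to follow the equivalent nsslapd-auditlog attributes (megabytes for sizes, on/off for switches).

```ldif
# Added example, not from the bug report. Apply as Directory Manager, e.g.:
#   ldapmodify -x -D "cn=Directory Manager" -W -H ldap://localhost -f auditfail.ldif
# The instance name "example" and every value below are constructed; adjust them.
dn: cn=config
changetype: modify
replace: nsslapd-auditfaillog-logging-enabled
nsslapd-auditfaillog-logging-enabled: on
-
# Separate file for failed operations. If nsslapd-auditfaillog is left unset,
# the failures are written into the regular audit log instead (see description).
replace: nsslapd-auditfaillog
nsslapd-auditfaillog: /var/log/dirsrv/slapd-example/auditfail
-
# Bound the log so a burst of failed writes cannot fill the disk:
# rotate daily or at 100 MB, keep at most 500 MB of rotated logs,
# stop logging below 5 MB free, and expire rotated logs after 30 days.
replace: nsslapd-auditfaillog-maxlogsize
nsslapd-auditfaillog-maxlogsize: 100
-
replace: nsslapd-auditfaillog-logrotationtime
nsslapd-auditfaillog-logrotationtime: 1
-
replace: nsslapd-auditfaillog-logrotationtimeunit
nsslapd-auditfaillog-logrotationtimeunit: day
-
replace: nsslapd-auditfaillog-logmaxdiskspace
nsslapd-auditfaillog-logmaxdiskspace: 500
-
replace: nsslapd-auditfaillog-logminfreediskspace
nsslapd-auditfaillog-logminfreediskspace: 5
-
replace: nsslapd-auditfaillog-logexpirationtime
nsslapd-auditfaillog-logexpirationtime: 30
-
replace: nsslapd-auditfaillog-logexpirationtimeunit
nsslapd-auditfaillog-logexpirationtimeunit: day
-
# A failed modify of userPassword must not leave the cleartext value in the log.
replace: nsslapd-auditfaillog-logging-hide-unhashed-pw
nsslapd-auditfaillog-logging-hide-unhashed-pw: on
-
# Global switch from the description: every plugin logs its access and audit
# events (and, with auditfail enabled, its failures) without per-plugin settings.
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on
```

After applying, confirm the settings were accepted with an ldapsearch against "cn=config" for the nsslapd-auditfaillog* attributes and trigger a deliberately rejected modify from a test account to check that the record lands in the expected file with its return code and reason.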

Comment 1 Petr Bokoc 2016-05-31 11:02:08 UTC
Hi Will, I was comparing the list of attributes you provided above with the existing list of 'nsslapd-auditlog*' parameters in the Configuration, Command and File Reference, and I found some discrepancies. Can you please take a look and let me know if this is expected or if we're missing some attributes?

The following attributes are available for auditlog, but do not have an equivalent in the list you provided for auditfaillog:

* nsslapd-auditlog-logrotationsyncmin
* nsslapd-auditlog-maxlogsperdir
* nsslapd-auditlog-mode

The following attribute is in your list for auditfaillog, but does not have an equivalent auditlog attribute:

* nsslapd-auditfaillog-logging-hide-unhashed-pw

The following attribute is documented for nsslapd-accesslog but not auditlog or auditfaillog or errorlog - although I suspect that might be OK:

* nsslapd-accesslog-logbuffering

Thanks!

Comment 2 wibrown@redhat.com 2016-06-14 00:23:39 UTC
ldap/servers/slapd/slap.h:1941:#define CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE	"nsslapd-auditfaillog-mode"

./ldap/servers/slapd/libglobs.c:1130:	{CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE, NULL,
./ldap/servers/slapd/slap.h:1941:#define CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE	"nsslapd-auditfaillog-mode"

ldap/servers/slapd/slap.h:1945:#define CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE  "nsslapd-auditfaillog-maxlogsperdir"

ldap/servers/slapd/libglobs.c:1162:	{CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,
ldap/servers/slapd/slap.h:1945:#define CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE  "nsslapd-auditfaillog-maxlogsperdir"

ldap/servers/slapd/slap.h:1960:#define CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-auditlog-logrotationsyncmin"

ldap/servers/slapd/libglobs.c:297:	{CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,
ldap/servers/slapd/slap.h:1960:#define CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-auditlog-logrotationsyncmin"


Appears to all be there. But it's missing from the 01core389.ldif. Saying this, nsslapd-auditlog-mode and co. are missing from the 389core.ldif too.


What made you think they were missing? They just aren't part of the template dse.ldif, but if you add them they will work ...

Comment 5 Marc Muehlfeld 2016-11-21 13:43:19 UTC
The update for Directory Server 10.1 is now available on the Customer Portal.