Bug 2136610

Summary: [RFE] Add 'cn' attribute to IPA audit logs
Product: Red Hat Enterprise Linux 8
Reporter: Corey Brown <cobrown>
Component: 389-ds-base
Assignee: mreynolds
Status: VERIFIED
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: low
Priority: high
Version: 8.2
CC: aadhikar, bsmejkal, dchen, gkimetto, idm-ds-dev-bugs, mreynolds, rcritten, tscherf
Target Milestone: rc
Keywords: FutureFeature, TestCaseProvided, Triaged
Target Release: 8.8
Hardware: Unspecified
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-1.4-8080020221115220516.6e2e7265
Type: Bug
Deadline: 2022-10-10

Description Corey Brown 2022-10-20 20:55:10 UTC
1. Proposed title of this feature request
  Adding 'cn' attribute to IPA audit logs (/var/log/dirsrv/slapd-<domainname>/audit)

2. What is the nature and description of the request? 
  In the IdM audit logs, when an AD user makes a change, only the SID is shown and not the username.
  
3. Why does the customer need this? (List the business requirements here)
  There are mandates and security frameworks that require centralized logging. Most of our government customers are already doing this, not only due to the mandates and security frameworks, but for auditing purposes. Currently it is very difficult for an auditor to review the logs and determine who has made a change if only the SID is listed. As an alternative to modifying the SID, we have convinced the customer that it is possible to add the 'cn' to entries so that they can be added into the audit logs via a configuration setting.

4. How would the customer like to achieve this? (List the functional requirements here)
  The customer would like the application to add the cn to entries so they could be added to the audit logs.

5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Mark Reynolds suggested that we will add a new configuration setting for the audit/auditfail log where you can set what attributes you want to be added to the audit log.

As of right now it will look like this:
-------------------------------------------------
cn=config

nsslapd-auditlog-entry-attrs: cn <attribute> <attribute> <"*" for all attributes> ...
-------------------------------------------------

time: 20221014125914
dn: uid=demo_user,ou=people,dc=example,dc=com
result: 0
#cn: <CN VALUE>
changetype: modify
replace: displayName
displayName: Demo Entry
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
-------------------------------------------------

6. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No

7. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?
RHEL 8

8. Is the sales team involved in this request and do they have any additional input?
No

9. List any affected packages or components.
SSSD
IPA

10. Would the customer be able to assist in testing this functionality if implemented?
Yes
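A small parser for the audit-log format proposed above, added here as an example (it is not code from the bug report or from 389-ds-base): it splits the log into entries, reads the `#attr: value` comment lines that `nsslapd-auditlog-entry-attrs` would write (such as `#cn`), and pairs them with the modifier and the user attributes changed, which is the "who changed what" view an auditor wants. The log text is a constructed sample modelled on the entry shown in the report, with a made-up second entry.

```python
import re

# Constructed sample in the format shown in the report: two modify entries,
# each with a "#cn:" comment line written by nsslapd-auditlog-entry-attrs.
SAMPLE_AUDIT_LOG = """\
time: 20221014125914
dn: uid=demo_user,ou=people,dc=example,dc=com
result: 0
#cn: Demo User
changetype: modify
replace: displayName
displayName: Demo Entry
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z

time: 20221014130201
dn: uid=svc_sync,ou=people,dc=example,dc=com
result: 0
#cn: Sync Service
changetype: modify
replace: userPassword
userPassword: {PBKDF2-SHA512}constructed-hash
-
replace: modifiersname
modifiersname: uid=admin,ou=people,dc=example,dc=com
"""

# Operational attributes the server rewrites on every modify; they are not
# what an auditor means by "what changed", so they are left out of 'modified'.
OPERATIONAL = {"modifiersname", "modifytimestamp"}

def parse_audit_log(text):
    """Return one dict per entry: header fields, '#attr' display values, changed attrs."""
    entries = []
    for block in re.split(r"\n(?=time: )", text.strip()):
        entry = {"display": {}, "modified": []}
        for line in block.splitlines():
            key, _, value = line.partition(": ")  # '-' and blank lines match no branch
            if key.startswith("#"):
                # display attribute added to the entry by nsslapd-auditlog-entry-attrs
                entry["display"][key[1:]] = value
            elif key in ("add", "delete", "replace") and value not in OPERATIONAL:
                entry["modified"].append(value)
            elif key in ("time", "dn", "result", "changetype", "modifiersname"):
                entry[key] = value
        entries.append(entry)
    return entries
```

With `#cn` present, each record carries the human-readable name of the changed entry next to `modifiersname`, so a SIEM rule or an auditor no longer has to resolve a bare SID by hand.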

Comment 2 mreynolds 2022-10-27 16:14:35 UTC
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/5502

Comment 8 Akshay Adhikari 2022-12-06 12:02:01 UTC
# PYTHONPATH=src/lib389/ py.test -v dirsrvtests/tests/suites/ds_logs/audit_log_test.py --disable-warnings
re-exec with libfaketime dependencies
============================================================================ test session starts =========================================================================
platform linux -- Python 3.6.8, pytest-7.0.1, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
389-ds-base: 1.4.3.32-1.module+el8.8.0+17275+1a8f9618
nss: 3.79.0-10.el8_6
nspr: 4.34.0-3.el8_6
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: libfaketime-0.1.2
collected 1 item                                                                                                                                                            

dirsrvtests/tests/suites/ds_logs/audit_log_test.py::test_auditlog_display_attrs PASSED                                                                                [100%]

============================================================================ 1 passed in 34.82s ==========================================================================

Marking as verified: Tested.

Comment 9 bsmejkal 2022-12-12 11:25:40 UTC
As per comment #c8, marking as VERIFIED.

Comment 10 Ding-Yi Chen 2023-03-01 01:19:34 UTC
Given that RHEL 8.7 is out, will RHEL 8.8 or later carry this RFE?

Comment 11 mreynolds 2023-03-01 14:09:05 UTC
(In reply to Ding-Yi Chen from comment #10)
> Given that RHEL 8.7 is out, will RHEL 8.8 or later carry this RFE?

If you check the "target release" of this bug you will see it's set for RHEL 8.8.  Bug is already verified so it is good to go.