Bug 2136610

Summary: [RFE] Add 'cn' attribute to IPA audit logs
Product: Red Hat Enterprise Linux 8
Reporter: Corey Brown <cobrown>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: low
Docs Contact: Evgenia Martynyuk <emartyny>
Priority: high
Version: 8.2
CC: aadhikar, bsmejkal, dchen, emartyny, fhanzelk, gkimetto, idm-ds-dev-bugs, mralph, mreynolds, rcritten, tscherf
Target Milestone: rc
Keywords: FutureFeature, TestCaseProvided, Triaged
Target Release: 8.8
Hardware: Unspecified
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-1.4-8080020221115220516.6e2e7265
Doc Type: Enhancement
Doc Text:
.New `nsslapd-auditlog-display-attrs` configuration parameter for the Directory Server audit log

Previously, the distinguished name (DN) was the only way to identify the target entry in an audit log event. With the new `nsslapd-auditlog-display-attrs` parameter, you can configure Directory Server to display additional attributes of the modified entry in the audit log, providing more details about that entry. For example, if you set the `nsslapd-auditlog-display-attrs` parameter to `cn`, the audit log displays the entry's `cn` attribute in the output. To include all attributes of a modified entry, use an asterisk (`*`) as the parameter value. For more information, see link:https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/configuration_command_and_file_reference/index#cnconf[…]-attrs[nsslapd-auditlog-display-attrs]
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-16 08:33:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2022-10-10

Description Corey Brown 2022-10-20 20:55:10 UTC
1. Proposed title of this feature request
  Adding 'cn' attribute to IPA audit logs (/var/log/dirsrv/slapd-<domainname>/audit)

2. What is the nature and description of the request? 
  In the IdM audit logs when an AD user makes a change only the SID is shown and not the username.
  
3. Why does the customer need this? (List the business requirements here)
  There are mandates and security frameworks that require centralized logging. Most of our government customers are already doing this, not only due to the mandates and security frameworks, but for auditing purposes. Currently it is very difficult for an auditor to review the logs and determine who has made a change if only the SID is listed. As an alternative to modifying the SID, we have convinced the customer that it is possible to add the 'cn' to entries so that they can be added into the audit logs via configuration setting.

4. How would the customer like to achieve this? (List the functional requirements here)
  The customer would like the application to add the cn to entries so they could be added to the audit logs.

5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Mark Reynolds suggested that we will add a new configuration setting for the audit/auditfail log where you can set what attributes you want to be added to the audit log.

As of right now it will look like this:
-------------------------------------------
cn=config

nsslapd-auditlog-entry-attrs: cn <attribute> <attribute> <"*" for all attributes> ...
-------------------------------------------------

time: 20221014125914
dn: uid=demo_user,ou=people,dc=example,dc=com
result: 0
#cn: <CN VALUE>
changetype: modify
replace: displayName
displayName: Demo Entry
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
-------------------------------------------------

6. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No

7. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?
RHEL 8

8. Is the sales team involved in this request and do they have any additional input?
No

9. List any affected packages or components.
SSSD
IPA

10. Would the customer be able to assist in testing this functionality if implemented?
Yes

Comment 2 mreynolds 2022-10-27 16:14:35 UTC
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/5502

Comment 8 Akshay Adhikari 2022-12-06 12:02:01 UTC
# PYTHONPATH=src/lib389/ py.test -v dirsrvtests/tests/suites/ds_logs/audit_log_test.py --disable-warnings
re-exec with libfaketime dependencies
============================================================================ test session starts =========================================================================
platform linux -- Python 3.6.8, pytest-7.0.1, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
389-ds-base: 1.4.3.32-1.module+el8.8.0+17275+1a8f9618
nss: 3.79.0-10.el8_6
nspr: 4.34.0-3.el8_6
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: libfaketime-0.1.2
collected 1 item                                                                                                                                                            

dirsrvtests/tests/suites/ds_logs/audit_log_test.py::test_auditlog_display_attrs PASSED                                                                                [100%]

============================================================================ 1 passed in 34.82s ==========================================================================

Marking as verified: Tested.

Comment 9 bsmejkal 2022-12-12 11:25:40 UTC
As per comment #c8 marking as VERIFIED.

Comment 10 Ding-Yi Chen 2023-03-01 01:19:34 UTC
Given that RHEL 8.7 is out, will RHEL 8.8 or later carry this RFE?

Comment 11 mreynolds 2023-03-01 14:09:05 UTC
(In reply to Ding-Yi Chen from comment #10)
> Given that RHEL 8.7 is out, will RHEL 8.8 or later carry this RFE?

If you check the "target release" of this bug you will see it's set for RHEL 8.8.  Bug is already verified so it is good to go.

Comment 16 Evgenia Martynyuk 2023-05-09 21:43:57 UTC
Hi @mareynol !

I have prepared RN text, could you please review it? 

.New configuration parameter `nsslapd-auditlog-display-attrs` for the Directory Server audit log.

Previously, it was very difficult to determine who made a change to an entry if the entry's distinguished name (DN) did not contain clear identifying information. With the `nsslapd-auditlog-display-attrs` parameter, you can set additional attributes that Directory Server displays in the audit log to provide more details about the entry being modified.

For example, if you set the `nsslapd-auditlog-display-attrs` parameter to `cn`, the audit log starts to display the entry's `cn` attribute in the output:

----
time: 20221014125914
dn: uid=73747737483,ou=people,dc=example,dc=com
result: 0
*#cn: John Smith*
changetype: modify
replace: displayName
displayName: jsmith
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
----

You can use an asterisk (`*`) as a value if you want the audit log to contain all attributes of modified entries.
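
As an added example (not code from this bug or from 389-ds), a small Python parser for audit log records in the format shown in the description's proposal and in the release-note draft above. It picks up the `#cn:` display line that `nsslapd-auditlog-display-attrs` adds and falls back to the DN when no display attribute is present, which is exactly the auditor's problem this RFE addresses. The sample record is constructed from the one in the draft.

```python
import re

# Constructed sample based on the record shown in this bug: the "#cn:" line is
# what the server writes when nsslapd-auditlog-display-attrs is set to cn.
SAMPLE_AUDIT_LOG = """\
time: 20221014125914
dn: uid=73747737483,ou=people,dc=example,dc=com
result: 0
#cn: John Smith
changetype: modify
replace: displayName
displayName: jsmith
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
"""

def parse_audit_log(text):
    """One dict per blank-line-separated record: header fields, 'display' (#attr lines), 'mods'."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, cur = {"display": {}, "mods": []}, None
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if line == "-":                     # end of one modify operation
                cur = None
            elif key.startswith("#"):           # display line, e.g. "#cn: John Smith"
                rec["display"][key[1:]] = value
            elif key in ("add", "delete", "replace"):
                cur = (key, value, [])          # new operation on attribute `value`
                rec["mods"].append(cur)
            elif cur and key.lower() == cur[1].lower():
                cur[2].append(value)            # value line of the current operation
            else:
                rec[key] = value                # time, dn, result, changetype
        records.append(rec)
    return records

def summarize(records):
    """(time, actor, target, changed attrs) per record; target falls back to the DN."""
    rows = []
    for r in records:
        mods = {attr.lower(): values for _op, attr, values in r["mods"]}
        actor = mods.get("modifiersname", ["?"])[0]
        changed = tuple(a for _op, a, _v in r["mods"] if a.lower() not in ("modifiersname", "modifytimestamp"))
        rows.append((r["time"], actor, r["display"].get("cn", r["dn"]), changed))
    return rows
```

Point `parse_audit_log` at the contents of `/var/log/dirsrv/slapd-<instance>/audit` to get the same rows for a real instance; records written before the parameter was set simply show the DN as the target.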

Comment 18 errata-xmlrpc 2023-05-16 08:33:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2811

Comment 19 mreynolds 2023-05-17 12:55:24 UTC
Doc text looks good.

Comment 20 Evgenia Martynyuk 2023-05-18 12:38:01 UTC
RN text passed peer view. Thanks Masha! RN is release pending.

Comment 21 Evgenia Martynyuk 2024-04-18 15:51:42 UTC
Hi Mark! Could you please review the updated description of the RN text in the Doc Text field.

Thanks,
Evgenia