Description of problem:
If an authorised user's password has expired, a "User <user>@<DOMAIN> cannot login, as it got disabled or locked. Please contact the system administrator." event is generated. But if an unauthorised user attempts to log in to the webadmin portal, no event is generated.

Version-Release number of selected component (if applicable):
rhevm-backend-3.2.5-0.49.el6ev

How reproducible:
Always.

Steps to Reproduce:
1. Attach RHEV-M to a domain (e.g. IPA).
2. Try to log in to the webadmin portal as a user that has not been granted access to the webadmin portal.

Actual results:
Unauthorised login attempts are logged to /var/log/ovirt-engine/engine.log:

2013-12-31 12:00:50,883 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

But unauthorised login attempts are not logged to the Events section of the webadmin portal.

Expected results:
Unauthorised login attempts are logged to the Events section of the webadmin portal.

Additional info:
This is required for PCI DSS compliant environments to meet requirements such as 10.2.4 and 11.4 ( https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf ).
Need to think how this will look post the authentication refactoring, where some of these authentication checks will be done by Apache as a frontend, etc.
Arthur,

Please define what an unauthorized login attempt is:
- no such user
- existing user, wrong password (failed authentication)?
(In reply to Barak from comment #2)
> Arthur,
>
> Please define what is an unauthorized login attempt is:
> - no such user
> - existing user wrong password (failed authentication)?

Both: any unsuccessful login attempt needs to be logged, including the reason for the failure.
(In reply to Julio Entrena Perez from comment #3)
> (In reply to Barak from comment #2)
> > Arthur,
> >
> > Please define what is an unauthorized login attempt is:
> > - no such user
> > - existing user wrong password (failed authentication)?
>
> Both: any unsuccessful login attempt needs to be logged including the reason
> for the failure.

+1

Both are part of PCI DSS, and should be presented in the events section. For the wrong password event the requirement is to present failure of multiple log-in attempts, so if we would like to avoid flooding the events tab we could look for multiple login failures in a given time.
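As an added illustration of the "multiple login failures in a given time" idea from the comment above (example code, not part of this bug or of the oVirt engine): a small detector that parses engine.log lines in the format quoted in the description and raises one event per burst of failed LoginAdminUser attempts. The sample log is constructed here (only the first line is the one from the bug report); the thresholds are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Matches the failed-login line format quoted in the bug description.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) WARN +"
    r"\[org\.ovirt\.engine\.core\.bll\.LoginAdminUserCommand\] "
    r"\((?P<thread>[^)]*)\) CanDoAction of action LoginAdminUser failed\. "
    r"Reasons:(?P<reason>\S+)"
)

# Constructed sample log: the first line is taken from the bug report, the rest
# are made-up lines in the same format (one unrelated INFO line as noise).
_FAIL = ("WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-1) "
         "CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION")
SAMPLE_LOG = [
    "2013-12-31 12:00:50,883 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION",
    "2013-12-31 12:00:55,120 INFO  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-2) Running command: LoginAdminUserCommand",
    "2013-12-31 12:01:02,001 " + _FAIL,
    "2013-12-31 12:01:10,417 " + _FAIL,
    "2013-12-31 12:01:30,900 " + _FAIL,
    "2013-12-31 13:30:00,000 " + _FAIL,   # isolated failure, well outside the window
]

def parse_failed_login(line):
    """Return (timestamp, reason) for a failed LoginAdminUser line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    return ts, m.group("reason")

def detect_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return one (timestamp, count, reason) event per burst of `threshold`
    failures inside `window`; failures are not reported individually, which
    keeps an events view from being flooded by a single noisy client."""
    events = []
    recent = deque()            # timestamps of failures still inside the window
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue            # not a failed-login line (INFO noise, other commands)
        ts, reason = parsed
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()    # drop failures that have aged out of the window
        if len(recent) >= threshold:
            events.append((ts, len(recent), reason))
            recent.clear()      # one event per burst, then start counting afresh
    return events
```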
I suggest handling this for 3.4; it is possible to add the relevant audit log types and map them to the authentication results, the same way account locked/disabled and password expired are mapped. Regarding the AAA refactoring, I suggest we revisit the events issue at that point (the effort is for 3.5 anyway, and I don't think we should postpone this bug until then).
Eli, don't we have a "user X failed to login" in the event log of 3.4?
It looks like it was fixed for 3.4 (Bug 1066103). Leaving it open for now due to the refactor done on the accounting as a part of the AAA effort. Yair, can we CLOSE DUPLICATE (if you have already handled it for 3.5)?
*** This bug has been marked as a duplicate of bug 1066103 ***