Bug 1069326 - Need login/logout audit events
Summary: Need login/logout audit events
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.0,6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ---
Target Release: EAP 6.4.0
Assignee: Darran Lofthouse
QA Contact: Josef Cacek
Docs Contact: Russell Dickenson
URL:
Whiteboard: MustBeFixed
Depends On:
Blocks: 1129644
Reported: 2014-02-24 17:55 UTC by Kyle Lape
Modified: 2017-04-26 14:33 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-04-26 14:32:56 UTC
Type: Feature Request
Embargoed:
Links: Red Hat Issue Tracker PRODMGT-1483 (Priority: Major, Status: Open) - audit of login (and potentially logout) of the management interfaces; last updated 2018-10-31 15:14:34 UTC

Description Kyle Lape 2014-02-24 17:55:33 UTC
The fundamental problem we have is that multiple components are involved in negotiating the authentication for the connection: we have Remoting, SASL and the security realms, but it is a collaborative effort for them to agree. As we were talking today, we are also missing a concept of management for currently connected / established connections, which also fits quite tightly in this area.

Need to look properly into which options we can follow for both long and short term.

Comment 2 Darran Lofthouse 2014-08-22 13:41:53 UTC
I am ACKing this one on the basis that I will increase the level of audit logging we have around authentication for management.

However we do not have a concept of an authenticated session so we do not have a login / logout around a session to audit.

Comment 5 Darran Lofthouse 2014-11-19 09:40:19 UTC
To clarify once and for all: there is no such thing as a login and logout in EAP 6 for domain management. There is no authenticated session to wrap with such audit events; what we have is, for the Native interface, authentication on the establishment of a connection, and for the HTTP interface, authentication on the receipt of a request.

So for this task I can add audit entries for successful and failed authentication attempts. The successful ones may be a little redundant, as the user's operation request might also log an audit event, but the failure ones will be the most useful.

Comment 6 Jason T. Greene 2014-11-19 16:42:48 UTC
I'm adding a NACK to this, and it's definitely not a blocker. Authentication for management operations is per-request, and there are audit logs for every change, and it can be enabled for reads as well.

We shouldn't log anything about transport activity as it is not useful information. A client might reuse a connection, and it might not, the fact that it reuses a connection isn't of security interest. It would be volatile and lead to confusion.
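
As an added illustration of what the existing management audit log does and does not give a defender (example code, not from this bug or from EAP itself): a small Python parser over constructed records in the EAP 6 audit-log layout (a timestamp, " - ", then one JSON object; the field names "r/o", "user", "access", "remote-address", "success" and "ops" are assumed from the EAP 6 documented format) that counts requests per authenticated user, interface and remote address and lists operations that failed after authentication. Requests rejected at authentication, the case Comment 5 is after, never produce a record here.

```python
import json
import re
from collections import Counter

# Constructed sample in the EAP 6 management audit-log layout
# ("<timestamp> - <JSON object>"); not captured from a real server.
SAMPLE_LOG = """\
2014-11-19 09:40:19 - {
    "r/o" : false,
    "user" : "admin",
    "access" : "NATIVE",
    "remote-address" : "/10.0.0.5",
    "success" : true,
    "ops" : [{ "operation" : "write-attribute", "address" : [{ "subsystem" : "logging" }] }]
}
2014-11-19 09:41:02 - {
    "r/o" : true,
    "user" : "monitor",
    "access" : "HTTP",
    "remote-address" : "/10.0.0.7",
    "success" : false,
    "ops" : [{ "operation" : "read-resource", "address" : [{ "core-service" : "management" }] }]
}
"""

# A record is a timestamp, " - ", then a JSON object whose closing brace is at column 0.
RECORD_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (\{.*?^\})", re.M | re.S)


def parse_audit_log(text):
    """Return (timestamp, record) pairs; records that are not valid JSON are skipped."""
    out = []
    for ts, body in RECORD_RE.findall(text):
        try:
            out.append((ts, json.loads(body)))
        except ValueError:
            continue
    return out


def summarize(text):
    """Count requests per (user, interface, remote address) and collect failed operations.
    Every record already names an authenticated user; only post-authentication failures appear."""
    by_caller, failed, read_only = Counter(), [], 0
    for ts, rec in parse_audit_log(text):
        by_caller[(rec["user"], rec["access"], rec["remote-address"])] += 1
        read_only += int(rec.get("r/o", False))
        if not rec.get("success", True):
            ops = [op.get("operation") for op in rec.get("ops", [])]
            failed.append((ts, rec["user"], rec["remote-address"], ops))
    return {"by_caller": by_caller, "failed": failed, "read_only": read_only}
```

Read-only operations only show up in this log when the audit logger is configured to record them, which is the "enabled for reads" setting the comment above refers to.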

Comment 7 Jason T. Greene 2014-11-19 16:51:17 UTC
Just to be clear though, I think it's fine to add a feature for rejected requests due to lack of authentication, but that's an RFE, not a blocker, and we are out of time for the 6.4 feature schedule.

Comment 8 Dimitris Andreadis 2014-11-20 11:10:08 UTC
Changed issue type to RFE, cleared the blocker?

Comment 10 Brad Maxwell 2017-04-26 14:32:56 UTC
Closing out old BZs: this is an RFE, not a bug, and there are no more feature releases for EAP 6.x. An RFE exists for this request for a future EAP feature release.
