Bug 1069326 - Need login/logout audit events
Status: CLOSED NOTABUG
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.0, 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Release: EAP 6.4.0
Assigned To: Darran Lofthouse
QA Contact: Josef Cacek
Docs Contact: Russell Dickenson
MustBeFixed
Depends On:
Blocks: 1129644
Reported: 2014-02-24 12:55 EST by Kyle Lape
Modified: 2017-04-26 10:33 EDT (History)

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
Domain management requests are handled using a stateless protocol. For HTTP, authentication occurs with each request. For Native authentication, it happens on the establishment of the connection. Other than this, there is no 'authenticated session'. Because there is no 'authenticated session', 'login' and 'logout' events cannot be audited. Instead, audit messages are logged when an operation is received from the user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-26 10:32:56 EDT
Type: Feature Request
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker: JBoss Issue Tracker
Tracker ID: PRODMGT-1483
Priority: Major
Status: Open
Summary: audit of login (and potentially logout) of the management interfaces
Last Updated: 2018-10-31 11:14 EDT

Description Kyle Lape 2014-02-24 12:55:33 EST
The fundamental problem we have is multiple components are involved in negotiating the authentication for the connection, we have Remoting, SASL and the security realms but it is a collaborative effort for them to agree - as we were talking today we are also missing a concept of management for currently connected / established connections which also fits quite tightly in this area.

Need to look properly into which options we can follow for both long and short term.
Comment 2 Darran Lofthouse 2014-08-22 09:41:53 EDT
I am ACKing this one on the basis that I will increase the level of audit logging we have around authentication for management.

However we do not have a concept of an authenticated session so we do not have a login / logout around a session to audit.
Comment 5 Darran Lofthouse 2014-11-19 04:40:19 EST
To clarify once and for all - there is no such thing as a login and logout in EAP 6 for domain management - there is no authenticated session to wrap with such audit events, what we have is for the Native interface authentication on the establishment of a connection and for the HTTP interface authentication we have authentication on the receipt of a request.

So for this task I can add audit entries for successful and failed authentication attempts - the successful ones may be a little redundant as the users operation request might also log an audit event but the failure ones will be the most useful.
Comment 6 Jason T. Greene 2014-11-19 11:42:48 EST
I'm adding a NACK to this, and it's definitely not a blocker. Authentication for management operations is per-request, and there are audit logs for every change, and it can be enabled for reads as well.

We shouldn't log anything about transport activity as it is not useful information. A client might reuse a connection, and it might not, the fact that it reuses a connection isn't of security interest. It would be volatile and lead to confusion.
Comment 7 Jason T. Greene 2014-11-19 11:51:17 EST
Just to be clear though I think it's fine to add a feature for rejected requests due to lack of authentication, but that's an RFE not a blocker, and we are out of time for the 6.4 feature schedule.
Comment 8 Dimitris Andreadis 2014-11-20 06:10:08 EST
Changed issue type to RFE, cleared the blocker?
Comment 10 Brad Maxwell 2017-04-26 10:32:56 EDT
Closing out old BZs, this is an RFE not a bug, and there are no more feature releases for EAP 6.x. An RFE exists for this request for a future EAP feature release.
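The Doc Text and Comment 6 both make the same point: with per-request authentication and no session, the only audit records a defender gets are the per-operation ones. The script below is an added example (not code from this bug, from EAP or from Red Hat) showing what can still be derived from those records: per-principal activity windows that stand in for the missing login/logout view, and a count of operations whose outcome failed. Record field names (user, access, remote-address, success, date, ops) follow the shape of the EAP 6.2+ management audit log, but the sample lines, the one-record-per-line layout and the idle-gap heuristic are all assumptions of this example. Note what it cannot show: an authentication failure never produces an audit record at all, which is exactly the gap this RFE asks to close.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five management audit records, one JSON object per line.
# Field names mirror the EAP 6.2+ management audit log; values are made up, and
# "success" reports the outcome of the operation, not of authentication.
SAMPLE_AUDIT_LOG = """\
{"type":"core","r/o":false,"booting":false,"user":"admin","access":"HTTP","remote-address":"10.0.0.5","success":true,"date":"2014-02-24 12:00:00","ops":[{"operation":"read-resource","address":[]}]}
{"type":"core","r/o":false,"booting":false,"user":"admin","access":"HTTP","remote-address":"10.0.0.5","success":true,"date":"2014-02-24 12:03:00","ops":[{"operation":"write-attribute","address":[{"subsystem":"logging"}]}]}
{"type":"core","r/o":false,"booting":false,"user":"admin","access":"HTTP","remote-address":"10.0.0.5","success":true,"date":"2014-02-24 12:30:00","ops":[{"operation":"read-resource","address":[]}]}
{"type":"core","r/o":false,"booting":false,"user":"deployer","access":"NATIVE","remote-address":"10.0.0.9","success":false,"date":"2014-02-24 12:31:00","ops":[{"operation":"deploy","address":[{"deployment":"app.war"}]}]}
{"type":"core","r/o":false,"booting":false,"user":"deployer","access":"NATIVE","remote-address":"10.0.0.9","success":true,"date":"2014-02-24 12:32:00","ops":[{"operation":"deploy","address":[{"deployment":"app.war"}]}]}
"""

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the "date" field


def parse_audit_log(text):
    """Parse one JSON audit record per non-empty line; non-JSON lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def principal_key(rec):
    """A caller is only identifiable per request: user, interface and source address."""
    return (rec.get("user"), rec.get("access"), rec.get("remote-address"))


def derive_activity_windows(records, idle_gap=timedelta(minutes=15)):
    """Group per-request audit records into activity windows per principal.

    A window opens at a principal's first request, or when the gap since that
    principal's previous request exceeds idle_gap; it closes at the last request
    before such a gap. The window start/end are the closest thing to login/logout
    that a stateless, per-request protocol can offer. Each window carries the
    number of operations seen and the number of records whose operation failed.
    """
    by_key = defaultdict(list)
    for rec in records:
        by_key[principal_key(rec)].append(rec)

    windows = []
    for (user, access, remote), recs in by_key.items():
        recs.sort(key=lambda r: r["date"])  # ISO-like dates sort correctly as strings
        current = None
        for rec in recs:
            ts = datetime.strptime(rec["date"], DATE_FMT)
            if current is None or ts - current["end"] > idle_gap:
                current = {"user": user, "access": access, "remote": remote,
                           "start": ts, "end": ts, "ops": 0, "failed_ops": 0}
                windows.append(current)
            current["end"] = ts
            current["ops"] += len(rec.get("ops", []))
            if not rec.get("success", True):
                current["failed_ops"] += 1

    windows.sort(key=lambda w: w["start"])
    return windows


def format_windows(windows):
    """Render windows as one line each, suitable for a report or a SIEM import."""
    lines = []
    for w in windows:
        lines.append("%s via %s from %s: %s .. %s, %d ops, %d failed"
                     % (w["user"], w["access"], w["remote"],
                        w["start"].strftime(DATE_FMT), w["end"].strftime(DATE_FMT),
                        w["ops"], w["failed_ops"]))
    return lines


if __name__ == "__main__":
    for line in format_windows(derive_activity_windows(parse_audit_log(SAMPLE_AUDIT_LOG))):
        print(line)
```

With the default 15-minute gap the admin user's three requests split into two windows (12:00..12:03 and a lone request at 12:30), while the deployer's two native requests form one window with one failed operation. Widening the gap merges the admin windows, which is the point of the heuristic: the boundaries are an analyst's choice, not something the server recorded.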