1092203 – Not authorized write operation does not get audit logged if log-read-only="false"

Bug 1092203 - Not authorized write operation does not get audit logged if log-read-only="false"

Summary: Not authorized write operation does not get audit logged if log-read-only="fa...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Domain Management
Sub Component:
Version:	6.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	ER4
Target Release:	EAP 6.3.0
Assignee:	Brian Stansberry
QA Contact:	Ondrej Lukas
Docs Contact:	Nidhi
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-04-29 01:07 UTC by Brian Stansberry
Modified:	2014-07-04 02:51 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Previous versions of JBoss EAP 6 contained a bug that prevented the logging of a "write" operation invoked by an unauthorized user if the "log-read-only attribute" on the management audit-logging resource was set as `false`. This was because the model controller used "acquisition of controller lock" as a condition to determine whether an operation should be reported as a "write" operation in the log . When role based access control (RBAC) was enabled and an unauthorized operation was performed the error occurred before the controller lock is taken. As a result, unauthorized write operations were not reported in the audit log if "log-read-only" was set as `false`. If "log-read-only" was set as `true`, the log record incorrectly stated the operation as a "read" operation. This issue has been resolved in this release of the product.
Clone Of:
Environment:
Last Closed:	2014-06-28 15:42:14 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	WFLY-2891	0	Major	Resolved	Not authorised write operation does not get audit logged if log-read-only="false"	2015-09-15 05:36:05 UTC

Description Brian Stansberry 2014-04-29 01:07:43 UTC

Description of problem:

If the log-read-only attribute on the management audit-logging resource is set to 'false' and user attempts to invoke a write operation but is not authorized, the attempted operation is not logged.

How reproducible:

Always

Steps to Reproduce:
1. Turn on management audit logging.
2. Set the log-read-only attribute on the core-service=management/access=audit resource to 'false'
3. Switch the access control provider to 'rbac'
4. Log in as a user that maps to the 'Monitor' role
5. Invoke the 'write-attribute' operation for some writable attribute. The operation will fail due to insufficient permissions.
6. Check the audit log.

Actual results:

The attempted write will not appear in the log.

Expected results:

The attempted write appears in the log.

Additional info:

This is because audit logging uses the controller lock to find out if the model was a write operation. If rbac is enabled and an operation is not authorized, the error happens before the controller lock is taken. So if audit log log-read-only="false" the failed operation does not get logged.

Comment 4 Scott Mumford 2014-05-14 02:17:23 UTC

Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release)

Original note included here for use at 6.3.0 GA:

Previous versions of JBoss EAP 6 did not log a "write" operation invoked by an unauthorized user if the "log-read-only attribute" on the management audit-logging resource was set as 'false'.

This was because the audit-logging resource used a controller lock to determine whether an operation should be reported as a "write" operation in the log. When role based access control (RBAC) was enabled and an unauthorized operation was performed the error happened before the controller lock was taken. 

As a result unauthorized write operations were not reported in the audit log if "log-read-only" was set as false. If "log-read-only" was set as true, the log record  incorrectly stated the operation as a "read" operation.

In this release, the controller lock is not used with the indication that the operation is a "write" operation.

This results in correct logging of all unauthorized "write" operations in management audit log.

Comment 6 Zbyněk Roubalík 2014-05-16 10:12:01 UTC

Verified on EAP 6.3.0.ER4

Note You need to log in before you can comment on or make changes to this bug.