Bug 1594128
| Summary: | CMC: Audit Events needed for failures in SharedToken scenario's [rhel-7.5.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | high | | |
| Version: | 7.5 | CC: | cfu, gkapoor, lmiksik, mharmsen, msauton |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.5.1-14.el7_5 | Doc Type: | Bug Fix |
| Doc Text: | Previously, Certificate System did not contain audit log entries for failed Certificate Management over CMS (CMC) SharedToken authentication scenarios. As a consequence, these events were not logged in the audit log. This update adds the missing audit events. As a result, failed CMC SharedToken authentication events are now logged in the audit log. | Story Points: | --- |
| Clone Of: | 1540440 | Environment: | |
| Last Closed: | 2018-08-16 14:20:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1540440 | | |
| Bug Blocks: | | | |
Description
Oneata Mircea Teodor
2018-06-22 08:01:32 UTC
commit 2a228b4a8e1af920e577d007be87291831c635d5 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date: Wed Jun 20 18:59:28 2018 -0700
Ticket 2920 Part2 of SharedToken Audit
This patch addresses the issue that the original audit message for failure
got overwritten for SharedToken.
fixes https://pagure.io/dogtagpki/issue/2920
Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4
test suggestions: Execute various CMC Shared Token authentication scenarios (for both revocation and enrollment) including:
* bad passphrase
* missing shared token in user entry
for enrollment only:
* wrong profile (say, use caFullCMCUserSignedCert instead of caFullCMCSelfSignedCert)
For revocation, look for CERT_STATUS_CHANGE_REQUEST_PROCESSED. For enrollment, look for CERT_REQUEST_PROCESSED.

Hi Christina,
There are some revocation scenarios where, if we have some failures, they are not getting captured in audit logs. Do you think such events should be there in audit logs, or is it fine to have them in debug only?
1. In case issuerdn and certificate dn don't match
2. Shared token meta info missing in LDAP.

Example 1: failure because certificate issuer DN and revocation request issuer DN do not match
Revocation CMCResponse:
=======================
Number of controls is 1
Control #0: CMCStatusInfoV2
OID: {1 3 6 1 5 5 7 7 25}
BodyList: 1
Status String: certificate issuer DN and revocation request issuer DN do not match
OtherInfo type: FAIL
failInfo=bad identity
CMC Full Response.
ERROR: CMC status for [1]: failed
Debug logs:
============
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: CMCOutputTemplate: processRevokeRequestControl: Client and server shared secret are the same, can go ahead and revoke certificate.
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: In LdapBoundConnFactory::getConn()
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: masterConn is connected: true
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: getConn: conn is connected true
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: getConn: mNumConns now 2
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: returnConn: mNumConns now 3
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: CMCOutputTemplate: processRevokeRequestControl: shared secret revocation: checking issuer DN
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: CMCOutputTemplate: processRevokeRequestControl: certificate issuer DN and revocation request issuer DN do not match
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: SignedAuditLogger: event CERT_STATUS_CHANGE_REQUEST_PROCESSED
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: LogFile: event type not selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
============================================
Audit logs:
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.8.60.16][ServerIP=10.8.60.16][SubjectID=UID=test10,CN=test10,O=example.org][Outcome=Success] access session establish success
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIGOBgkqhkiG9w0BBwGggYAEfjB8MHQwcgIBAQYIKwYBBQUHBxExYzBhMDoxCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdDb21wYW55MRkwFwYDVQQDDBBDb21wYW55IFJvb3QgQ0EyAgFOCgEABAx3b25kZXJmdWxkYXkMD3Jldm9jYXRpb24gdGVzdDAAMAAwAA==] CMC request received
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:13 EDT] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=MIIHRwYJKoZIhvcNAQcCoIIHODCCBzQCAQMxDzANBglghkgBZQMEAgIFADB6BggrBgEFBQcMA6BuBGwwajBkMGICAQEGCCsGAQUFBwcZMVMwUQIBAjADAgEBDEQgY2VydGlmaWNhdGUgaXNzdWVyIEROIGFuZCByZXZvY2F0aW9uIHJlcXVlc3QgaXNzdWVyIEROIGRvIG5vdCBtYXRjaAIBBzAAMACgggVDMIICiDCCAg6gAwIBAgIEBtLdITAKBggqhkjOPQQDAzBmMR4wHAYDVQQKDBVFeGFtcGxlLXJoY3M5Mi1DQS1lY2MxIzAhBgNVBAsMGmdrYXBvb3JfUkhDUzc1X3VwZGF0ZTJfZWNjMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4MDYxMzE2NTQxMVoXDTM4MDMwNTE3NTQxMVowOjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0NvbXBhbnkxGTAXBgNVBAMTEENvbXBhbnkgUm9vdCBDQTIwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARzlhmepuoxSErEpYM3WzDuguhfbrJ9eIihMPRtmaNAz4a9R0oJbGYSSP78RADP/wFCDYXMiVM8RpL9X7Rakbr64U7ikwDIUU9S8fYBiQTtxlWfowsrKfKB6XFwTasEzs6jgbgwgbUwHwYDVR0jBBgwFoAULpPFUV5OQPoqt76qiMYv3RwBv34wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFHQQy8+XenxmleSvkhA08CUHVrIWMFIGCCsGAQUFBwEBBEYwRDBCBggrBgEFBQcwAYY2aHR0cDovL25vY3A0LmlkbS5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbToyMDA4MC9jYS9vY3NwMAoGCCqGSM49BAMDA2gAMGUCMQC2zgdSWG8T0nyZ8x8HyRINqILLkwR3khHDkVcmga5NbTRylCLteTxRiow4ikceAbQCMB0ovCbRoyaNp/EgpIF61xHBTmLqtGHwB4qEaaqhXRMpq67sYa3dsMcsJpLXhmRmnTCCArMwggI6oAMCAQICBAXQxpgwCgYIKoZIzj0EAwMwZjEeMBwGA1UECgwVRXhhbXBsZS1yaGNzOTItQ0EtZWNjMSMwIQYDVQQLDBpna2Fwb29yX1JIQ1M3NV91cGRhdGUyX2VjYzEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xODA1MjUxMDMzMjdaFw0zODA1MjUxMDMzMjdaMGYxHjAcBgNVBAoMFUV4YW1wbGUtcmhjczkyLUNBLWVjYzEjMCEGA1UECwwaZ2thcG9vcl9SSENTNzVfdXBkYXRlMl9lY2MxHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATm49kQHJvf30ucEHrf4rYS3Sr5n0BJIxiXF9dsFwA0FZnYnC1OFmPJnZJxtLjqJdeEte/Ba0dBHz2W1ZoQQoSj26Up+CCzdmzdDUdTL419o2iwaxcLXsZFZ/sIT1585BOjgbgwgbUwHwYDVR0jBBgwFoAULpPFUV5OQPoqt76qiMYv3RwBv34wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFC6TxVFeTkD6Kre+qojGL90cAb9+MFIGCCsGAQUFBwEBBEYwRDBCBggrBgEFBQcwAYY2aHR0cDovL25vY3A0LmlkbS5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTo
yMDA4MC9jYS9vY3NwMAoGCCqGSM49BAMDA2cAMGQCMEbVnh+hGwm3zDsw9tGxpfmsJRxrhUcGKQW8Bv7uzAmMsHE3k0L5rBHzrgfE77AA4QIwT8kItcb4C6xJX45s4elU314uMajYtm2CSRCxvWT4di9T4aQMt2tNo6xB/VDTOEvVMYIBWTCCAVUCAQEwbjBmMR4wHAYDVQQKDBVFeGFtcGxlLXJoY3M5Mi1DQS1lY2MxIzAhBgNVBAsMGmdrYXBvb3JfUkhDUzc1X3VwZGF0ZTJfZWNjMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlAgQG0t0hMA0GCWCGSAFlAwQCAgUAoFowFwYJKoZIhvcNAQkDMQoGCCsGAQUFBwwDMD8GCSqGSIb3DQEJBDEyBDAoMMzsintqftK3JUU+75FQJy0XNk+6lH+0HU7vc4lxwbLsTQQdOlP+pXGDDWHUMzcwDAYIKoZIzj0EAwMFAARnMGUCMHuJh9MJACW37dcB0fgkCPb3QYobBsPXPUd37AEEMmhFrXMlfhYnIhVKZL9N9+yXPwIxAMOfCCflP9epbwx51W0xoyQEWqQz4zr7EtW8Go90XfEJBnWZ/2u/fRyTTUwEyYYLPg==] CMC response sent
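The debug log above already contains the explanation for the missing audit entry: SignedAuditLogger emits CERT_STATUS_CHANGE_REQUEST_PROCESSED, and LogFile immediately reports "event type not selected", meaning the event is not in the server's selected audit event list. The following script, an added example that is not code from Dogtag or from anyone in this bug, turns that diagnosis into a repeatable check for the test procedure in the commit message: for each expected event it tells you whether it reached the audit log, was emitted but not selected, or was never emitted, and whether the event is listed in `log.instance.SignedAudit.events` (the Dogtag CS.cfg parameter that selects recorded audit events). The log lines are trimmed copies of the ones quoted above; the CS.cfg excerpt and its event list are constructed for the example.

```python
"""Cross-check expected signed-audit events against the Dogtag debug log,
the audit log and the CS.cfg event selection.

Added example for bug 1594128; not Dogtag code. Log formats follow the lines
quoted in the bug. The CS.cfg excerpt is constructed for the example.
"""
import re

# Constructed excerpt of the debug log quoted in the bug: the lines that matter,
# plus one emitted-and-selected event so both outcomes appear.
DEBUG_LOG = """\
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: CMCOutputTemplate: processRevokeRequestControl: certificate issuer DN and revocation request issuer DN do not match
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: SignedAuditLogger: event CERT_STATUS_CHANGE_REQUEST_PROCESSED
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: LogFile: event type not selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
[27/Jul/2018:10:01:13][http-bio-28443-exec-12]: SignedAuditLogger: event CMC_RESPONSE_SENT
"""

# Constructed excerpt of the audit log quoted in the bug (base64 payloads trimmed).
AUDIT_LOG = """\
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=...] CMC request received
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:13 EDT] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=...] CMC response sent
"""

# Constructed CS.cfg excerpt: a selection list that lacks the two events the
# commit message tells the tester to look for.
CS_CFG = """\
log.instance.SignedAudit.events=AUTHZ,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,ACCESS_SESSION_ESTABLISH
"""

# Events the commit message says to look for (revocation, enrollment) plus the
# response event that should always be present.
EXPECTED_EVENTS = ("CERT_STATUS_CHANGE_REQUEST_PROCESSED",
                   "CERT_REQUEST_PROCESSED",
                   "CMC_RESPONSE_SENT")

EMITTED_RE = re.compile(r"SignedAuditLogger: event (\w+)")
NOT_SELECTED_RE = re.compile(r"LogFile: event type not selected: (\w+)")
AUDIT_EVENT_RE = re.compile(r"\[AuditEvent=(\w+)\]")
OUTCOME_RE = re.compile(r"\[Outcome=(\w+)\]")
CFG_RE = re.compile(r"^log\.instance\.SignedAudit\.events=(.*)$", re.M)


def enabled_events(cs_cfg):
    """Set of event names selected in log.instance.SignedAudit.events."""
    m = CFG_RE.search(cs_cfg)
    if not m:
        return set()
    return {e.strip() for e in m.group(1).split(",") if e.strip()}


def missing_from_config(expected, cs_cfg):
    """Expected events that the server is not configured to record."""
    return sorted(set(expected) - enabled_events(cs_cfg))


def audit_coverage(debug_log, audit_log, expected):
    """Map each expected event to 'logged', 'not selected', 'dropped' or 'not emitted'."""
    emitted = set(EMITTED_RE.findall(debug_log))
    not_selected = set(NOT_SELECTED_RE.findall(debug_log))
    logged = set(AUDIT_EVENT_RE.findall(audit_log))
    status = {}
    for ev in expected:
        if ev in logged:
            status[ev] = "logged"
        elif ev in not_selected:
            status[ev] = "not selected"        # emitted, filtered by config
        elif ev in emitted:
            status[ev] = "dropped"             # emitted, no explanation in debug log
        else:
            status[ev] = "not emitted"         # code path never raised the event
    return status


def audit_outcomes(audit_log):
    """Outcome field of every audit entry, keyed by event name."""
    outcomes = {}
    for line in audit_log.splitlines():
        ev, oc = AUDIT_EVENT_RE.search(line), OUTCOME_RE.search(line)
        if ev and oc:
            outcomes[ev.group(1)] = oc.group(1)
    return outcomes


def report(debug_log=DEBUG_LOG, audit_log=AUDIT_LOG, cs_cfg=CS_CFG,
           expected=EXPECTED_EVENTS):
    """One human-readable line per expected event."""
    coverage = audit_coverage(debug_log, audit_log, expected)
    outcomes = audit_outcomes(audit_log)
    enabled = enabled_events(cs_cfg)
    lines = []
    for ev in expected:
        detail = coverage[ev]
        if detail == "logged":
            detail += f" (Outcome={outcomes.get(ev)})"
        elif ev not in enabled:
            detail += "; not in log.instance.SignedAudit.events"
        lines.append(f"{ev}: {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against the bug's own excerpts, the report shows CERT_STATUS_CHANGE_REQUEST_PROCESSED as "not selected; not in log.instance.SignedAudit.events", which is exactly the question raised later in this thread about whether the event had been enabled before testing. Checking the selection list before a test run, and treating "dropped" or an unexpected Outcome=Success for a failure scenario as a test failure, separates a missing audit event in the code from a missing event in the configuration.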
Hi Geetika,
Good find. Just fail QE on this bug and I'll supplement with additional fix.
thanks!

(In reply to Christina Fu from comment #8)
> Hi Geetika,
> Good find. Just fail QE on this bug and I'll supplement with additional fix.
> thanks!

Wait, looking closely, the debug and audit log are showing "success" not "failure". Could you show me the actual "failure" case that matched with your "failure" test?

Based on discussion on IRC, we decided to give it another round of review. Marking it assigned.

We have decided on IRC that we are going to add this issue to another bug https://bugzilla.redhat.com/show_bug.cgi?id=1601071 and marking this bug verified.

Geetika, for the record, I could not reproduce the issue. Did you by any chance not enable the audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED as instructed in comment #3?

Yes, we could move this conversation to https://bugzilla.redhat.com/show_bug.cgi?id=1601071

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:2306

This needinfo is taken care of in https://bugzilla.redhat.com/show_bug.cgi?id=1601071