Bug 2136610 - [RFE] Add 'cn' attribute to IPA audit logs
Summary: [RFE] Add 'cn' attribute to IPA audit logs
Keywords:
Status: VERIFIED
Alias: None
Deadline: 2022-10-10
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.2
Hardware: Unspecified
OS: Linux
Priority: high
Severity: low
Target Milestone: rc
Target Release: 8.8
Assignee: mreynolds
QA Contact: idm-ds-qe-bugs
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2022-10-20 20:55 UTC by Corey Brown
Modified: 2022-12-12 11:25 UTC (History)

Fixed In Version: 389-ds-1.4-8080020221115220516.6e2e7265
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:




Links
System ID                                Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker IDMDS-2591         0        None      None    None     2022-10-26 15:32:23 UTC
Red Hat Issue Tracker IDMDS-2636         0        None      None    None     2022-11-15 20:27:46 UTC
Red Hat Issue Tracker RHELPLAN-137228    0        None      None    None     2022-10-20 20:59:58 UTC

Description Corey Brown 2022-10-20 20:55:10 UTC
1. Proposed title of this feature request
  Adding 'cn' attribute to IPA audit logs (/var/log/dirsrv/slapd-<domainname>/audit)

2. What is the nature and description of the request? 
  In the IdM audit logs when an AD user makes a change only the SID is shown and not the username.
  
3. Why does the customer need this? (List the business requirements here)
  There are mandates and security frameworks that require centralized logging. Most of our government customers are already doing this, not only due to the mandates and security frameworks, but for auditing purposes. Currently it is very difficult for an auditor to review the logs and determine who has made a change if only the SID is listed. As an alternative to modifying the SID, we have convinced the customer that it is possible to add the 'cn' to entries so that they can be added into the audit logs via configuration setting.

4. How would the customer like to achieve this? (List the functional requirements here)
  The customer would like the application to add the cn to entries so they could be added to the audit logs.

5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Mark Reynolds suggested that we will add a new configuration setting for the audit/auditfail log where you can set what attributes you want to be added to the audit log.  

As of right now it will look like this:
-------------------------------------------------
cn=config

nsslapd-auditlog-entry-attrs: cn <attribute> <attribute> <"*" for all attributes> ...
-------------------------------------------------

time: 20221014125914
dn: uid=demo_user,ou=people,dc=example,dc=com
result: 0
#cn: <CN VALUE>
changetype: modify
replace: displayName
displayName: Demo Entry
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
-------------------------------------------------

6. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No

7. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?
RHEL 8

8. Is the sales team involved in this request and do they have any additional input?
No

9. List any affected packages or components.
SSSD
IPA

10. Would the customer be able to assist in testing this functionality if implemented?
Yes
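
The record format above is what an auditor ends up reading, so the following added example (not code from the bug report or from 389-ds-base) parses audit log records in that format and turns each one into a single review line. It assumes records are separated by a blank line, that display attributes appear as "#attr: value" comment lines as in the RFE, and that the log text itself is a constructed sample.

```python
import re

# Constructed sample in the record format shown in the RFE; "#cn:" is the
# display attribute line that nsslapd-auditlog-entry-attrs adds to a record.
SAMPLE_AUDIT_LOG = """time: 20221014125914
dn: uid=demo_user,ou=people,dc=example,dc=com
result: 0
#cn: Demo User
changetype: modify
replace: displayName
displayName: Demo Entry
-
replace: modifiersname
modifiersname: cn=dm

time: 20221014130200
dn: uid=other_user,ou=people,dc=example,dc=com
result: 0
delete: description
"""

def parse_audit_log(text):
    """One dict per blank-line separated record: header fields, display attrs, mods."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, current = {"display": {}, "mods": []}, None
        for line in block.splitlines():
            if line == "-":                           # end of one modify operation
                current = None
                continue
            name, _, value = line.lstrip("#").partition(": ")
            if line.startswith("#"):                  # comment line = display attribute
                rec["display"][name] = value
            elif name in ("add", "replace", "delete"):
                current = {"op": name, "attr": value, "values": []}
                rec["mods"].append(current)
            elif current is not None:                 # value line of the current op
                current["values"].append(value)
            else:                                     # time, dn, result, changetype
                rec[name] = value
        records.append(rec)
    return records

def describe(rec):
    """One review line: modifier, target entry (with its cn if logged), operations."""
    mods = rec["mods"]
    who = next((m["values"][0] for m in mods if m["attr"] == "modifiersname" and m["values"]), "unknown")
    cn = rec["display"].get("cn")
    target = rec["dn"] + (f" (cn={cn})" if cn else "")
    ops = ", ".join(f"{m['op']} {m['attr']}" for m in mods if m["attr"] != "modifiersname")
    return f"{rec['time']} result={rec['result']} {who} -> {target}: {ops}"
```

The second constructed record has no "#cn:" line, so the review line falls back to the bare dn, which is the situation the RFE describes for entries changed by an AD user.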

Comment 2 mreynolds 2022-10-27 16:14:35 UTC
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/5502

Comment 8 Akshay Adhikari 2022-12-06 12:02:01 UTC
# PYTHONPATH=src/lib389/ py.test -v dirsrvtests/tests/suites/ds_logs/audit_log_test.py --disable-warnings
re-exec with libfaketime dependencies
============================================================================ test session starts =========================================================================
platform linux -- Python 3.6.8, pytest-7.0.1, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
389-ds-base: 1.4.3.32-1.module+el8.8.0+17275+1a8f9618
nss: 3.79.0-10.el8_6
nspr: 4.34.0-3.el8_6
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: libfaketime-0.1.2
collected 1 item                                                                                                                                                            

dirsrvtests/tests/suites/ds_logs/audit_log_test.py::test_auditlog_display_attrs PASSED                                                                                [100%]

============================================================================ 1 passed in 34.82s ==========================================================================

Marking as verified: Tested.

Comment 9 bsmejkal 2022-12-12 11:25:40 UTC
As per comment #c8 marking as VERIFIED.

