1. Proposed title of this feature request

Adding 'cn' attribute to IPA audit logs (/var/log/dirsrv/slapd-<domainname>/audit)

2. What is the nature and description of the request?

In the IdM audit logs, when an AD user makes a change only the SID is shown and not the username.

3. Why does the customer need this? (List the business requirements here)

There are mandates and security frameworks that require centralized logging. Most of our government customers are already doing this, not only because of the mandates and security frameworks, but for auditing purposes. Currently it is very difficult for an auditor to review the logs and determine who has made a change if only the SID is listed. As an alternative to modifying the SID, we have convinced the customer that it is possible to add the 'cn' to entries so that they can be added into the audit logs via a configuration setting.

4. How would the customer like to achieve this? (List the functional requirements here)

The customer would like the application to add the cn to entries so they could be added to the audit logs.

5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Mark Reynolds suggested that we will add a new configuration setting for the audit/auditfail log where you can set what attributes you want to be added to the audit log. As of right now it will look like this:

-------------------------------------------
cn=config
nsslapd-auditlog-entry-attrs: cn <attribute> <attribute> <"*" for all attributes> ...
-------------------------------------------------
time: 20221014125914
dn: uid=demo_user,ou=people,dc=example,dc=com
result: 0
#cn: <CN VALUE>
changetype: modify
replace: displayName
displayName: Demo Entry
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
-------------------------------------------------

6. Is there already an existing RFE upstream or in Red Hat Bugzilla?

No

7. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

RHEL 8

8. Is the sales team involved in this request and do they have any additional input?

No

9. List any affected packages or components.

SSSD
IPA

10. Would the customer be able to assist in testing this functionality if implemented?

Yes
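The audit log layout sketched above (one record per change, a "#<attr>: <value>" comment line per attribute listed in nsslapd-auditlog-entry-attrs, then the "-"-separated mods) is what a central log pipeline has to consume if the auditor is to see the target entry's cn next to the modifiersname that today shows only a SID. The following parser is an added example written for this ticket; it is not code from 389-ds-base, lib389 or IPA. The two sample records are constructed to match the format in the ticket, the SID-style modifiersname in the second record is a made-up placeholder, and the "changed_attrs" field deliberately drops the operational modifiersname/modifytimestamp mods so the auditor sees only the attributes the actor actually changed.

```python
"""Parse 389-ds audit log records, including the '#<attr>: <value>' lines that
nsslapd-auditlog-entry-attrs adds, into flat events for a central log pipeline.
Added example for this ticket; not part of 389-ds-base, lib389 or IPA."""
import json
from dataclasses import dataclass, field

# Constructed sample in the layout shown in the RFE. The SID-style
# modifiersname in the second record is a made-up placeholder value.
SAMPLE_AUDIT_LOG = """\
time: 20221014125914
dn: uid=demo_user,ou=people,dc=example,dc=com
result: 0
#cn: Demo User
changetype: modify
replace: displayName
displayName: Demo Entry
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z

time: 20221014130230
dn: uid=aduser@ad.example.test,cn=users,cn=accounts,dc=example,dc=com
result: 0
#cn: AD Example User
changetype: modify
replace: loginShell
loginShell: /bin/bash
-
replace: modifiersname
modifiersname: S-1-5-21-1111111111-2222222222-3333333333-1104
"""


@dataclass
class AuditRecord:
    time: str = ""
    dn: str = ""
    result: int = -1
    changetype: str = ""
    entry_attrs: dict = field(default_factory=dict)  # from '#attr: value' lines
    mods: list = field(default_factory=list)         # {"op", "attr", "values"}
    modifiersname: str = ""


def _split_records(text):
    """Yield the lines of each record. Records end at a blank line; a line made
    only of dashes (the separator used in the ticket) also ends a record, while
    a lone '-' is the LDIF mod separator and stays inside the record."""
    block = []
    for raw in text.splitlines():
        line = raw.rstrip()
        is_rule = len(line) > 1 and set(line) == {"-"}
        if line == "" or is_rule:
            if block:
                yield block
                block = []
            continue
        block.append(line)
    if block:
        yield block


def parse_record(lines):
    rec = AuditRecord()
    in_mods = False
    current = None
    for line in lines:
        if line.startswith("#"):
            # Attributes displayed because of nsslapd-auditlog-entry-attrs.
            attr, _, value = line[1:].partition(": ")
            rec.entry_attrs[attr] = value
        elif line == "-":
            if current is not None:
                rec.mods.append(current)
            current = None
        elif not in_mods:
            key, _, value = line.partition(": ")
            if key == "time":
                rec.time = value
            elif key == "dn":
                rec.dn = value
            elif key == "result":
                rec.result = int(value)
            elif key == "changetype":
                rec.changetype = value
                in_mods = True
        else:
            key, _, value = line.partition(": ")
            if key in ("add", "replace", "delete"):
                current = {"op": key, "attr": value, "values": []}
            elif current is not None and key == current["attr"]:
                current["values"].append(value)
                if key == "modifiersname":
                    rec.modifiersname = value
            else:
                # changetype add/delete records carry plain 'attr: value' lines.
                rec.mods.append({"op": rec.changetype, "attr": key, "values": [value]})
    if current is not None:
        rec.mods.append(current)
    return rec


def parse_audit_log(text):
    return [parse_record(block) for block in _split_records(text)]


def to_siem_event(rec):
    """Flatten a record into what an auditor asks: who changed which entry, and what."""
    operational = {"modifiersname", "modifytimestamp"}
    return {
        "time": rec.time,
        "target_dn": rec.dn,
        "target_cn": rec.entry_attrs.get("cn"),  # None when the setting is unset
        "actor": rec.modifiersname or "unknown",
        "changetype": rec.changetype,
        "changed_attrs": sorted({m["attr"] for m in rec.mods} - operational),
        "result": rec.result,
    }


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(json.dumps(to_siem_event(rec)))
```

Pointing parse_audit_log at the real file (/var/log/dirsrv/slapd-<instance>/audit) gives one JSON event per change; "target_cn" stays None for records written before nsslapd-auditlog-entry-attrs was set, which is a useful check that the setting actually took effect on the instance being audited.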
Upstream ticket: https://github.com/389ds/389-ds-base/issues/5502
Design doc: https://www.port389.org/docs/389ds/design/audit-log-entry-attrs-design.html
# PYTHONPATH=src/lib389/ py.test -v dirsrvtests/tests/suites/ds_logs/audit_log_test.py --disable-warnings
re-exec with libfaketime dependencies
============================================================================ test session starts =========================================================================
platform linux -- Python 3.6.8, pytest-7.0.1, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
389-ds-base: 1.4.3.32-1.module+el8.8.0+17275+1a8f9618
nss: 3.79.0-10.el8_6
nspr: 4.34.0-3.el8_6
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: libfaketime-0.1.2
collected 1 item

dirsrvtests/tests/suites/ds_logs/audit_log_test.py::test_auditlog_display_attrs PASSED [100%]

============================================================================ 1 passed in 34.82s ==========================================================================

Marking as verified: Tested.
As per comment #c8 marking as VERIFIED.