Bug 2136610 - [RFE] Add 'cn' attribute to IPA audit logs
Summary: [RFE] Add 'cn' attribute to IPA audit logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-10-10
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.2
Hardware: Unspecified
OS: Linux
Priority: high
Severity: low
Target Milestone: rc
Target Release: 8.8
Assignee: mreynolds
QA Contact: LDAP QA Team
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2022-10-20 20:55 UTC by Corey Brown
Modified: 2023-05-24 12:37 UTC

Fixed In Version: 389-ds-1.4-8080020221115220516.6e2e7265
Doc Type: Enhancement
Doc Text:
.New `nsslapd-auditlog-display-attrs` configuration parameter for the Directory Server audit log

Previously, it was difficult to determine who changed an entry if the distinguished name (DN) of the entry did not contain clear identifying information. With the new `nsslapd-auditlog-display-attrs` parameter, you can set additional attributes that Directory Server displays in the audit log to provide more details about the modified entry. For example, if you set the `nsslapd-auditlog-display-attrs` parameter to `cn`, the audit log displays the entry `cn` attribute in the output:

----
time: 20221014125914
dn: uid=73747737483,ou=people,dc=example,dc=com
result: 0
*#cn: John Smith*
changetype: modify
replace: displayName
displayName: jsmith
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
----

Note that if you want the audit log to include all attributes of a modified entry, you can use an asterisk (`*`) as the parameter value.
Clone Of:
Environment:
Last Closed: 2023-05-16 08:33:01 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker IDMDS-2591 0 None None None 2022-10-26 15:32:23 UTC
Red Hat Issue Tracker IDMDS-2636 0 None None None 2022-11-15 20:27:46 UTC
Red Hat Issue Tracker RHELPLAN-137228 0 None None None 2022-10-20 20:59:58 UTC
Red Hat Product Errata RHBA-2023:2811 0 None None None 2023-05-16 08:33:34 UTC

Description Corey Brown 2022-10-20 20:55:10 UTC
1. Proposed title of this feature request
  Adding 'cn' attribute to IPA audit logs (/var/log/dirsrv/slapd-<domainname>/audit)

2. What is the nature and description of the request? 
  In the IdM audit logs when an AD user makes a change only the SID is shown and not the username.
  
3. Why does the customer need this? (List the business requirements here)
  There are mandates and security frameworks that require centralized logging. Most of our government customers are already doing this, not only due to the mandates and security frameworks, but for auditing purposes. Currently it is very difficult for an auditor to review the logs and determine who has made a change if only the SID is listed. As an alternative to modifying the SID, we have convinced the customer that it is possible to add the 'cn' to entries so that they can be added into the audit logs via configuration setting.

4. How would the customer like to achieve this? (List the functional requirements here)
  The customer would like the application to add the cn to entries so they could be added to the audit logs.

5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Mark Reynolds suggested that we will add a new configuration setting for the audit/auditfail log where you can set what attributes you want to be added to the audit log.  

As of right now it will look like this:
-------------------------------------------
cn=config

nsslapd-auditlog-entry-attrs: cn <attribute> <attribute> <"*" for all attributes> ...
-------------------------------------------------

time: 20221014125914
dn: uid=demo_user,ou=people,dc=example,dc=com
result: 0
#cn: <CN VALUE>
changetype: modify
replace: displayName
displayName: Demo Entry
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
-------------------------------------------------

6. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No

7. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?
RHEL 8

8. Is the sales team involved in this request and do they have any additional input?
No

9. List any affected packages or components.
SSSD
IPA

10. Would the customer be able to assist in testing this functionality if implemented?
Yes

Comment 2 mreynolds 2022-10-27 16:14:35 UTC
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/5502

Comment 8 Akshay Adhikari 2022-12-06 12:02:01 UTC
# PYTHONPATH=src/lib389/ py.test -v dirsrvtests/tests/suites/ds_logs/audit_log_test.py --disable-warnings
re-exec with libfaketime dependencies
============================================================================ test session starts =========================================================================
platform linux -- Python 3.6.8, pytest-7.0.1, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
389-ds-base: 1.4.3.32-1.module+el8.8.0+17275+1a8f9618
nss: 3.79.0-10.el8_6
nspr: 4.34.0-3.el8_6
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: libfaketime-0.1.2
collected 1 item                                                                                                                                                            

dirsrvtests/tests/suites/ds_logs/audit_log_test.py::test_auditlog_display_attrs PASSED                                                                                [100%]

============================================================================ 1 passed in 34.82s ==========================================================================

Marking as verified: Tested.

Comment 9 bsmejkal 2022-12-12 11:25:40 UTC
As per comment #c8 marking as VERIFIED.

Comment 10 Ding-Yi Chen 2023-03-01 01:19:34 UTC
Given that RHEL 8.7 is out, will RHEL 8.8 or later carry this RFE?

Comment 11 mreynolds 2023-03-01 14:09:05 UTC
(In reply to Ding-Yi Chen from comment #10)
> Given that RHEL 8.7 is out, will RHEL 8.8 or later carry this RFE?

If you check the "target release" of this bug you will see it's set for RHEL 8.8.  Bug is already verified so it is good to go.

Comment 16 Evgenia Martynyuk 2023-05-09 21:43:57 UTC
Hi @mareynol !

I have prepared RN text, could you please review it? 

.New configuration parameter `nsslapd-auditlog-display-attrs` for the Directory Server audit log.

Previously, it was very difficult to determine who made a change to an entry if the entry distinguished name (DN) did not contain clear identifying information. With the `nsslapd-auditlog-display-attrs` parameter, you can set additional attributes that Directory Server displays in the audit log to provide more details about the entry being modified.

For example, if you set the `nsslapd-auditlog-display-attrs` parameter to `cn`, the audit log starts to display the entry `cn` attribute in the output:

----
time: 20221014125914
dn: uid=73747737483,ou=people,dc=example,dc=com
result: 0
*#cn: John Smith*
changetype: modify
replace: displayName
displayName: jsmith
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
----

You can use an asterisk (`*`) as a value if you want the audit log to contain all attributes of modified entries.
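Added example (not from the bug report, the release-note text, or 389-ds-base itself): a small Python parser for audit-log records in the layout shown in the description and in the release note above. It reads each blank-line separated record, collects the `#attr: value` display lines that `nsslapd-auditlog-display-attrs` adds, and pairs them with the `modifiersname` of the change, so an auditor can read "who changed which entry" even when the target DN carries only an opaque identifier. The sample log text is constructed, the header line and the `changes_to` helper are my own, and the assumption that every displayed attribute appears as its own `#attr: value` line is mine, not documented server behaviour.

```python
import re
from dataclasses import dataclass, field

# Attributes the server rewrites on every modify; not interesting as "what changed".
OPERATIONAL_ATTRS = {"modifiersname", "modifytimestamp", "entryusn"}

# Constructed sample (not captured from a real server): a header block plus two
# records in the layout the bug describes. The second record assumes
# nsslapd-auditlog-display-attrs lists both cn and uid.
SAMPLE_AUDIT_LOG = """\
389-Directory/1.4.3 (constructed header line, skipped by the parser)

time: 20221014125914
dn: uid=73747737483,ou=people,dc=example,dc=com
result: 0
#cn: John Smith
changetype: modify
replace: displayName
displayName: jsmith
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z

time: 20221014130201
dn: uid=73747737484,ou=people,dc=example,dc=com
result: 0
#cn: Jane Doe
#uid: 73747737484
changetype: modify
replace: mail
mail: jane@example.com
-
replace: modifiersname
modifiersname: uid=admin,ou=people,dc=example,dc=com
-
replace: modifytimestamp
modifytimestamp: 20221014170201Z
"""


@dataclass
class AuditRecord:
    time: str = ""
    dn: str = ""
    result: int = -1
    changetype: str = ""
    modifiersname: str = ""
    display_attrs: dict = field(default_factory=dict)  # attr -> [values] from '#attr: value' lines
    changed_attrs: list = field(default_factory=list)  # user attributes touched, in log order


def parse_audit_log(text):
    """Split the log into blank-line separated blocks and parse each change record."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].startswith("time: "):
            continue  # banner/header block, not a change record
        rec = AuditRecord()
        for line in lines:
            if line.startswith("#"):
                # Display line produced by nsslapd-auditlog-display-attrs (assumed one per value).
                attr, sep, value = line[1:].partition(": ")
                if sep:
                    rec.display_attrs.setdefault(attr, []).append(value)
                continue
            if line == "-":
                continue  # LDIF change separator
            key, sep, value = line.partition(": ")
            if not sep:
                continue
            key = key.lower()
            if key == "time":
                rec.time = value
            elif key == "dn":
                rec.dn = value
            elif key == "result":
                rec.result = int(value)
            elif key == "changetype":
                rec.changetype = value
            elif key == "modifiersname":
                rec.modifiersname = value
            elif key in ("add", "replace", "delete"):
                # 'replace: modifiersname' etc. are server bookkeeping, not the user's change.
                if value.lower() not in OPERATIONAL_ATTRS and value not in rec.changed_attrs:
                    rec.changed_attrs.append(value)
        records.append(rec)
    return records


def describe(rec):
    """One-line, reviewer-friendly summary: who changed which entry, and what."""
    who = rec.modifiersname or "<unknown>"
    labels = ", ".join(f"{a}={v[0]}" for a, v in rec.display_attrs.items())
    target = f"{rec.dn} [{labels}]" if labels else rec.dn
    what = ", ".join(rec.changed_attrs) or "(no user attributes)"
    status = "ok" if rec.result == 0 else f"failed(result={rec.result})"
    return f"{rec.time} {who} {rec.changetype} {target}: {what} {status}"


def changes_to(records, attr, value):
    """Records whose displayed attribute `attr` has the value `value` (e.g. cn=John Smith)."""
    return [r for r in records if value in r.display_attrs.get(attr, [])]


if __name__ == "__main__":
    for record in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(describe(record))
```

Pointing `parse_audit_log` at `/var/log/dirsrv/slapd-<domainname>/audit` gives a quick way to confirm, after setting the parameter, that the `#cn:` lines actually appear on modify records; records without any display line are the ones where the reviewer is still left with the raw DN.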

Comment 18 errata-xmlrpc 2023-05-16 08:33:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2811

Comment 19 mreynolds 2023-05-17 12:55:24 UTC
Doc text looks good.

Comment 20 Evgenia Martynyuk 2023-05-18 12:38:01 UTC
RN text passed peer view. Thanks Masha! RN is release pending.

