#873 FreeIPA - CLI/WebUI Logging
Closed: Fixed. Opened 14 years ago by jraquino.

Currently FreeIPA is lacking logging for the Administration interfaces.

FreeIPA should have syslog compatible log output which captures:

  • The User who executed a command
  • The command that was executed
  • The status of the command: success / fail

In order to facilitate future audit solutions or efforts, suggested output should be Syslog RFC 5424 compliant.
(http://tools.ietf.org/search/rfc5424)

This can be accomplished with one of two available native Python libraries:

The current plugin system already passes results which are used by frontend.py and cli.py to display output to the user on standard out. It should be fairly straightforward to capture some of that data and send it to a logging facility.

Currently there is a great deal of verbose logging in dirsrv and apache. For the backend, this is ideal for troubleshooting.

For the cli/webui there should be a separate /var/log/freeipa.log file which can facilitate the accounting of administrative tasks a user performs.

In order for an authentication/authorization framework to be fully successful in an enterprise, logs of administrative activity are often a requirement for the management and compliance teams.

This is a PCI DSS Requirement:

  • 10.2.2 All actions taken by any individual with administrative privileges
  • 10.3 Record at least the following audit trail entries for all system components for each event:
      • 10.3.1 User Identification
      • 10.3.2 Type of Event
      • 10.3.3 Date and Time
      • 10.3.4 Success or Failure indication


<time/date> authenticated_user plugin usage / modification

For example:
Jan 26 17:46:45 auth1.example.com FreeIPA: admin@EXAMPLE.COM: user_show(u'admin', all=True, ...), <some success/failure indicator>
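As an added illustration of the entry format requested above (example code written for this page, not FreeIPA's own code and not part of the original ticket), the following Python builds that line in RFC 5424 syntax, records success or failure around a command call, and checks the result round-trips through a small parser. The SD-ID ipa@32473 (32473 is the private enterprise number RFC 5424 reserves for documentation), the PARAM-NAMEs user/command/result, and the stand-in user_show command with its sample data are all assumptions.

```python
"""RFC 5424 audit lines for a FreeIPA-style command call.

Added example, not FreeIPA code.  Hypothetical: the SD-ID "ipa@32473" (32473 is
the private enterprise number RFC 5424 reserves for documentation), the
PARAM-NAMEs user/command/result, and the stand-in user_show() command below.
"""
import re
from datetime import datetime, timezone

FACILITY_AUTHPRIV = 10        # syslog facility for security/authorization messages
SEV_INFO, SEV_WARNING = 6, 4  # severities used for success / failure
APP_NAME = "FreeIPA"
SD_ID = "ipa@32473"           # hypothetical SD-ID; 32473 is the documentation PEN

audit_lines = []              # stand-in for a FileHandler on /var/log/freeipa.log


def _sd_value(value):
    """Escape the three characters RFC 5424 section 6.3.3 forbids unescaped in PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_rfc5424(when, hostname, user, command, args, kwargs, ok):
    """Build one line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = FACILITY_AUTHPRIV * 8 + (SEV_INFO if ok else SEV_WARNING)
    timestamp = when.astimezone(timezone.utc).isoformat()   # e.g. 2011-01-26T17:46:45+00:00
    params = {"user": user, "command": command, "result": "success" if ok else "failure"}
    sd = "[%s%s]" % (SD_ID, "".join(' %s="%s"' % (k, _sd_value(v)) for k, v in params.items()))
    # MSG mirrors what the CLI would echo: the plugin name and its arguments
    rendered = [repr(a) for a in args] + ["%s=%r" % (k, v) for k, v in sorted(kwargs.items())]
    msg = "%s(%s)" % (command, ", ".join(rendered))
    # PROCID and MSGID are the NILVALUE "-"
    return "<%d>1 %s %s %s - - %s %s" % (pri, timestamp, hostname, APP_NAME, sd, msg)


_HEADER = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) "   # PRI, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID
    r"(\[(?:[^\]\\]|\\.)*\])"                         # one SD-ELEMENT; escaped pairs are consumed whole
    r"(?: (.*))?$")                                   # optional MSG
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_rfc5424(line):
    """Parse a line produced by format_rfc5424 back into its audit fields."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line)
    pri = int(m.group(1))
    fields = {"facility": pri // 8, "severity": pri % 8,
              "timestamp": m.group(2), "host": m.group(3), "app": m.group(4),
              "msg": m.group(8) or ""}
    for name, raw in _PARAM.findall(m.group(7)):
        fields[name] = re.sub(r"\\(.)", r"\1", raw)   # undo the PARAM-VALUE escaping
    return fields


def run_audited(principal, hostname, command, fn, *args, **kwargs):
    """Call fn as `principal`; always emit an audit line, then let failures propagate."""
    ok = False
    try:
        result = fn(*args, **kwargs)
        ok = True
        return result
    finally:
        audit_lines.append(format_rfc5424(datetime.now(timezone.utc), hostname,
                                          principal, command, args, kwargs, ok))


def example_line():
    """The ticket's example entry (admin running user_show on Jan 26 17:46:45) in RFC 5424 form."""
    when = datetime(2011, 1, 26, 17, 46, 45, tzinfo=timezone.utc)
    return format_rfc5424(when, "auth1.example.com", "admin@EXAMPLE.COM",
                          "user_show", ("admin",), {"all": True}, ok=True)


# Constructed stand-in for the user_show plugin: one sample entry, KeyError for unknown uids.
USERS = {"admin": {"uid": "admin", "sn": "Administrator", "memberof_group": ["admins"]}}


def user_show(uid, all=False):   # `all` mirrors the CLI option name from the ticket's example
    entry = USERS[uid]           # KeyError for an unknown user, i.e. a failed command
    return entry if all else {"uid": entry["uid"]}


if __name__ == "__main__":
    run_audited("admin@EXAMPLE.COM", "auth1.example.com", "user_show", user_show, "admin", all=True)
    try:
        run_audited("admin@EXAMPLE.COM", "auth1.example.com", "user_show", user_show, "nobody")
    except KeyError:
        pass
    for line in audit_lines:
        print(line)
```

The wrapper logs in a finally block so that a failed command still produces a line (result="failure", severity warning) before the exception reaches the caller, which is the success/fail indicator the ticket asks for. Facility, severity and the structured-data fields are what a downstream collector can filter on without regex-scraping the free-form MSG.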

An ipa-specific log would be very difficult to do unless we switch to a threaded Apache server. Given that this isn't the default setting on most distros I think we're better off sticking with the Apache log. The ipa log entries are found easily enough with grep ipa:.

I looked at the syslog format and we generally provide the required data, just not in the RFC 5424 format. Since we are sticking with Apache logs we can't really comply with this.

Calling syslog directly for our logging would likely be overkill.

I think the current format provides adequate information; do you agree, JR?

Talked about this with JR on IRC; he agreed that we currently meet his basic requirements. Closing.

Metadata Update from @jraquino:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1 - 2011/08 (Final)

8 years ago
