mirror of
				https://salsa.debian.org/freeipa-team/freeipa.git
				synced 2025-02-25 18:55:28 -06:00 
			
		
		
		
	For each executed command in server context, send the information about the command to the systemd journal. The resulting string is similar to what is recored in httpd's error_log for API requests coming through the RPC layer. In server mode operations are performed directly on the server over LDAPI unix domain socket, so httpd end-point is not used and therefore operations aren't recorded in the error_log. With this change any IPA API operation is sent as an audit event to the journal, alog with additional information collected by the journald itself. To aid with identification of these messages, an application name is replaced with IPA.API and the actual name from api.env.script is made a part of the logged message. The actual application script name is available as part of the journal metadata anyway. If no Kerberos authentication was used but rather LDAPI autobind was in use, the name of the authenticated principal will be replaced with [autobind]. Messages sent with syslog NOTICE priority. More information is available in the design document 'audit-ipa-api.md' Fixes: https://pagure.io/freeipa/issue/9589 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>