freeipa/init/systemd
Alexander Bokovoy 84eed2a67f frontend: add systemd journal audit of executed API commands
For each executed command in server context, send the information about
the command to the systemd journal. The resulting string is similar to
what is recored in httpd's error_log for API requests coming through the
RPC layer.

In server mode operations are performed directly on the server over
LDAPI unix domain socket, so httpd end-point is not used and therefore
operations aren't recorded in the error_log.

With this change any IPA API operation is sent as an audit event to the
journal, alog with additional information collected by the journald
itself.

To aid with identification of these messages, an application name is
replaced with IPA.API and the actual name from api.env.script is made a
part of the logged message. The actual application script name is
available as part of the journal metadata anyway.

If no Kerberos authentication was used but rather LDAPI autobind was in
use, the name of the authenticated principal will be replaced with
[autobind].

Messages sent with syslog NOTICE priority.

More information is available in the design document 'audit-ipa-api.md'

Fixes: https://pagure.io/freeipa/issue/9589

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-22 17:06:23 -04:00
..
ipa-ccache-sweep.service.in Fix ipa-ccache-sweeper activation timer and clean up service file 2022-08-29 18:28:42 +02:00
ipa-ccache-sweep.timer.in Fix ipa-ccache-sweeper activation timer and clean up service file 2022-08-29 18:28:42 +02:00
ipa-custodia.service.in systemd: enforce en_US.UTF-8 locale in systemd units 2020-12-10 14:38:05 +02:00
ipa.catalog frontend: add systemd journal audit of executed API commands 2024-05-22 17:06:23 -04:00
ipa.service.in systemd: enforce en_US.UTF-8 locale in systemd units 2020-12-10 14:38:05 +02:00
Makefile.am frontend: add systemd journal audit of executed API commands 2024-05-22 17:06:23 -04:00