freeipa/client/man
Alexander Bokovoy 84eed2a67f frontend: add systemd journal audit of executed API commands
For each executed command in server context, send the information about
the command to the systemd journal. The resulting string is similar to
what is recorded in httpd's error_log for API requests coming through the
RPC layer.

In server mode operations are performed directly on the server over
LDAPI unix domain socket, so httpd end-point is not used and therefore
operations aren't recorded in the error_log.

With this change any IPA API operation is sent as an audit event to the
journal, along with additional information collected by the journald
itself.

To aid with identification of these messages, an application name is
replaced with IPA.API and the actual name from api.env.script is made a
part of the logged message. The actual application script name is
available as part of the journal metadata anyway.

If no Kerberos authentication was used but rather LDAPI autobind was in
use, the name of the authenticated principal will be replaced with
[autobind].

Messages sent with syslog NOTICE priority.

More information is available in the design document 'audit-ipa-api.md'

Fixes: https://pagure.io/freeipa/issue/9589

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-22 17:06:23 -04:00
..
default.conf.5 ipa-otpd: add passkey_child_debug_level option 2023-06-01 08:20:37 +02:00
epn.conf.5 component: mail_from_realname config setting added to IPA-EPN 2023-07-26 09:01:37 -04:00
ipa-certupdate.1 Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
ipa-client-automount.1 Remove the --no-sssd option from ipa-client-automount 2022-03-18 09:40:37 +01:00
ipa-client-install.1 Mention in ipa-client-install that nscd is disabled 2023-05-24 13:29:35 +02:00
ipa-client-samba.1 man: fix ipa-client-samba.1 typos 2021-02-15 10:04:55 +02:00
ipa-epn.1 man: fix typos in ipa-epn.1 2021-05-18 14:59:10 +02:00
ipa-getkeytab.1 ipa-getkeytab: add option to discover servers using DNS SRV 2021-07-30 08:45:08 -04:00
ipa-join.1 Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
ipa-rmkeytab.1 Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
ipa.1 frontend: add systemd journal audit of executed API commands 2024-05-22 17:06:23 -04:00
Makefile.am IPA-EPN: First version. 2020-06-09 08:43:45 +02:00