> Basically, every audit record should have:
> • remote username
> • remote user's IP address
> • time and date
> • the service being accessed
> • description of the event...
> • local host's name and IP address (and domain if available)

This logging data is available using Inspektr, https://wiki.jasig.org/display/CASUM/Auditing+and+Statistics+Via+Inspektr. Logging to file and database are supported.

> The events that should be audited:
> • system startup and shutdown

Not currently supported via Inspektr. You could probably hook the Spring context initialization/teardown via AOP to accomplish this. Obviously these events are logged via standard application logging, but not consolidated with the audit data as you likely want.

> • authentication and ticket creation - successful and unsuccessful
> • ticket validation (esp. including the service being accessed) - successful
> and unsuccessful

Inspektr includes these in audit data.

> • single sign-off - successful and unsuccessful

Not supported at present. You could hook org.jasig.cas.authentication.principal.AbstractWebApplicationService#logOutOfService(String) to accomplish this. Again, these are logged via standard application logging but not currently included in audit records.

> • logoffs due to SSO session timeout (do HTTP session timeouts occur in
> CAS? what would it mean?)

Not supported at present. You could hook org.jasig.cas.ticket.registry.RegistryCleaner.clean() to trigger an audit event if a ticket satisfies a particular expiration policy, which would effectively document expired sessions for TGT expiration. HTTP session timeouts on individual services are outside the scope of CAS.

> • activity in the services management console, i.e.,
> 1. creation or deletion of managed service
> 2. modification of managed service (showing changed values)

Not supported at present, but should be fairly straightforward to implement with a few audit hooks. Given the CAS roadmap, I don't think we would consider these features for 3.4.x, but they seem entirely reasonable for 4.0 or later. I would suggest you open an issue to add audit hooks for the operations you mentioned.
I can imagine we might consider startup/shutdown outside the scope of application auditing, but it seems entirely reasonable for deployers to want that included in audit records as you noted.

M
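As an added illustration (not code from this thread or from the CAS project), here is a Spring AOP aspect along the lines suggested above for the single sign-off case: it wraps AbstractWebApplicationService#logOutOfService(String) and writes one Inspektr audit record whether the callback succeeds, returns false, or throws. Assumptions: the Inspektr 1.0.x AuditTrailManager/AuditActionContext/ClientInfoHolder API, that logOutOfService returns boolean in CAS 3.4.x, and the package, bean and action names, which are hypothetical.

```java
package example.cas.audit; // hypothetical package

import java.util.Date;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.jasig.cas.authentication.principal.Service;
import org.jasig.inspektr.audit.AuditActionContext;
import org.jasig.inspektr.audit.AuditTrailManager;
import org.jasig.inspektr.common.web.ClientInfo;
import org.jasig.inspektr.common.web.ClientInfoHolder;

/** Records an audit entry for every single sign-off callback. Needs aspectj-autoproxy enabled. */
@Aspect
public class SingleSignOffAuditAspect {

    private final AuditTrailManager auditTrailManager; // the existing Inspektr bean, assumed
    private final String applicationCode;               // e.g. "CAS", assumed

    public SingleSignOffAuditAspect(final AuditTrailManager auditTrailManager, final String applicationCode) {
        this.auditTrailManager = auditTrailManager;
        this.applicationCode = applicationCode;
    }

    // Hook the CAS 3.4.x single sign-off method; the session identifier is the service ticket id.
    @Around("execution(boolean org.jasig.cas.authentication.principal.AbstractWebApplicationService"
            + ".logOutOfService(String)) && args(sessionIdentifier) && target(service)")
    public Object auditLogout(final ProceedingJoinPoint pjp, final String sessionIdentifier,
                              final Service service) throws Throwable {
        String outcome = "SINGLE_SIGNOFF_FAILED"; // assume failure until proceed() returns true
        try {
            final Object result = pjp.proceed();
            if (Boolean.TRUE.equals(result)) {
                outcome = "SINGLE_SIGNOFF_SUCCESS";
            }
            return result;
        } finally {
            // Always record: a thrown exception or a false return is the "unsuccessful" case.
            record(sessionIdentifier, service.getId(), outcome);
        }
    }

    private void record(final String sessionIdentifier, final String serviceId, final String action) {
        // The username is not available at this call site; the ST id identifies the session instead.
        final ClientInfo info = ClientInfoHolder.getClientInfo(); // set by Inspektr's request filter
        final String clientIp = info != null ? info.getClientIpAddress() : "unknown";
        final String serverIp = info != null ? info.getServerIpAddress() : "unknown";
        auditTrailManager.record(new AuditActionContext(sessionIdentifier, serviceId, action,
                applicationCode, new Date(), clientIp, serverIp));
    }
}
```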
