On 19/11/2014 09:26, Francesco Chicchiriccò wrote:
Hi Hermann,
see my replies embedded below.

Regards.

On 18/11/2014 10:24, Hermann Angstl wrote:
Hi there,

I'm just trying to make sense of Syncope's Audit feature.

Under "Reports" -> "Audit" I enabled ALL options of type "REST".

So, for example, "REST" / "EntitlementController" / "getAll" and "getOwn" are checked. For both "Success" and "Failure".

Now I did a login to the Web Console, first with a wrong password, then with the correct password.

When I look into the Syncope database, table syncopeaudit, I see this:

(1) Login to Web Console with wrong Password:
[...]

(2) Login to Web Console with correct Password:
[...]

Questions:
- It seems that I only get EntitlementController audit events for the Success - not for Failure. What do I have to configure to get failed login requests?

EntitlementController [1] methods do not enforce any security constraint, so there is no chance you can get any failure there under normal circumstances.

For your purpose I would suggest instead to set audit information on

[REST]:[AuthenticationController]:[]:[login]:[SUCCESS]
[REST]:[AuthenticationController]:[]:[login]:[FAILURE]

I have just added such information to our FAQ page [2].

- How to get change information, like Role XYZ has been added to User ABC? When I, for example, add Role "ArtDirector" to User "rossini" I get this here - which is hard to parse. Is there a better way to get this kind of information?

The information reported below is the complete audit, which of course needs further processing to be effective.

You could, however, empower Activiti for providing more sensible audit for your own purpose: add a Java UserTask (see the provided classes for some examples) which inspects the user request being served (adding roles, in your case) and

...and invokes the AuditManager with appropriate arguments. (send was too quick, sorry).

[...]

[1] https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/main/java/org/apache/syncope/core/rest/controller/EntitlementController.java;hb=1_2_X
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/FAQ#FAQ-HowdoIauditloginsuccess/failure?



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
