Hi All,
I noticed the audit logs capture all details about any change in the directory, including password hashes when an account's password is updated. This strikes me as a security risk and I'd like to stop password hashes from being logged, or at least have them masked.
In reading https://www.port389.org/docs/389ds/design/audit-log-entry-attrs-design.html I see it might be possible to configure attributes to omit from the audit log by setting:
cn=config
nsslapd-auditlog-display-attrs: [ATTR ATTR ATTR] | *
My reading of that is that you need to either allow all ("*"), or enumerate each and every attribute you want in the audit log; you can't say "all, except userPassword". Would that be correct? The problem with this is that every time we update the schema to add a new attribute type, we'll need to remember to update this list on every machine we capture audit logs on.
Is there perhaps some other way that I may have missed in my research?
Thanks everyone,
Trevor
--
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
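Whatever the server-side answer turns out to be, the check a practitioner wants before shipping these logs anywhere (SIEM, backups, a ticket) is "does any record in this audit log still carry a password value, and can I strip it?" The script below is an added example for this thread, not code from the 389-ds project. It assumes the audit log's LDIF-like layout (each change starts with a `time:` line, attributes are `name: value` or `name:: base64`, continuation lines start with a space, and `-` separates mods); the attribute names `userPassword`, `unhashed#user#password` and `nsslapd-rootpw` in `SENSITIVE_ATTRS` are the ones I would treat as secrets, and the log text in `SAMPLE_AUDIT_LOG` is constructed for the demo, not captured from a real server.

```python
"""Scan a 389 Directory Server audit log for password material and emit a
redacted copy.

Added example for this thread, not 389-ds project code.  Assumes the audit
log's LDIF-like layout: a change starts with a "time:" line, attributes are
"name: value" or "name:: base64", continuation lines begin with a space and
"-" separates the mods of one modify operation.
"""

import re

# Attribute names whose values should never leave the box (assumption: these
# are the password-bearing attributes relevant to 389-ds; extend as needed).
SENSITIVE_ATTRS = {"userpassword", "unhashed#user#password", "nsslapd-rootpw"}
REDACTED = "<redacted>"

# "name: value" or "name:: base64value"; a bare "-" line does not match.
ATTR_RE = re.compile(r"^([A-Za-z0-9;#\-_.]+)(::?)\s?(.*)$")

# Constructed sample covering a password change (with a folded, base64 hash
# line) and a harmless mail change.
SAMPLE_AUDIT_LOG = """\
time: 20240102030405
dn: uid=alice,ou=people,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword: {PBKDF2_SHA256}AAAgAGNvbnN0cnVjdGVk
 c2FtcGxlaGFzaA==
-
replace: modifiersname
modifiersname: cn=directory manager
-

time: 20240102030406
dn: uid=bob,ou=people,dc=example,dc=com
result: 0
changetype: modify
replace: mail
mail: bob@example.com
-

"""


def unfold(lines):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_audit_log(text):
    """Split the log into records: lists of (attr, sep, value) in order, with a
    mod separator kept as (None, None, "-")."""
    records, current = [], None
    for line in unfold(text.splitlines()):
        if line.startswith("time:"):
            if current is not None:
                records.append(current)
            current = []
        if current is None or not line.strip():
            continue
        if line.strip() == "-":
            current.append((None, None, "-"))
            continue
        m = ATTR_RE.match(line)
        if m:
            current.append((m.group(1), m.group(2), m.group(3)))
    if current is not None:
        records.append(current)
    return records


def find_password_leaks(text):
    """Return (time, dn, attribute) for every sensitive *value* in the log.
    Mod-op lines such as "replace: userPassword" name the attribute but carry
    no secret, so only attribute lines with a real value are reported."""
    leaks = []
    for rec in parse_audit_log(text):
        when = next((v for a, _, v in rec if a and a.lower() == "time"), "?")
        dn = next((v for a, _, v in rec if a and a.lower() == "dn"), "?")
        for attr, _, value in rec:
            if attr and attr.lower() in SENSITIVE_ATTRS and value and value != REDACTED:
                leaks.append((when, dn, attr))
    return leaks


def redact(text):
    """Return the log with sensitive values replaced by REDACTED.  Every other
    line is kept byte-for-byte; continuation lines of a masked value are
    dropped because they are part of that value."""
    out, masking = [], False
    for line in text.splitlines():
        if line.startswith(" ") and masking:
            continue
        masking = False
        m = ATTR_RE.match(line)
        if m and m.group(1).lower() in SENSITIVE_ATTRS and m.group(3):
            out.append(f"{m.group(1)}: {REDACTED}")
            masking = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for when, dn, attr in find_password_leaks(SAMPLE_AUDIT_LOG):
        print(f"{when} {dn}: {attr} value present in audit log")
    print(redact(SAMPLE_AUDIT_LOG))
```

Run it against `/var/log/dirsrv/slapd-<instance>/audit` (path per instance, adjust to yours) instead of the sample to see whether your current configuration leaks hashes; `redact()` is the filter to put in front of any log shipper if the server cannot be made to omit the attribute itself. Note that it masks the stored hash and the clear-text `unhashed#user#password` alike, so a log consumer sees only that a password changed, not what it became.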