To properly track issues over time as the normal DS logs can rotate too quickly. Instead we can have a more specialized/condensed log that will maintain this data for longer since it’s not consuming as much disk resources.
The access logs do have all the info this security audit log would maintain, but it requires expensive parsing to get all the info. As stated above, logs can get rotated very fast, and critical audit information can be lost due to the log rotation/deletion policy.
The security audit log would not be as busy, and would not rotate nearly as fast, allowing for months/years of audit information to be kept without consuming a lot of disk space.
Track authentication/authorization failures. The most important attacks are on passwords. These attacks can come in different forms: brute force and password spraying.
Should we track Root DN (cn=directory manager) failed binds differently? Separate stat/report?
What about replication manager? Is this easily detectable in code?
Data corruption
Do the security logging in: disconnect_server_nomutex_ext()
Authentication.Authorization
{
date: '', // Human readable
utc_time: '', // For easy sorting/reporting
event: '',
client_ip: '',
server_ip: '',
conn_id: '',
op_id: '',
dn: '',
bind_method: 'SIMPLE, SIMPLE/MFA, SASL/GSSAPI, SASL/DIGEST-MD5, SSLCLIENTAUTH',
root_dn: true/false,
msg: 'INVALID_PASSWORD, NO_SUCH_ENTRY, ACCOUNT_LOCKED, CERT_MAP_FAILED'
}
{'date': '13/May/2022:14:19:21.828151054 -0400', 'utc_time': '168485945', 'event': 'BIND_FAILED', 'dn': 'uid=mark,ou=people,dc=example,dc=com', 'bind_method': 'SIMPLE', 'root_dn': 'false', 'client_ip': '127.0.0.1', 'server_ip': '127.0.0.1', 'conn_id': '2', 'op_id': '1', 'msg': 'INVALID_PASSWORD'}
{'date': '13/May/2022:14:19:22.828151058 -0400', 'utc_time': '168499999', 'event': 'BIND_FAILED', 'dn': 'uid=mike,ou=people,dc=example,dc=com', 'bind_method': 'SIMPLE', 'root_dn': 'false', 'client_ip': '127.0.0.1', 'server_ip': '127.0.0.1', 'conn_id': '7', 'op_id': '1', 'msg': 'NO_SUCH_ENTRY'}
TCP Errors
{
"date": "",
"utc_time": #####,
"event": "TCP_ERROR",
"client_ip": "",
"server_ip": "",
"ldap_version": 3,
"conn_id": 1,
"msg": "Bad Ber Tag or uncleanly closed connection - B1"
}
{"date": "[15/Jul/2022:13:50:29.688975861 -0400] ", "utc_time": 1657907429, "event": "TCP_ERROR", "client_ip": "::1", "server_ip": "::1", "ldap_version": 3, "conn_id": 1, "msg": "Bad Ber Tag or uncleanly closed connection - B1"
Just like any other DS log
nsslapd-securitylog: /var/log/dirsrv/slapd-localhost/security
nsslapd-securitylog-logging-enabled: on
nsslapd-securitylog-logexpirationtime: 12
nsslapd-securitylog-logexpirationtimeunit: month
nsslapd-securitylog-logmaxdiskspace: 500
nsslapd-securitylog-logminfreediskspace: 5
nsslapd-securitylog-logrotationsync-enabled: off
nsslapd-securitylog-logrotationtime: 1
nsslapd-securitylog-logrotationtimeunit: month
nsslapd-securitylog-maxlogsize: 100
nsslapd-securitylog-maxlogsperdir: 10
nsslapd-securitylog-mode: 600
nsslapd-securitylog-logbuffering: on
nsslapd-securitylog-compress: on
We’ll let other tooling do the complex parsing (e.g. Splunk). However, we can still provide a generic report.
Example of basic report we could produce.
Successful Binds: ####
Failed binds: ####
Root DN Failed Binds: ####
Authentication Events
Invalid Password: ####
Account Locked: ####
No Such Entry: ####
Authorization Events
Unauthorized Ops: ####
TCP Events
B1 (BAD_BER_TAG): ####
B2 (BER_TOO_BIG): ####
B3 (BER_PEEK): ####
Should we add more information about common IP addresses, or common accounts? How far down the rabbit hole do we go?
Top 100 Failed Binds
uid=mark,ou=people,dc=example,dc=com 179
cn=directory manager 89
...
Top 100 Clients
10.10.10.201 493
- Failed binds: 400
- Acount locked: 93
10.20.10.30 201
- Failed binds: 150
- No Such Entry: 51
Allow the UI to view the logs, and generate these reports? Should the UI view the results as text, or in a tree (lot of work)!?
https://github.com/389ds/389-ds-base/issues/5335
Need new ticket for new CLI tool (dslog)