Hi All,
I noticed the audit logs capture all details about any change in the directory, including password hashes when an account's password is updated. This strikes me as a security risk and I'd like to stop password hashes from being logged, or at least have them masked.
In reading https://www.port389.org/docs/389ds/design/audit-log-entry-attrs-design.html I see it might be possible to configure attributes to omit from the audit log by setting:
cn=config
nsslapd-auditlog-display-attrs: [ATTR ATTR ATTR] | *
My reading of that is that you need to either allow all ("*"), or enumerate each and every attribute you want in the audit log; you can't say "all, except userPassword". Would that be correct? The problem with this is that every time we update the schema to add a new attribute type, we'll need to remember to update this list on every machine we capture audit logs on.
Is there perhaps some other way that I may have missed in my research?
Thanks everyone,
Trevor
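Whatever nsslapd-auditlog-display-attrs ends up allowing, a second line of defence is to mask password hashes in the audit log before it is shipped to a SIEM or backup. The following filter is an added example and not part of Trevor's post or the 389 DS project. It assumes the audit log has the LDIF-style layout shown in the constructed sample (one `attribute: value` per line, `::` for base64 values, leading-space continuation lines, blank lines between entries) and redacts the attributes in SENSITIVE_ATTRS, an assumed set you would extend for your own schema.

```python
import re
import sys
from typing import Iterable, List, Tuple

# Attribute names to mask, compared case-insensitively. Assumed set for this
# example; extend it with any other secret-bearing attributes in your schema.
SENSITIVE_ATTRS = {"userpassword"}

# "attr: value" or "attr:: base64value". LDIF attribute descriptions may carry
# options such as ";binary", which the optional (?:;...) group accepts.
_ATTR_LINE = re.compile(r"^([A-Za-z][\w\-]*(?:;[\w\-]+)*)(::?)\s*(.*)$")


def redact_audit_log(lines: Iterable[str],
                     sensitive=SENSITIVE_ATTRS) -> Tuple[List[str], int]:
    """Return the audit log lines with sensitive values masked, plus a count.

    The attribute name is kept so the log still shows *what* changed; only
    the value (the hash) is replaced. Folded continuation lines belonging to
    a masked value are dropped so no fragment of the hash survives.
    """
    out: List[str] = []
    masked = 0
    redacting = False  # inside the continuation lines of a masked value
    for line in lines:
        if line.startswith(" ") and redacting:
            continue  # continuation of a hash we already masked
        redacting = False
        m = _ATTR_LINE.match(line)
        if m and m.group(1).split(";")[0].lower() in sensitive:
            out.append(f"{m.group(1)}: <redacted>")
            masked += 1
            redacting = True
        else:
            out.append(line)
    return out, masked


# Constructed sample in the assumed audit-log layout; the hash values are
# made-up strings, not real password hashes.
SAMPLE_AUDIT_LOG = """\
time: 20240115103000
dn: uid=alice,ou=People,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword: {PBKDF2_SHA256}AAAgAAdGhpc2lzbm90YXJlYWxoYXNo
-
replace: modifiersname
modifiersname: cn=Directory Manager
-

time: 20240115103200
dn: uid=bob,ou=People,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9bm90YXJlYWxoYXNoZWl0aGVy
 Y29udGludWVk
-
"""


if __name__ == "__main__":
    # Usage as a pipe filter: python redact_audit.py < audit > audit.redacted
    redacted, n = redact_audit_log(sys.stdin.read().splitlines())
    sys.stdout.write("\n".join(redacted) + "\n")
    sys.stderr.write(f"masked {n} value(s)\n")
```

The filter deliberately leaves `replace: userPassword` intact, since knowing that a password was changed, and by whom, is exactly what the audit trail is for; only the hash itself is removed. Run it on a copy before shipping, or as the first stage of whatever forwarder collects the log.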