Friday, May 31, 2024

[389-users] Password Hashes in Audit Log

Hi All,
I noticed the audit logs capture all details about any change in the directory, including password hashes when an account's password is updated. This strikes me as a security risk and I'd like to stop password hashes from being logged, or at least have them masked.

In reading https://www.port389.org/docs/389ds/design/audit-log-entry-attrs-design.html I see it might be possible to configure attributes to omit from the audit log by setting:
    cn=config
    nsslapd-auditlog-display-attrs: [ATTR ATTR ATTR] | *
My reading of that is that you need to either allow all ("*"), or enumerate each and every attribute you want in the audit log; you can't say "all, except userPassword". Would that be correct? The problem with this is that every time we update the schema to add a new attribute type, we'll need to remember to update this list on every machine we capture audit logs on.

Is there perhaps some other way that I may have missed in my research?
Thanks everyone,
Trevor
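The page carries no reply, so the following is an added example, not part of the original post and not code from the 389 Directory Server project. It demonstrates the second option Trevor mentions, masking the hash after the fact: a filter that walks the LDIF-style change records the audit log is made of and replaces the value of userPassword (the attribute set, the mask string, the sample records and the hash values in them are all constructed for this example, not taken from a real log). It keeps the "replace: userPassword" line so the log still records that a password changed, handles the base64 ("::") LDIF form and folded continuation lines, and includes a check that reports any sensitive values still present so you can verify a log before it is shipped. Note that this only cleans what is already on disk; the hash is still written by the server until the attribute is excluded at the source.

```python
"""Mask password hashes in a 389-ds style audit log after the fact.

Added example, not code from the original post or from the 389 Directory
Server project. It assumes the audit log is a series of LDIF-formatted
change records (as the post describes) and that the only attribute to hide
is userPassword; SENSITIVE_ATTRS and the sample log below are assumptions
constructed for this example.
"""
import re
from typing import Iterable, List, Tuple

SENSITIVE_ATTRS = frozenset({"userpassword"})  # compared case-insensitively
MASK = "<redacted>"

# An LDIF attribute line: "name: value", "name:: base64value" or "name:< url".
_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(:<|::?)\s?(.*)$")

# Constructed sample in the shape of 389-ds audit records; the hash values are
# made up, and the second record uses the base64 ("::") LDIF form.
SAMPLE_AUDIT_LOG = """\
time: 20240531093000
dn: uid=trevor,ou=People,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword: {PBKDF2_SHA256}AAAgAMkWbDpSZ3h0cXZQVW1RSWx1SEVLU0p2bVdL
 eTFSVmZEeVdUbkVoR2N2RktSZmFrZQ==
-
replace: modifiersname
modifiersname: cn=Directory Manager
-
replace: modifytimestamp
modifytimestamp: 20240531093000Z
-

time: 20240531093100
dn: uid=trevor,ou=People,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9bm90YXJlYWxoYXNo
-
"""


def redact_lines(lines: Iterable[str], sensitive=SENSITIVE_ATTRS, mask=MASK):
    """Yield log lines with the values of sensitive attributes replaced.

    The "replace: userPassword" line is kept on purpose: the log still shows
    that a password changed, just not what it changed to.
    """
    masking = False  # True while inside a value we have just masked
    for line in lines:
        line = line.rstrip("\n")
        if masking and line.startswith(" "):
            # LDIF folds long values onto continuation lines that start with a
            # space; those belong to the masked value, so drop them as well.
            continue
        masking = False
        m = _ATTR_LINE.match(line)
        if m and m.group(1).lower() in sensitive:
            masking = True
            # Emit the plain form whether the input used ":" or "::", so no
            # base64 copy of the hash survives either.
            yield f"{m.group(1)}: {mask}"
            continue
        yield line


def redact_audit_log(text: str, sensitive=SENSITIVE_ATTRS, mask=MASK) -> str:
    """Return the whole log text with sensitive values masked."""
    return "\n".join(redact_lines(text.splitlines(), sensitive, mask)) + "\n"


def leaked_values(text: str, sensitive=SENSITIVE_ATTRS, mask=MASK) -> List[Tuple[int, str]]:
    """Check: (line number, attribute) for every sensitive value still present,
    in clear or base64 form. Run it on a log to confirm it has been masked."""
    leaks = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _ATTR_LINE.match(line)
        if m and m.group(1).lower() in sensitive and m.group(3) != mask:
            leaks.append((lineno, m.group(1)))
    return leaks


if __name__ == "__main__":
    masked = redact_audit_log(SAMPLE_AUDIT_LOG)
    print(masked, end="")
    print("remaining leaks:", leaked_values(masked))
```

In practice you would pipe the rotated audit log through `redact_audit_log` before it leaves the host (for example in the log shipper), and run `leaked_values` over the output as a gate; any hit means a record slipped past the filter, most likely because it used an attribute name not in SENSITIVE_ATTRS.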
