Logging and auditing relationship with your security/auditors

Christopher Bongaarts cab at umn.edu
Tue May 19 16:30:39 UTC 2020


On 5/18/2020 4:30 PM, Cantor, Scott wrote:
> Keep in mind, this whole idea of "failed logins" makes almost no sense for any other technology but passwords, or actually does get logged as a failed request since the user doesn't get to "keep trying" over and over.

I'd bet that most people asking to audit "failed logins" are actually 
asking to log "failed password attempts" (and maybe "failed Duo 
validations"); i.e. they want to "audit" the authentication process 
rather than (or more likely in addition to) the normal audit 
processing showing what was sent to the SP. At least that's our case.

To get this, I hacked up the ValidateUsernameAndPasswordLDAP class to 
insert log messages matching our old SSO system, but I wouldn't 
recommend that as a general approach.  The ldaptive log messages 
actually come pretty close on INFO, though I think all the 
username/password failures end up with a generic 
"AUTHENTICATION_SYSTEM_FAILURE" rather than the ideal of the LDAP result 
codes like "Invalid credentials".

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
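As an added example (not part of this thread, and not the Shibboleth IdP's or ldaptive's own configuration): a logback fragment that turns org.ldaptive up to INFO, where the post says the password-failure messages appear, and routes them to a separate authentication-audit file instead of the main process log. It assumes the IdP's standard conf/logback.xml with its idp.logfiles property; the appender name and file names are invented.

```xml
<!-- Added example, not the IdP's shipped logback.xml. Keeps ldaptive's INFO-level
     bind/authentication messages in their own file so they can be handed to
     auditors without the rest of the IdP log. Assumes the standard
     ${idp.logfiles} property; appender and file names are made up. -->
<appender name="IDP_AUTHN_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>${idp.logfiles}/idp-authn-audit.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
        <!-- daily rotation, compressed, kept for 180 days (pick a retention your auditors require) -->
        <fileNamePattern>${idp.logfiles}/idp-authn-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
        <maxHistory>180</maxHistory>
    </rollingPolicy>
    <encoder>
        <charset>UTF-8</charset>
        <!-- timestamp, level, logger name and the ldaptive message text -->
        <pattern>%date{ISO8601} - %level [%logger] - %msg%n</pattern>
    </encoder>
</appender>

<!-- The IdP's default logback.xml sets org.ldaptive to WARN, which hides the
     failed bind attempts; INFO shows them. additivity="false" stops the same
     lines also landing in idp-process.log. -->
<logger name="org.ldaptive" level="INFO" additivity="false">
    <appender-ref ref="IDP_AUTHN_AUDIT"/>
</logger>
```

As the post notes, the ldaptive messages still report a generic authentication failure rather than the LDAP result code, so this file shows that a password attempt failed, not exactly why.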
