Logging and auditing relationship with your security/auditors
Christopher Bongaarts
cab at umn.edu
Tue May 19 16:30:39 UTC 2020
On 5/18/2020 4:30 PM, Cantor, Scott wrote:
> Keep in mind, this whole idea of "failed logins" makes almost no sense for any other technology but passwords, or actually does get logged as a failed request since the user doesn't get to "keep trying" over and over.
I bet that most people asking to audit "failed logins" are actually
asking to log "failed password attempts" (and maybe "failed Duo
validations"); i.e. they want to "audit" the authentication process
rather than (or more likely in addition to) the normal audit
processing showing what was sent to the SP. At least that's our case.
To get this, I hacked up the ValidateUsernameAndPasswordLDAP class to
insert log messages matching our old SSO system, but I wouldn't
recommend that as a general approach. The ldaptive log messages
actually come pretty close on INFO, though I think all the
username/password failures end up with a generic
"AUTHENTICATION_SYSTEM_FAILURE" rather than the ideal of the LDAP result
codes like "Invalid credentials".
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
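As an added illustration (not code from the original post or from the Shibboleth/ldaptive projects), a small Python audit script over constructed log lines: it shows why a generic AUTHENTICATION_SYSTEM_FAILURE is less useful to auditors than an LDAP result code, by counting bad-credential attempts per user separately from directory failures. The log format, user names, codes and threshold are constructed assumptions.

```python
# Audit of failed password attempts over constructed IdP-style log lines.
# The log format is constructed for this example; it is NOT the Shibboleth
# IdP audit format or ldaptive's own log output.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2020-05-19T10:00:01Z INFO auth user=alice result=SUCCESS
2020-05-19T10:00:05Z WARN auth user=bob result=FAILURE ldap_code=49
2020-05-19T10:00:07Z WARN auth user=bob result=FAILURE ldap_code=49
2020-05-19T10:00:09Z WARN auth user=bob result=FAILURE ldap_code=49
2020-05-19T10:00:12Z WARN auth user=carol result=FAILURE ldap_code=52
2020-05-19T10:00:15Z WARN auth user=dave result=FAILURE reason=AUTHENTICATION_SYSTEM_FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) result=(?P<result>\S+)"
    r"(?: ldap_code=(?P<code>\d+))?"
)

# RFC 4511 result code 49 (invalidCredentials) means the user supplied bad
# credentials; other failure codes (e.g. 52 unavailable) point at the directory.
CREDENTIAL_CODES = {49}

def classify(line):
    """Return (user, category); category is 'success', 'bad_credentials',
    'system_failure' or 'unknown_failure' (generic code, no LDAP result)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["result"] == "SUCCESS":
        return m["user"], "success"
    if m["code"] is None:
        return m["user"], "unknown_failure"
    cat = "bad_credentials" if int(m["code"]) in CREDENTIAL_CODES else "system_failure"
    return m["user"], cat

def audit(log_text, threshold=3):
    """Per-user category counts, plus users whose bad-credential attempts
    reach `threshold` (the 'failed password attempts' auditors ask for)."""
    per_user = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed:
            per_user[parsed[0]][parsed[1]] += 1
    flagged = sorted(u for u, c in per_user.items() if c["bad_credentials"] >= threshold)
    return {u: dict(c) for u, c in per_user.items()}, flagged

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Only bob, whose three failures carry result code 49, is flagged; dave's generic failure cannot be attributed to either a bad password or a broken directory, which is the gap the post describes.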