[PATCH] 0054 Lightweight CAs: add audit events - Pki-devel - Dogtag Pki List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

[PATCH] 0054 Lightweight CAs: add audit events

[PATCH] 283 -- fix pki export into...

[PATCH] 0056 Fix sphinx build

Fraser Tweedale

Monday, 2 November 2015 Mon, 2 Nov '15

1:14 a.m.

The attached patch adds audit events for lightweight CA administration, fixing https://fedorahosted.org/pki/ticket/1590. Cheers, Fraser

Attachments:

pki-ftweedal-0054-Lightweight-CAs-add-audit-events.patch (text/plain — 16.8 KB)

Reply

Show replies by date

Ade Lee

Monday, 22 February Mon, 22 Feb

1:21 p.m.

This patch needs to be rebased. Tt was possible, however, to review the contents. In general, everything looks good. It would be be useful though, to be able to distinguish the many failure cases. For instance -- try { ca.modifyAuthority(data.getEnabled(), data.getDescription()); + audit(ILogger.SUCCESS, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); return createOKResponse(readAuthorityData(ca)); } catch (CATypeException e) { + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); throw new ForbiddenException(e.toString()); } catch (IssuerUnavailableException e) { + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); throw new ConflictingOperationException(e.toString()); } catch (EBaseException e) { CMS.debug(e); + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); throw new PKIException("Error modifying authority: " + e.toString()); } It would be nice to be able to determine if the modify failed because of permissions or otherwise. Can we add the exception error message to the auditParams? Ade On Mon, 2015-11-02 at 17:14 +1000, Fraser Tweedale wrote:

The attached patch adds audit events for lightweight CA administration, fixing https://fedorahosted.org/pki/ticket/1590. Cheers, Fraser _______________________________________________ Pki-devel mailing list Pki-devel(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-devel

Reply

Fraser Tweedale

Tuesday, 1 March Tue, 1 Mar

6:05 p.m.

On Mon, Feb 22, 2016 at 02:21:58PM -0500, Ade Lee wrote:

This patch needs to be rebased. Tt was possible, however, to review the contents. In general, everything looks good. It would be be useful though, to be able to distinguish the many failure cases. For instance -- try { ca.modifyAuthority(data.getEnabled(), data.getDescription()); + audit(ILogger.SUCCESS, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); return createOKResponse(readAuthorityData(ca)); } catch (CATypeException e) { + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); throw new ForbiddenException(e.toString()); } catch (IssuerUnavailableException e) { + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); throw new ConflictingOperationException(e.toString()); } catch (EBaseException e) { CMS.debug(e); + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); throw new PKIException("Error modifying authority: " + e.toString()); } It would be nice to be able to determine if the modify failed because of permissions or otherwise. Can we add the exception error message to the auditParams? Ade

Updated patch attached. The "exception" key is added to the auditParams map to indicate the exception (if any), rather than adding a whole new audit message parameter. Cheers, Fraser

Reply

Fraser Tweedale

6:13 p.m.

On Wed, Mar 02, 2016 at 10:05:56AM +1000, Fraser Tweedale wrote:

On Mon, Feb 22, 2016 at 02:21:58PM -0500, Ade Lee wrote: > This patch needs to be rebased. > > Tt was possible, however, to review the contents. In general, > everything looks good. It would be be useful though, to be able to > distinguish the many failure cases. For instance -- > > try { > ca.modifyAuthority(data.getEnabled(), data.getDescription()); > + audit(ILogger.SUCCESS, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); > return createOKResponse(readAuthorityData(ca)); > } catch (CATypeException e) { > + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); > throw new ForbiddenException(e.toString()); > } catch (IssuerUnavailableException e) { > + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); > throw new ConflictingOperationException(e.toString()); > } catch (EBaseException e) { > CMS.debug(e); > + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams); > throw new PKIException("Error modifying authority: " + e.toString()); > } > > It would be nice to be able to determine if the modify failed because of permissions or otherwise. > Can we add the exception error message to the auditParams? > > Ade > Updated patch attached. The "exception" key is added to the auditParams map to indicate the exception (if any), rather than adding a whole new audit message parameter. Cheers, Fraser

FRACKed by Ade (Fix, retest -> ACK). Pushed to master (2d7722f2c9b8230e79d258ad7aa1be1e87804518)

Reply

3216

days inactive

3337

days old

devel@lists.dogtagpki.org

Manage subscription

3 comments

2 participants

tags (0)

participants (2)

Ade Lee
Fraser Tweedale