Audit events are present for for user login #1054
Comments
jvanderhoof
added
kind/enhancement
component/conjur
security/medium
defined
and removed
defined
labels
|
The following video shows the audit logs on the Conjur-UI. The steps completed were all done with a valid username.
Is this the result we were interested in? @jvanderhoof |
|
Hey @h-artzi , one thing we should change here is make sure the audit logs use "login" in the failure message, rather than "authentication" since these are two different kinds of events. |
|
The following event is generated on a failed user login: {
"subject@43868": {
"role": "demo:user:admin"
},
"auth@43868": {
"authenticator": "authn"
},
"action@43868": {
"result": "failure",
"operation": "authenticate"
},
"PROGRAM": "conjur",
"PID": "6a7cad51-11cd-4683-9e2d-4562cee0e4f7",
"MSGID": "authn",
"MESSAGE": "demo:user:admin failed to authenticate with authenticator authn: CONJ00002E Invalid credentials",
"LEVEL": "warning",
"ISODATE": "2020-04-17T15:53:26.576+00:00",
"FACILITY": "authpriv"
}There is nothing more we need to complete. |
|
@jvanderhoof, the issue is this is the exact same message whether you attempt the These really should be separate audit events. Right now there is no way to distinguish between them, and they are different credentials and endpoints than |
|
Thanks for the clarification @micahlee. I'm going to re-open this and add some additional context. |
As a security administrator, I want to know when users successfully or unsuccessfully logged into Conjur, so that I can detect any suspicious behavior.
GIVEN a running Conjur instance with a user
WHEN that user logs in with a valid username and invalid password
THEN an audit message is present in the audit log noting the unsuccessful login attempt
AND WHEN that user logs in with a valid username and valid password
THEN an audit message is present in the audit log noting the successful log in
Developer Notes
authenticateevent.The text was updated successfully, but these errors were encountered: