Changing a Password is audited

[jvanderhoof]

As a security administrator, I want to know when users attempt to change their passwords so that I can detect any suspicious behavior.

GIVEN a running Conjur instance
WHEN I change my password with an invalid password ¹
THEN I see an unsuccessful password change audit event ²

AND WHEN I change my password with a valid password ³
THEN I see a successful password change audit event ⁴

Notes
Conjur does not currently support changing another user's password. The only way to "fail" when setting a password is to attempt to change a password to something that does not meet the complexity requirements.

---

¹ Change the admin user's password to a password that does not meet the complexity requirements:

$ curl -k -X PUT --data password --user admin:ADmin123!!!! \
http://localhost:3000/authn/cucumber/password

² Unsuccessful "Change Password" audit event should follow the Audit Event convention. Before we implement, let's get agreement on the format. A possible format could be:

• subject@43868
  • user: cucumber:user:admin
• auth@43868
  • user: cucumber:user:admin
• action@43868
  • result: failure
  • operation: update
• MSGID: password
• MESSAGE: "cucumber:user:admin failed to update password for cucumber:user:admin due to complexity requirements"
• LEVEL: "notice"

³ Change the admin user's password to a password that meets the complexity requirements:

$ curl -k -X PUT --data ADmin123!!-new --user admin:ADmin123!!!!
http://localhost:3000/authn/cucumber/password

⁴ Successful "Change Password" audit event should follow the Audit Event convention. Before we implement, let's get agreement on the format. A possible format could be:

• subject@43868
  • user: cucumber:user:admin
• auth@43868
  • user: cucumber:user:admin
• action@43868
  • result: success
  • operation: update
• MSGID: password
• MESSAGE: "cucumber:user:admin updated password for cucumber:user:admin"
• LEVEL: "notice"