how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?


crdaudt

Feb 8, 2018, 4:06:06 PM
to CAS Community
For one of my services, I have the following accessStrategy defined in my JSON file:

---begin---
  "accessStrategy" :
  {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" :
    {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu","CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu" ] ]
    }
  }
---end---

This works nicely to redirect unauthorized users who do not belong to either of the memberOf AD groups.  However, the default log settings in log4j2.xml do not provide any indication that an unauthorized user attempted to obtain a service ticket.

How can I set up my CAS (v5.2.2) instance to log failed attempts by unauthorized users to obtain a service ticket?

Carl

Ray Bon

Feb 8, 2018, 4:35:22 PM
to cas-...@apereo.org
Carl,

This should already be in log4j2:

        <!-- Log audit to all root appenders, and also to audit log (additivity is not false) -->
        <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" includeLocation="true" >
            <AppenderRef ref="casAudit"/>
            <AppenderRef ref="syslog"/>
        </AsyncLogger>

Ray 
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

crdaudt

Feb 9, 2018, 10:00:13 AM
to CAS Community
Yes, the configuration is there in log4j2 but the audit log is only providing entries for users who are authorized, not for those who are denied access.
I am attaching an annotated copy of my cas_audit.log, and also copies of my service's JSON file and log4j2.xml file.

My goals:
  • To log attempts of a user to gain a service ticket, both when:
    • the user is authorized (and therefore successful) and,
    • unauthorized (and therefore denied access).
  • To keep the log verbosity reasonably trim (I do not want to set debug for the entire log)
cas_audit.log
junktest-14004001.json
log4j2.xml

Dmitriy Kopylenko

Feb 9, 2018, 10:06:44 AM
to cas-...@apereo.org
The short answer is: there is currently no audit trail advice woven at the audit point you are after.

Best,
D.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b2b2c3f-34c2-4c8a-acf3-8bc5a9a34e98%40apereo.org.

crdaudt

Feb 9, 2018, 11:38:40 AM
to CAS Community, dkopy...@unicon.net
Thanks for the quick response Dmitriy.

As a workaround, might it be possible for me to replace the following:
"unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
...with something like the following:
"unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/?service=junktest.com&username=%sAMAccountName%",
...where %sAMAccountName% could be a variable replaced with the username of the user who is denied access?
If there is a way for me to grab and use the value of the username, the tomcat access log would capture the denied attempt for me.

Carl

Dmitriy Kopylenko

Feb 9, 2018, 11:57:07 AM
to cas-...@apereo.org
I’m not sure that’s possible.

One other option would be for you to implement Inspektr’s audit log at that audit point and contribute back to CAS project :-)

D.

crdaudt

Feb 9, 2018, 1:32:44 PM
to CAS Community, dkopy...@unicon.net
Thanks! :)

Dmitriy Kopylenko

Feb 12, 2018, 2:51:02 PM
to cas-...@apereo.org
The basic log entry for unauthorized principal service access (based on registered service access policies) is already present. You can see it at WARN level for org.apereo.cas.services.RegisteredServiceAccessStrategyUtils.

The full-blown Inspektr audit will require some development effort.

Cheers,
D.
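Following Dmitriy's pointer, one way to get those denials written next to the successful entries without raising the root level is a dedicated logger for that class. This is an added log4j2.xml fragment, not from the thread or the CAS project; it assumes the casAudit and syslog appenders defined in your existing log4j2.xml (the ones the Inspektr logger above already references) and goes inside the same <Loggers> element.

```xml
<!-- Added example: capture the WARN entries that
     RegisteredServiceAccessStrategyUtils emits when a principal is
     denied access to a registered service, and send them to the
     existing audit appender. Additivity is left at its default so the
     same lines still reach the root appenders (cas.log), as the
     Inspektr audit logger does. Appender names are assumed from the
     thread; adjust if your file names them differently. -->
<AsyncLogger name="org.apereo.cas.services.RegisteredServiceAccessStrategyUtils"
             level="warn" includeLocation="true">
    <AppenderRef ref="casAudit"/>
    <AppenderRef ref="syslog"/>
</AsyncLogger>
```

These lines are ordinary WARN log messages rather than Inspektr audit records, so they will not carry the audit fields (action, principal, client IP) in the same layout; the full Inspektr trail at that point is the development work Dmitriy mentions.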