Capturing the remoteIpAddr on login failure?


Cyrille Le Clerc

Mar 21, 2022, 12:16:27 PM
to Jenkins Developers
Dear all,

The Jenkins OpenTelemetry Plugin is now sending Jenkins authentication audit logs to external observability backends with the goal of routing these logs to SIEM solutions that will be able to detect abnormal behaviours (see documentation here).

To implement this authentication audit trail, we implemented a Jenkins SecurityListener (source code here: AuditingSecurityListener.java#L120) but the SecurityListener#failedLogin(username) doesn't provide any mechanism to retrieve the remoteIpAddr (Stapler#getCurrentRequest() returns null).

I looked at the code of other Jenkins plugins such as the Jenkins AuditTrail Plugin and couldn't find a solution.

Is there a way in Jenkins plugins to listen to failed logins and to retrieve the remoteIpAddr? If not, did the community consider adding this capability as it's commonly used by security tools to detect anomalous ?

Cyrille
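The following is an added illustration, not the OpenTelemetry plugin's AuditingSecurityListener: a hypothetical Jenkins SecurityListener that records failed logins and handles the exact failure mode described above, a null Stapler.getCurrentRequest(), by emitting an explicit "unknown" marker instead of throwing. The class name, the TRUST_PROXY_HEADERS flag and the log line format are assumptions; the Jenkins and Stapler APIs used (SecurityListener#failedToLogIn, Stapler.getCurrentRequest, StaplerRequest#getRemoteAddr/getHeader) are real.

```java
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import jenkins.security.SecurityListener;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;

import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Hypothetical audit listener (example code, not the plugin's own).
 * Emits one structured line per failed login, carrying the client address
 * when a Stapler request is bound to the current thread and the literal
 * marker "unknown" otherwise, so a SIEM rule can distinguish "address not
 * available" from a parsing bug.
 */
@Extension
public class ExampleFailedLoginAuditListener extends SecurityListener {

    private static final Logger LOGGER =
            Logger.getLogger(ExampleFailedLoginAuditListener.class.getName());

    /** Marker written when no request is bound (the case reported on the list). */
    static final String UNKNOWN_ADDR = "unknown";

    /**
     * Assumption: set to true only when Jenkins sits behind a reverse proxy you
     * control and that overwrites X-Forwarded-For. Otherwise any client can put
     * an arbitrary address in that header and the audit trail becomes untrustworthy.
     */
    static final boolean TRUST_PROXY_HEADERS = false;

    @Override
    protected void failedToLogIn(@NonNull String username) {
        String remoteAddr = resolveRemoteAddr(Stapler.getCurrentRequest());
        // Values are quoted so a downstream parser splits reliably even if the
        // username contains spaces; newlines are stripped to prevent log injection.
        LOGGER.log(Level.INFO, "event=login_failed username=\"{0}\" remoteAddr=\"{1}\"",
                new Object[] {sanitize(username), remoteAddr});
    }

    /** Package-private so the resolution logic can be unit tested without a Jenkins instance. */
    static String resolveRemoteAddr(StaplerRequest request) {
        if (request == null) {
            // No request bound to this thread: record that explicitly.
            return UNKNOWN_ADDR;
        }
        if (TRUST_PROXY_HEADERS) {
            String forwardedFor = request.getHeader("X-Forwarded-For");
            if (forwardedFor != null && !forwardedFor.trim().isEmpty()) {
                // The first element is the originating client; later ones are proxies.
                return forwardedFor.split(",")[0].trim();
            }
        }
        return request.getRemoteAddr();
    }

    /** Strips CR/LF/TAB and caps length so a crafted username cannot forge extra log lines. */
    static String sanitize(String username) {
        String cleaned = username.replaceAll("[\\r\\n\\t]", "_");
        return cleaned.length() > 256 ? cleaned.substring(0, 256) : cleaned;
    }
}
```

The design choice worth noting is that the missing address is surfaced as a distinct value rather than silently dropped: a detection rule can then alert on failed logins whose address is "unknown" (a sign the hook is firing outside a request, exactly the gap this thread is about) separately from brute-force patterns keyed on a real address.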

Cyrille Le Clerc

Apr 13, 2022, 4:55:32 AM
to Jenkins Developers
Dear jenkins-dev community,

Is there anyone interested in helping me solve this gap in Jenkins APIs to enable better security on the Software Supply Chain process?

Cyrille

Cyrille Le Clerc

Apr 13, 2022, 5:21:52 AM
to Jenkins Developers
I would have a question here to the Jenkins Core developers who have been involved in migrating from Acegi Security to Spring Security:

As Spring Security publishes all the authentication events as subclasses of the AbstractAuthenticationEvent through the Spring ApplicationEventPublisher, did we consider making the Jenkins SecurityListener an adapter of the Spring ApplicationEventPublisher rather than hooking the "SecurityListener.fireXxx" in different places of Jenkins, with the risk of missing some of the events?

Cyrille
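As an added example (not code from the thread's author or from Jenkins core), this is what a consumer of Spring Security's own failure events looks like, and why the question above matters for the remote address: in plain Spring Security, ProviderManager publishes AbstractAuthenticationFailureEvent subclasses through the ApplicationEventPublisher, and for form or basic logins the Authentication's details object is a WebAuthenticationDetails that already carries the client address. The class name is hypothetical, and the example assumes the listener is registered as a bean in an application context that actually publishes these events, which Jenkins does not promise for plugins.

```java
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Hypothetical Spring Security failure-event listener (example code).
 * Shows that the event already carries the pieces an audit trail needs:
 * the attempted principal name, the client address (via WebAuthenticationDetails)
 * and the failure cause, with no dependency on a thread-bound web request.
 */
public class SpringFailureEventAuditListener
        implements ApplicationListener<AbstractAuthenticationFailureEvent> {

    private static final Logger LOGGER =
            Logger.getLogger(SpringFailureEventAuditListener.class.getName());

    static final String UNKNOWN_ADDR = "unknown";

    @Override
    public void onApplicationEvent(AbstractAuthenticationFailureEvent event) {
        Authentication attempt = event.getAuthentication();
        // Failure cause class (e.g. BadCredentialsException) is useful for rate
        // rules; it stays in the audit log and is never returned to the client,
        // where it would enable user enumeration.
        String reason = event.getException().getClass().getSimpleName();
        LOGGER.log(Level.INFO, "event=login_failed username=\"{0}\" remoteAddr=\"{1}\" reason={2}",
                new Object[] {sanitize(attempt.getName()), remoteAddrOf(attempt), reason});
    }

    /**
     * Extracts the client address when the details object is the web variant.
     * Non-web authentications (e.g. API token checks from a CLI) carry other
     * details types, so the fallback marker is returned rather than failing.
     */
    static String remoteAddrOf(Authentication attempt) {
        Object details = attempt.getDetails();
        if (details instanceof WebAuthenticationDetails) {
            String addr = ((WebAuthenticationDetails) details).getRemoteAddress();
            return addr != null ? addr : UNKNOWN_ADDR;
        }
        return UNKNOWN_ADDR;
    }

    /** Removes line breaks and caps length so a crafted username cannot forge log lines. */
    static String sanitize(String name) {
        String cleaned = name == null ? "" : name.replaceAll("[\\r\\n\\t]", "_");
        return cleaned.length() > 256 ? cleaned.substring(0, 256) : cleaned;
    }
}
```

The contrast with a SecurityListener hook is that the address travels inside the event, captured at the filter where the request was still in scope, so the consumer does not need Stapler.getCurrentRequest() to be bound on the thread that handles the event.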

Jesse Glick

Apr 15, 2022, 3:31:56 PM
to jenkin...@googlegroups.com
On Wed, Apr 13, 2022 at 5:21 AM 'Cyrille Le Clerc' via Jenkins Developers <jenkin...@googlegroups.com> wrote:
> did we consider making the Jenkins SecurityListener an adapter of the Spring ApplicationEventPublisher

I do not believe that was ever considered or proposed. The focus was on moving from Acegi Security idioms to the nearest Spring Security equivalent with the minimum effort required. Expanding the coupling between Jenkins authentication and Spring Security specifics feels like the wrong direction—the migration to Spring Security would have been much easier had the vast surface area of the Acegi Security API not been directly exposed to plugins.

Cyrille Le Clerc

Apr 20, 2022, 12:09:54 PM
to Jenkins Developers
Thanks Jesse, I'm not sure how much hooking in the Spring Security events mechanism would have locked us more or less.
In the meantime, I'm doing the inventory of the SecurityListener events fired by the most popular authentication plugins in https://github.com/jenkinsci/opentelemetry-plugin/issues/410
