[mitreid-connect] Audit logging?

Zhanna Tsitkov tsitkova at mit.edu
Mon Feb 2 13:40:51 EST 2015


Hi,
Back in August 2014 there was a discussion of the Audit feature in OIDC. Please see "[Openid-specs-ab] audit in OIDC" on the OIDC mailing list. For various reasons this effort was put on hold.

Currently, there is an IETF draft https://tools.ietf.org/html/draft-tsitkov-oauth-audit-02 that discusses Audit in OAuth2; if there is any interest, it can be extended to OIDC and UMA.

Thanks,
Zhanna

On Feb 2, 2015, at 12:21 PM, mitreid-connect-request at MIT.EDU wrote:

> Today's Topics:
> 
>   1. Audit logging? (Fredrik Jönsson)
>   2. Re: Audit logging? (Justin Richer)
>   3. Re: Audit logging? (Fredrik Jönsson)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 2 Feb 2015 10:50:49 +0000
> From: Fredrik Jönsson <fjo at kth.se>
> Subject: [mitreid-connect] Audit logging?
> To: "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
> Message-ID: <9D5AEF39-0872-4AF5-ACCE-D7D183B2021A at kth.se>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> 
> We are looking into MitreID Connect and I've currently got a 1.2.0-SNAPSHOT server up and running with Active Directory integration for UserInfo and CAS authentication.
> 
> So far so good.
> 
> A question so far, has anyone implemented some reasonable level of audit logging for a production environment, and how? Any suggestions? Would like to modify the code as little as possible of course.
> 
> Best regards,
> /Fredrik
> 
> -- 
> Fredrik Jönsson, M.Sc.              Email:  fjo at kth.se
> System architect                    Phone:  +46 8 790 66 03
> Kungliga tekniska högskolan (KTH)   Mobile: +46 73 595 66 03
> KTH/UF/ITA
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 02 Feb 2015 08:25:15 -0500
> From: Justin Richer <jricher at mit.edu>
> Subject: Re: [mitreid-connect] Audit logging?
> To: Fredrik Jönsson <fjo at kth.se>,	"mitreid-connect at mit.edu"
> 	<mitreid-connect at mit.edu>
> Message-ID: <54CF7ABB.8050004 at mit.edu>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> We don't have a lot of formal audit logging built in to the system apart 
> from the system logger, which is configurable with the log4j.xml file. 
> We'd tried it with a previous version of the server (0.9 and 1.0) but it 
> was applied inconsistently and not very useful, so we pulled it out for 
> the latest stable release (1.1) so that we could re-think it and 
> reintroduce it to the next version (1.2). Which is to say, it's on our 
> to-do list for this version and we're open to ideas on how to implement 
> a proper structured audit system. I believe it would be beneficial to 
> coordinate our efforts so that the features and functionality you're 
> after get included into the main project and you'll be able to deploy 
> 1.2.0 without modification (beyond configuration) when it's released.
> 
>  -- Justin
> 
> ------------------------------
> 
> Message: 3
> Date: Mon, 2 Feb 2015 15:31:51 +0000
> From: Fredrik Jönsson <fjo at kth.se>
> Subject: Re: [mitreid-connect] Audit logging?
> To: Justin Richer <jricher at mit.edu>
> Cc: "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
> Message-ID: <C352E084-908B-4FD5-8C35-C8DC909C99B4 at kth.se>
> Content-Type: text/plain; charset="utf-8"
> 
> I can get org.springframework output, but org.mitre is pretty much not logging anything at all, at any level.
> 
> What I am primarily looking for is auditing from an Internet response team perspective, not application debugging. What we would need to be able to trace are typical authenticated actions (including OAuth clients), which in this case becomes pretty much who made what request with what result to most endpoints in the application.
> 
> I don't have an awful lot of experience on how to achieve it though. It is done reasonably well from our perspective in the Jasig CAS server, I'll check how it is done and if it's a pattern one would want to reuse.
> 
> /Fredrik
> 
> ------------------------------
> 
> End of mitreid-connect Digest, Vol 15, Issue 1
> **********************************************
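As an added illustration of the "who made what request with what result" record Fredrik asks for above (this is example code written for this page, not MITREid Connect project code and not anything the thread's participants posted), the filter below emits one structured audit line per request to a dedicated logger that log4j.xml can route to its own appender. It assumes a Spring Security XML-configured application with spring-security-oauth2 2.x (for `OAuth2Authentication.getOAuth2Request()`), a Servlet 3.0+ container (for `HttpServletResponse.getStatus()`), and SLF4J bound to log4j; the package, class and logger names are hypothetical.

```java
// Added example (not MITREid Connect project code): one structured audit record per request.
// Assumptions: Spring Security 3.2+/4 with spring-security-oauth2 2.x, Servlet 3.0+,
// SLF4J bound to log4j. Package, class and logger names are hypothetical.
package org.example.audit;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.filter.OncePerRequestFilter;

public class AuditLogFilter extends OncePerRequestFilter {

    // A dedicated logger name lets log4j.xml send audit records to their own
    // appender, independent of the org.mitre / org.springframework debug levels.
    private static final Logger AUDIT = LoggerFactory.getLogger("AUDIT");

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        long start = System.nanoTime();
        try {
            chain.doFilter(request, response);
        } finally {
            // The context is still populated here only because this filter is
            // registered inside Spring Security's chain (after="LAST"); a filter
            // registered in web.xml outside the chain would find it already cleared.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            long elapsedMs = (System.nanoTime() - start) / 1_000_000L;
            AUDIT.info(formatRecord(request, response.getStatus(), elapsedMs, auth));
        }
    }

    /** One key=value line: who, on behalf of which client, did what, with what result. */
    static String formatRecord(HttpServletRequest request, int status,
                               long elapsedMs, Authentication auth) {
        String user = "anonymous";
        String client = "-";
        if (auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken)) {
            // End user for browser and bearer-token requests; the client id itself
            // when the client authenticated directly at the token endpoint.
            user = sanitize(auth.getName());
            if (auth instanceof OAuth2Authentication) {
                OAuth2Authentication oauth = (OAuth2Authentication) auth;
                client = sanitize(oauth.getOAuth2Request().getClientId());
                if (oauth.isClientOnly()) {
                    user = "-";   // client_credentials grant: no resource owner
                }
            }
        }
        // The query string and headers are deliberately not logged: the authorize and
        // token endpoints carry authorization codes, refresh tokens, client secrets
        // and bearer tokens. getRemoteAddr() is the proxy's address behind a reverse
        // proxy; take the client address from a header the proxy is trusted to set.
        return String.format("ip=%s user=%s client=%s method=%s path=%s status=%d ms=%d",
                sanitize(request.getRemoteAddr()), user, client,
                sanitize(request.getMethod()), sanitize(request.getRequestURI()),
                status, elapsedMs);
    }

    /** Replaces control characters and whitespace so an attacker-chosen value
     *  (a registered client_id, a crafted path) cannot forge extra records or
     *  split one record across lines. */
    static String sanitize(String value) {
        return value == null ? "-" : value.replaceAll("[\\p{Cntrl}\\s]", "_");
    }
}
```

To wire it in without touching the server code, declare the filter as a bean and add `<security:custom-filter ref="auditLogFilter" after="LAST"/>` to each `<security:http>` element of the security configuration, and give the `AUDIT` logger its own appender in log4j.xml with `additivity="false"`. The caveat a responder will care about: a filter placed after `LAST` only sees requests that passed authentication and authorization, so a rejected bearer token (401) or an access-denied (403) never reaches it. To audit those too, a listener for Spring Security's `AbstractAuthenticationFailureEvent`, or a wrapped `AuthenticationEntryPoint` and `AccessDeniedHandler`, would have to write to the same logger; that part is left as a suggestion here.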