<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">What we have done this as follows. </div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">1. For all the changes, happening thru IPA APIs (either cmd line of WebUI) you can capture these in the httpd error logs. We trigger alert emails on important events such as new user addition etc. </div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">2. For everything including the above, you can always enable the 389 ds ldap audit logs. Refer to this <a href="http://directory.fedoraproject.org/docs/389ds/design/audit_improvement.html">link</a>.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Both these logs are sent to a central logging system for storage and retrieval. </div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 26 July 2016 at 16:15, Stefan Uygur <span dir="ltr"><<a href="mailto:suygur@firstderivatives.com" target="_blank">suygur@firstderivatives.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div lang="EN-IE" link="blue" vlink="purple"> <div> <p class="MsoNormal"><span style="color:#1f497d">This is the case I am after just to be more precise:<u></u><u></u></span></p> <p class="MsoNormal"><span style="color:#1f497d"><a href="https://access.redhat.com/solutions/441893" target="_blank">https://access.redhat.com/solutions/441893</a><u></u><u></u></span></p> <p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p> <p class="MsoNormal"><span style="color:#1f497d">It was requested 3yrs ago but no follow up so far.<u></u><u></u></span></p> <p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p> <div> <div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"> <p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Stefan Uygur <br> <b>Sent:</b> 26 July 2016 11:18<br> <b>To:</b> <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a><br> <b>Subject:</b> who did what on IPAv3 - auditing<u></u><u></u></span></p> </div> </div><div><div class="h5"> <p class="MsoNormal"><u></u> <u></u></p> <p class="MsoNormal">Hi all,<u></u><u></u></p> <p class="MsoNormal">Still around the auditing problem with IPA, it seems the part related to auditing is completely missing in IPA and that is not really good.<u></u><u></u></p> <p class="MsoNormal"><u></u> <u></u></p> <p class="MsoNormal">For instance, to find out who did what, who added or modified the permissions or users or sudo rules, etc, all this need auditing and it needs to be proof of concept.<u></u><u></u></p> <p class="MsoNormal"><u></u> <u></u></p> <p class="MsoNormal">I don’t see IPA being very friendly with auditing part, although IPA is a central identity management system, which means auditing is all over IPA. I am surprised that this part is missing.<u></u><u></u></p> <p class="MsoNormal"><u></u> <u></u></p> <p class="MsoNormal">There is a page suggests to set up central login: <a href="http://www.freeipa.org/page/Centralized_Logging" target="_blank"> http://www.freeipa.org/page/Centralized_Logging</a><u></u><u></u></p> <p class="MsoNormal"><u></u> <u></u></p> <p class="MsoNormal">With a combination of multiple logs, but I have checked accurately the logs, I still can’t find out say, who added user John Doe in date 21 July 2016 at 11.35.<u></u><u></u></p> <p class="MsoNormal"><u></u> <u></u></p> <p class="MsoNormal">Has anybody in the list experienced or set up such solution where the IPA server activity is tracked down?<u></u><u></u></p> <p class="MsoNormal"><u></u> <u></u></p> <p class="MsoNormal">Stefan<u></u><u></u></p> </div></div></div> </div> <br>--<br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>