5.2. Viewing the IdM API audit log
By querying the systemd journal, you can view the IdM API audit log and the details of a specific entry. This procedure shows how to identify and view the log entry for a user deletion performed through the IdM API.
Prerequisites
- You have root access to the IdM server.
Procedure
- To display a list of all IdM API operations recorded in the journal, filter the journal for the IPA.API marker:

  # journalctl -g IPA.API
  May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[247422]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
  May 23 10:32:01 idmserver.idm.example.com /usr/bin/ipa[247555]: [IPA.API] admin@IDM.EXAMPLE.COM: user_add: SUCCESS [ldap2_140328582446999] {"uid": ["new_user"], "givenname": "New", "sn": "User", "cn": "New User"}
  May 23 10:33:10 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: ping: SUCCESS [ldap2_139910420944784] {"version": "2.253"}
  May 23 10:34:05 idmserver.idm.example.com /usr/bin/ipa[247888]: [IPA.API] [autobind]: group_add_member: SUCCESS [ldap2_140328582447111] {"cn": "admins", "user": "new_user"}

  The output shows a summary of each API call: the user, the command, the result, the unique connection ID, and the parameters that were used.
- Identify the unique identifier of the specific entry you need to examine. For example, assume that the LDAP backend instance ID of the user_del call is ldap2_140328582446688.
- To obtain the detailed description of the user deletion log entry, use journalctl with the -x option and the value of the unique identifier:

  # journalctl -x -g ldap2_140328582446688
  May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[255232]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
  -- Subject: IdM API command was executed and result of its execution was audited
  -- Defined-by: FreeIPA
  -- Support: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
  -- Documentation: man:ipa(1)
  -- Documentation: https://freeipa.readthedocs.io/en/latest/api/index.html
  -- Documentation: https://freeipa.readthedocs.io/en/latest/api/user_del.html
  --
  -- Identity Management provides an extensive API that allows to manage all aspects of IdM deployments.
  --
  -- The following information about the API command executed is available:
  --
  -- [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
  --
  -- The command was executed by '/usr/bin/ipa' utility. If the utility name
  -- is '/mod_wsgi`, then this API command came from a remote source through the IdM
  -- API end-point.
  --
  -- The message includes following fields:
  --
  -- - executable name and PID ('/mod_wsgi' for HTTP end-point; in this case it
  --   was '/usr/bin/ipa' command)
  -- - '[IPA.API]' marker to allow searches with 'journalctl -g IPA.API'
  -- - authenticated Kerberos principal or '[autobind]' marker for LDAPI-based
  --   access as root. In this case it was '[autobind]'
  -- - name of the command executed, in this case 'user_del'
  -- - result of execution: SUCCESS or an exception name. In this case it was
  --   'SUCCESS'
  -- - LDAP backend instance identifier. The identifier will be the same for all
  --   operations performed under the same request. This allows to identify operations
  --   which were executed as a part of the same API request instance. For API
  --   operations that didn't result in LDAP access, there will be
  --   '[no_connection_id]' marker.
  -- - finally, a list of arguments and options passed to the command is provided
  --   in JSON format.
  --
  -- ---------
  -- The following list of arguments and options were passed to the command
  -- 'user_del' by the '[autobind]' actor:
  --
  -- {"uid": ["example_user"], "continue": false, "version": "2.253"}
  --
  -- ---------
  -- A detailed information about Identity Management API can be found at upstream documentation API reference:
  -- https://freeipa.readthedocs.io/en/latest/api/index.html
  -- For details on the IdM API command 'user_del' see
  -- https://freeipa.readthedocs.io/en/latest/api/user_del.html
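The journal explanation above spells out the field layout of an [IPA.API] line (executable and PID, actor, command, result, LDAP backend instance identifier, JSON arguments) and notes that the identifier is shared by every operation of one request. The following added example, which is not part of the Red Hat documentation or of FreeIPA itself, parses lines in that layout, groups them by connection identifier to reconstruct requests, and picks out entries a reviewer would want to look at: failed commands, and commands on a watchlist. The sample lines are the four from this page plus one constructed NotFound line; the watchlist contents, the function names, and the ApiAuditEvent structure are assumptions of this example, not FreeIPA API.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Field layout of an IdM API audit line as documented in the journal's own explanation:
#   <timestamp> <host> <executable>[<pid>]: [IPA.API] <actor>: <command>: <result> [<conn_id>] <json args>
# <actor> is an authenticated Kerberos principal or the literal '[autobind]' (LDAPI access as root).
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<exe>\S+?)\[(?P<pid>\d+)\]: "
    r"\[IPA\.API\] "
    r"(?P<actor>\[autobind\]|[^\s:]+): "
    r"(?P<command>\w+): "
    r"(?P<result>\w+) "
    r"\[(?P<conn_id>[^\]]+)\] "
    r"(?P<args>\{.*\})$"
)

# Constructed watchlist (an assumption of this example): commands whose appearance is worth review.
WATCHLIST = {"user_del", "group_add_member"}


@dataclass
class ApiAuditEvent:
    timestamp: str
    host: str
    executable: str
    pid: int
    actor: str
    command: str
    result: str
    conn_id: str
    args: dict

    @property
    def remote(self) -> bool:
        # '/mod_wsgi' means the call arrived through the HTTP API endpoint, not a local ipa CLI.
        return self.executable == "/mod_wsgi"

    @property
    def failed(self) -> bool:
        # The result field is SUCCESS or the name of the exception that was raised.
        return self.result != "SUCCESS"


def parse_line(line: str):
    """Parse one journal line; return None for lines that are not [IPA.API] audit records."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        args = json.loads(m["args"])
    except json.JSONDecodeError:
        return None
    return ApiAuditEvent(
        timestamp=m["ts"], host=m["host"], executable=m["exe"], pid=int(m["pid"]),
        actor=m["actor"], command=m["command"], result=m["result"],
        conn_id=m["conn_id"], args=args,
    )


def parse_journal(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def group_by_request(events) -> dict:
    """Group events by LDAP backend instance identifier, i.e. by API request.

    Entries carrying the '[no_connection_id]' marker never touched LDAP, so they are
    kept apart under their own key instead of being merged with one another."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev.conn_id].append(ev)
    return dict(grouped)


def find_notable(events, watchlist=WATCHLIST) -> list:
    """Return failed commands and watchlisted commands, in journal order."""
    return [ev for ev in events if ev.failed or ev.command in watchlist]


# Sample input: the four lines shown on this page plus one constructed failure line.
SAMPLE_JOURNAL = """\
May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[247422]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
May 23 10:32:01 idmserver.idm.example.com /usr/bin/ipa[247555]: [IPA.API] admin@IDM.EXAMPLE.COM: user_add: SUCCESS [ldap2_140328582446999] {"uid": ["new_user"], "givenname": "New", "sn": "User", "cn": "New User"}
May 23 10:33:10 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: ping: SUCCESS [ldap2_139910420944784] {"version": "2.253"}
May 23 10:34:05 idmserver.idm.example.com /usr/bin/ipa[247888]: [IPA.API] [autobind]: group_add_member: SUCCESS [ldap2_140328582447111] {"cn": "admins", "user": "new_user"}
May 23 10:35:22 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: user_del: NotFound [ldap2_139910420944999] {"uid": ["ghost"], "continue": false, "version": "2.253"}
"""

if __name__ == "__main__":
    events = parse_journal(SAMPLE_JOURNAL)
    for ev in find_notable(events):
        origin = "remote" if ev.remote else "local"
        print(f"{ev.timestamp} {ev.actor} {ev.command} -> {ev.result} ({origin}, request {ev.conn_id}) {ev.args}")
```

In practice the input would be `journalctl -g IPA.API -o short` output piped into parse_journal; the regex deliberately rejects anything that does not match the documented layout rather than guessing, so unrelated journal lines are dropped instead of producing half-filled events.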
Additional resources
- The journalctl(1) man page on your system