5.2. IdM API 감사 로그 보기

프로세스

1. 저널에 기록된 모든 IdM API 작업 목록을 보려면 IPA.API 마커에 대한 저널을 필터링합니다.

   # journalctl -g IPA.API
   May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[247422]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
   May 23 10:32:01 idmserver.idm.example.com /usr/bin/ipa[247555]: [IPA.API] admin@IDM.EXAMPLE.COM: user_add: SUCCESS [ldap2_140328582446999] {"uid": ["new_user"], "givenname": "New", "sn": "User", "cn": "New User"}
   May 23 10:33:10 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: ping: SUCCESS [ldap2_139910420944784] {"version": "2.253"}
   May 23 10:34:05 idmserver.idm.example.com /usr/bin/ipa[247888]: [IPA.API] [autobind]: group_add_member: SUCCESS [ldap2_140328582447111] {"cn": "admins", "user": "new_user"}

   Copy to Clipboard Toggle word wrap

   출력에는 사용자, 명령, 결과, 고유한 연결 ID 및 사용된 매개변수를 포함하여 각 API 호출의 요약이 표시됩니다.

2. 검사할 특정 항목의 고유 ID를 식별합니다. 예를 들어 user_del 호출의 LDAP 백엔드 인스턴스 식별자 ldap2_140328582446688.

3. 사용자 삭제 로그 항목에 대한 자세한 설명을 얻으려면 -x 옵션과 함께 journalctl 을 사용하고 고유 ID 값을 사용합니다.

   # journalctl -x -g ldap2_140328582446688
   May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[255232]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
   -- Subject: IdM API command was executed and result of its execution was audited
   -- Defined-by: FreeIPA
   -- Support: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
   -- Documentation: man:ipa(1)
   -- Documentation: https://freeipa.readthedocs.io/en/latest/api/index.html
   -- Documentation: https://freeipa.readthedocs.io/en/latest/api/user_del.html
   
   -- Identity Management provides an extensive API that allows to manage all aspects of IdM deployments.
   
   -- The following information about the API command executed is available:
   
   -- [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
   
   -- The command was executed by '/usr/bin/ipa' utility. If the utility name
   -- is '/mod_wsgi`, then this API command came from a remote source through the IdM
   -- API end-point.
   
   -- The message includes following fields:
   
   --   - executable name and PID ('/mod_wsgi' for HTTP end-point; in this case it
   --     was '/usr/bin/ipa' command)
   
   --   - '[IPA.API]' marker to allow searches with 'journalctl -g IPA.API'
   
   --   - authenticated Kerberos principal or '[autobind]' marker for LDAPI-based
   --     access as root. In this case it was '[autobind]'
   
   --   - name of the command executed, in this case 'user_del'
   
   --   - result of execution: SUCCESS or an exception name. In this case it was
   --     'SUCCESS'
   
   --   - LDAP backend instance identifier. The identifier will be the same for all
   --     operations performed under the same request. This allows to identify operations
   --     which were executed as a part of the same API request instance. For API
   --     operations that didn't result in LDAP access, there will be
   --     '[no_connection_id]' marker.
   
   --   - finally, a list of arguments and options passed to the command is provided
   --     in JSON format.
   
   -- ---------
   -- The following list of arguments and options were passed to the command
   -- 'user_del' by the '[autobind]' actor:
   --
   -- {"uid": ["example_user"], "continue": false, "version": "2.253"}
   -- ---------
   
   -- A detailed information about Identity Management API can be found at upstream documentation API reference:
   -- https://freeipa.readthedocs.io/en/latest/api/index.html
   
   -- For details on the IdM API command 'user_del' see
   -- https://freeipa.readthedocs.io/en/latest/api/user_del.html

   Copy to Clipboard Toggle word wrap