5.2. 查看 IdM API 审计日志

流程

1. 要查看日志中记录的所有 IdM API 操作列表，请过滤 IPA.API 标记的日志：

   # journalctl -g IPA.API
   May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[247422]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
   May 23 10:32:01 idmserver.idm.example.com /usr/bin/ipa[247555]: [IPA.API] admin@IDM.EXAMPLE.COM: user_add: SUCCESS [ldap2_140328582446999] {"uid": ["new_user"], "givenname": "New", "sn": "User", "cn": "New User"}
   May 23 10:33:10 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: ping: SUCCESS [ldap2_139910420944784] {"version": "2.253"}
   May 23 10:34:05 idmserver.idm.example.com /usr/bin/ipa[247888]: [IPA.API] [autobind]: group_add_member: SUCCESS [ldap2_140328582447111] {"cn": "admins", "user": "new_user"}

   Copy to Clipboard Toggle word wrap

   输出显示每个 API 调用的摘要，包括用户、命令、结果、唯一连接 ID 以及使用的参数。

2. 识别您要检查的特定条目的唯一标识符。例如，user_del 调用具有 LDAP 后端实例标识符 ldap2_140328582446688。

3. 使用 journalctl 和 the -x 选项和唯一标识符值，以获得用户删除日志条目的详细说明：

   # journalctl -x -g ldap2_140328582446688
   May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[255232]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
   -- Subject: IdM API command was executed and result of its execution was audited
   -- Defined-by: FreeIPA
   -- Support: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
   -- Documentation: man:ipa(1)
   -- Documentation: https://freeipa.readthedocs.io/en/latest/api/index.html
   -- Documentation: https://freeipa.readthedocs.io/en/latest/api/user_del.html
   
   -- Identity Management provides an extensive API that allows to manage all aspects of IdM deployments.
   
   -- The following information about the API command executed is available:
   
   -- [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
   
   -- The command was executed by '/usr/bin/ipa' utility. If the utility name
   -- is '/mod_wsgi`, then this API command came from a remote source through the IdM
   -- API end-point.
   
   -- The message includes following fields:
   
   --   - executable name and PID ('/mod_wsgi' for HTTP end-point; in this case it
   --     was '/usr/bin/ipa' command)
   
   --   - '[IPA.API]' marker to allow searches with 'journalctl -g IPA.API'
   
   --   - authenticated Kerberos principal or '[autobind]' marker for LDAPI-based
   --     access as root. In this case it was '[autobind]'
   
   --   - name of the command executed, in this case 'user_del'
   
   --   - result of execution: SUCCESS or an exception name. In this case it was
   --     'SUCCESS'
   
   --   - LDAP backend instance identifier. The identifier will be the same for all
   --     operations performed under the same request. This allows to identify operations
   --     which were executed as a part of the same API request instance. For API
   --     operations that didn't result in LDAP access, there will be
   --     '[no_connection_id]' marker.
   
   --   - finally, a list of arguments and options passed to the command is provided
   --     in JSON format.
   
   -- ---------
   -- The following list of arguments and options were passed to the command
   -- 'user_del' by the '[autobind]' actor:
   --
   -- {"uid": ["example_user"], "continue": false, "version": "2.253"}
   -- ---------
   
   -- A detailed information about Identity Management API can be found at upstream documentation API reference:
   -- https://freeipa.readthedocs.io/en/latest/api/index.html
   
   -- For details on the IdM API command 'user_del' see
   -- https://freeipa.readthedocs.io/en/latest/api/user_del.html

   Copy to Clipboard Toggle word wrap