1.7. Audit Trail#

Starting with LinOTP 2.4 you may also write an Audit Trail. The Audit Trail contains digitally signed log messages, that shall inform you, which user or administrator did what with which token.

For all events a consecutive number, the timestamp, the LinOTP server name and a digital signature is logged. Depending on module, other information are logged, too.

1.7.1. Logging Scopes#

Selfservice Portal#

The fact that a user logs in to the audit trail is logged as action “selfservice/index”. All actions a user may perform within the Selfservice Portal are also written to the Audit Trail.

The following information is logged:

  • action: can be:

    • userassign

    • userdisable

    • userinit

    • userresync

    • usersetmpin

    • usersetpin

    • userwebprovision

  • user: the user logon name.

  • realm: the realm of the user.

  • serial: The token serial number, on which the user preformed the action.

  • token_type: The type of the token, on which the user preformed the action.

  • success: whether the action was successful or not.

  • info: additional information in case of failure.

Validate#

If a user is authenticating the following actions and information are logged:

  • action: This can be

    • check

    • simplecheck

    • check_s

  • user

  • realm

  • serial

  • token_type

  • success

  • info

Audit Trail#

When an administrator is viewing the Audit Trail, this event is also logged with the following information:

  • action: audit/search

  • administrator: The name of the administrator

  • info: Contains the additional search pattern

Administrative Tasks#

All administrative Tasks are logged with these additional information:

  • action: This can be one of the many admin/<tasks> actions.

  • action-details: in case of the action admin/set, there are additional information, what feature of the token was set.

  • administrator: The name of the LinOTP administrator performing this task.

  • user: The name of the user on whose token this task was performed.

  • serial: The token serial number on which the task was performed.

  • token_type: The type of the token on which the task was performed.

  • success

  • info: more information in case of a failure or new values that were set, e.g. the new value of the OTP length when the OTP length was set.

System configuration#

All system configuration tasks including policy settings, UserIdResolver and realm definitions are logged with the following information:

  • action: The name of the action.

  • action-detail: If a key is set, this contains the name of the key.

  • administrator: The name of the administrator performing the task.

  • success

  • info: more information in case of failure or the new value if a key was set.

Setting License#

When an administrator is setting the license, the following information are logged:

  • action: license/setLicense

  • administrator

  • success

  • info: contains either additional error messages or in case of success information about the newly set license.

1.7.2. Viewing the Audit Trail#

You may view the Audit Trail in the tab “Audit Trail”.

1.7.3. Configuration#

The configuration of the Audit Trail can only be done via the linotp.ini file. This is a security feature to prevent LinOTP admins from configuring the Audit Trail. The Audit Trail is written by a module, that you can choose or reprogram. LinOTP comes with an audit module:

  • SQL Audit Tail.

Configure the SQL Audit Trail like this:

linotpAudit.type = linotp.lib.audit.SQLAudit
linotpAudit.sql.url = mysql://<user>:<password>@sqlserver/<Database>

If the user got the right to create database tables, the table will also be automatically created on first use.

The Audit log entries get digitally signed so that they can not be manipulated. You can generate a public/private key pair like this:

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

Now you can specify the location of the private and public key for the Audit-Modules in the /etc/linotp2/linotp.ini file:

linotpAudit.key.private = /etc/linotp2/private.pem
linotpAudit.key.public = /etc/linotp2/public.pem

You should limit the access right of the private key to the owner linotp (chmod 400 private.pem).

Note

You can create the signing keys using the tool linotp-create-auditkeys -f <linotp.ini file>.

The default name of the database audit table is “audit”. On certain databases like Oracle this is a reserved keyword, therefore you can define a prefix to ensure that there is no name collision:

linotpAudit.sql.table_prefix = linotp_

will make LinOTP write its audit data to the table “linotp_audit”.

1.7.4. Searching the Audit Trail#

You can also search with the different columns.

The search depends on your Audit Module. The SQL Audit Module accepts searching like SQL WHERE clauses.

Search in SQL Audit#

You can also do basic search and extended search with the SQL Audit Module. But the search pattern will only accept the % character like this:

date=% 11:%; action=system%

Which will give you all system configuration events at 11 am.