NAS-130462 / 24.10 / Add auditing for directory services changes (#14150

)

Generate audit trail for kerberos, AD, and LDAP changes.

src/middlewared/middlewared/plugins/activedirectory.py

@@ -257,7 +257,7 @@ async def common_validate(self, new, old, verrors):
                         'configure DNS A and AAAA records as needed for their domain.'
                     )
 
-    @accepts(Ref('activedirectory_update'))
+    @accepts(Ref('activedirectory_update'), audit='Active directory configuration update')
     @returns(Ref('activedirectory_update'))
     @job(lock="AD_start_stop")
     async def do_update(self, job, data):
@@ -776,7 +776,7 @@ async def lookup_dc(self, domain=None):
         out = json.loads(lookup.stdout.decode())
         return out
 
-    @accepts(Ref('kerberos_username_password'), roles=['DIRECTORY_SERVICE_WRITE'])
+    @accepts(Ref('kerberos_username_password'), roles=['DIRECTORY_SERVICE_WRITE'], audit='Active directory leave')
     @returns()
     @job(lock="AD_start_stop")
     async def leave(self, job, data):

src/middlewared/middlewared/plugins/kerberos.py

@@ -59,7 +59,7 @@ class Config:
         Str('appdefaults_aux', max_length=None),
         Str('libdefaults_aux', max_length=None),
         update=True
-    ))
+    ), audit='Kerberos configuration update')
     async def do_update(self, data):
         """
         `appdefaults_aux` add parameters to "appdefaults" section of the krb5.conf file.
@@ -641,7 +641,9 @@ async def kerberos_compress(self, data):
             List('admin_server'),
             List('kpasswd_server'),
             register=True
-        )
+        ),
+        audit='Kerberos realm create:',
+        audit_extended=lambda data: data['realm']
     )
     async def do_create(self, data):
         """
@@ -677,15 +679,18 @@ async def do_create(self, data):
             "kerberos_realm_create",
             "kerberos_realm_update",
             ("attr", {"update": True})
-        )
+        ),
+        audit='Kerberos realm update:',
+        audit_callback=True
     )
-    async def do_update(self, id_, data):
+    async def do_update(self, audit_callback, id_, data):
         """
         Update a kerberos realm by id. This will be automatically populated during the
         domain join process in an Active Directory environment. Kerberos realm names
         are case-sensitive, but convention is to only use upper-case.
         """
         old = await self.get_instance(id_)
+        audit_callback(old['realm'])
         new = old.copy()
         new.update(data)
 
@@ -698,11 +703,13 @@ async def do_update(self, id_, data):
         await self.middleware.call('etc.generate', 'kerberos')
         return await self.get_instance(id_)
 
-    @accepts(Int('id'))
-    async def do_delete(self, id_):
+    @accepts(Int('id'), audit='Kerberos realm delete:', audit_callback=True)
+    async def do_delete(self, audit_callback, id_):
         """
         Delete a kerberos realm by ID.
         """
+        realm_name = (await self.get_instance(id_))['realm']
+        audit_callback(realm_name)
         await self.middleware.call('datastore.delete', self._config.datastore, id_)
         await self.middleware.call('etc.generate', 'kerberos')
 
@@ -740,10 +747,12 @@ class Config:
     @accepts(
         Dict(
             'kerberos_keytab_create',
-            Str('file', max_length=None),
+            Str('file', max_length=None, private=True),
             Str('name'),
             register=True
-        )
+        ),
+        audit='Kerberos keytab create:',
+        audit_extended=lambda data: data['name']
     )
     async def do_create(self, data):
         """
@@ -772,13 +781,16 @@ async def do_create(self, data):
         Patch(
             'kerberos_keytab_create',
             'kerberos_keytab_update',
-        )
+        ),
+        audit='Kerberos keytab update:',
+        audit_callback=True
     )
-    async def do_update(self, id_, data):
+    async def do_update(self, audit_callback, id_, data):
         """
         Update kerberos keytab by id.
         """
         old = await self.get_instance(id_)
+        audit_callback(old['name'])
         new = old.copy()
         new.update(data)
 
@@ -796,13 +808,14 @@ async def do_update(self, id_, data):
 
         return await self.get_instance(id_)
 
-    @accepts(Int('id'))
-    async def do_delete(self, id_):
+    @accepts(Int('id'), audit='Kerberos keytab delete:', audit_callback=True)
+    async def do_delete(self, audit_callback, id_):
         """
         Delete kerberos keytab by id, and force regeneration of
         system keytab.
         """
         kt = await self.get_instance(id_)
+        audit_callback(kt['name'])
         if kt['name'] == 'AD_MACHINE_ACCOUNT':
             ad_config = await self.middleware.call('activedirectory.config')
             if ad_config['enable']:
@@ -830,7 +843,7 @@ async def do_delete(self, id_):
     @accepts(Dict(
         'keytab_data',
         Str('name', required=True),
-    ))
+    ), audit='Kerberos keytab upload:', audit_extended=lambda name: name)
     @returns(Ref('kerberos_keytab_entry'))
     @job(lock='upload_keytab', pipes=['input'], check_pipes=True)
     async def upload_keytab(self, job, data):

src/middlewared/middlewared/plugins/ldap.py

@@ -566,7 +566,7 @@ async def autodetect_ldap_settings(self, data):
 
         return constants.SERVER_TYPE_GENERIC
 
-    @accepts(Ref('ldap_update'))
+    @accepts(Ref('ldap_update'), audit='LDAP configuration update')
     @job(lock="ldap_start_stop")
     async def do_update(self, job, data):
         """