Univention Bugzilla – Bug 48037
Disable security related attribute values in directory-logger logs
Last modified: 2021-05-14 16:34:14 CEST
In the directory-logger log '/var/log/univention/directory-logger.log' there are security related attributes (krb5key, sambyNTPassword, sambaPasswordHistory, userPassword and pwhistory). It should be configurable to exclude or obscure these attributes.
The original purpose of the directory logger is auditing LDAP changes in blockchain style. The file should be readable only for root. If the data is not included there, the root user can do a slapcat at any time to learn the current hashes, so IMHO there is no gain in security. But maybe there are valid reasons for filtering beyond my current grasp.
There you go, the Ticket has the explanation: "we would like to send the logs over the network to our central logging system."
This issue has been filed against UCS 4.3. UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.