Post by JenHuang on Jul 22, 2020 10:05:19 GMT
Here is the long description of the property AuthFailureLoggingThreshold. "longDescription": "This property shall contain the threshold for when an authorization failure is logged. Logging shall occur after every `n` occurrences of an authorization failure, where `n` represents the value of this property. If the value is `0`, logging of authorization failures shall be disabled."
Is the AuthFailureLoggingThreshold used for all accounts, or does each account need to be checked separately?
Post by jautor on Jul 24, 2020 15:43:31 GMT
The threshold applies to each account. The underlying feature (disabling an account due to excessive invalid login attempts) tracks attempts per account, so the logging function follows that process. You would not want to take actions based on attempts across accounts, as that would provide a method to create a denial-of-service attack.
We've added a few words to the description for that property to make this clear in schema - so thanks for pointing this out.
Jeff
Post by JenHuang on Feb 25, 2021 9:28:28 GMT
Hi Jeff, the '0' has been defined as logging of authorization failures disabled, and there is no way to log every authorization failure.
Should this be considered?
Post by jautor on Feb 25, 2021 21:52:28 GMT
> Hi Jeff, the '0' has been defined as logging of authorization failures disabled, and there is no way to log every authorization failure. Should this be considered?

Setting AuthFailureLoggingThreshold to a value of 1 would log every authentication failure. The language is a bit cumbersome but that is the result. One means every failed attempt is logged, two means every 2nd attempt, three is every 3rd attempt, and so forth.
Jeff
Post by mharishm on Aug 3, 2023 5:29:11 GMT
Hi Jeff,
Based on "AccountLockoutThreshold", the Redfish account gets locked till the number of seconds set in "AccountLockoutCounterResetAfter". My doubt is, do we still need to log a failed attempt even after the account gets locked?
For example, let's say
"AccountLockoutThreshold" = 5, "AuthFailureLoggingThreshold" = 3,
On the 3rd login failure attempt, we will log 1 entry for authorization failure, and on the 5th login failure attempt we will log an entry for account lock. Should Redfish support logging the failure attempt even for the 6th attempt (when the account was locked at the 5th attempt)?
Post by mraineri on Aug 4, 2023 19:19:09 GMT
Since the two states are not tied together in the long descriptions, I wouldn't necessarily expect that the locked status of an account would impact whether or not a log entry is made for failed login attempts. So, on your 6th attempt, there would still be a log entry created.
Post by AMI_BenWang on Jan 5, 2024 4:19:54 GMT
Hi
"AccountLockoutCounterResetAfter": 30, "AccountLockoutDuration": 30, "AccountLockoutThreshold": 5, "AuthFailureLoggingThreshold": 0, "AccountLockoutCounterResetEnabled": false
In this configuration:
1. With AuthFailureLoggingThreshold set to 0, will an access denied log be generated when the number of failed login attempts reaches the specified AccountLockoutThreshold?
2. If the answer to scenario 1 is yes, and AuthFailureLoggingThreshold is set to 0 while AccountLockoutThreshold is set to 5, in this situation an access denied log will be generated on the 5th or 6th login attempt. According to the schema, it appears to be on the 6th attempt. Is that correct?
The description for AccountLockoutThreshold is as follows:
AccountLockoutThreshold
"longDescription": "This property shall contain the threshold of failed login attempts before a user account is locked. If `0`, the account shall never be locked."
Thanks
Post by mraineri on Jan 5, 2024 13:20:06 GMT
1) No, there will not be a log entry; logging is disabled when AuthFailureLoggingThreshold is set to 0.
2) Regardless of the number of attempts and when the account is locked, failed login attempts are never logged in this configuration.
Post by AMI_BenWang on Jan 8, 2024 0:28:10 GMT
> 1) No, there will not be a log entry; logging is disabled when AuthFailureLoggingThreshold is set to 0.
> 2) Regardless of the number of attempts and when the account is locked, failed login attempts are never logged in this configuration.

Thanks for your explanation. One more question: when will an access denied log be generated when the number of failed login attempts reaches the specified AccountLockoutThreshold?
"AccountLockoutCounterResetAfter": 30, "AccountLockoutDuration": 30, "AccountLockoutThreshold": 5, "AuthFailureLoggingThreshold": 50, "AccountLockoutCounterResetEnabled": false
If the AuthFailureLoggingThreshold is 50 and AccountLockoutThreshold is set to 5, in this situation, will an access denied log be generated when the number of failed login attempts reaches the specified AccountLockoutThreshold?
If yes, when will an access denied log be generated: on the 5th or 6th login attempt? According to the schema, it appears to be on the 6th attempt. Is that correct?
If no, it means an access denied log will NOT be generated when the number of failed login attempts reaches the specified AccountLockoutThreshold.
Thanks
Post by AMI_Tina on Jan 8, 2024 4:10:01 GMT
Hi,
In this configuration:
"AccountLockoutCounterResetAfter": 30,
"AccountLockoutDuration": 30,
"AccountLockoutThreshold": 5,
"AuthFailureLoggingThreshold": 3,
"AccountLockoutCounterResetEnabled": true
Our current design is that when login fails 5 times, reaching AuthFailureLoggingThreshold on the 3rd attempt will produce 1 access denied log, and reaching AuthFailureLoggingThreshold on the 5th attempt will produce 1 access denied log.
But according to the previous comment, if the lockout threshold is reached, we just lock the account and don't need to have 1 access denied log. Is that correct?
Thanks
Post by mraineri on Jan 8, 2024 13:49:28 GMT
Like I said earlier, the "AuthFailureLoggingThreshold" and "AccountLockoutThreshold" are independent and do not tie together. If you reach the lockout threshold before the auth failure logging threshold, this would not constitute an auth failure log entry; you just lock the account.
So, going by this question: "If the AuthFailureLoggingThreshold is 50 and AccountLockoutThreshold is set to 5, In this situation, will an access denied log be generated when the number of failed login attempts reaches the specified AccountLockoutThreshold?" The answer is no; the user would have to attempt to log in to the service 45 more times before the auth failure log is made.
Post by mraineri on Jan 8, 2024 21:26:18 GMT
It is also worth pointing out that regardless of the value of the AuthFailureLoggingThreshold property, you could always log a specific "account locked" message when you lock an account. That's outside of the scope of these properties, but that behavior is certainly acceptable.
Post by dannychen on Mar 1, 2024 5:38:48 GMT
> It is also worth pointing out that regardless of the value of the AuthFailureLoggingThreshold property, you could always log a specific "account locked" message when you lock an account. That's outside of the scope of these properties, but that behavior is certainly acceptable.

Hi, did you mean that whenever the account was locked, there should be a log record that the user has been locked, even though the configuration was set as below and the user has tried 6 failed logins?
"AccountLockoutCounterResetAfter": 30, "AccountLockoutDuration": 30, "AccountLockoutThreshold": 5, "AccountLockoutCounterResetEnabled": false
dannychen
Post by mraineri on Mar 1, 2024 13:32:53 GMT
No, what I'm suggesting is that it's reasonable to log an event that an account is locked when it enters the locked state as a general policy; not all services will do this, and it's going to come down to product requirements.
In this case, that would occur on the 5th failed login attempt. A 6th failed login attempt wouldn't result in that type of message to be added to a log file since the account is already in the locked state.
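The rules worked out across this thread (per-account counting from jautor's first reply, the "1 logs every failure" reading, the independence of AuthFailureLoggingThreshold from AccountLockoutThreshold, logging continuing past a lock, and a one-time "account locked" event on the attempt that reaches the lockout threshold) can be captured in a small model. The following is an added example written for this page, not DMTF or Redfish reference code; the property names mirror the AccountService properties quoted in the thread, timestamps are integer seconds, and two points the thread does not settle are marked as assumptions in the comments: a successful login clears the failure counter, and the counter reset window is measured from the most recent failure.

```python
"""Per-account model of Redfish AccountService failed-login behaviour.

Added example for this thread; not DMTF or Redfish reference code. Property
names mirror the AccountService properties quoted in the discussion.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (event name, account name, failure count at the moment the event fired)
Event = Tuple[str, str, int]


@dataclass
class AccountServiceConfig:
    AccountLockoutThreshold: int = 5           # 0 = the account is never locked
    AccountLockoutDuration: int = 30           # seconds an account stays locked
    AccountLockoutCounterResetAfter: int = 30  # seconds after last failure before the counter resets
    AccountLockoutCounterResetEnabled: bool = True
    AuthFailureLoggingThreshold: int = 0       # 0 = logging disabled, n = log every n-th failure


@dataclass
class AccountState:
    failures: int = 0       # failed attempts tracked for this account only
    last_failure: int = -1  # time of the most recent failure (-1 = none yet)
    locked_until: int = -1  # time the lockout expires (-1 = never locked)


class AuthFailureTracker:
    """Counts failures per account, never across accounts (see jautor's reply)."""

    def __init__(self, cfg: AccountServiceConfig) -> None:
        self.cfg = cfg
        self.accounts: Dict[str, AccountState] = {}
        self.log: List[Event] = []

    def is_locked(self, user: str, now: int) -> bool:
        st = self.accounts.get(user)
        return st is not None and st.locked_until >= 0 and now < st.locked_until

    def record_failure(self, user: str, now: int) -> List[Event]:
        """Register one failed attempt and return the events it produced."""
        cfg = self.cfg
        st = self.accounts.setdefault(user, AccountState())
        events: List[Event] = []

        # Assumption: the reset window is measured from the most recent failure.
        if (cfg.AccountLockoutCounterResetEnabled and st.last_failure >= 0
                and now - st.last_failure >= cfg.AccountLockoutCounterResetAfter):
            st.failures = 0

        st.failures += 1
        st.last_failure = now

        # Failure logging is independent of lock state (mraineri): the 6th attempt
        # against an already locked account still counts toward the logging threshold.
        n = cfg.AuthFailureLoggingThreshold
        if n > 0 and st.failures % n == 0:
            events.append(("AuthFailureLogged", user, st.failures))

        # The optional "account locked" event fires once, on the attempt that reaches
        # the threshold (the 5th with AccountLockoutThreshold = 5), not on later ones.
        t = cfg.AccountLockoutThreshold
        if t > 0 and st.failures == t:
            st.locked_until = now + cfg.AccountLockoutDuration
            events.append(("AccountLocked", user, st.failures))

        self.log.extend(events)
        return events

    def record_success(self, user: str) -> None:
        # Assumption (not stated in the thread): a successful login clears the counter.
        self.accounts.setdefault(user, AccountState()).failures = 0


def simulate_failures(cfg: AccountServiceConfig, user: str, count: int) -> List[Event]:
    """Run `count` failed attempts one second apart and return every event produced."""
    tracker = AuthFailureTracker(cfg)
    for second in range(count):
        tracker.record_failure(user, now=second)
    return tracker.log


if __name__ == "__main__":
    # AMI_Tina's configuration: lock at 5, log every 3rd failure.
    cfg = AccountServiceConfig(AccountLockoutThreshold=5, AuthFailureLoggingThreshold=3)
    for event in simulate_failures(cfg, "alice", 6):
        print(event)
```

Running the block with AMI_Tina's values shows an AuthFailureLogged event on the 3rd attempt, AccountLocked on the 5th and AuthFailureLogged again on the 6th; with AuthFailureLoggingThreshold set to 50 the only AuthFailureLogged event appears on the 50th attempt, matching the "45 more times" answer above, and failures against a second account leave the first account's counter untouched.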