[Bug 21190] New: GDPR: Log successful/unsuccessful login attempts
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Bug ID: 21190 Summary: GDPR: Log successful/unsuccessful login attempts Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: vfernandes@keep.pt QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Under the auspices of the recently issued European legislation regarding data privacy (GDPR), the Portuguese government has issued a series of mandatory requirements, as well as general recommendations, for software applications that are implemented under the umbrella of public bodies (RCM 41/2018). Since Koha is mostly used by municipalities and universities in Portugal, some of these mandatory requirements need to be address by Koha implementers in Portugal. We believe that this requirement is also useful for the community at large. Here’s a description of the requirement. *** Requirement description *** The application MUST log successful and unsuccessful authentication operations. This is useful, for example, to detect that a user account is being hacked. *** Scope *** Applies in all cases. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Vitor Fernandes <vfernandes@keep.pt> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - low |P2 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Vitor Fernandes <vfernandes@keep.pt> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |21191 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21191 [Bug 21191] GDPR: Script to block inactive users (with no successful logins on a defined period) -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |magnus@libriotech.no --- Comment #1 from Magnus Enger <magnus@libriotech.no> --- We must then rememeber to log all kinds of login attempts, including ILS-DI, SIP2, the REST API (if that can be used for autnetication, not sure) etc. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Mason James <mtj@kohaaloha.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mtj@kohaaloha.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #2 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Vitor Fernandes from comment #0)
*** Requirement description ***
The application MUST log successful and unsuccessful authentication operations. This is useful, for example, to detect that a user account is being hacked.
How extensive is this requirement? Koha already allows you to lock accounts after x failed login attempts. Could this be considered as meeting this requirement already? Testing the lockout feature I also noticed that the counter is being incremented too even if the account has been locked out. So each successful and each unsuccessful authentication triggers a database action. What would be the use of storing date, time and ip address additionally ? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #3 from Vitor Fernandes <vfernandes@keep.pt> --- (In reply to Marcel de Rooy from comment #2)
How extensive is this requirement? Koha already allows you to lock accounts after x failed login attempts. Could this be considered as meeting this requirement already?
Testing the lockout feature I also noticed that the counter is being incremented too even if the account has been locked out. So each successful and each unsuccessful authentication triggers a database action. What would be the use of storing date, time and ip address additionally ?
Marcel, the account lockout after a number of failed login attempts is an important enhancement but isn't what is requested by the requirement. The application must log successful and unsuccessful authentication operations. This can be done by modifying Auth.pm. When the authentication fails we can add something like: logaction("MEMBERS", "LOGIN", 0, "Login failed: ($userid) Invalid username or password" ) if C4::Context->preference("BorrowersLog"); When the authentication is successful we can add something like: my $login_info = sprintf "Login successful: (%s) %s %s - %s\n", map { $session->param($_) } qw(cardnumber firstname surname branch); logaction("MEMBERS", "LOGIN", $borrowernumber, $login_info ) if C4::Context->preference("BorrowersLog"); -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Agnes Rivers-Moore <arm@hanover.ca> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arm@hanover.ca --- Comment #4 from Agnes Rivers-Moore <arm@hanover.ca> --- We have had some accounts apparently fail to allow repeat login attempts to the limit in our preferences. In investigating this, support noted that the database counter resets back to zero after a successful login, leaving no record of the failed attempts. We would really like Koha to keep the log of successful and unsuccessful account login attempts - with timestamp. Even if we don't have it logged and visible to staff it would be helpful to support for troubleshooting. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 George Williams (NEKLS) <george@nekls.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |george@nekls.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Assignee|koha-bugs@lists.koha-commun |m.de.rooy@rijksmuseum.nl |ity.org | Summary|GDPR: Log |GDPR: Log |successful/unsuccessful |successful/unsuccessful |login attempts |login attempts [part 1] --- Comment #5 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Trying to give this a little start here :) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #6 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94713 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94713&action=edit Bug 21190: Prepare Log.t for further changes This patch only makes cosmetic changes: [1] It moves the existing tests at 'root level' inside a new subtest. [2] It obviously adds indentation for step 1. [3] It fixes some whitespace (tabs, space before newline) Test plan: Run t/db../Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #7 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94714 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94714&action=edit Bug 21190: Add subtest to Log.t for GDPR logging Apart from a new subtest, doing some more cleanup: [1] Copyright statement [2] Removing the (unneeded) flush [3] Removing C4::Log from the BEGIN block; we seem to skip that nowadays. [4] $succes goes to the subtest, $schema and $dbh are global our vars. Not required but just what we should do if it would run under Plack. Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #8 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94715 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94715&action=edit Bug 21190: Add interfaces parameter to POD in C4::Logs Just fixing documentation along the way. No test plan, just read the patch. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #9 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94717 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94717&action=edit Bug 21190: Remove t/Log.t Since we have t/db../Log.t and t/Log.t simply does nothing, we would better remove it. No test plan either :) Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |23896 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23896 [Bug 23896] logaction should pass the correct interface to Koha::Logger -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|23896 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23896 [Bug 23896] logaction should pass the correct interface to Koha::Logger -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=23896 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=21191 Blocks|21191 | --- Comment #10 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Moving 21191 to see also Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21191 [Bug 21191] GDPR: Script to block inactive users (with no successful logins on a defined period) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #11 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94732 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94732&action=edit Bug 21190: Introduce preferences AuthFailureLog and AuthSuccessLog Test plan: Run atomic update. Check the Logs tab of preferences. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #12 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94733 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94733&action=edit Bug 21190: Add authentication logging to checkpw Add optional logging for successful and failing login attempts in checkpw. Test plan: Enable the preferences Perform a good login and a bad attempt Check action_logs -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94732|0 |1 is obsolete| | --- Comment #13 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94734 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94734&action=edit Bug 21190: Introduce preferences AuthFailureLog and AuthSuccessLog Test plan: Run atomic update. Check the Logs tab of preferences. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94733|0 |1 is obsolete| | --- Comment #14 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94735 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94735&action=edit Bug 21190: Add authentication logging to checkpw Add optional logging for successful and failing login attempts in checkpw. Test plan: Enable the preferences Perform a good login and a bad attempt Check action_logs Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #15 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94736 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94736&action=edit Bug 21190: Allow browsing the system logs for AUTH events Trivial change, adding AUTH to viewlog template only. Test plan: Look for the Authentication log lines in viewlog.pl (intranet tools). Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #16 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Status: I will only extend the test for the changes in checkpw. Exploring further non-regular authentication events might be a part 2. We cover the most now via checkpw. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #17 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 94805 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94805&action=edit Bug 21190: Add tests for authentication success and failure Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #18 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Please get this further now by testing and signing off ! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Joonas Kylmälä <joonas.kylmala@helsinki.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |joonas.kylmala@helsinki.fi --- Comment #19 from Joonas Kylmälä <joonas.kylmala@helsinki.fi> --- I suggest that instead of adding two new sysprefs we could use the already existing syspref TrackLastPatronActivity? Or at least just add one syspref instead of two since I don't think such granularity is needed to log either failed or successful logins. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #20 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Joonas Kylmälä from comment #19)
I suggest that instead of adding two new sysprefs we could use the already existing syspref TrackLastPatronActivity? Or at least just add one syspref instead of two since I don't think such granularity is needed to log either failed or successful logins.
Hi Jonaas, Thx for asking. I agree that they are related. But I do think that granularity of logging success and/or failure is useful. Although Vitor is interested in both, I can imagine that others only would be interested in the failures. There might be a difference in numbers there too. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de --- Comment #21 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- (In reply to Marcel de Rooy from comment #20)
(In reply to Joonas Kylmälä from comment #19)
I suggest that instead of adding two new sysprefs we could use the already existing syspref TrackLastPatronActivity? Or at least just add one syspref instead of two since I don't think such granularity is needed to log either failed or successful logins.
Hi Jonaas, Thx for asking. I agree that they are related. But I do think that granularity of logging success and/or failure is useful. Although Vitor is interested in both, I can imagine that others only would be interested in the failures. There might be a difference in numbers there too.
I think TrackLastPatronActivity has a different goal. Could we shrink it to one additional pref using a multi-select approach? Check what you want to track. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #22 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Katrin Fischer from comment #21)
(In reply to Marcel de Rooy from comment #20)
(In reply to Joonas Kylmälä from comment #19)
I suggest that instead of adding two new sysprefs we could use the already existing syspref TrackLastPatronActivity? Or at least just add one syspref instead of two since I don't think such granularity is needed to log either failed or successful logins.
Hi Jonaas, Thx for asking. I agree that they are related. But I do think that granularity of logging success and/or failure is useful. Although Vitor is interested in both, I can imagine that others only would be interested in the failures. There might be a difference in numbers there too.
I think TrackLastPatronActivity has a different goal. Could we shrink it to one additional pref using a multi-select approach? Check what you want to track.
Thx for your feedback. Agree about TrackLastPatronActivity. The multi-select approach could of course be done; would that mean a sign-off? :) I do not think it is a requirement to get this further btw. Currently, we have all log preferences on one tab, all in YesNo style. So this is consistent; adding another way would be a style change. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #23 from Joonas Kylmälä <joonas.kylmala@helsinki.fi> --- (In reply to Marcel de Rooy from comment #22)
(In reply to Katrin Fischer from comment #21)
I think TrackLastPatronActivity has a different goal. Could we shrink it to one additional pref using a multi-select approach? Check what you want to track.
Thx for your feedback. Agree about TrackLastPatronActivity. The multi-select approach could of course be done; would that mean a sign-off? :) I do not think it is a requirement to get this further btw. Currently, we have all log preferences on one tab, all in YesNo style. So this is consistent; adding another way would be a style change.
I agree to not go out of style, so doing the multi-select approach could be something to be done in a separate bug report for all the logging options. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #24 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- I was just trying to offer a compromise here :) The other log options are simple yes/no questions, so there is no need to change that unless we want to make it more granular in what they log. I am NOT suggesting to combine them into one big multi-select, I think that would be more confusing than helpful. But a LoginLog (or similar) with 2 options in a select would still make sense to me. One pref per "data type" + options. Not insisting tho, just to explain more what I meant in the first place. I am not in the Anti-YASP group. Examples for a multi-select would be: MarkLostItemsAsReturned or SocialNetworks (on master). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94713|0 |1 is obsolete| | --- Comment #25 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 98067 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98067&action=edit Bug 21190: Prepare Log.t for further changes This patch only makes cosmetic changes: [1] It moves the existing tests at 'root level' inside a new subtest. [2] It obviously adds indentation for step 1. [3] It fixes some whitespace (tabs, space before newline) Test plan: Run t/db../Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94714|0 |1 is obsolete| | --- Comment #26 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 98068 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98068&action=edit Bug 21190: Add subtest to Log.t for GDPR logging Apart from a new subtest, doing some more cleanup: [1] Copyright statement [2] Removing the (unneeded) flush [3] Removing C4::Log from the BEGIN block; we seem to skip that nowadays. [4] $succes goes to the subtest, $schema and $dbh are global our vars. Not required but just what we should do if it would run under Plack. Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94715|0 |1 is obsolete| | --- Comment #27 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 98069 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98069&action=edit Bug 21190: Add interfaces parameter to POD in C4::Logs Just fixing documentation along the way. No test plan, just read the patch. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94717|0 |1 is obsolete| | --- Comment #28 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 98070 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98070&action=edit Bug 21190: Remove t/Log.t Since we have t/db../Log.t and t/Log.t simply does nothing, we would better remove it. No test plan either :) Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94734|0 |1 is obsolete| | --- Comment #29 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 98071 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98071&action=edit Bug 21190: Introduce preferences AuthFailureLog and AuthSuccessLog Test plan: Run atomic update. Check the Logs tab of preferences. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94735|0 |1 is obsolete| | --- Comment #30 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 98072 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98072&action=edit Bug 21190: Add authentication logging to checkpw Add optional logging for successful and failing login attempts in checkpw. Test plan: Enable the preferences Perform a good login and a bad attempt Check action_logs Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94736|0 |1 is obsolete| | --- Comment #31 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 98073 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98073&action=edit Bug 21190: Allow browsing the system logs for AUTH events Trivial change, adding AUTH to viewlog template only. Test plan: Look for the Authentication log lines in viewlog.pl (intranet tools). Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94805|0 |1 is obsolete| | --- Comment #32 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 98074 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98074&action=edit Bug 21190: Add tests for authentication success and failure Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #33 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Last action before I obsolete this report. If you ask for a change, please be ready to support its development by testing it too. Sending a signoff request to the mailing list. No response means closing this report and wasted time! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #34 from Agnes Rivers-Moore <arm@hanover.ca> --- I added comments as an end-user, my way of supporting work on this - will be sad to see it die. I appreciate the work done. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |black23@gmail.com, | |josef.moravec@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #35 from Magnus Enger <magnus@libriotech.no> --- Tested this, and everything looks good. To me it makes perfect sense to have two regular sysprefs, as Marcel says, some libraries might want to log only success or failure. I have one question, though. After doing one failed login and some successful ones I have this in the database: +-----------+---------------------+------+--------+---------+--------+--------------------------+-----------+ | action_id | timestamp | user | module | action | object | info | interface | +-----------+---------------------+------+--------+---------+--------+--------------------------+-----------+ | 1676 | 2020-01-29 22:17:06 | 51 | AUTH | SUCCESS | 51 | Valid password for admin | intranet | | 1678 | 2020-01-29 22:17:17 | 0 | AUTH | FAILURE | 0 | Wrong password for admin | intranet | | 1680 | 2020-01-29 22:17:20 | 51 | AUTH | SUCCESS | 51 | Valid password for admin | intranet | | 1681 | 2020-01-29 22:18:11 | 51 | AUTH | SUCCESS | 51 | Valid password for admin | intranet | +-----------+---------------------+------+--------+---------+--------+--------------------------+-----------+ The successfull logins are tied to a user (51), but the failed one is not (0). Couldn't the failed one also be tied to the user, as long as the username provided is the username of an actual user in the db? Or is there some reason for not doing this? Apart from this question I'm ready to sign off. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 ByWater Sandboxes <bws.sandboxes@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98067|0 |1 is obsolete| | --- Comment #36 from ByWater Sandboxes <bws.sandboxes@gmail.com> --- Created attachment 98110 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98110&action=edit Bug 21190: Prepare Log.t for further changes This patch only makes cosmetic changes: [1] It moves the existing tests at 'root level' inside a new subtest. [2] It obviously adds indentation for step 1. [3] It fixes some whitespace (tabs, space before newline) Test plan: Run t/db../Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 ByWater Sandboxes <bws.sandboxes@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98068|0 |1 is obsolete| | --- Comment #37 from ByWater Sandboxes <bws.sandboxes@gmail.com> --- Created attachment 98111 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98111&action=edit Bug 21190: Add subtest to Log.t for GDPR logging Apart from a new subtest, doing some more cleanup: [1] Copyright statement [2] Removing the (unneeded) flush [3] Removing C4::Log from the BEGIN block; we seem to skip that nowadays. [4] $succes goes to the subtest, $schema and $dbh are global our vars. Not required but just what we should do if it would run under Plack. Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 ByWater Sandboxes <bws.sandboxes@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98069|0 |1 is obsolete| | --- Comment #38 from ByWater Sandboxes <bws.sandboxes@gmail.com> --- Created attachment 98112 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98112&action=edit Bug 21190: Add interfaces parameter to POD in C4::Logs Just fixing documentation along the way. No test plan, just read the patch. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 ByWater Sandboxes <bws.sandboxes@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98070|0 |1 is obsolete| | --- Comment #39 from ByWater Sandboxes <bws.sandboxes@gmail.com> --- Created attachment 98113 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98113&action=edit Bug 21190: Remove t/Log.t Since we have t/db../Log.t and t/Log.t simply does nothing, we would better remove it. No test plan either :) Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 ByWater Sandboxes <bws.sandboxes@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98071|0 |1 is obsolete| | --- Comment #40 from ByWater Sandboxes <bws.sandboxes@gmail.com> --- Created attachment 98114 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98114&action=edit Bug 21190: Introduce preferences AuthFailureLog and AuthSuccessLog Test plan: Run atomic update. Check the Logs tab of preferences. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 ByWater Sandboxes <bws.sandboxes@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98072|0 |1 is obsolete| | --- Comment #41 from ByWater Sandboxes <bws.sandboxes@gmail.com> --- Created attachment 98115 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98115&action=edit Bug 21190: Add authentication logging to checkpw Add optional logging for successful and failing login attempts in checkpw. Test plan: Enable the preferences Perform a good login and a bad attempt Check action_logs Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 ByWater Sandboxes <bws.sandboxes@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98073|0 |1 is obsolete| | --- Comment #42 from ByWater Sandboxes <bws.sandboxes@gmail.com> --- Created attachment 98116 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98116&action=edit Bug 21190: Allow browsing the system logs for AUTH events Trivial change, adding AUTH to viewlog template only. Test plan: Look for the Authentication log lines in viewlog.pl (intranet tools). Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 ByWater Sandboxes <bws.sandboxes@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98074|0 |1 is obsolete| | --- Comment #43 from ByWater Sandboxes <bws.sandboxes@gmail.com> --- Created attachment 98117 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98117&action=edit Bug 21190: Add tests for authentication success and failure Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Jon Knight <J.P.Knight@lboro.ac.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |J.P.Knight@lboro.ac.uk Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Jacek Ablewicz <abl@biblos.pk.edu.pl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |abl@biblos.pk.edu.pl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #44 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Magnus Enger from comment #35)
Tested this, and everything looks good. To me it makes perfect sense to have two regular sysprefs, as Marcel says, some libraries might want to log only success or failure.
I have one question, though. After doing one failed login and some successful ones I have this in the database:
+-----------+---------------------+------+--------+---------+--------+------- -------------------+-----------+ | action_id | timestamp | user | module | action | object | info | interface | +-----------+---------------------+------+--------+---------+--------+------- -------------------+-----------+ | 1676 | 2020-01-29 22:17:06 | 51 | AUTH | SUCCESS | 51 | Valid password for admin | intranet | | 1678 | 2020-01-29 22:17:17 | 0 | AUTH | FAILURE | 0 | Wrong password for admin | intranet | | 1680 | 2020-01-29 22:17:20 | 51 | AUTH | SUCCESS | 51 | Valid password for admin | intranet | | 1681 | 2020-01-29 22:18:11 | 51 | AUTH | SUCCESS | 51 | Valid password for admin | intranet | +-----------+---------------------+------+--------+---------+--------+------- -------------------+-----------+
The successfull logins are tied to a user (51), but the failed one is not (0). Couldn't the failed one also be tied to the user, as long as the username provided is the username of an actual user in the db? Or is there some reason for not doing this?
Apart from this question I'm ready to sign off.
Thanks, Magnus. I do not really remember a specific reason. I could register it if it is available. People could try to hack an existing and a not-existing account. So we might have a $patron, we might not. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #45 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to ByWater Sandboxes from comment #43)
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Thanks Jon -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #46 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 98125 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98125&action=edit Bug 21190: (follow-up) Save patron id in failure when available The wrong password might belong to an existing user. If that is the case, we have a $patron. Note that logaction will save the object info but has no user in the context environment for a failure. Test plan: Login with good user, bad pw and bad user, bad pw. Check logviewer. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Michal Denar <black23@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98110|0 |1 is obsolete| | Attachment #98111|0 |1 is obsolete| | Attachment #98112|0 |1 is obsolete| | Attachment #98113|0 |1 is obsolete| | Attachment #98114|0 |1 is obsolete| | Attachment #98115|0 |1 is obsolete| | Attachment #98116|0 |1 is obsolete| | Attachment #98117|0 |1 is obsolete| | Attachment #98125|0 |1 is obsolete| | --- Comment #47 from Michal Denar <black23@gmail.com> --- Created attachment 98133 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98133&action=edit Bug 21190: Prepare Log.t for further changes This patch only makes cosmetic changes: [1] It moves the existing tests at 'root level' inside a new subtest. [2] It obviously adds indentation for step 1. [3] It fixes some whitespace (tabs, space before newline) Test plan: Run t/db../Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #48 from Michal Denar <black23@gmail.com> --- Created attachment 98134 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98134&action=edit Bug 21190: Add subtest to Log.t for GDPR logging Apart from a new subtest, doing some more cleanup: [1] Copyright statement [2] Removing the (unneeded) flush [3] Removing C4::Log from the BEGIN block; we seem to skip that nowadays. [4] $succes goes to the subtest, $schema and $dbh are global our vars. Not required but just what we should do if it would run under Plack. Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #49 from Michal Denar <black23@gmail.com> --- Created attachment 98135 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98135&action=edit Bug 21190: Add interfaces parameter to POD in C4::Logs Just fixing documentation along the way. No test plan, just read the patch. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #50 from Michal Denar <black23@gmail.com> --- Created attachment 98136 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98136&action=edit Bug 21190: Remove t/Log.t Since we have t/db../Log.t and t/Log.t simply does nothing, we would better remove it. No test plan either :) Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #51 from Michal Denar <black23@gmail.com> --- Created attachment 98137 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98137&action=edit Bug 21190: Introduce preferences AuthFailureLog and AuthSuccessLog Test plan: Run atomic update. Check the Logs tab of preferences. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #52 from Michal Denar <black23@gmail.com> --- Created attachment 98138 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98138&action=edit Bug 21190: Add authentication logging to checkpw Add optional logging for successful and failing login attempts in checkpw. Test plan: Enable the preferences Perform a good login and a bad attempt Check action_logs Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #53 from Michal Denar <black23@gmail.com> --- Created attachment 98139 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98139&action=edit Bug 21190: Allow browsing the system logs for AUTH events Trivial change, adding AUTH to viewlog template only. Test plan: Look for the Authentication log lines in viewlog.pl (intranet tools). Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #54 from Michal Denar <black23@gmail.com> --- Created attachment 98140 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98140&action=edit Bug 21190: Add tests for authentication success and failure Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #55 from Michal Denar <black23@gmail.com> --- Created attachment 98141 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98141&action=edit Bug 21190: (follow-up) Save patron id in failure when available The wrong password might belong to an existing user. If that is the case, we have a $patron. Note that logaction will save the object info but has no user in the context environment for a failure. Test plan: Login with good user, bad pw and bad user, bad pw. Check logviewer. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #56 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Michal Denar from comment #55)
Signed-off-by: Michal Denar <black23@gmail.com>
Thanks Michal too! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #57 from Magnus Enger <magnus@libriotech.no> --- (In reply to Marcel de Rooy from comment #46)
Created attachment 98125 [details] [review] Bug 21190: (follow-up) Save patron id in failure when available
The wrong password might belong to an existing user. If that is the case, we have a $patron. Note that logaction will save the object info but has no user in the context environment for a failure.
Test plan: Login with good user, bad pw and bad user, bad pw. Check logviewer.
Thanks, Marcel! Looks like people beat me to the signoff, though. :-) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98133|0 |1 is obsolete| | --- Comment #58 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 101971 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=101971&action=edit Bug 21190: Prepare Log.t for further changes This patch only makes cosmetic changes: [1] It moves the existing tests at 'root level' inside a new subtest. [2] It obviously adds indentation for step 1. [3] It fixes some whitespace (tabs, space before newline) Test plan: Run t/db../Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98134|0 |1 is obsolete| | --- Comment #59 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 101972 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=101972&action=edit Bug 21190: Add subtest to Log.t for GDPR logging Apart from a new subtest, doing some more cleanup: [1] Copyright statement [2] Removing the (unneeded) flush [3] Removing C4::Log from the BEGIN block; we seem to skip that nowadays. [4] $succes goes to the subtest, $schema and $dbh are global our vars. Not required but just what we should do if it would run under Plack. Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98135|0 |1 is obsolete| | --- Comment #60 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 101973 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=101973&action=edit Bug 21190: Add interfaces parameter to POD in C4::Logs Just fixing documentation along the way. No test plan, just read the patch. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98136|0 |1 is obsolete| | --- Comment #61 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 101974 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=101974&action=edit Bug 21190: Remove t/Log.t Since we have t/db../Log.t and t/Log.t simply does nothing, we would better remove it. No test plan either :) Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98137|0 |1 is obsolete| | --- Comment #62 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 101975 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=101975&action=edit Bug 21190: Introduce preferences AuthFailureLog and AuthSuccessLog Test plan: Run atomic update. Check the Logs tab of preferences. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98138|0 |1 is obsolete| | --- Comment #63 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 101976 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=101976&action=edit Bug 21190: Add authentication logging to checkpw Add optional logging for successful and failing login attempts in checkpw. Test plan: Enable the preferences Perform a good login and a bad attempt Check action_logs Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98139|0 |1 is obsolete| | --- Comment #64 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 101977 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=101977&action=edit Bug 21190: Allow browsing the system logs for AUTH events Trivial change, adding AUTH to viewlog template only. Test plan: Look for the Authentication log lines in viewlog.pl (intranet tools). Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98140|0 |1 is obsolete| | --- Comment #65 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 101978 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=101978&action=edit Bug 21190: Add tests for authentication success and failure Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #98141|0 |1 is obsolete| | --- Comment #66 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 101979 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=101979&action=edit Bug 21190: (follow-up) Save patron id in failure when available The wrong password might belong to an existing user. If that is the case, we have a $patron. Note that logaction will save the object info but has no user in the context environment for a failure. Test plan: Login with good user, bad pw and bad user, bad pw. Check logviewer. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Michal Denar <black23@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #67 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Rebased after last signoff on 30-01. Please QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #68 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Can we have a link to the European legislation? I would like to correctly understand the need we are trying to answer with this patch set. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |jonathan.druart@bugs.koha-c |y.org |ommunity.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #69 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Jonathan Druart from comment #68)
Can we have a link to the European legislation? I would like to correctly understand the need we are trying to answer with this patch set.
Comment1. Vitor ? Note that it is preference controlled. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #70 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- (In reply to Marcel de Rooy from comment #69)
(In reply to Jonathan Druart from comment #68)
Can we have a link to the European legislation? I would like to correctly understand the need we are trying to answer with this patch set.
Comment1. Vitor ? Note that it is preference controlled.
Sorry, I do not read Portuguese. If we are going to implement/release a GDPR recommendation we should at least point to the legislation. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #71 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- The problem is, that GDPR does not describe technical measures - so all we might have here is the Portugese guidelines. We can check if other jurisdictions have done similar, but we will probably not find something specific in the law itself. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |22794 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22794 [Bug 22794] Omnibus: Improve and extend logging in Koha -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #72 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- To me, the relevant part of the document (https://dre.pt/application/conteudo/114937034) is page 1429: """ Capacidade de monitorização, registo e análise de toda a atividade de acessos de modo a procurar ameaças prováveis. Deve ser guardado registo de atividade (log) de todas as ações que um utiliza-dor efetue sobre dados pessoais, independentemente do seu perfil e função.Obrigatório. [1] Todos os registos de atividade (log) devem ser armazenados apenas em modo de leitura, devendo, com uma periodicidade máxima de 1 mês, ser englo-bados num único bloco de registos e assinado digitalmente (garantia de integridade).Obrigatório. [2] Deve ser guardado registo de atividade (log) de todos os acessos e tentativas falhadas de acesso, obedecendo aos requisitos anteriores.Obrigatório. Garantir que os registos de atividade provenientes dos diversos subsistemas (Sistemas Operativos, aplicações, browsers, Sistema de Gestão de Base de Dados — SGBD, etc.) são inequivocamente associados à sua origem.Obrigatório. Os registos de atividade (log) devem conter, no mínimo, o endereço de acesso (IP e Porto), Host, HASH da conta do utilizador que efetuou a ação, ação efe-tuada (CRUD), Tipo de Dado Pessoal onde a ação foi efetuada, data/hora/mi-nuto/segundo (TimeStamp) da ação, alteração efetuada sobre o dado pessoal.Obrigatório. """ Trying a translation of the block [1] that we need here: """ All logs should be stored in read-only mode and kept for a maximum of 1 month. """ But I do not understand the second part (Vitor, could you help? "ser englo-bados num único bloco de registos e assinado digitalmente") Block [2]: """ Must bbe kept all activity log of all accesses and failed access attempts must be saved, in compliance with the previous requirements. """ So I think we must comply with the "maximum of 1 month". What about having a new switch to cleanup_database to get a module-name and action-name parameter for --logs? Or maybe we already deal with this part on a separate bug report? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #73 from Vitor Fernandes <vfernandes@keep.pt> --- Hi Jonathan, I'll try to explain what the portuguese legislation says about this case. (In reply to Jonathan Druart from comment #72)
To me, the relevant part of the document (https://dre.pt/application/conteudo/114937034) is page 1429:
""" Capacidade de monitorização, registo e análise de toda a atividade de acessos de modo a procurar ameaças prováveis.
Deve ser guardado registo de atividade (log) de todas as ações que um utiliza-dor efetue sobre dados pessoais, independentemente do seu perfil e função.Obrigatório.
[1] Todos os registos de atividade (log) devem ser armazenados apenas em modo de leitura, devendo, com uma periodicidade máxima de 1 mês, ser englo-bados num único bloco de registos e assinado digitalmente (garantia de integridade).Obrigatório.
[2] Deve ser guardado registo de atividade (log) de todos os acessos e tentativas falhadas de acesso, obedecendo aos requisitos anteriores.Obrigatório.
Garantir que os registos de atividade provenientes dos diversos subsistemas (Sistemas Operativos, aplicações, browsers, Sistema de Gestão de Base de Dados — SGBD, etc.) são inequivocamente associados à sua origem.Obrigatório.
Os registos de atividade (log) devem conter, no mínimo, o endereço de acesso (IP e Porto), Host, HASH da conta do utilizador que efetuou a ação, ação efe-tuada (CRUD), Tipo de Dado Pessoal onde a ação foi efetuada, data/hora/mi-nuto/segundo (TimeStamp) da ação, alteração efetuada sobre o dado pessoal.Obrigatório. """
That's the correct points :)
Trying a translation of the block [1] that we need here: """ All logs should be stored in read-only mode and kept for a maximum of 1 month. """ But I do not understand the second part (Vitor, could you help? "ser englo-bados num único bloco de registos e assinado digitalmente")
The second phrase says that we should do one of two things: 1) Dump the month entries to a file and sign the file digitally 2) Add a column in action_logs that saves the signature used for each authentication entry The first option is easy to implement using the atual BD and code of Koha.
Block [2]: """ Must bbe kept all activity log of all accesses and failed access attempts must be saved, in compliance with the previous requirements. """
So I think we must comply with the "maximum of 1 month". What about having a new switch to cleanup_database to get a module-name and action-name parameter for --logs? Or maybe we already deal with this part on a separate bug report?
The legislation doesn't cleary say that authentications logs should be removed. It says that every month we should do one of the two options above. If the first option is implemented and if the file is backed up, then we can clean the authentication logs (because we have a backup of them). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #101971|0 |1 is obsolete| | Attachment #101972|0 |1 is obsolete| | Attachment #101973|0 |1 is obsolete| | Attachment #101974|0 |1 is obsolete| | Attachment #101975|0 |1 is obsolete| | Attachment #101976|0 |1 is obsolete| | Attachment #101977|0 |1 is obsolete| | Attachment #101978|0 |1 is obsolete| | Attachment #101979|0 |1 is obsolete| | --- Comment #74 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 102493 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=102493&action=edit Bug 21190: Prepare Log.t for further changes This patch only makes cosmetic changes: [1] It moves the existing tests at 'root level' inside a new subtest. [2] It obviously adds indentation for step 1. [3] It fixes some whitespace (tabs, space before newline) Test plan: Run t/db../Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #75 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 102494 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=102494&action=edit Bug 21190: Add subtest to Log.t for GDPR logging Apart from a new subtest, doing some more cleanup: [1] Copyright statement [2] Removing the (unneeded) flush [3] Removing C4::Log from the BEGIN block; we seem to skip that nowadays. [4] $succes goes to the subtest, $schema and $dbh are global our vars. Not required but just what we should do if it would run under Plack. Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #76 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 102496 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=102496&action=edit Bug 21190: Add interfaces parameter to POD in C4::Logs Just fixing documentation along the way. No test plan, just read the patch. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #77 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 102497 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=102497&action=edit Bug 21190: Remove t/Log.t Since we have t/db../Log.t and t/Log.t simply does nothing, we would better remove it. No test plan either :) Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #78 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 102498 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=102498&action=edit Bug 21190: Introduce preferences AuthFailureLog and AuthSuccessLog Test plan: Run atomic update. Check the Logs tab of preferences. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #79 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 102499 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=102499&action=edit Bug 21190: Add authentication logging to checkpw Add optional logging for successful and failing login attempts in checkpw. Test plan: Enable the preferences Perform a good login and a bad attempt Check action_logs Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #80 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 102500 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=102500&action=edit Bug 21190: Allow browsing the system logs for AUTH events Trivial change, adding AUTH to viewlog template only. Test plan: Look for the Authentication log lines in viewlog.pl (intranet tools). Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #81 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 102501 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=102501&action=edit Bug 21190: Add tests for authentication success and failure Test plan: Run t/db_dependent/Log.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk> Signed-off-by: Michal Denar <black23@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #82 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 102502 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=102502&action=edit Bug 21190: (follow-up) Save patron id in failure when available The wrong password might belong to an existing user. If that is the case, we have a $patron. Note that logaction will save the object info but has no user in the context environment for a failure. Test plan: Login with good user, bad pw and bad user, bad pw. Check logviewer. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Michal Denar <black23@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #83 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Thanks Vitor and Jonathan for further follow-up -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |20.05.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #84 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Nice work everyone! Pushed to master for 20.05 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |release-notes-needed -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #85 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Please fix the bug title if there is now [part 2] bug reported or in the works. -- You are receiving this mail because: You are watching all bug changes.
From an earlier comment: Exploring further non-regular authentication events might be a part 2. We cover
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|GDPR: Log |GDPR: Log |successful/unsuccessful |successful/unsuccessful |login attempts [part 1] |login attempts --- Comment #86 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- the most now via checkpw. I will remove "part 1" from the title, because I do not think I will be addressing that topic very soon. But if some one is interested to go down that road (deeper in Auth.pm), I wont mind and will certainly follow it. Open up a new report and put me in CC :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This report adds two release notes| |logging preferences | |AuthFailureLog and | |AuthSuccessLog in order to | |keep track of bad login | |attempts and succcesful | |ones. | |Note that in some | |countries this may be a | |requirement as a local | |application of GDPR | |legislation. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Joy Nelson <joy@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |joy@bywatersolutions.com --- Comment #87 from Joy Nelson <joy@bywatersolutions.com> --- enhancement not backported to 19.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|GDPR: Log |Add logging of |successful/unsuccessful |successful/unsuccessful |login attempts |login attempts for GDPR -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the|This report adds two |This enhancement adds two release notes|logging preferences |new logging preferences |AuthFailureLog and |`AuthFailureLog` and |AuthSuccessLog in order to |`AuthSuccessLog` in order |keep track of bad login |to keep track of bad login |attempts and succcesful |attempts and successful |ones. |ones. |Note that in some | |countries this may be a |NOTE: In some |requirement as a local |countries, this may be a |application of GDPR |requirement as a local |legislation. |application of GDPR | |legislation. Summary|Add logging of |Add logging of |successful/unsuccessful |successful/unsuccessful |login attempts for GDPR |login attempts -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the|This enhancement adds two |This enhancement adds two release notes|new logging preferences |new logging preferences |`AuthFailureLog` and |`AuthFailureLog` and |`AuthSuccessLog` in order |`AuthSuccessLog` in order |to keep track of bad login |to keep track of bad login |attempts and successful |attempts and successful |ones. |ones. | | |NOTE: In some |NOTE: In some |countries, this may be a |countries, this may be a |requirement as a local |requirement as a local |application of GDPR |application of GDPR |legislation. |legislation. | | | |**New system | |preferences**: | |`AuthFailureLog` and | |`AuthSuccessLog` both | |default to disabled. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=25937 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|release-notes-needed | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Pushed to master |RESOLVED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #88 from Agnes Rivers-Moore <arm@hanover.ca> --- Created attachment 123540 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=123540&action=edit Picture of log showing successful SIP logins incrementing 'attempts' -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #89 from Agnes Rivers-Moore <arm@hanover.ca> --- Ah - there might be a problem with Koha counting SIP logins as 'failed' attempts. I could not see it before, but thanks to this enhancement I do see that the total of login attempts goes up by one when I log in to Overdrive Libby, and it is not reset to zero again - even though the login is successful. We had found more patrons complained of being locked out of the OPAC when they had not had 8 failed login attempts. If SIP login adds one every time, and does not clear back to zero, people using SIP products can come back to the Koha OPAC and find themselves locked out. I am on Koha 20.11 It may be this needs to be a separate new bug - anyone interested to describe what's not working as expected with SIP logins? (and possibly other kinds of external login too...) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #90 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Agnes Rivers-Moore from comment #89)
Ah - there might be a problem with Koha counting SIP logins as 'failed' attempts. I could not see it before, but thanks to this enhancement I do see that the total of login attempts goes up by one when I log in to Overdrive Libby, and it is not reset to zero again - even though the login is successful. We had found more patrons complained of being locked out of the OPAC when they had not had 8 failed login attempts. If SIP login adds one every time, and does not clear back to zero, people using SIP products can come back to the Koha OPAC and find themselves locked out. I am on Koha 20.11 It may be this needs to be a separate new bug - anyone interested to describe what's not working as expected with SIP logins? (and possibly other kinds of external login too...)
Thx for reporting. This problem should go on its own. Will open a new report now. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21190 --- Comment #91 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- See bug 28822 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org