Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-16988

[GSS](7.2.z) WFCORE-4561 - JMX audit log does not show operation parameters

    XMLWordPrintable

Details

    • +
    • Hide
      1. Install EAP 7.1.2 or higher to $SOME_DIR
      2. At a terminal, change to the $SOME_DIR directory and start the EAP server with the command ./standalone.sh -c standalone-full.xml
      3. At a terminal in the $SOME_DIR directory, run the command ./jboss-cli.sh
      4. Inside jboss-cli, run the following two commands to enable JMX audit logs:

        /subsystem=jmx/configuration=audit-log:add()
        /subsystem=jmx/configuration=audit-log/handler=file:add()

      5. Exit jboss-cli
      6. Create user jmxuser with password redhat1! on realm ManagementRealm
      7. Untar the attached "reproducer.tar.gz" to $SOME_DIR
      8. At a terminal in the $SOME_DIR directory, run the command ./runTest.sh to perform a basic JMX call from a remote Java class
      9. Observe output in $SOME_DIR/standalone/data/audit-log.log
      Show
      Install EAP 7.1.2 or higher to $SOME_DIR At a terminal, change to the $SOME_DIR directory and start the EAP server with the command ./standalone.sh -c standalone-full.xml At a terminal in the $ SOME_DIR directory, run the command ./jboss-cli.sh Inside jboss-cli, run the following two commands to enable JMX audit logs: /subsystem=jmx/configuration=audit-log:add() /subsystem=jmx/configuration=audit-log/handler= file:add( ) Exit jboss-cli Create user jmxuser with password redhat1! on realm ManagementRealm Untar the attached "reproducer.tar.gz" to $ SOME_DIR At a terminal in the $SOME_DIR directory, run the command ./runTest.sh to perform a basic JMX call from a remote Java class Observe output in $SOME_DIR/standalone/data/audit-log.log

    Description

      JMX audit logs don't actually show all values needed to audit JMX operations.

      Output for EAP's JMX audit logging currently looks like the following:

      2019-05-29 16:01:40 - {
    "type" : "jmx",
    "r/o" : false,
    "booting" : false,
    "version" : "7.1.3.GA",
    "user" : "jmxuser",
    "domainUUID" : null,
    "access" : "JMX",
    "remote-address" : "localhost/127.0.0.1",
    "method" : "invoke",
    "sig" : [
        "javax.management.ObjectName",
        "java.lang.String",
        "[Ljava.lang.Object;",
        "[Ljava.lang.String;"
    ],
    "params" : [
        "java.util.logging:type=Logging",
        "getLoggerLevel",
        "[Ljava.lang.Object;@5755b7fa",
        "[Ljava.lang.String;@784a9d0d"
    ]
}

      This result follows the format of the Java interface MBeanServerConnection.invoke() [1], but does not actually display the values in the "sig" and "params" blocks for the two arrays passed in as parameters ([Ljava.lang.Object; and [Ljava.lang.String; are just what Object.toString() returns for any array of Objects or array of Strings).

      This means that we can gather the name of the MBean and the method of it which has been invoked, but we cannot gather any information on what values were sent to the MBean. Because of this, we cannot determine what change has been attempted. This absence of information is relatively important for what is supposed to be an auditing log.

      Auditing output should contain the actual values of (at least) the Object array so that customers can audit what JMX alterations were attempted.

      [1] https://docs.oracle.com/javase/8/docs/api/javax/management/MBeanServerConnection.html#invoke-javax.management.ObjectName-java.lang.String-java.lang.Object:A-java.lang.String:A-

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-4561 JMX audit log does not show operation parameters

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-17223 [GSS](7.2.z) Upgrade WildFly Core from 6.0.15 to 6.0.16

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-iweiss Ingo Weiss
              rhn-gps-dlaffran David Laffranchi (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: