Blueprint: pci-dss-notifications
Add a reason field to the notifications emitted for PCI-DSS compliance events, for auditing.
Keystone currently does not include a reason explaining why a CADF notification was sent for the various PCI-DSS compliance events. For example, if keystone.conf [security_compliance] lockout_failure_attempts is set to 5 and a user tries and fails to log in 6 times, the failure notification for the 6th attempt does not say that the attempt failed because the user had been locked out for exceeding the maximum number of failed login attempts. Carrying this reason in the notification would benefit technical support and auditing, since consumers would no longer need to correlate notifications against Keystone's logs or configuration to tell an ordinary bad-password failure from a lockout.
Add a reason code and reason type to the notifications for the following compliance events:
Limit repeated access attempts by locking out the user ID after not more than six attempts.
This will append the following reason code and reason type to the existing identity.authenticate failure notification.
Reason Code | Reason Type / Message |
---|---|
401 | Maximum number of <number> login attempts exceeded. |
Passwords/passphrases must meet the following: (i) require a minimum length of at least seven characters, and (ii) contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
This will append the following reason code and reason type to the existing identity.update.user failure notification.
PATCH /v3/users/{user_id}
POST /v3/users/{user_id}/password
Reason Code | Reason Type / Message |
---|---|
400 | Password does not meet expected requirements: <regex_description>. |
Change user passwords/passphrases at least once every 90 days.
This will create a new notification for:
POST /v3/users/{user_id}/password
Reason Code | Reason Type / Message |
---|---|
401 | Password for <user> expired and must be changed. |
Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.
This will append the following reason code and reason type to the existing identity.update.user failure notification, since the check is applied when the password is changed rather than at authentication.
POST /v3/users/{user_id}/password
Reason Code | Reason Type / Message |
---|---|
400 | Changed password cannot be identical to the last <number> passwords. |
A user attempting to change a password before the minimum password age has elapsed. Enforcing a minimum age prevents users from cycling through passwords in quick succession to flush the password history and re-use an old password.
This will create a new notification for:
POST /v3/users/{user_id}/password
Reason Code | Reason Type / Message |
---|---|
400 | Cannot change password before minimum age <number> days is met. |
Alternatives: the reason for each event could instead be recorded only in Keystone's log files and recovered by parsing them. This leaves notification consumers without the information and requires correlating notifications with logs after the fact.
Security impact: None.
A CADF notification should be emitted for each of the PCI-DSS events triggered. A sample notification would be:
{
  "priority": "INFO",
  "_unique_id": "3c030dc463114aa0ad17d703942b1a0e",
  "event_type": "identity.authenticate",
  "timestamp": "2016-10-07 01:30:53.075097",
  "publisher_id": "identity.controller",
  "payload": {
    "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
    "initiator": {
      "typeURI": "service/security/account/user",
      "host": {
        "address": "192.168.1.1"
      },
      "user_id": "6c3d3615c1fd4e868503f0f3f4366874",
      "id": "6c3d3615c1fd4e868503f0f3f4366874"
    },
    "target": {
      "typeURI": "service/security/account/user",
      "id": "a53ea0be-cb4b-529b-8648-09999df8f511"
    },
    "observer": {
      "typeURI": "service/security",
      "id": "9bdddeda6a0b451e9e0439646e532afd"
    },
    "eventType": "activity",
    "eventTime": "2016-10-07T01:30:53.072992+0000",
    "action": "authenticate",
    "outcome": "failure",
    "id": "272aad18-5fbe-580b-b39a-5f9c3ea42f79",
    "reason": {
      "reasonCode": "401",
      "reasonType": "Maximum number of X login attempts exceeded."
    }
  },
  "message_id": "e95a0285-ac25-43d6-b4d9-406997bba38c"
}
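As an added example, not Keystone's code and not part of this blueprint, the following Python models the proposed reason field on both sides: it attaches the reason codes and messages from the tables above to a CADF failure payload, and it shows an auditing consumer reading notifications shaped like the sample above to pick out lockouts. The event keys, helper names, and the constructed notification stream are this example's own assumptions; only the reason codes and message templates come from the proposal.

```python
"""Added example (not Keystone's code): model the ``reason`` object this
blueprint proposes, attach it to a CADF failure payload, and consume it on
the auditing side.  Event keys, helper names and sample data are assumed."""

# Reason code and message template for each PCI-DSS event in the proposal.
# Placeholders follow the blueprint's tables (<number>, <regex_description>, <user>).
PCI_DSS_REASONS = {
    "lockout": ("401", "Maximum number of {number} login attempts exceeded."),
    "password_rules": ("400", "Password does not meet expected requirements: {regex_description}."),
    "password_expired": ("401", "Password for {user} expired and must be changed."),
    "password_reuse": ("400", "Changed password cannot be identical to the last {number} passwords."),
    "password_min_age": ("400", "Cannot change password before minimum age {number} days is met."),
}


def build_reason(event, **fields):
    """Return the CADF ``reason`` object for one of the proposed events."""
    code, template = PCI_DSS_REASONS[event]
    return {"reasonCode": code, "reasonType": template.format(**fields)}


def attach_reason(payload, event, **fields):
    """Append a reason to an existing CADF payload without mutating the original.

    The blueprint only adds reasons to failure notifications, so anything else
    is rejected rather than silently decorated."""
    if payload.get("outcome") != "failure":
        raise ValueError("reason is only defined for failure outcomes")
    enriched = dict(payload)
    enriched["reason"] = build_reason(event, **fields)
    return enriched


# --- consumer side -------------------------------------------------------

def audit_record(notification):
    """Flatten one notification (envelope + CADF payload) into an audit row."""
    payload = notification["payload"]
    reason = payload.get("reason") or {}
    return {
        "event_type": notification["event_type"],
        "outcome": payload["outcome"],
        "initiator": payload["initiator"].get("id"),
        "target": payload["target"].get("id"),
        "address": payload["initiator"].get("host", {}).get("address"),
        "reason_code": reason.get("reasonCode"),
        "reason": reason.get("reasonType"),
    }


def locked_out_users(notifications):
    """Initiators whose authentication failed because the lockout threshold was hit.

    reasonCode alone is not enough: 401 is shared with password expiry, so the
    lockout is identified by event_type plus the lockout message prefix."""
    users = set()
    for notification in notifications:
        rec = audit_record(notification)
        if (rec["event_type"] == "identity.authenticate"
                and rec["outcome"] == "failure"
                and rec["reason_code"] == "401"
                and (rec["reason"] or "").startswith("Maximum number of")):
            users.add(rec["initiator"])
    return users


# --- constructed sample data (shaped like the blueprint's sample) ----------

def _notification(event_type, payload):
    """Wrap a CADF payload in the notification envelope used in the sample."""
    return {"priority": "INFO", "event_type": event_type,
            "publisher_id": "identity.controller", "payload": payload}


_BASE_FAILURE = {
    "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
    "eventType": "activity",
    "action": "authenticate",
    "outcome": "failure",
    "initiator": {"typeURI": "service/security/account/user",
                  "id": "6c3d3615c1fd4e868503f0f3f4366874",
                  "host": {"address": "192.168.1.1"}},
    "target": {"typeURI": "service/security/account/user",
               "id": "a53ea0be-cb4b-529b-8648-09999df8f511"},
    "observer": {"typeURI": "service/security",
                 "id": "9bdddeda6a0b451e9e0439646e532afd"},
}

# Constructed stream: a plain bad-password failure (no reason, as today), the
# lockout on the 6th attempt, and an expired-password failure on a password
# change by a different user that shares reasonCode 401.
SAMPLE_NOTIFICATIONS = [
    _notification("identity.authenticate", _BASE_FAILURE),
    _notification("identity.authenticate",
                  attach_reason(_BASE_FAILURE, "lockout", number=5)),
    _notification("identity.update.user",
                  attach_reason(dict(_BASE_FAILURE, action="update",
                                     initiator={"typeURI": "service/security/account/user",
                                                "id": "0f0f0f0f0f0f4e868503f0f3f4366874"}),
                                "password_expired", user="alice")),
]

if __name__ == "__main__":
    for notification in SAMPLE_NOTIFICATIONS:
        print(audit_record(notification))
    print("locked out:", locked_out_users(SAMPLE_NOTIFICATIONS))
```

Note that the proposed reasonCode values are HTTP status codes and are shared across events (401 for both lockout and password expiry, 400 for the three password-policy rejections), so an auditing consumer has to key on event_type and reasonType as well, not on reasonCode alone; the consumer above does exactly that for lockouts.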
None. There will be no other end user impact.
None. There will be no additional performance impact.
None. There will be no other deployer impact.
None. There will be no developer impact.
Primary assignee:
Other contributors:
The notification structures documented at http://docs.openstack.org/developer/keystone/event_notifications.html will be updated to describe the new reason field and the reason codes and messages listed above.