Details

    • Steps to Reproduce:
      Hide
      1. Install EAP 7.1.2 or higher to $SOME_DIR
      2. At a terminal, change to the $SOME_DIR directory and start the EAP server with the command ./standalone.sh -c standalone-full.xml
      3. At a terminal in the $SOME_DIR directory, run the command ./jboss-cli.sh
      4. Inside jboss-cli, run the following two commands to enable JMX audit logs:

        /subsystem=jmx/configuration=audit-log:add()
        /subsystem=jmx/configuration=audit-log/handler=file:add()

      5. Exit jboss-cli
      6. Create user jmxuser with password redhat1! on realm ManagementRealm
      7. Untar the attached "reproducer.tar.gz" to $SOME_DIR
      8. At a terminal in the $SOME_DIR directory, run the command ./runTest.sh to perform a basic JMX call from a remote Java class
      9. Observe output in $SOME_DIR/standalone/data/audit-log.log
      Show
      Install EAP 7.1.2 or higher to $SOME_DIR At a terminal, change to the $SOME_DIR directory and start the EAP server with the command ./standalone.sh -c standalone-full.xml At a terminal in the $ SOME_DIR directory, run the command ./jboss-cli.sh Inside jboss-cli, run the following two commands to enable JMX audit logs: /subsystem=jmx/configuration=audit-log:add() /subsystem=jmx/configuration=audit-log/handler= file:add( ) Exit jboss-cli Create user jmxuser with password redhat1! on realm ManagementRealm Untar the attached "reproducer.tar.gz" to $ SOME_DIR At a terminal in the $SOME_DIR directory, run the command ./runTest.sh to perform a basic JMX call from a remote Java class Observe output in $SOME_DIR/standalone/data/audit-log.log

      Description

      JMX audit logs don't actually show all values needed to audit JMX operations.

      Output for EAP's JMX audit logging currently looks like the following:

      2019-05-29 16:01:40 - {
          "type" : "jmx",
          "r/o" : false,
          "booting" : false,
          "version" : "7.1.3.GA",
          "user" : "jmxuser",
          "domainUUID" : null,
          "access" : "JMX",
          "remote-address" : "localhost/127.0.0.1",
          "method" : "invoke",
          "sig" : [
              "javax.management.ObjectName",
              "java.lang.String",
              "[Ljava.lang.Object;",
              "[Ljava.lang.String;"
          ],
          "params" : [
              "java.util.logging:type=Logging",
              "getLoggerLevel",
              "[Ljava.lang.Object;@5755b7fa",
              "[Ljava.lang.String;@784a9d0d"
          ]
      }
      

      This result follows the format of the Java interface MBeanServerConnection.invoke() [1], but does not actually display the values in the "sig" and "params" blocks for the two arrays passed in as parameters ([Ljava.lang.Object; and [Ljava.lang.String; are just what Object.toString() returns for any array of Objects or array of Strings).

      This means that we can gather the name of the MBean and the method of it which has been invoked, but we cannot gather any information on what values were sent to the MBean. Because of this, we cannot determine what change has been attempted. This absence of information is relatively important for what is supposed to be an auditing log.

      Auditing output should contain the actual values of (at least) the Object array so that customers can audit what JMX alterations were attempted.

      [1] https://docs.oracle.com/javase/8/docs/api/javax/management/MBeanServerConnection.html#invoke-javax.management.ObjectName-java.lang.String-java.lang.Object:A-java.lang.String:A-

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  iweiss Ingo Weiss
                  Reporter:
                  iweiss Ingo Weiss
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: