Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP All
Known Affected Versions:
13.1.1, 13.1.1.2, 13.1.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1
Fixed In:
15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4
Opened: Sep 15, 2018 Severity: 2-Critical
Previously, when making a REST request from a client for the first time and it is successful, this action was not logged. Just subsequent REST calls were logged or initial failed REST calls from a client were logged.
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.
Making a successfully auth-ed initial REST request from a new client to BIG-IP.
None.
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files. Here's an example of what shows in audit log: -- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018". Here's an example of what shows in secure log: -- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018". -- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018". Subsequent REST calls will continue to be logged normally.
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files. Subsequent REST calls will continue to be logged normally.