Unable to find logs for users access to credentials for the Key Vault - azure-keyvault

I am exploring this Key Vault to be used as a credentials store (something like 1Password for Teams).
I am having trouble finding the place to see who added/updated/deleted credentials. I can only find the audit log for managing the vault itself.
Is there something else to configure to enable this logging (if it's not on by default)? Chat support has no idea either.

Of course, you can enable AuditEvent in the Diagnostic settings of your Key Vault.
Reference - https://learn.microsoft.com/en-us/azure/key-vault/general/logging
I set it to send logs to my storage account; then I can check the logs in the container named insights-logs-auditevent (the container appears with about half an hour of delay) to see who performed the operations: just check the identity in each log entry.
For example, if I want to see who created a secret, I can find a log entry like the one below (sensitive information hidden).
{
  "time":"2020-04-28T06:56:04.1406420Z",
  "category":"AuditEvent",
  "operationName":"SecretSet",
  "resultType":"Success",
  "correlationId":"xxxxx",
  "callerIpAddress":"xxxxxx",
  "identity":{
    "claim":{
      "http://schemas.microsoft.com/identity/claims/objectidentifier":"15xxxxx81d65",
      "appid":"36xxxxx1efe",
      "http://schemas.microsoft.com/identity/claims/scope":"user_impersonation",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"xxxxx@microsoft.com",
      "ipaddr":"xxxxxxx",
      "http://schemas.microsoft.com/claims/authnmethodsreferences":"pwd"
    }
  },
  "properties":{
    "id":"https://joykeyvault.vault.azure.net/secrets/sec789",
    "clientInfo":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 Edg/81.0.416.64",
    "subnetId":"(unknown)",
    "httpStatusCode":200,
    "requestUri":"https://joykeyvault.vault.azure.net/secrets/sec789?api-version=7.0",
    "isAccessPolicyMatch":true,
    "secretProperties":{
      "attributes":{
        "enabled":true
      }
    }
  },
  "resourceId":"/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS/xxxxx/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/JOYKEYVAULT",
  "operationVersion":"7.0",
  "resultSignature":"OK",
  "durationMs":"80"
}
According to the doc, the operationName for creating a secret is SecretSet. From the identity we can see that the user xxxxx@microsoft.com created it, and from the properties we can see that the secret created was sec789.
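Reading those blobs by hand does not scale, so here is an added example (not from the answer above) that walks JSON-lines AuditEvent records, keeps only successful secret write operations, and reduces each to who did what to which secret. The sample records, user names and IP addresses are constructed; the claim URIs and field names are the ones shown in the log entry above.

```python
import json
from urllib.parse import urlparse

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

# operationName values that change a secret or its lifecycle (from the Key
# Vault logging reference linked above); reads such as SecretGet are ignored.
WRITE_OPS = {"SecretSet", "SecretUpdate", "SecretDelete", "SecretPurge"}

# Constructed sample records (one JSON object per line, as in the
# insights-logs-auditevent blobs); names and IPs are made up.
SAMPLE = """\
{"time":"2020-04-28T06:56:04.1406420Z","category":"AuditEvent","operationName":"SecretSet","resultType":"Success","callerIpAddress":"203.0.113.5","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"alice@example.com","appid":"app-1"}},"properties":{"id":"https://joykeyvault.vault.azure.net/secrets/sec789","httpStatusCode":200,"isAccessPolicyMatch":true}}
{"time":"2020-04-28T07:01:00.0000000Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","callerIpAddress":"203.0.113.9","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"bob@example.com"}},"properties":{"id":"https://joykeyvault.vault.azure.net/secrets/sec789/abc123","httpStatusCode":200,"isAccessPolicyMatch":true}}
{"time":"2020-04-28T07:05:00.0000000Z","category":"AuditEvent","operationName":"SecretDelete","resultType":"Success","callerIpAddress":"203.0.113.5","identity":{"claim":{"appid":"app-2"}},"properties":{"id":"https://joykeyvault.vault.azure.net/secrets/sec789","httpStatusCode":200,"isAccessPolicyMatch":true}}
"""

def summarize_event(record):
    """Reduce one AuditEvent record to who / what / which secret / outcome."""
    claims = record.get("identity", {}).get("claim", {})
    props = record.get("properties", {})
    # properties.id is https://<vault>.vault.azure.net/secrets/<name>[/<version>]
    parts = urlparse(props.get("id", "")).path.strip("/").split("/")
    secret = parts[1] if len(parts) >= 2 and parts[0] == "secrets" else None
    return {
        "time": record.get("time"),
        "operation": record.get("operationName"),
        # a user shows up by UPN; a service principal only by object id / appid
        "who": claims.get(UPN_CLAIM) or claims.get(OID_CLAIM) or claims.get("appid"),
        "caller_ip": record.get("callerIpAddress"),
        "secret": secret,
        "status": props.get("httpStatusCode"),
        "policy_match": props.get("isAccessPolicyMatch"),
    }

def secret_changes(lines):
    """Yield summaries of successful secret write operations from JSON-lines input."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("category") != "AuditEvent" or rec.get("resultType") != "Success":
            continue
        if rec.get("operationName") in WRITE_OPS:
            yield summarize_event(rec)
```

Feed it a downloaded blob with `list(secret_changes(open(path)))`; the SecretGet in the sample is dropped because it is a read, the SecretDelete is kept and attributed to the appid since that caller has no UPN claim.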

Is it possible to implement EAP-MSCHAPv2 without Active Directory?

I would like to test 802.1X function for an Ethernet Switch (NAS).
I have a workstation (Windows 10) and an Ubuntu server: I want to test EAP-MSCHAPv2.
I see a tutorial to configure FreeRADIUS : https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
The problem is that I don't have a Windows server. Is it possible to test EAP-MSCHAPv2 without it? How do I configure FreeRADIUS? ... I just want to test a static configuration with one login+password.
Currently my FreeRADIUS works with EAP-MD5: I already created the user profile and the NAS config.
You need to set the MS-CHAP-Use-NTLM-Auth attribute to No in the control list. The mschap module will then do the authentication internally, rather than trying to call out to AD.
This is documented more extensively in raddb/mods-available/mschap.
For example you could create a user bob with password test in the raddb/users file thus:
bob Cleartext-Password := "test", MS-CHAP-Use-NTLM-Auth := No
Note that this attribute must be in the control list, not in the reply list, so appears on the same line as the username.

Problem with scope results during token generation when APIM 3.2.0 is configured with IS 5.10.0 as key manager

I found strange behavior while checking the functionality of WSO2 AM + IS as key manager.
Env I:
WSO2 AM 3.2.0 (GA pack)
Env II:
WSO2 AM 3.2.0 (GA pack)
WSO2 IS 5.10.0 (GA pack)
Configuration:
created users: user-low, user-high
created roles: low, high
user-low has assigned low role
user-high has assigned high role
created shared scopes: high-scope, low-scope
high-scope pointed to high role
low-scope pointed to low role
published an API with 2 endpoints:
/unsecure (assigned scope: low-scope)
/secured (assigned scope: high-scope)
Behaviour on ENV I (working fine - expected behaviour):
After trying to generate a token as "user-high" with scopes high-scope, low-scope, I receive from the endpoint https://localhost:9443/generate-token the following
response:
{
"accessToken":"eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBelpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0dZd01XSTBaV05tTkRjeE5HWXdZbU00WlRBM01XSTJOREF6WkdRek5HTTBaR1JsTmpKa09ERmtaRFJpT1RGa01XRmhNelUyWkdWbE5nX1JTMjU2IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ1c2VyLWhpZ2hAY2FyYm9uLnN1cGVyIiwiYXV0IjoiQVBQTElDQVRJT04iLCJhdWQiOiIxeXZfaUZ2d3RvZmZ4RU90ZlJGZmpseGNjNG9hIiwibmJmIjoxNjEyMzU3NTExLCJhenAiOiIxeXZfaUZ2d3RvZmZ4RU90ZlJGZmpseGNjNG9hIiwic2NvcGUiOiJISUdIIGFtX2FwcGxpY2F0aW9uX3Njb3BlIiwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNjEyMzYxMTExLCJpYXQiOjE2MTIzNTc1MTEsImp0aSI6ImQ3OTQ3ODc0LTRlNTMtNGI1My1iMWUwLTE0NGEwYTY2MDU5ZSJ9.KBol5clfIxScVPYVzdmBkz0APaE7uL8genldz8tx_G0FnaJStjn0tizDQfdcc46ZaEC1ahEfsGqBea6sJ8dpFucpf3ZqxnCz7CoJnVLU5F4lAXm_C3imWhOWLxF_wka0dlGExPDBpXQOmnspe2b45DSpIpz3zbTnnuClFM91tJkWrG9-k_ZIUHikI34m3aWltotXJzQJojdhL42pUCCttGcNGDbU9vfZ4wOcRx4fiVe6z0azvDBGP3FBSY00HyBFUo7ME9dqMaU_EDTybk77uLHyNGoQggOO42WU0ZfanrGlsYJSuzyQi4VVW3V1Uy6591b18LA28zq1c9Ay2-aMXw",
"tokenScopes":[
"HIGH",
"am_application_scope"
],
"validityTime":3600
}
Behaviour on ENV II:
After trying to generate a token as "user-high" with scopes high-scope, low-scope, I receive from the endpoint https://localhost:9443/generate-token the following
response:
{
"accessToken":"eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBelpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0dZd01XSTBaV05tTkRjeE5HWXdZbU00WlRBM01XSTJOREF6WkdRek5HTTBaR1JsTmpKa09ERmtaRFJpT1RGa01XRmhNelUyWkdWbE5nX1JTMjU2IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ1c2VyLWhpZ2hAY2FyYm9uLnN1cGVyIiwiYXV0IjoiQVBQTElDQVRJT04iLCJhdWQiOiJHU1RYeVdhNlNCeHRNRWhiVF91SnA4ZmtBNUlhIiwibmJmIjoxNjEyMzU3MDQ5LCJhenAiOiJHU1RYeVdhNlNCeHRNRWhiVF91SnA4ZmtBNUlhIiwic2NvcGUiOiJISUdIIExPVyIsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTYxMjM2MDY0OSwiaWF0IjoxNjEyMzU3MDQ5LCJqdGkiOiI0OTdhOTQ3OC0zZjg3LTQ0NmMtYjQ4OS1kMjI1MmQ2NDA2ZTYifQ.AoFKYLRsZBHELh8m0XBV0ndr19SMl0xMwzACG5-Q_ek7VRtWmocqJeAEjrXguUhcIUqHs843NPzcf185BpEjwCwJcXcR7ssIqxzINYSH0s7_LTm4X7XHMxV4cnF8gAiRnUQhGZQHgCyWI6NJ5VAcpIde5BnWaVcmx2Q5VFOFXGskfOB7325LcmhMS13Ni5oK2vb7YcTs059Zhoj13MrRnAOKoE1xrO9ioSVBXj9oX5RZ2uvdT_V3FQNWklc5jdMgebHDUQw-q_C5q9qhlGRZKql2ktcJ3OUeyGnJYEppuM0tOKCSTeH93MNcf6TAXYWEiRioa0FhRJblrfCIQrsHvA",
"tokenScopes":[
"HIGH",
"LOW"
],
"validityTime":3600
}
It looks like token generation in ENV II is not working properly. Here are my questions:
Is it a bug in these versions or some misconfiguration issue?
If it's a bug, where should I start trying to fix it? Could someone point me to where that functionality is implemented? (I want to use the open-source version rather than updating products using WUM.)
Was that situation resolved in later versions of the submodules used to build product-apim and product-is?
Thanks in advance for any help and suggestions!
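The expected rule behind ENV I is that a role-bound scope is granted only when the requesting user holds one of its roles. The following added example (not from the question's author or from WSO2) models that rule with the roles and scope bindings listed above and flags the scopes an issued token should not contain; the upper-case scope names are assumed to be how the gateway reports the shared scopes, as in the two responses.

```python
# Role assignments and shared-scope bindings as configured above.
USER_ROLES = {"user-high": {"high"}, "user-low": {"low"}}
SCOPE_ROLES = {"high-scope": {"high"}, "low-scope": {"low"}}
# Assumption: the gateway reports shared scopes in tokenScopes in upper case,
# as in the two responses above; map them back to the configured names.
SCOPE_ALIASES = {"HIGH": "high-scope", "LOW": "low-scope"}


def allowed_scopes(user, requested):
    """Scopes the user may be granted from a request: a role-bound scope needs
    one of its roles; an unbound scope (e.g. am_application_scope) is not
    role-restricted and passes through."""
    roles = USER_ROLES.get(user, set())
    granted = set()
    for scope in requested:
        bound_roles = SCOPE_ROLES.get(scope)
        if bound_roles is None or roles & bound_roles:
            granted.add(scope)
    return granted


def over_granted(user, token_scopes):
    """Role-bound scopes present in an issued token that the user's roles do not
    cover. Empty for a correctly behaving key manager; {'low-scope'} for the
    ENV II response above."""
    names = {SCOPE_ALIASES.get(s, s) for s in token_scopes}
    return {s for s in names if s in SCOPE_ROLES} - allowed_scopes(user, names)
```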

Access localhost via Microsoft Edge extension background page

Recently we migrated a Chrome extension to Microsoft Edge. Since Edge hasn't implemented native messaging, we want to communicate with the native app over a websocket from the Edge extension background page.
After testing, we found that a websocket in the background page can reach an external host successfully, but not localhost; even accessing '127.0.0.1' failed.
And when we tried to access localhost from a web page, it worked!
Edge browser info:
userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; ServiceUI 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
We have checked "Allow localhost loopback (this might put your device at risk)" from about:flags.
Does the Edge extension background page support access to localhost? If it does, how can we achieve it? If not, could anyone help?
We run the WebSocket server as in this example: https://blog.idrsolutions.com/2013/12/websockets-an-introduction/.
The extension can be downloaded from: https://github.com/chhxia/Edge-Extension.
The code of the Edge extension background JS:
var ws;

function openSocket() {
    var path;
    // path = 'wss://echo.websocket.org'; // successfully access this path.
    path = 'ws://localhost:8080/EchoChamber/echo';
    console.log('===> Tested path :: ', path);
    try {
        ws = new WebSocket(path);
    } catch (e) {
        // The constructor threw (e.g. blocked URL), so there is no socket to
        // attach handlers to; leave ws undefined and stop here.
        console.error('===> WebSocket creation error :: ', e);
        ws = undefined;
        return;
    }
    ws.onopen = function () {
        alert('open...');
        ws.send('text');
    };
    ws.onmessage = function (e) {
        alert('receive: ' + e.data);
    };
    ws.onclose = function (e) {
        ws = undefined;
        alert('close... code ' + e.code);
    };
}

(function () {
    openSocket();
    // browser.* is the extension API exposed to the Edge background page.
    browser.browserAction.onClicked.addListener(function (tab) {
        if (ws === undefined) {
            openSocket();
        } else if (ws.readyState === WebSocket.OPEN) {
            alert('send');
            ws.send('text');
        } else {
            alert('websocket is closed.');
        }
    });
})();
To save you a few clicks: IE, Chrome, and Firefox allow it, Edge doesn't. Microsoft says that accessing localhost in Edge extensions is blocked by design:
"We are working on Native Messaging for the next release and using native messaging is the right way to solve this scenario. Localhost access is not enabled from extension background page is by design."
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/8984919/
... and native messaging for Edge requires a UWP host:
"At a high level, Microsoft Edge extensions use the same APIs for native messaging as Chrome and Firefox extensions. However, the native messaging host will need to be implemented using the Universal Windows Platform."
https://learn.microsoft.com/en-us/microsoft-edge/extensions/guides/native-messaging
I ran into this issue while developing my own extension for Edge. I had also checked the "Allow loopback..." setting in about:flags and so I was very confused and frustrated. Having your extension be able to reach localhost while developing seems like a reasonable thing to want... right?
It turns out that you can actually access localhost from an Edge extension. You just have to ensure that you add Edge to the loopback exempt list by running CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" in a PowerShell prompt (running in Administrator mode).
To undo that, just run CheckNetIsolation LoopbackExempt -d -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe".
Edge issue regarding Edge extensions and localhost requests: https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13966307/.

Sending files from iOS app to server running on google app engine

My iOS app interacts with a Google App Engine backend. I have an option for the user to report an issue. When the user enters the text describing the problem and presses the Submit button, I want to start a background upload of the issue description plus the logs collected in the app using CocoaLumberjack.
My current approach (almost working) is as follows. iOS sends a multipart/form-data POST request that contains a String with bug description and log file content (NSData) with each part separated by a boundary. The GAE server is able to successfully decode each part and I am able to see the file content when I print it out using logging.info(). However, when I try to store the file to GCS, I get an error. The code used to store to GCS and error are below.
I have one storage bucket configured and this has class = Durable Reduced Availability.
Can someone point me to what I'm doing wrong (I suspect it is something about how I set up the authorization lists in the GCS container)?
Alternatively, I am all ears if someone has an easier way to solve this problem.
Code used to store into GCS is:
import logging
import cloudstorage as gcs

# filename must be a GCS path of the form '/<bucket>/<object>': the first
# path component is taken as the bucket name (the error below shows the
# library treating '/var/...' as bucket 'var').
logging.info('Creating file %s\n' % filename)
write_retry_params = gcs.RetryParams(initial_delay=0.2,
                                     max_delay=5.0,
                                     backoff_factor=1.2,
                                     max_retry_period=15)
gcs_file = gcs.open(filename,
                    'w',
                    content_type='text/plain',
                    retry_params=write_retry_params)
# write() takes the data to store, not a filename keyword
gcs_file.write(getattr(request, 'fileAttached'))
gcs_file.close()
Error seen in GAE:
ForbiddenError: Expect status [201] from Google Storage. But got status 403.
Path: '/var/mobile/Containers/Data/Application/4FB6C1D7-9504-4215-BC25-FC490298EEF6/Library/Caches/Logs/com.apm.smartiothome.chatime%202016-01-20%2008-01.log'.
Request headers: {'x-goog-resumable': 'start', 'x-goog-api-version': '2', 'content-type': 'text/plain', 'accept-encoding': 'gzip, *'}.
Response headers: {'content-type': 'application/xml; charset=UTF-8', 'content-length': '195', 'vary': 'Origin', 'x-guploader-uploadid': 'AEnB2Uo1b-z2VGlHOnurusG2F9bgKcBVwmYWZrQFG4d4NBrHA_tk9wTPoa4kB1Aici7XP7Z6fNtuSJlGDokUmxtCFAl8aMnXGA'}.
Body: "AccessDeniedAccess denied.Caller does not have storage.objects.create access to bucket var.".
Extra info: None.
I opened the menu "IAM & Admin" > Service accounts and copied the "Service account ID" from the row "App Engine default service account". The name was my app followed by "@appspot.gserviceaccount.com".
Next, I opened Storage and clicked the "..." next to the default bucket > Edit bucket permissions. I added the service account as a user with Writer access.

How do Aweber and FeedBlitz report subscriber numbers to Feedburner?

I've looked all over for some documentation on this, but haven't found it. Some posts reference a user-agent string:
http://groups.google.com/group/feedburner-services/browse_thread/thread/7aee14cf6a2432e7/49464335d2228e25?lnk=gst&q=aweber#49464335d2228e25
I had assumed there would be an API or something. More generally, how does ANY rss feed reader/aggregator (like Bloglines, etc) report subscriber numbers to Feedburner?
I'm working on developing a new app that would need this functionality.
Thanks for your help!
Brian
As you discovered in your link, you put the subscriber count in your user-agent, then you contact the Feedburner Support Group and tell them what format you will be using.
The consensus format is something like:
User-agent: Service Name (http://example.com/service/info/; ### subscribers ; [optional feed identifier] )
The optional feed identifier is typically used if you run several different services, and fetch the feed separately for each one; e.g. if you have a mail service and a web-based reader service, with different subscribers, then you might either use:
User-agent: SO Agg/1.3 (http://example.com/SOAgg ; 5000 subscribers ; feed-id=mail-134 )
on request for the mailer, and
User-agent: SO Agg/1.3 (http://example.com/SOAgg ; 2000 subscribers ; feed-id=web-134 )
on the request for the website; or use
User-agent: SO Agg/1.3 (http://example.com/SOAgg ; 7000 subscribers ; )
if your system makes only one request for both services...
You will usually need to specify what IP addresses are authorised to request the feed with that user-agent, as well.
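A parser for the user-agent format described in this answer, added here as an example (not written by the answer's author): the regex is inferred from the three sample strings above, and the allowlist check implements the per-IP authorisation the answer mentions, using constructed network ranges.

```python
import re
from ipaddress import ip_address, ip_network

# Pattern inferred from the consensus format quoted above (an assumption based
# on the examples, not a published spec):
#   Service Name (http://example.com/info/ ; ### subscribers ; [feed identifier] )
_UA_RE = re.compile(
    r'^(?P<service>[^(]+?)\s*\(\s*'
    r'(?P<url>https?://\S+?)\s*;\s*'
    r'(?P<count>\d+)\s+subscribers?\s*;?\s*'
    r'(?P<feed_id>[^)]*?)\s*\)\s*$'
)


def parse_subscriber_ua(ua):
    """Parse an aggregator User-Agent that carries a subscriber count.

    Returns a dict with service, url, subscribers (int) and feed_id
    (None when the optional identifier is absent), or None on no match.
    """
    m = _UA_RE.match(ua.strip())
    if not m:
        return None
    return {
        'service': m.group('service').strip(),
        'url': m.group('url'),
        'subscribers': int(m.group('count')),
        'feed_id': m.group('feed_id') or None,
    }


def count_is_trusted(ua, remote_ip, allowed_networks):
    """Honour a reported count only when the fetch came from an address the
    service registered for that user-agent; allowed_networks maps a service
    name to a list of CIDR strings (the authorised IPs the answer mentions).
    """
    parsed = parse_subscriber_ua(ua)
    if parsed is None:
        return False
    addr = ip_address(remote_ip)
    nets = allowed_networks.get(parsed['service'], [])
    return any(addr in ip_network(n) for n in nets)
```

A count from an unregistered address is ignored rather than merged, so a spoofed user-agent from elsewhere cannot inflate the number you publish.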
Many major aggregators report user stats by including them as part of the user-agent string. Examples:
Bloglines reporting description in blog comment
Google Reader: Tips for Publishers
PostRank: Reporting Subscription Counts
There's no standard for this at this time.
To the best of my knowledge, folks will contact major feed analytics vendors like Feedburner directly, to make sure their user-agent-based reporting is being counted.