- Q. How does AM protect from Clickjacking?
- Q. How do I set Content-Security-Policy headers in AM?
- Q. Can I remove the YUI 2.3.0 library (/openam/assets/lib/yui)?
- Q. Is Elasticsearch 6 supported for audit logging?
- Q. Does AM support syslog for audit logging?
- Q. Why are the timestamps displayed in the audit logs and debug logs different?
- Q. Can I change the delimiter used in the log files?
- Q. Can I rotate the debug log files?
- Q. Can I rotate the audit log files?
- Q. Do translation memory files exist for AM locales?
- The X-Frame-Options header is set to SAMEORIGIN to prevent the page being framed by a malicious site. Per RFC 7034, "A browser receiving content with this header field MUST NOT display this content in any frame from a page of different origin than the content itself."
- A /* url-pattern is included in the list of protected resources.
The relevant snippets in the web.xml file (located in the /path/to/tomcat/webapps/openam/WEB-INF directory) are:<filter> <filter-name>SecurityHeaders</filter-name> <filter-class>org.forgerock.openam.headers.SetHeadersFilter</filter-class> <init-param> <param-name>X-Frame-Options</param-name> <param-value>SAMEORIGIN</param-value> </init-param> </filter> .... <filter-mapping> <filter-name>SecurityHeaders</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
A. You can define Content-Security-Policy headers in AM by updating the web.xml file (located in the /path/to/tomcat/webapps/openam/WEB-INF directory). Content-Security-Policy headers can be used to reduce XSS risks.
For example, you could add something similar to this to the web.xml file:<filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>org.forgerock.openam.headers.SetHeadersFilter</filter-class> <init-param> <param-name>Content-Security-Policy</param-name> <param-value>frame-ancestors https://frame-parent.example.org</param-value> </init-param> <init-param> <param-name>excludes</param-name> <param-value>/connect/checkSession</param-value> </init-param> </filter>
See Content Security Policy Reference for further information and examples.
There is a related RFE: OPENAM-11855 (Add support for Content-Security-Policy headers).
You may see this being used in URLs such as:http://host1.example.com:8080/openam/assets/lib/yui/animation/animation-min.js http://host1.example.com:8080/openam/assets/lib/yui/button/button-beta-min.js ...
Per the Elasticsearch documentation (Removal of mapping types):
Indices created in Elasticsearch 6.0.0 or later may only contain a single mapping type. Indices created in 5.x with multiple mapping types will continue to function as before in Elasticsearch 6.x. Mapping types will be completely removed in Elasticsearch 7.0.0.
A possible workaround is to create the index in Elasticsearch 5 and then upgrade to Elasticsearch 6.
The Elasticsearch audit handler is deprecated in AM 7.1.
A. Yes syslog for audit logs is supported. See Security Guide › Configuring Syslog Audit Event Handlers for further information.
The audit logs (CAUD) are compliant with RFC 5424; you should ensure syslog is configured to log using this format (STRUCTURED-DATA). For example, if you are using Rsyslog, you would need to add the following to your template:RSYSLOG_SyslogProtocol23Format
See RSYSLOG - RFC5424 and OPENAM-8436 (Syslog handler always sends useless information during XUI operations) for further information.
- Audit logs use timestamps in UTC format (for example, 2018-07-18T08:48:00.160Z); UTC is a unified standard that is not affected by daylight saving time changes. The format used in audit logs is not configurable since UTC provides the consistency needed for auditing when AM servers are deployed globally across different timezones.
- Debug logs use the system time since they are primarily used for diagnosing issues where local timestamps are needed in troubleshooting analysis.
This does mean that timestamps will be different if your system uses a format other than UTC.
You could log to a database as this provides greater flexibility or you could use a custom formatter to customize the output of the log files. The ELF formatter is currently used and its source can be found here to give you some background on what it does.
A. Yes, you can rotate the debug log files (typically located in the /path/to/openam/var/debug directory (AM 7 and later) or the /path/to/openAM/debug directory (pre-AM 7)) as detailed in Maintenance Guide › To Rotate Debug Logs with Logback.xml (AM 7 and later) or How do I rotate AM (All versions) debug logs?
You can also clear these files if required: How do I clear debug logs in AM (All versions)?
Audit Logging Service
The following JSON files are generated by the Audit Logging Service (by default this is the Global JSON Handler):
Configuration for this handler can be found in: Configure > Global Services > Audit Logging > Secondary Configurations > Edit the Global JSON Handler. See Security Guide › Configuring JSON Audit Event Handlers for further information on configuring the handler, including file rotation, logs files etc.
See How do I configure audit logging via ssoadm in AM (All versions)? for further information on configuring these services using ssoadm.