Changeset

5771:dfbced5e54b9

mod_audit_auth: Ignore FAST authentication events by default FAST is more like a cookie that allows linking new connections to a previous (e.g. password) authentication. Since we assume that FAST tokens are secure (not user generated) and not shareable, it reduces a lot of noise by filtering out uninteresting authentication events.
author Matthew Wild <mwild1@gmail.com>
date Fri, 01 Dec 2023 11:34:52 +0000
parents 5770:111e970213a0
children 5772:238c4ac8b735
files mod_audit_auth/mod_audit_auth.lua
diffstat 1 files changed, 5 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_audit_auth/mod_audit_auth.lua	Thu Nov 30 18:05:42 2023 +0000
+++ b/mod_audit_auth/mod_audit_auth.lua	Fri Dec 01 11:34:52 2023 +0000
@@ -3,6 +3,8 @@
 module:depends("audit");
 -- luacheck: read globals module.audit
 
+local only_passwords = module:get_option_boolean("audit_auth_passwords_only", true);
+
 module:hook("authentication-failure", function(event)
 	local session = event.session;
 	module:audit(jid.join(session.sasl_handler.username, module.host), "authentication-failure", {
@@ -12,6 +14,9 @@
 
 module:hook("authentication-success", function(event)
 	local session = event.session;
+	if only_passwords and session.sasl_handler.fast then
+		return;
+	end
 	module:audit(jid.join(session.sasl_handler.username, module.host), "authentication-success", {
 		session = session,
 	});