Opened 9 years ago
Closed 9 years ago
#26629 closed New feature (duplicate)
Login failures should be logged
Reported by: | Jacob Kaplan-Moss | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.9 |
Severity: | Normal | Keywords: | login security logigng |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Login failures [*] should emit logging messages. There are a couple of good reasons for this:
- Many compliance regimes (all those deriving from NIST-800-53, so FISMA, PCI, HIPAA, etc) require logging of failed login attempts.
- It'll makes integration with a SIEM easier out of the box.
[*] we may want to log successes, too, or have a configuration option or somesuch. I tend to think successes are noise, but reasonable people disagree on that point.
[One of a series of bugs from a discussion I had with @mallyvai about improving the security of Django's admin - see https://gist.github.com/mallyvai/bcb0bb827d6d53212879dff23cf15d03 for the full list.]
Change History (3)
comment:1 by , 9 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
comment:2 by , 9 years ago
Resolution: | duplicate |
---|---|
Status: | closed → new |
Unsure about correct process, but I reopened the original ticket. Should I set that to New instead?
comment:3 by , 9 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
I replied on the other ticket.
Duplicate of #20495. Feel free to continue the discussion there and reopen if you feel my closing was in error.