#26629: Login failures should be logged
-------------------------------------+-------------------------------------
               Reporter:  jacobian   |          Owner:  nobody
                   Type:  New        |         Status:  new
  feature                            |
              Component:             |        Version:  1.9
  contrib.auth                       |       Keywords:  login security
               Severity:  Normal     |  logging
           Triage Stage:             |      Has patch:  0
  Unreviewed                         |
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 Login failures [*] should emit logging messages. There are a couple of
 good reasons for this:

 - Many compliance regimes (all those deriving from NIST-800-53, so FISMA,
 PCI, HIPAA, etc.) require logging of failed login attempts.
 - It'll make integration with a SIEM easier out of the box.

 [*] we may want to log successes, too, or have a configuration option or
 somesuch. I tend to think successes are noise, but reasonable people
 disagree on that point.

 [One of a series of bugs from a discussion I had with @mallyvai about
 improving the security of Django's admin - see
 https://gist.github.com/mallyvai/bcb0bb827d6d53212879dff23cf15d03 for the
 full list.]

--
Ticket URL: <https://code.djangoproject.com/ticket/26629>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
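
One way to get the logging this ticket asks for today is a receiver on Django's existing user_login_failed signal. The following is an added example, not code from the ticket or from Django itself; the logger name "security.auth" and the event field names are assumptions, and request is treated as optional so the receiver tolerates callers that do not pass one.

```python
import json
import logging

# Logger name is an assumption; route it to your SIEM handler in LOGGING.
logger = logging.getLogger("security.auth")


def client_ip(request):
    """Peer address of the attempt, or None when no HTTP request was passed."""
    if request is None:
        return None
    return request.META.get("REMOTE_ADDR")


def log_login_failure(sender, credentials, request=None, **kwargs):
    """Receiver for django.contrib.auth.signals.user_login_failed."""
    event = {
        "event": "login_failed",
        "sender": str(sender),
        # Only the identifier is copied out of credentials; password-like
        # fields are never logged. Assumes the default "username" field.
        "username": credentials.get("username"),
        "src_ip": client_ip(request),
        "path": getattr(request, "path", None),
    }
    # json.dumps escapes CR/LF in the attacker-controlled username, so one
    # failed attempt is always exactly one log line.
    logger.warning(json.dumps(event, sort_keys=True))
    return event


def connect():
    """Call from an AppConfig.ready(); Django is imported lazily here so the
    receiver above can be exercised without a configured project."""
    from django.contrib.auth.signals import user_login_failed
    user_login_failed.connect(log_login_failure,
                              dispatch_uid="log_login_failure")
```
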
