#26629: Login failures should be logged
-------------------------------------+-------------------------------------
               Reporter:  jacobian   |                Owner:  nobody
                   Type:  New feature|               Status:  new
              Component:  contrib.auth|              Version:  1.9
               Severity:  Normal     |             Keywords:  login security logigng
           Triage Stage:  Unreviewed |            Has patch:  0
    Needs documentation:  0          |          Needs tests:  0
Patch needs improvement:  0          |        Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
Login failures [*] should emit logging messages. There are a couple of good reasons for this:

- Many compliance regimes (all those deriving from NIST-800-53, so FISMA, PCI, HIPAA, etc.) require logging of failed login attempts.
- It'll make integration with a SIEM easier out of the box.

[*] we may want to log successes, too, or have a configuration option or somesuch. I tend to think successes are noise, but reasonable people disagree on that point.

[One of a series of bugs from a discussion I had with @mallyvai about improving the security of Django's admin - see https://gist.github.com/mallyvai/bcb0bb827d6d53212879dff23cf15d03 for the full list.]

--
Ticket URL: <https://code.djangoproject.com/ticket/26629>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
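
Added example, not part of the ticket or of Django's code: one way to produce the log lines the ticket asks for is a receiver for the existing `user_login_failed` signal in `django.contrib.auth`. The logger name `security.auth`, the JSON field names and the helper names are assumptions; the receiver uses only the standard library so it runs without Django installed.

```python
import json
import logging

logger = logging.getLogger("security.auth")  # assumed logger name

# Credential keys containing these substrings are never written to the log.
SENSITIVE = ("password", "token", "secret", "key")


def build_failure_event(credentials, request=None):
    """Return a dict describing one failed login, safe to serialize."""
    event = {"event": "login_failed"}
    for name, value in credentials.items():
        if any(s in name.lower() for s in SENSITIVE):
            continue  # drop secrets even if the caller forgot to scrub them
        event[name] = str(value)[:150]  # bound attacker-controlled length
    if request is not None:  # the signal may be sent without a request
        meta = getattr(request, "META", {})
        # REMOTE_ADDR is the proxy's address when behind a reverse proxy.
        event["remote_addr"] = meta.get("REMOTE_ADDR", "")
        event["user_agent"] = meta.get("HTTP_USER_AGENT", "")[:200]
        event["path"] = getattr(request, "path", "")
    return event


def log_login_failure(sender, credentials, request=None, **kwargs):
    """Receiver with the signature of the user_login_failed signal."""
    # json.dumps escapes CR/LF, so a crafted username cannot forge log lines.
    line = json.dumps(build_failure_event(credentials, request), sort_keys=True)
    logger.warning(line)
    return line


# In a Django project (not imported here so the block runs offline):
#   from django.contrib.auth.signals import user_login_failed
#   user_login_failed.connect(log_login_failure)
```

One JSON object per line at WARNING level lets a SIEM forwarder pick up failures from the `security.auth` logger without parsing free-form messages.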