From 2eb75b2de22000358cb711ef7ba4aa5540da0f12 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 11 Mar 2025 08:52:57 +0100
Subject: [PATCH] mvc: send audit messsages emitted in the authentication sequence to proper channel and extend them with relevant event information. (ControllerRoot) Although it is practical to know that a client is calling an endpoint unauthenticated, we would like to know which client it is and which endpoint it tries to access to easier detect abuse.
---
 .../app/controllers/OPNsense/Base/ControllerRoot.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
index 3162a3a66..717b44fe6 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
@@ -146,7 +146,11 @@ class ControllerRoot extends Controller
 $redirect_uri = "/?url=" . $_SERVER['REQUEST_URI'];
 if ($this->session->has("Username") == false) {
 // user unknown
- $this->getLogger()->error("no active session, user not found");
+ $this->getLogger('audit')->error(sprintf(
+ "no active session, user not found (called \"%s\" @ %s)",
+ $_SERVER['REQUEST_URI'],
+ $_SERVER['REMOTE_ADDR']
+ ));
 $this->response->redirect($redirect_uri, true);
 $this->setLang();
 return false;
@@ -155,7 +159,9 @@ class ControllerRoot extends Controller
 && $this->session->get("last_access") < (time() - $session_timeout)
 ) {
 // session expired / cleanup session data
- $this->getLogger()->error("session expired");
+ $this->getLogger('audit')->notice(sprintf(
+ "session expired (%s @ %s)", $this->session->get("Username"), $_SERVER['REMOTE_ADDR']
+ ));
 $this->session->remove("Username");
 $this->session->remove("last_access");
 $this->response->redirect($redirect_uri, true);
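Review bot: The new sprintf lines write `$_SERVER['REQUEST_URI']` into the audit channel verbatim; it is attacker-controlled and may carry control characters or an arbitrarily long query string (possibly including tokens), so it should be bounded and escaped before it reaches the log. Something like `$uri = addcslashes(substr($_SERVER['REQUEST_URI'], 0, 1024), "\0..\37\177");` ahead of the call, with `$uri` passed to sprintf, keeps one event per log line and stops a crafted request from forging or splitting audit records. `$_SERVER['REMOTE_ADDR']` is the TCP peer, so behind a reverse proxy it would show the proxy rather than the client — probably acceptable for the GUI, but worth a short comment. The enclosing method starts before the hunk.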
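Review bot: The expired-session message on the new notice line records the user and address but not the endpoint, while the commit description says the point of the change is to know which endpoint is being accessed and the other two audit lines do include it. Adding it keeps the three messages uniform for whoever correlates them: `"session expired (%s @ %s, called \"%s\")", $this->session->get("Username"), $_SERVER['REMOTE_ADDR'], $_SERVER['REQUEST_URI']`. Lowering this event from error to notice looks reasonable for a routine timeout, but since the unauthenticated case stays at error it is worth stating the intended severity policy in a comment. The enclosing method starts before the hunk.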
@@ -170,7 +176,7 @@ class ControllerRoot extends Controller
 // Authorization using legacy acl structure
 $acl = new ACL();
 if (!$acl->isPageAccessible($this->session->get("Username"), $_SERVER['REQUEST_URI'])) {
- $this->getLogger()->error("uri " . $_SERVER['REQUEST_URI'] .
+ $this->getLogger('audit')->error("uri " . $_SERVER['REQUEST_URI'] .
 " not accessible for user " . $this->session->get("Username"));
 $this->response->redirect("/", true);
 return false;
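Review bot: The ACL-denial line now goes to the audit channel but, unlike the two new messages earlier in this method, still omits the client address, and an authenticated user probing pages they are not allowed to see is the event most worth attributing to a source. Rewriting it as `$this->getLogger('audit')->error(sprintf("uri %s not accessible for user %s (@ %s)", $_SERVER['REQUEST_URI'], $this->session->get("Username"), $_SERVER['REMOTE_ADDR']));` matches the other two messages. The URI is concatenated verbatim here too, so whatever truncation and control-character escaping is applied to it in the earlier messages should be applied here as well. The enclosing method starts before the hunk and continues after it.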