IPA API audit

We just merged a basic audit feature for #FreeIPA's API use. It forces every use of IPA API operations on IPA servers to be recorded through the systemd journal. The journal entries carry more detail than the single string you see in Apache's log, and we use that detail in journalctl -x to generate an explanation of the journal entry. This should make use of the API more discoverable and also help with auditing of operations.

More information can be found at https://freeipa.readthedocs.io/en/latest/designs/audit-ipa-api.html

Below are two examples of what this audit looks like. First, what is recorded in the journal:

This is a simple record for the equivalent of deleting a user through the IPA API directly on the server (hence the '[autobind]' mark there). The systemd journal can translate that entry into human-readable text with the help of a message catalog we provided. When you use it, the output is self-explanatory:

It gives references to the general IPA API documentation and to the explanation of this specific IPA command ('user_del'). It gives you a link to the community mailing list for possible support requests and discussions. Finally, it explains the format of the log message and inserts the specific properties you see there while doing so. I hope this new feature will be useful.

The systemd journal has a few more interesting features that we might use in the future. For example, it allows creating a separate namespace for a group of systemd services, and then any attempt to log to the journal from them is directed into that custom journal. This allows one to collect log entries from multiple services into the same journal without interleaving them with the rest of the system's activity (which can be quite noisy). It could also be used to relocate a journal off a read-only location. The latter would be very useful for containerized setups, which are often done with read-only images.
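
One way to use the structured journal entries described above for auditing, as an added example that is not part of the original post or of FreeIPA's code: it reads journal entries exported as one JSON object per line, counts API operations per actor, and flags deletions and non-successful results. The IPA_API_* field names, the result strings, the placement of '[autobind]' in the actor field and the sample entries are assumptions made for this example; check the design page linked above for the real field names.

```python
import json
from collections import Counter

# Constructed sample entries shaped like `journalctl -o json` output.
# ASSUMPTION: the IPA_API_* field names and result strings are illustrative.
SAMPLE_ENTRIES = [
    {"IPA_API_ACTOR": "[autobind]", "IPA_API_COMMAND": "user_del",
     "IPA_API_RESULT": "SUCCESS", "IPA_API_PARAMS": '{"uid": ["testuser"]}'},
    {"IPA_API_ACTOR": "admin@EXAMPLE.TEST", "IPA_API_COMMAND": "user_show",
     "IPA_API_RESULT": "SUCCESS", "IPA_API_PARAMS": '{"uid": "admin"}'},
    {"IPA_API_ACTOR": "helpdesk@EXAMPLE.TEST", "IPA_API_COMMAND": "group_add_member",
     "IPA_API_RESULT": "ACIError", "IPA_API_PARAMS": '{"cn": "admins"}'},
    {"SYSLOG_IDENTIFIER": "sshd", "MESSAGE": "unrelated system noise"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_ENTRIES] + ["{truncated"]

def parse_audit(lines):
    """Yield one dict per journal line that carries the assumed IPA API fields."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict):
            continue
        command = entry.get("IPA_API_COMMAND")
        if not isinstance(command, str):
            continue  # not an API audit record
        try:
            params = json.loads(entry.get("IPA_API_PARAMS") or "{}")
        except (TypeError, json.JSONDecodeError):
            params = {}  # keep the record even if parameters are unreadable
        yield {"actor": str(entry.get("IPA_API_ACTOR", "unknown")),
               "command": command,
               "result": str(entry.get("IPA_API_RESULT", "unknown")),
               "params": params}

def review(lines, watch_suffixes=("_del",)):
    """Count operations per actor; flag watched commands and non-success results."""
    per_actor, flagged = Counter(), []
    for rec in parse_audit(lines):
        per_actor[rec["actor"]] += 1
        if rec["command"].endswith(watch_suffixes) or rec["result"] != "SUCCESS":
            flagged.append(rec)
    return per_actor, flagged

if __name__ == "__main__":
    counts, flagged = review(SAMPLE_LINES)
    for rec in flagged:
        print(rec["actor"], rec["command"], rec["result"], rec["params"])
```

On a real server the input lines would come from journalctl -o json rather than from the constructed sample.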

Andrey Bondarenko

Lead DevOps Engineer

5 months

That's a cool feature.

Antoine Gatineau

Linux and SRE Engineer

5 months

This is great news. I was just explaining this week how hard it is to get events from FreeIPA! This feature will help adoption in enterprise a lot.

Andrew Puch

Enterprise System Architect / IT Consultant / lean / agile / ScrumMaster at Independent Consulting / Mentor / Mentee / #tribeOfMetors / #purpleSquirrel

6 months

Alexander Bokovoy idm sometime soon? A year or so?
