Blackboard is committed to improving security features and resolving security vulnerabilities quickly and carefully. Such security vulnerability resolutions may lead to the release of a Security Advisory as well as any needed product update for our customers based on the context, severity, and timing of confirmed vulnerabilities. Below we have outlined the security enhancements and security vulnerabilities resolved in this release.
To learn more about specific security fixes for Service Pack (SP) 14, see Security Fix Release Notes for SP 14.
Security Logging for Test IP Address Filtering
The Test IP Address Filtering feature uses three new security event codes. These event codes support test-taking audit-ability. See Standard Security Event Codes.
|Event Code||Security Event||Example Single Row|
|36||User Starting an Assessment Violated IP Address Rule|| |
timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn
|37||User Taking or Finishing an Assessment Violated IP Address Rule||timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn |
|evt_name=User Taking or Finishing an assessment or Continue Attempt Violated IP Address Rule|sev=2|cat=assessments|outcome=success
|session_id=1000|msg=User taking or completing assessment course assessment <_3_1> violated IP Address rule. The violation was logged. May be an indicator of a potentially inadvertent test policy violation or a misconfigured IP Address rule.
|http_useragent=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)|act=logged
|38||IP Address Rule Overridden for an Assessment Attempt||timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn |
|evt_name=IP Address Rule Overridden for an assessment Attempt
|msg=Test administrator overrode a test policy violation for user <_2_1> for course assessment <_3_1> because it violated IP Address rule. May be an indicator of a potentially inadvertent test policy violation or a misconfigured IP Address rule.
|http_useragent=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)|act=logged
Changes to Security Logs
High-level security events are logged for auditing purposes. Events impacting security are assigned security specific event codes. These event codes are standardized within Learn.
The types of security events captured cover high-risk activities enabling the tracking and source identification of the event through analysis of logged source internet address, source session, user id, and event time.
Log entries are based on industry standards for identification and description of security events that may be the result of system attacks making them suitable for importing or use with third party tools for forensic analysis reporting. Additionally, the logs themselves provide the ability for identification of specific events as immediately visible in the logs.
The bb-security-authentication-log.txt security log was only utilized by Event Code 28 and had a filename redundant to the "bb-authentication-log.txt" Authentication Log. Event Code 28 has moved to the Central Security Log outlined below. Since this log is no longer actively logging any event codes, it is no longer used as of this release. The bb-authentication-log.txt Authentication Log remains unchanged.
New Central Security Log Location
The Central Security Log filename has been renamed in an effort to continually centralize security logging.
Before SP 14:
SP 14 and later:
New or Changed Event Codes
These Event Codes are part of the Standard Security Event Codes.
|Event Code||Security Event||Changes||Description|
|28||User Password Migration||Moved from "bb-security-authentication-log.txt" to "bb-security-log.txt"||On-login, user password hash migrated to new scheme successfully results in this event with outcome=success |
On-login, user password hash migration could not occur due to an exception results in this event with outcome=failure
|36||User Starting an Assessment Violated IP Address Rule||New Event for Test IP Address Filtering||Identifies intentional and unintentional violations to the IP Address value or range restrictions set on an Assessment. An assessment that begins with an IP Address value/range restriction only has a severity of "0"|
|37||User Taking or Finishing an Assessment Violated IP Address Rule||New Event for Test IP Address Filtering|| |
Identifies intentional and unintentional violations to the IP Address value or range restrictions set on an Assessment. An assessment that may start meeting the IP Address rule but then violates it during or at the completion of an assessment.
|38||IP Address Rule Overridden for an Assessment Attempt||New Event for Test IP Address Filtering||Test Proctors may need to override a given blocked attempt for a particular student if the IP Address/Range was not configured correctly by the Administrator. These exceptions would be logged.|