diff --git a/admin_manual/configuration_files/encryption_configuration.rst b/admin_manual/configuration_files/encryption_configuration.rst index fbba40ae0..11305ed6a 100644 --- a/admin_manual/configuration_files/encryption_configuration.rst +++ b/admin_manual/configuration_files/encryption_configuration.rst @@ -16,7 +16,8 @@ server. technical information about the impact. For maximum security make sure to configure external storage with "Check for - changes: Never". This will let ownCloud ignore new files not added via ownCloud, + changes: Never". This will let ownCloud ignore new files not added via +ownCloud, so a malicious external storage administrator could not add new files to the storage without your knowledge. Of course, this is not wise if your external storage is subject to legitimate external changes. @@ -65,7 +66,8 @@ storage. it is better to use other encryption tools, such as file-level or whole-disk encryption. - Note also that SSL terminates at or before Apache on the ownCloud server, and + Note also that SSL terminates at or before Apache on the ownCloud server, +and all files will exist in an unencrypted state between the SSL connection termination and the ownCloud code that encrypts and decrypts files. This is also potentially exploitable by anyone with administrator access to your @@ -127,7 +129,8 @@ log-out and log-in again." Share owners may need to re-share files after encryption is enabled; users trying to access the share will see a message advising them to ask the share owner to re-share the file with them. For individual shares, un-share and -re-share the file. For group shares, share with any individuals who can't access +re-share the file. For group shares, share with any individuals who can't +access the share. This updates the encryption, and then the share owner can remove the individual shares. @@ -271,3 +274,47 @@ their back-end password, and then, of course, notify the user and give them their new password. .. _upgrading_encryption_label: + +Encryption migration to ownCloud 8.0 +------------------------------------ + +When you upgrade from older versions of ownCloud to ownCloud 8.0, you must +manually migrate +your encryption keys with the *occ* command after the upgrade is complete, like +this +example for CentOS: *sudo -u apache php occ encryption:migrate-keys* You must +run *occ* as +your HTTP user. See :doc:`../configuration_server/occ_command` to learn more +about *occ*. + +Encryption migration to ownCloud 8.1 +------------------------------------ + +The encryption backend has changed in ownCloud 8.1 again, so you must take some +additional steps to migrate encryption correctly. If you do not follow these +steps you may not be able to access your files. + +Before you start your upgrade, put your ownCloud server into +``maintenance:singleuser`` mode (See :doc:`../maintenance/enable_maintenance`.) +You must do this to prevent users and sync clients from accessing files before +you have completed your encryption migration. + +After your upgrade is complete, follow the steps in +:ref:`enable_encryption_label` to +enable the new encryption system. Then click the **Start Migration** button on +your Admin page to migrate your encryption keys, or use the ``occ`` command. We +strongly recommend using the ``occ`` command; the **Start Migration** button is +for admins who do not have access to the console, for example installations on +shared hosting. This example is for Debian/Ubuntu Linux:: + + $ sudo -u www-data php occ encryption:migrate + +This example is for Red Hat/CentOS/Fedora Linux:: + + $ sudo -u apache php occ encryption:migrate + +You must run ``occ`` as your HTTP user; see +:doc:`../configuration_server/occ_command`. + +When you are finished, take your ownCloud server out of +``maintenance:singleuser`` mode. diff --git a/admin_manual/enterprise_logging/enterprise_logging_apps.rst b/admin_manual/enterprise_logging/enterprise_logging_apps.rst index 30e09773d..32d1ebd0c 100644 --- a/admin_manual/enterprise_logging/enterprise_logging_apps.rst +++ b/admin_manual/enterprise_logging/enterprise_logging_apps.rst @@ -2,36 +2,20 @@ Enterprise Logging Apps ======================= -There are two enterprise logging apps available to ownCloud Enterprise -Subscription customers: **Log file sharing** and **Log user actions**. The **Log -file sharing** app records the file sharing activity of your users, and **Log -user actions** records user logins and logouts. + +The **Log user and file sharing actions** app (``apps/admin_audit``) records the +file sharing activity of your users, file tagging, and user logins and logouts. .. figure:: images/logging-1.png - :alt: The two enterprise logging apps on the Apps page. + :alt: Enterprise logging app on the Apps page. -These two apps work together, and should be enabled together. Your logging -level must be set to at least **Info, warnings, errors, and fatal issues** on -your ownCloud admin page, or ``'loglevel' => 1`` in ``config.php``. - -View your logfiles on your admin page. This shows which logging app recorded -the entries, timestamps, usernames, and their activities: - -.. figure:: images/logging-3.png - :alt: Graphical log example. - -Click the **Download logfile** button to dump the plain text log, or open the -logfile directly in a text editor. The default location is -``owncloud/data/owncloud.log``. This is what the raw log looks like:: - - {"reqId":"uaG6sHiutvgzVUCUXM3W","remoteAddr":"::1","app":"admin_audit", - "message":"Rename \"\/molly\/files\/server-and-enterprise-installation\" to - \"\/molly\/files\/shared\/server-and-enterprise-installation\" by user molly, - owner: molly","level":1,"time":"2015-10-21T22:07:14+00:00"} - {"reqId":"Krsnp8BgtLCtuT4zLTWs","remoteAddr":"::1","app":"admin_audit", - "message":"Rename \"\/molly\/files\/shared\/San%20Francisco.jpg\" to - \"\/molly\/files\/shared\/SanFrancisco.jpg\" by user molly, owner: - molly","level":1,"time":"2015-10-21T22:07:25+00:00"} +Your logging level must be set to at least **Info, warnings, errors, and fatal +issues** on your ownCloud admin page, or ``'loglevel' => 1`` in ``config.php``. -See :doc:`../configuration_server/logging_configuration` for more information -on logging. +View your logfiles on your admin page. Click the **Download logfile** button to +dump the plain text log, or open the logfile directly in a text editor. The +default location is ``owncloud/data/owncloud.log``. + +See :doc:`../configuration_server/logging_configuration` and +:doc:`../enterprise_file_management/files_tagging` for more information on +logging and tagging. diff --git a/admin_manual/enterprise_logging/images/logging-1.png b/admin_manual/enterprise_logging/images/logging-1.png index 30e50730b..02cef3b6d 100644 Binary files a/admin_manual/enterprise_logging/images/logging-1.png and b/admin_manual/enterprise_logging/images/logging-1.png differ diff --git a/admin_manual/enterprise_logging/images/logging-3.png b/admin_manual/enterprise_logging/images/logging-3.png deleted file mode 100644 index 18c3fb254..000000000 Binary files a/admin_manual/enterprise_logging/images/logging-3.png and /dev/null differ diff --git a/admin_manual/whats_new_admin.rst b/admin_manual/whats_new_admin.rst index ffa4ee76a..94dce38c7 100644 --- a/admin_manual/whats_new_admin.rst +++ b/admin_manual/whats_new_admin.rst @@ -30,4 +30,12 @@ ownCloud has many improvements. Some of our new features are: if auto-migration during upgrade fails, and new commands for creating addressbooks and calendars (:ref:`dav_label`) * New optional second name attribute in the LDAP app, so that user names appear - as ``User Foo (optional 2nd attribute)`` (:ref:`ldap_directory_settings`) + as ``User Foo (optional 2nd attribute)`` (:ref:`ldap_directory_settings`) + +Enterprise Only +--------------- + +* Advanced tagging management with the Workflow app + (:doc:`enterprise_file_management/files_tagging`) +* Advanced authentication backends (:doc:` + enterprise_external_storage/enterprise_only_auth`)