
per item configuration change auditing

Jason Rivard vor 5 Jahren
Ursprung
Commit
d7bfb605aa

+ 1 - 26
server/src/main/java/password/pwm/PwmApplication.java

@@ -315,32 +315,7 @@ public class PwmApplication
         {
             LOGGER.error( "error outputting log to debug: " + e.getMessage() );
         }
-        
-        // detect if config has been modified since previous startup
-        try
-        {
-            final String previousHash = readAppAttribute( AppAttribute.CONFIG_HASH, String.class );
-            final String currentHash = pwmEnvironment.getConfig().configurationHash( this.getSecureService() );
-            if ( previousHash == null || !previousHash.equals( currentHash ) )
-            {
-                writeAppAttribute( AppAttribute.CONFIG_HASH, currentHash );
-                LOGGER.warn( "configuration checksum does not match previously seen checksum, configuration has been modified since last startup" );
-                if ( this.getAuditManager() != null )
-                {
-                    final String modifyMessage = "configuration was modified directly (not using ConfigEditor UI)";
-                    this.getAuditManager().submit( new AuditRecordFactory( this ).createUserAuditRecord(
-                            AuditEvent.MODIFY_CONFIGURATION,
-                            null,
-                            null,
-                            modifyMessage
-                    ) );
-                }
-            }
-        }
-        catch ( Exception e )
-        {
-            LOGGER.debug( () -> "unable to detect if configuration has been modified since previous startup: " + e.getMessage() );
-        }
+
 
         if ( this.getConfig() != null )
         {

+ 38 - 0
server/src/main/java/password/pwm/config/stored/ConfigurationReader.java

@@ -25,11 +25,15 @@ import password.pwm.PwmApplication;
 import password.pwm.PwmApplicationMode;
 import password.pwm.PwmConstants;
 import password.pwm.bean.SessionLabel;
+import password.pwm.bean.UserIdentity;
 import password.pwm.config.Configuration;
+import password.pwm.config.StoredValue;
 import password.pwm.error.ErrorInformation;
 import password.pwm.error.PwmError;
 import password.pwm.error.PwmOperationalException;
 import password.pwm.error.PwmUnrecoverableException;
+import password.pwm.svc.event.AuditEvent;
+import password.pwm.svc.event.AuditRecordFactory;
 import password.pwm.util.java.FileSystemUtility;
 import password.pwm.util.java.JavaHelper;
 import password.pwm.util.java.StringUtil;
@@ -46,6 +50,7 @@ import java.nio.file.StandardCopyOption;
 import java.time.Instant;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 
 /**
  * Read the PWM configuration.
@@ -263,6 +268,11 @@ public class ConfigurationReader
             }
         }
 
+        if ( pwmApplication != null && pwmApplication.getAuditManager() != null )
+        {
+            auditModifiedSettings( pwmApplication, storedConfiguration, sessionLabel );
+        }
+
         try
         {
             outputConfigurationFile( storedConfiguration, pwmApplication, sessionLabel, backupRotations, backupDirectory );
@@ -273,6 +283,34 @@ public class ConfigurationReader
         }
     }
 
+    private static void auditModifiedSettings( final PwmApplication pwmApplication, final StoredConfiguration newConfig, final SessionLabel sessionLabel )
+            throws PwmUnrecoverableException
+    {
+        final Set<StoredConfigItemKey> changedKeys = StoredConfigurationUtil.changedValues( newConfig, pwmApplication.getConfig().getStoredConfiguration() );
+
+        for ( final StoredConfigItemKey key : changedKeys )
+        {
+            if ( key.getRecordType() == StoredConfigItemKey.RecordType.SETTING
+                    || key.getRecordType() == StoredConfigItemKey.RecordType.LOCALE_BUNDLE )
+            {
+                final Optional<StoredValue> storedValue = newConfig.readStoredValue( key );
+                if ( storedValue.isPresent() )
+                {
+                    final Optional<ValueMetaData> valueMetaData = newConfig.readMetaData( key );
+                    final UserIdentity userIdentity = valueMetaData.map( ValueMetaData::getUserIdentity ).orElse( null );
+                    final String modifyMessage = "configuration record '" + key.getLabel( PwmConstants.DEFAULT_LOCALE )
+                            + "' has been modified, new value: " + storedValue.get().toDebugString( PwmConstants.DEFAULT_LOCALE );
+                    pwmApplication.getAuditManager().submit( new AuditRecordFactory( pwmApplication ).createUserAuditRecord(
+                            AuditEvent.MODIFY_CONFIGURATION,
+                            userIdentity,
+                            sessionLabel,
+                            modifyMessage
+                    ) );
+                }
+            }
+        }
+    }
+
     private void outputConfigurationFile(
             final StoredConfiguration storedConfiguration,
             final PwmApplication pwmApplication,
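Review bot: In auditModifiedSettings, a changed key whose value is absent in newConfig (presumably a setting removed or reset to default) produces no audit record, because the `storedValue.isPresent()` check on the line after `readStoredValue` skips it entirely, so removals leave no trace in the audit trail. The message also embeds the full `toDebugString` of the new value; unless that method masks secret-typed settings (passwords, keys), the audit log and any forwarding of it receive the secret in clear, so consider recording only the label for such keys. The call site in the earlier hunk guards only on `getAuditManager() != null`, whereas the removed ConfigManagerServlet code additionally required `status() == PwmService.STATUS.OPEN`, and since the new method propagates PwmUnrecoverableException an audit failure now aborts the save before `outputConfigurationFile` runs — acceptable if fail-closed is intended, but worth a comment; the enclosing save method starts and ends outside the hunk. Note too that the removed startup hash check in PwmApplication covered edits made to the file outside the application, which this save-path audit does not, so if nothing else compares the on-disk configuration at startup that coverage is lost. The method also lacks Javadoc; the loop below records removals as well.
```java
private static void auditModifiedSettings( final PwmApplication pwmApplication, final StoredConfiguration newConfig, final SessionLabel sessionLabel )
        throws PwmUnrecoverableException
{
    // … unchanged: changedKeys computation …
    for ( final StoredConfigItemKey key : changedKeys )
    {
        if ( key.getRecordType() == StoredConfigItemKey.RecordType.SETTING
                || key.getRecordType() == StoredConfigItemKey.RecordType.LOCALE_BUNDLE )
        {
            final Optional<StoredValue> storedValue = newConfig.readStoredValue( key );
            final String label = key.getLabel( PwmConstants.DEFAULT_LOCALE );
            // a changed key with no value in the new config was removed/reset; audit that as well
            final String modifyMessage = storedValue.isPresent()
                    ? "configuration record '" + label + "' has been modified, new value: " + storedValue.get().toDebugString( PwmConstants.DEFAULT_LOCALE )
                    : "configuration record '" + label + "' has been removed (reset to default)";
            final Optional<ValueMetaData> valueMetaData = newConfig.readMetaData( key );
            final UserIdentity userIdentity = valueMetaData.map( ValueMetaData::getUserIdentity ).orElse( null );
            pwmApplication.getAuditManager().submit( new AuditRecordFactory( pwmApplication ).createUserAuditRecord(
                    AuditEvent.MODIFY_CONFIGURATION,
                    userIdentity,
                    sessionLabel,
                    modifyMessage
            ) );
        }
    }
}
```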

+ 0 - 26
server/src/main/java/password/pwm/http/servlet/configmanager/ConfigManagerServlet.java

@@ -29,7 +29,6 @@ import password.pwm.PwmApplication;
 import password.pwm.PwmConstants;
 import password.pwm.config.stored.ConfigurationProperty;
 import password.pwm.config.stored.ConfigurationReader;
-import password.pwm.config.stored.StoredConfigItemKey;
 import password.pwm.config.stored.StoredConfiguration;
 import password.pwm.config.stored.StoredConfigurationFactory;
 import password.pwm.config.stored.StoredConfigurationModifier;
@@ -56,10 +55,6 @@ import password.pwm.http.servlet.configguide.ConfigGuideUtils;
 import password.pwm.i18n.Admin;
 import password.pwm.i18n.Config;
 import password.pwm.i18n.Display;
-import password.pwm.svc.PwmService;
-import password.pwm.svc.event.AuditEvent;
-import password.pwm.svc.event.AuditRecord;
-import password.pwm.svc.event.AuditRecordFactory;
 import password.pwm.util.LDAPPermissionCalculator;
 import password.pwm.util.i18n.LocaleHelper;
 import password.pwm.util.java.JavaHelper;
@@ -77,7 +72,6 @@ import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import java.util.zip.ZipOutputStream;
 
 @WebServlet(
@@ -326,26 +320,6 @@ public class ConfigManagerServlet extends AbstractPwmServlet
                     pwmRequest.getSessionLabel()
             );
 
-            final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
-            if ( pwmApplication.getAuditManager() != null && pwmApplication.getAuditManager().status() == PwmService.STATUS.OPEN )
-            {
-                final Set<StoredConfigItemKey> configurationDifferential = StoredConfigurationUtil.changedValues(
-                        pwmApplication.getConfig().getStoredConfiguration(),
-                        storedConfiguration );
-                final String modifyMessage = "Configuration Changes: " + StoredConfigurationUtil.changeLogAsDebugString(
-                        storedConfiguration,
-                        configurationDifferential,
-                        PwmConstants.DEFAULT_LOCALE
-                );
-                final AuditRecord auditRecord = new AuditRecordFactory( pwmApplication ).createUserAuditRecord(
-                        AuditEvent.MODIFY_CONFIGURATION,
-                        pwmRequest.getUserInfoIfLoggedIn(),
-                        pwmRequest.getSessionLabel(),
-                        modifyMessage
-                );
-                pwmApplication.getAuditManager().submit( auditRecord );
-            }
-
             contextManager.requestPwmApplicationRestart();
         }
         catch ( Exception e )

+ 28 - 23
server/src/main/java/password/pwm/util/localdb/LocalDB.java

@@ -21,6 +21,7 @@
 package password.pwm.util.localdb;
 
 import password.pwm.util.java.ClosableIterator;
+import password.pwm.util.java.JavaHelper;
 
 import java.io.File;
 import java.io.Serializable;
@@ -116,35 +117,39 @@ public interface LocalDB
         /**
          * Used for various pwm operational data.
          */
-        PWM_META( true ),
-        SHAREDHISTORY_META( true ),
-        SHAREDHISTORY_WORDS( true ),
+        PWM_META( Flag.Backup ),
+        SHAREDHISTORY_META( Flag.Backup ),
+        SHAREDHISTORY_WORDS( Flag.Backup ),
         // WORDLIST_META(true), // @deprecated
-        WORDLIST_WORDS( true ),
+        WORDLIST_WORDS( Flag.Backup ),
         // SEEDLIST_META(true), // @deprecated
-        SEEDLIST_WORDS( true ),
-        PWM_STATS( true ),
-        EVENTLOG_EVENTS( true ),
-        EMAIL_QUEUE( true ),
-        SMS_QUEUE( true ),
-        RESPONSE_STORAGE( true ),
-        OTP_SECRET( true ),
-        TOKENS( true ),
-        INTRUDER( true ),
-        AUDIT_QUEUE( true ),
-        AUDIT_EVENTS( true ),
-        USER_CACHE( true ),
-        TEMP( false ),
-        SYSLOG_QUEUE( true ),
-        CACHE( false ),
-
-        REPORT_QUEUE( false ),;
+        SEEDLIST_WORDS( Flag.Backup ),
+        PWM_STATS( Flag.Backup ),
+        EVENTLOG_EVENTS( Flag.Backup ),
+        EMAIL_QUEUE( Flag.Backup ),
+        SMS_QUEUE( Flag.Backup ),
+        RESPONSE_STORAGE( Flag.Backup ),
+        OTP_SECRET( Flag.Backup ),
+        TOKENS( Flag.Backup ),
+        INTRUDER( Flag.Backup ),
+        AUDIT_QUEUE( Flag.Backup ),
+        AUDIT_EVENTS( Flag.Backup ),
+        USER_CACHE( Flag.Backup ),
+        TEMP(  ),
+        SYSLOG_QUEUE( Flag.Backup ),
+        CACHE(  ),
+        REPORT_QUEUE( ),;
 
         private final boolean backup;
 
-        DB( final boolean backup )
+        private enum Flag
         {
-            this.backup = backup;
+            Backup,
+        }
+
+        DB( final Flag... flag )
+        {
+            this.backup = JavaHelper.enumArrayContainsValue( flag, Flag.Backup );
         }
 
         public boolean isBackup( )
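Review bot: The new nested enum's constant is named `Backup`, which departs from the UPPER_SNAKE_CASE convention every other enum constant in this hunk follows; rename it `BACKUP` and its uses `Flag.BACKUP`. The empty-argument constants are spaced inconsistently — `TEMP(  )`, `CACHE(  )`, `REPORT_QUEUE( ),;` — and read better as `TEMP()`, `CACHE()`, `REPORT_QUEUE();`. A one-line Javadoc on `Flag`, e.g. `/** Per-DB options passed to the constructor; {@link #Backup} makes {@link #isBackup()} return true. */`, would explain what the varargs encode. Whether `JavaHelper.enumArrayContainsValue` returns false for an empty array, so that `TEMP`, `CACHE` and `REPORT_QUEUE` keep `backup == false` as before, is not visible here and is worth pinning with a test.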