In Openfire 3.5.0, we have added two new features to address security concerns! One of these features is security auditing. We've had packet auditing in Openfire for quite some time now, but that only addresses communication amongst users of your Openfire server. What the security auditing functionality provides is logging of administrative activities performed via the Admin Console. Any action you perform that changes the server's configuration, adds, removes, or edits users and groups, or any number of things, will be logged into the security auditor database. On top of that, we've implemented this via provider functionality just like the user providers. What this means is that if you have a custom place you'd like to be logging audit events, or perhaps wanted to write some sort of sms event triggering implementation, you can do that and plug it into the existing infrastructure.
Beyond the security auditing, we have implemented the ability to lock out (disable) accounts. By default, you can lock out accounts for certain periods of time, use delayed starts, or lock them out until manually unlocked. You will find the option to lock out a user while viewing their account in the admin console. Just like with the security auditor, the implementation uses a provider, so that you can implement whatever source you might have for disabled accounts.
The APIs should be pretty flexible and enable developers to build whatever solutions they might need around these two concepts! I will be posting some more details in the Openfire Dev forum in the near future to go over some of the details and other API improvements. We hope that you will enjoy the new functionality when 3.5.0 is released!