find inactive accounts

Ken Raeburn raeburn at MIT.EDU
Wed Jan 20 01:04:04 EST 2010


On Jan 20, 2010, at 00:41, Steve Glasser wrote:
> I know I can get users and login dates from krb5kdc.log, and I can
> find the last login date.

Be careful with that... if you're not doing some kind of preauth method, the AS_REQ messages in the log only indicate that someone tried to get an authenticator for that principal, not that they succeeded in decrypting it. (What does "log in" mean when dealing with cryptographic credentials and not access to a particular machine, anyways?)  You can check whether there were any TGS requests following for those principals, but if your environment lets people on without a TGS exchange and lets them access some data without Kerberos (maybe some service has its own password database? maybe some data was stored on a desktop workstation?), then you might miss some sessions.

>  However Kerberos logs dates as "month day",
> so to do date math for dates going back into last year is awkward at
> best.  So...
> 
> a) can I configure Kerberos to log "month day year"?
> b) is there a better way to do this audit?

There isn't a way to change the log format, no; not without going in and changing the code.  Note too that some of the fields are somewhat free-form.  Someone trying to mess with your log parsing could send in a bogus AS request for a principal name with spaces in it, for example.  They could try newlines, which could really mess things up, but those should be converted to "\n" before logging; other non-printing characters could show up though.

It may be worth looking into new auditing code specifically for recording, in an unambiguous and easy-to-process form, the information needed to comply with these regulations.  It's come up for discussion once or twice before, but perhaps not with the right audience, as it never seems to go anywhere....

Ken


-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
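An added example, not code from the thread or from MIT Kerberos: a small Python parser for krb5kdc.log that applies both cautions above, recovering the missing year by walking the file backwards from a known end year, and treating a principal as active only when a successful TGS exchange follows, rather than on AS_REQ lines alone. The sample lines and the assumed krb5kdc.log layout are constructed for this example.

```python
import re
from datetime import date

# Constructed sample in the default krb5kdc.log layout (an assumption, not
# lines from the thread); note the missing year and the Dec -> Jan rollover.
SAMPLE_LOG = """\
Dec 28 09:12:01 kdc krb5kdc[411](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: ISSUE: authtime 1262000000, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 28 09:12:02 kdc krb5kdc[411](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: ISSUE: authtime 1262000000, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/fs.example.com@EXAMPLE.COM
Jan 05 14:00:00 kdc krb5kdc[411](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1262700000, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 05 14:00:01 kdc krb5kdc[411](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1262700000, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for host/fs.example.com@EXAMPLE.COM
Jan 19 23:59:00 kdc krb5kdc[411](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.3: ISSUE: authtime 1263999540, etypes {rep=18 tkt=18 ses=18}, odd name@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Only successful ISSUE lines count. The client principal is the free-form
# field before " for ", so a principal containing " for " would still defeat
# this parser, which is Ken's point about trusting the log format.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) .*?: ISSUE: authtime \d+, etypes \{[^}]*\}, "
    r"(?P<client>.+?) for ")

def parse_kdc_log(text, end_year):
    """Return [(date, kind, client)]. Years are recovered by walking backwards
    from end_year (year of the last line) and stepping down at each month jump."""
    out, year, next_month = [], end_year, None
    for line in reversed(text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        mon = MONTHS[m["mon"]]
        if next_month is not None and mon > next_month:
            year -= 1  # earlier line with a later month: previous year
        next_month = mon
        out.append((date(year, mon, int(m["day"])), m["kind"], m["client"]))
    return out[::-1]

def last_seen(records, kind):
    """Latest date per client principal for one request kind."""
    seen = {}
    for d, k, client in records:
        if k == kind and d > seen.get(client, date.min):
            seen[client] = d
    return seen

def inactive_since(records, cutoff):
    """Principals with no successful TGS exchange on or after cutoff: a TGS_REQ
    shows the client could actually use its TGT, unlike a bare AS_REQ."""
    tgs = last_seen(records, "TGS_REQ")
    return sorted(c for c in {c for _, _, c in records} if tgs.get(c, date.min) < cutoff)
```

In the sample, "odd name" has a recent AS_REQ but no TGS_REQ, so an AS_REQ-only audit would call it active while this check does not; the year recovery assumes the file spans less than twelve months.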
