Auditing Feature in Kerberos

K.G. Gokulavasan kgokulavasan at novell.com
Thu Feb 16 06:07:51 EST 2006


Hi,
   For the file log plugin, we considered XML format (manual, with no
dependency on XML libraries) and text format (data in human-readable
format). The following are the advantages and disadvantages of both
approaches:

XML:

Advantage:
1) Since it is in a standard format, it can be parsed using any XML
parser and consumed by any application which understands XML.

Disadvantage:
1) Because of tags and aligning, the file size will be very huge and
because of that the file will reach the maximum allowed limit soon.

TEXT:
Advantage:
1) File size will be manageable and won't be huge.

Disadvantages:
1) Parsing will be very difficult.
2) Extending it for additional audit information will be very difficult
(the tools written for one format won't be useful if the audit data are
extended).


Please provide your comments.

Regards,
 Gokul.



>>> Sam Hartman <hartmans at mit.edu> 2/13/06 5:20:14 PM >>>
>>>>> "K" == K G Gokulavasan <kgokulavasan at novell.com> writes:

    K> Hi, We thought of using Berkeley DB since it was already used
    K> by KDC.  

So, newer versions of the Berkeley DB code cannot be used because of
licensing issues.  The main problem is that it would create problems
for people like Sun who do not always distribute source.

    K> But if it has licensing issues, which other databases
    K> can be used? or shall we go for file based audit log?



I think MIT would probably not be interested in a db-based audit log
unless there is significantly more demand than we've seen on the list.
We'd be happy to accept a plugin interface for audit logs and if you
managed to define the plugin interface so that it did not depend on
k5-int.h then third parties could easily distribute audit plugins for
their favorite databases.

We would be happy to accept a file log plugin that did not introduce
significant new build dependencies.

We would consider but might well reject a file plugin that introduced
a build dependency on an XML library.

We're working on an example of a plugin interface that does not depend
on k5-int.h.  Ken's branch is evolving in that direction.

--Sam
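
The "manual" XML option discussed in this thread means the plugin writes the tags itself, so it must also escape client-supplied fields itself. The sketch below is an added example, not code from this thread or from MIT Kerberos; the record layouts and the names xml_escape, format_xml and format_text are hypothetical. It emits the same event in both candidate formats so the escaping each one needs and the size difference can be compared.

```c
#include <stdio.h>
#include <string.h>

/* Escape XML metacharacters for a double-quoted attribute; control bytes become '?'. */
static int xml_escape(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        char one[2] = { (unsigned char)*src < 0x20 ? '?' : *src, '\0' };
        const char *rep = one;
        if (*src == '&') rep = "&amp;";
        else if (*src == '<') rep = "&lt;";
        else if (*src == '>') rep = "&gt;";
        else if (*src == '"') rep = "&quot;";
        if (n + strlen(rep) + 1 > cap) return -1;   /* -1: dst too small */
        n += (size_t)snprintf(dst + n, cap - n, "%s", rep);
    }
    dst[n] = '\0';
    return (int)n;
}

/* Hand-written XML record (hypothetical layout); `when` and `event` are trusted constants. */
static int format_xml(char *out, size_t cap, const char *when, const char *client, const char *event)
{
    char c[256];
    if (xml_escape(c, sizeof c, client) < 0) return -1;
    int n = snprintf(out, cap, "<event time=\"%s\" type=\"%s\" client=\"%s\"/>\n", when, event, c);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Space-separated text record (hypothetical layout); whitespace in the client field would shift columns. */
static int format_text(char *out, size_t cap, const char *when, const char *client, const char *event)
{
    int head = snprintf(out, cap, "%s %s ", when, event);
    int n = snprintf(out, cap, "%s %s %s\n", when, event, client);
    if (head < 0 || n < 0 || (size_t)n >= cap) return -1;
    for (char *p = out + head; p < out + n - 1; p++)   /* client field only, keep final newline */
        if ((unsigned char)*p <= 0x20) *p = '_';
    return n;
}

int main(void)
{
    char x[512], t[512];   /* the principal name below is constructed sample input */
    int nx = format_xml(x, sizeof x, "2006-02-16T06:07:51Z", "a\"b<c>&d@EXAMPLE.COM", "AS_REQ");
    int nt = format_text(t, sizeof t, "2006-02-16T06:07:51Z", "a\"b<c>&d@EXAMPLE.COM", "AS_REQ");
    return (nx > 0 && nt > 0 && printf("%s%sxml=%d text=%d bytes\n", x, t, nx, nt) > 0) ? 0 : 1;
}
```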



