Auditing Feature in Kerberos
greg@enjellic.com
greg at enjellic.com
Thu Mar 23 17:42:09 EST 2006
On Mar 23, 9:35am, Sam Hartman wrote:
} Subject: Re: Auditing Feature in Kerberos
Hi Sam, thanks for the note.
> >>>>> "greg" == greg <greg at enjellic.com> writes:
>
> greg> On Mar 22, 6:33am, "K.G. Gokulavasan" wrote: } Subject: Re:
> greg> Auditing Feature in Kerberos
>
> >> Hi,
>
> greg> Good morning to everyone.
>
> >> I think auth_time + principal_name can be used to link the TGT
> >> and service ticket issued by TGS. The same information can be
> >> used for auditing. Is this fine or is there a better way to
> >> link the TGT and service ticket issued by TGS?
>
> greg> Place a hook in the AS_REQ/TGS_REQ routines. Define an
> greg> ad_type to hold a serial number which gets incremented for
> greg> each AS_REQ and returned in the TGT. Look for the serial
> greg> number in the TGT when processing the TGS_REQ.
> You could do this.
> Why would you want to?
Accuracy of implementation perhaps.
> I believe that auth_time+principal_name is sufficient.
It may be but it does fail a direct correllation requirement. If the
IP address is implemented in the payload the ad_data strategy also
allows pinning the audit trail to the KDC which issued the ticket.
It all comes down to whether or not it is sufficient to answer the
audit question with 'we think it might be' or 'it is'.
I have found that people concerned with audit trails can be
surprisingly pedantic in their assurance requirements.
Greg
}-- End of excerpt from Sam Hartman
As always,
Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC.
4206 N. 19th Ave. Specializing in information infra-structure
Fargo, ND 58102 development.
PH: 701-281-1686
FAX: 701-281-3949 EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"There's nothing in the middle of the road 'cept yellow lines and
squashed armadillos."
-- Mike Hightower
More information about the krbdev
mailing list