Audit in Kerberos

Zhanna Tsitkova tsitkova at
Thu Jan 21 15:04:21 EST 2010

I would like to re-introduce the idea of extending the  Kerberos  
security policy by  adding an Audit feature to track the activity on  
the KDC side.

This would include such events, both successes and failures,  as  
ticket request, ticket issued/renewed, is ticket forwardable, kdc  
referral activity,  password modified/expired, constarained delegation  
(for future) etc.

There are few problems that must be addressed
1. Where to store the audit info - in file or DB?
     Syslog seems to be an attractive option. However, only admin  
privileged users can access and interpret the log.
     DB log storage suggests more flexibility when  users based on  
their access rights may review and analyze the accumulated log data.  
The drawback here is the worsened performance and scalability.
2. What format should be used to store the messages. If the messages  
are stored in the syslog they need to be suitable for db uploading.  
XML or text? (XML format would result into the rapid file-size growth  
but , if stored remotely may be not a problem)
3. Make this feature plugable.
4. Some vendors have their own in-house audit mechanisms incorporated  
in the Kerberos code. Should we introduce our own daemons to  
monitor,alert, interpret, archive and cleanup or sanitization  of the  
accumulated log data or should we relay on the OS capabilities?

Any feedback and opinions and recommendations are greatly appreciated.


Zhanna Tsitkova
tsitkova at

More information about the krbdev mailing list