Audit in Kerberos
epeisach at mit.edu
Thu Jan 21 15:47:04 EST 2010
On 1/21/2010 3:04 PM, Zhanna Tsitkova wrote:
> I would like to re-introduce the idea of extending the Kerberos
> security policy by adding an Audit feature to track the activity on
> the KDC side.
> This would include such events, both successes and failures, as
> ticket request, ticket issued/renewed, is ticket forwardable, kdc
> referral activity, password modified/expired, constarained delegation
> (for future) etc.
> There are few problems that must be addressed
> 1. Where to store the audit info - in file or DB?
> Syslog seems to be an attractive option. However, only admin
> privileged users can access and interpret the log.
Not all OS's protect the syslog information. The advantage/disadvantage
of syslog is that it pushes the info out fast using UDP (I believe) and
then the syslogd manages it. Messages can get lost if the disk fills, etc.
> DB log storage suggests more flexibility when users based on
> their access rights may review and analyze the accumulated log data.
> The drawback here is the worsened performance and scalability.
There are a number of newer databases out there that show better
performance than the DB we have (tokyocabinet and I think there is
> 2. What format should be used to store the messages. If the messages
> are stored in the syslog they need to be suitable for db uploading.
> XML or text? (XML format would result into the rapid file-size growth
> but , if stored remotely may be not a problem)
I do not personally like xml - but I would not want a binary format.
> 3. Make this feature plugable.
Definite - then you can have the syslog, db, xml, mysql, sqlite, remote
reporting, etc plugins as needed.
> 4. Some vendors have their own in-house audit mechanisms incorporated
> in the Kerberos code. Should we introduce our own daemons to
> monitor,alert, interpret, archive and cleanup or sanitization of the
> accumulated log data or should we relay on the OS capabilities?
This is an os issue. If you are using syslogd - O/S vendors have their
own tools to cleanup the files - do not reinvent the wheel. On the
other hand - providing a tool for groveling the logs, send alerts, etc
periodically would be useful. But there might be something out there
that does that already for say an xml structured file (heck I bet nagios
could do this). I would say - don't reinvent the wheel there - but if
there is a standard monitoring program that can be extended - with their
own plugin system - then write the plugin.... Heck - just googling - I
found sawmill - which looks nice
> Any feedback and opinions and recommendations are greatly appreciated.
In short - give people options w/ plugins - but provide some rudimentary
More information about the krbdev