Audit in Kerberos

Henry B. Hotz hotz at jpl.nasa.gov
Fri Jan 22 20:31:12 EST 2010


On Jan 22, 2010, at 9:02 AM, krbdev-request at mit.edu wrote:

> 1. Where to store the audit info - in file or DB?
>     Syslog seems to be an attractive option. However, only admin
> privileged users can access and interpret the log.
>     DB log storage suggests more flexibility when users based on
> their access rights may review and analyze the accumulated log data.
> The drawback here is the worsened performance and scalability.


I think the main Kerberos DB is appropriate for info like last successful/failed usage info.  A complete history should be external.

+1 to plugins and minimal built-in facility.

Configurable syslog or file (or NULL) destinations for the info with post-processing to implement the complete facility is the architecture I would expect to make sense, but I haven't thought too much about alternatives.  If you want something other than XML I'd suggest comma-separated-values.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
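
The following is an added example, not part of the original message and not MIT Kerberos code: a sketch of the post-processing step described above, which reads comma-separated audit records from a file or syslog extract and derives the last successful/failed usage per principal. The five-column record layout, the field names and the sample lines are assumptions made up for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample input. The column layout (timestamp, principal, event,
# result, client address) is hypothetical, not a format defined by krb5.
SAMPLE_LOG = """\
2010-01-22T20:00:01Z,alice@EXAMPLE.COM,AS_REQ,success,192.0.2.10
2010-01-22T20:00:05Z,bob@EXAMPLE.COM,AS_REQ,failure,192.0.2.11
2010-01-22T20:01:17Z,bob@EXAMPLE.COM,AS_REQ,failure,192.0.2.11
this line is damaged
2010-01-22T20:02:40Z,bob@EXAMPLE.COM,AS_REQ,success,192.0.2.11
2010-01-22T20:03:02Z,alice@EXAMPLE.COM,TGS_REQ,failure,192.0.2.10
"""
FIELDS = ("timestamp", "principal", "event", "result", "client")


def summarize(stream):
    """Return ({principal: summary}, rejected_count) for a CSV audit stream.

    Records are assumed to be appended in chronological order, so the
    failure counter reflects failures seen since the last success.
    """
    summary, rejected = {}, 0
    for row in csv.reader(stream):
        if not row:
            continue  # skip blank lines
        rec = dict(zip(FIELDS, row))
        try:
            if len(row) != len(FIELDS) or rec["result"] not in ("success", "failure"):
                raise ValueError("unexpected record shape")
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            rejected += 1  # count damaged records instead of dropping them silently
            continue
        entry = summary.setdefault(rec["principal"], {
            "last_success": None, "last_failure": None, "failures_since_success": 0})
        if rec["result"] == "success":
            entry["last_success"] = ts
            entry["failures_since_success"] = 0
        else:
            entry["last_failure"] = ts
            entry["failures_since_success"] += 1
    return summary, rejected


if __name__ == "__main__":
    report, bad = summarize(io.StringIO(SAMPLE_LOG))
    for principal, info in sorted(report.items()):
        print(principal, info)
    print("rejected records:", bad)
```

Counting rejected records matters for an audit trail: a rising count points at truncation or tampering in the external log rather than at the parser.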






