[Mageia-sysadm] ldap write log

Buchan Milne bgmilne at multilinks.com
Tue Dec 7 15:05:12 CET 2010


On Monday, 6 December 2010 19:26:56 Michael Scherer wrote:
> Hi,
> 
> while discussing on irc, we came to the conclusion that it would be nice
> to get some audit ( by sending mail ) when a user change group, or when
> a user is promoted.

Where would we want this audit data to be stored? Only in the DSA ("LDAP 
server")? Of course, not every single change (e.g. password change by 
unprivileged user) is going to be of interest. While accesslog overlay can 
limit what changes you want to see, I think this would prevent us from using it
for delta-syncreplication.

Of course, plain accesslog info is not *that* easy to audit, so we might 
prefer to have a view of it in CatDap (I've been looking for something to put 
under "LDAP Admin" :-)).

> A way to do that would be to use the accesslogs overlay, with a cronjob
> to get data from it, and to send them by mail and/or store them too, if
> needed.

There are other ways, such as syncrepl consumer which evaluates changes, and 
could notify immediately (via any suitable medium). I have some code for such 
a tool, but it would need to be more configurable than it is now.

> What do you think ?

I probably need to try and write up more about what I want to do, and what is 
done etc. in CatDap, but tools for account auditing etc. should probably be 
available. In general it would be useful to the OpenLDAP community if it 
weren't specific to Mageia (and, eventually I would like CatDap to get to the 
point where it is useful to the OpenLDAP community in general). So, maybe an 
accesslog frontend would be good.

Auditlog may be simpler in some ways, but more difficult in others.

> How long should we keep the log ?

Should there be regular audits? If so, we should ensure that we survive audit 
intervals. Of course, audits are only feasible if the manpower available is 
sufficient for the task, which implies making this as easy as possible.

> Does someone see a problem, or a better idea ?
> 
> Obviously, we will need to be careful about what is sent and where, for
> privacy reason.

Well, I think we may want to consider two aspects:
-An automated process that informs relevant people of actions that may warrant 
further investigation (e.g. "User xxx was promoted to objectClass yyy", or 
"Member of super-privileged account sustained 100 password failures in 5 
minutes, and is locked out")
-A tool which allows searching on events in the case further investigation is 
warranted

We may need two different tools for this, that work in conjunction?

E.g. if very limited information is sent out, but further information is 
available (to users who already have privileges to access that information), I 
don't think there are additional privacy concerns.

P.S. I will be moving countries again at the end of this week, so I probably 
won't have much time for CatDap work in the near future.


Regards,
Buchan
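The automated side of the two-tool split described above, as an added example (it is neither CatDap code nor anything from Mageia's infrastructure): a Python script that reads slapo-accesslog entries in the LDIF form `ldapsearch -LLL -b cn=accesslog` returns them and reports only the events the thread calls audit-worthy, namely group membership changes, a new objectClass on a user entry, and a burst of failed binds against one DN, while a self-service password change produces nothing. The directory layout, the thresholds, the objectClass in the sample and the sample entries themselves are constructed assumptions.

```python
#!/usr/bin/env python3
"""Flag audit-worthy events in slapo-accesslog output (added example).

Input is LDIF as `ldapsearch -LLL -b cn=accesslog` prints it. Base DNs,
thresholds and the sample below are assumptions, not Mageia's real layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GROUP_ATTRS = {"member", "memberuid", "uniquemember"}   # membership attributes to watch
PEOPLE_BASE = "ou=People,dc=mageia,dc=org"               # assumed location of user entries

# Constructed sample, trimmed to the attributes used here (real entries also carry
# reqEnd, reqSession, reqOld and entryCSN/modifiersName mods).
SAMPLE_LDIF = """\
dn: reqStart=20101207140501.000001Z,cn=accesslog
reqStart: 20101207140501.000001Z
reqType: modify
reqDN: cn=sysadmin,ou=Group,dc=mageia,dc=org
reqAuthzID: uid=bob,ou=People,dc=mageia,dc=org
reqResult: 0
reqMod: memberUid:+ alice

dn: reqStart=20101207140530.000001Z,cn=accesslog
reqStart: 20101207140530.000001Z
reqType: modify
reqDN: uid=alice,ou=People,dc=mageia,dc=org
reqAuthzID: uid=bob,ou=People,dc=mageia,dc=org
reqResult: 0
reqMod: objectClass:+ posixAccount

dn: reqStart=20101207140600.000001Z,cn=accesslog
reqStart: 20101207140600.000001Z
reqType: modify
reqDN: uid=carol,ou=People,dc=mageia,dc=org
reqAuthzID: uid=carol,ou=People,dc=mageia,dc=org
reqResult: 0
reqMod: userPassword:= {SSHA}constructed

dn: reqStart=20101207140630.000001Z,cn=accesslog
reqStart: 20101207140630.000001Z
reqType: modify
reqDN: cn=sysadmin,ou=Group,dc=mageia,dc=org
reqAuthzID: uid=dave,ou=People,dc=mageia,dc=org
reqResult: 50
reqMod: memberUid:+ dave
"""
# Three failed binds (reqResult 49, invalidCredentials) by dave within 40 seconds.
SAMPLE_LDIF += "".join(
    f"\ndn: reqStart=201012071407{s:02d}.000001Z,cn=accesslog\n"
    f"reqStart: 201012071407{s:02d}.000001Z\nreqType: bind\n"
    f"reqDN: uid=dave,ou=People,dc=mageia,dc=org\nreqResult: 49\n"
    for s in (0, 20, 40))


def parse_ldif(text):
    """Split LDIF into {attr: [values]} dicts; plain 'attr: value' lines only."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(": ")
            cur[attr].append(value)
        elif cur:
            entries.append(dict(cur))
            cur = defaultdict(list)
    if cur:
        entries.append(dict(cur))
    return entries


def parse_reqmod(mod):
    """reqMod values are 'attr:<op> value' with op + (add), - (delete), = (replace), # (increment)."""
    attr, _, rest = mod.partition(":")
    return attr.lower(), rest[:1], rest[2:]


def req_time(entry):
    return datetime.strptime(entry["reqStart"][0], "%Y%m%d%H%M%S.%fZ")


def audit(entries, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (kind, subject, detail) tuples for events that warrant a human look."""
    events, fails = [], defaultdict(list)        # fails: bind DN -> recent failure times
    for e in sorted(entries, key=req_time):
        rtype, result = e.get("reqType", [""])[0], e.get("reqResult", [""])[0]
        dn, actor = e.get("reqDN", [""])[0], e.get("reqAuthzID", ["(anonymous)"])[0]
        if rtype == "bind" and result == "49":
            now = req_time(e)
            fails[dn] = [t for t in fails[dn] if now - t <= window] + [now]
            if len(fails[dn]) == fail_threshold:     # fires once when a burst crosses the line
                events.append(("bind-failures", dn,
                               f"{fail_threshold} failed binds within {window}"))
        elif rtype == "modify" and result == "0":    # ignore denied/failed modifies (reqResult != 0)
            for attr, op, value in map(parse_reqmod, e.get("reqMod", [])):
                if attr in GROUP_ATTRS and op in ("+", "-"):
                    events.append(("group-change", dn, f"{actor} {op}{attr} {value}"))
                elif attr == "objectclass" and op == "+" and dn.endswith(PEOPLE_BASE):
                    events.append(("promotion", dn, f"{actor} added objectClass {value}"))
    return events


def audit_ldif(text, **kw):
    return audit(parse_ldif(text), **kw)


if __name__ == "__main__":
    for kind, subject, detail in audit_ldif(SAMPLE_LDIF):
        print(f"{kind:14} {subject}: {detail}")
```

Piping the output into mail from a cron job gives the "limited information sent out" half of the proposal; the full reqMod/reqOld detail stays in cn=accesslog for whoever already has rights to read it. Note that with `logsuccess TRUE` (which delta-syncrepl wants) the denied modify in the sample would never be recorded, so the reqResult check matters only when failures are logged too.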

