[Mageia-sysadm] ldap write log
Buchan Milne
bgmilne at multilinks.com
Tue Dec 7 15:05:12 CET 2010
On Monday, 6 December 2010 19:26:56 Michael Scherer wrote:
> Hi,
>
> while discussing on irc, we came to the conclusion that it would be nice
> to get some audit ( by sending mail ) when a user changes group, or when
> a user is promoted.
Where would we want this audit data to be stored? Only in the DSA ("LDAP
server")? Of course, not every single change (e.g. password change by
unprivileged user) is going to be of interest. While accesslog overlay can
limit what changes you want to see, I think this would prevent us from using it
for delta-syncreplication.
Of course, plain accesslog info is not *that* easy to audit, so we might
prefer to have a view of it in CatDap (I've been looking for something to put
under "LDAP Admin" :-)).
> A way to do that would be to use the accesslogs overlay, with a cronjob
> to get data from it, and to send them by mail and/or store them too, if
> needed.
There are other ways, such as syncrepl consumer which evaluates changes, and
could notify immediately (via any suitable medium). I have some code for such
a tool, but it would need to be more configurable than it is now.
> What do you think ?
I probably need to try and write up more about what I want to do, and what is
done etc. in CatDap, but tools for account auditing etc. should probably be
available. In general it would be useful to the OpenLDAP community if it
weren't specific to Mageia (and, eventually I would like CatDap to get to the
point where it is useful to the OpenLDAP community in general). So, maybe an
accesslog frontend would be good.
Auditlog may be simpler in some ways, but more difficult in others.
> How long should we keep the log ?
Should there be regular audits? If so, we should ensure that we survive audit
intervals. Of course, audits are only feasible if the manpower available is
sufficient for the task, which implies making this as easy as possible.
> Does someone see a problem, or a better idea ?
>
> Obviously, we will need to be careful about what is sent and where, for
> privacy reasons.
Well, I think we may want to consider two aspects:
- An automated process that informs relevant people of actions that may warrant
  further investigation (e.g. "User xxx was promoted to objectClass yyy", or
  "Member of super-privileged account sustained 100 password failures in 5
  minutes, and is locked out")
- A tool which allows searching on events in the case further investigation is
  warranted
We may need two different tools for this, that work in conjunction?
E.g. if very limited information is sent out, but further information is
available (to users who already have privileges to access that information), I
don't think there are additional privacy concerns.
P.S. I will be moving countries again at the end of this week, so I probably
won't have much time for CatDap work in the near future.
Regards,
Buchan
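As an added example (not code from the original post, from CatDap, or from OpenLDAP), the following Python script implements the first of the two aspects discussed above: it reads records as exported from the accesslog overlay, flags membership changes on a watched group and objectClass promotions, leaves a routine self-service password change alone, and drafts a mail that carries only the summary lines, so the detail stays in the DSA for people who already have rights to read it. The reqMod value syntax (`attr:+ value`, `attr:- value`, `attr:= value`, `attr:#`) and attribute names are the overlay's own; the group DN, the `ldapAdmin` objectClass and the three sample records are constructed for the illustration.

```python
"""Flag audit-worthy changes in OpenLDAP accesslog records and draft a notice.

Added example, not code from the original post or from CatDap. The attribute
names (reqStart, reqType, reqDN, reqAuthzID, reqResult, reqMod) are the
accesslog overlay's own; a reqMod value reads ``attr:+ value`` (add),
``attr:- value`` (delete), ``attr:= value`` (replace) or ``attr:#`` (increment).
The group DN, the ``ldapAdmin`` objectClass and the sample records are constructed.
"""
import re
from email.message import EmailMessage
from typing import Dict, List, Tuple

# Constructed sample (as ldapsearch -b cn=accesslog would print it): one group
# change, one self-service password change, one promotion plus a password reset.
SAMPLE_LDIF = """\
dn: reqStart=20101207140501.000001Z,cn=accesslog
reqStart: 20101207140501.000001Z
reqType: modify
reqDN: cn=sysadmin,ou=group,dc=example,dc=org
reqAuthzID: uid=alice,ou=people,dc=example,dc=org
reqMod: member:+ uid=bob,ou=people,dc=example,dc=org
reqResult: 0

dn: reqStart=20101207140502.000001Z,cn=accesslog
reqStart: 20101207140502.000001Z
reqType: modify
reqDN: uid=bob,ou=people,dc=example,dc=org
reqAuthzID: uid=bob,ou=people,dc=example,dc=org
reqMod: userPassword:= {SSHA}redacted
reqResult: 0

dn: reqStart=20101207140503.000001Z,cn=accesslog
reqStart: 20101207140503.000001Z
reqType: modify
reqDN: uid=carol,ou=people,dc=example,dc=org
reqAuthzID: uid=alice,ou=people,dc=example,dc=org
reqMod: objectClass:+ ldapAdmin
reqMod: userPassword:= {SSHA}redacted
reqResult: 0
"""

WATCHED_GROUPS = {"cn=sysadmin,ou=group,dc=example,dc=org"}  # constructed, lower-case
PRIVILEGED_CLASSES = {"ldapadmin"}  # constructed placeholder, lower-case
MEMBER_ATTRS = {"member", "uniquemember", "memberuid"}
REQMOD_RE = re.compile(r"^([^:]+):([+\-=#]) ?(.*)$")

Entry = Dict[str, List[str]]  # attribute name -> values; key "dn" holds the entry DN


def first(entry: Entry, name: str, default: str = "") -> str:
    return entry.get(name, [default])[0]


def parse_ldif(text: str) -> List[Entry]:
    """Parse plain LDIF (no base64 values) into entries, folding continuation lines."""
    entries: List[Entry] = []
    lines: List[str] = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation of the previous line
        elif raw:
            lines.append(raw)
        elif lines:  # a blank line closes the entry
            entry: Entry = {}
            for name, _, value in (line.partition(":") for line in lines):
                entry.setdefault(name, []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries


def parse_reqmod(value: str) -> Tuple[str, str, str]:
    """Split a reqMod value into (attribute, op, value); op is one of + - = #."""
    m = REQMOD_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised reqMod value: {value!r}")
    return m.group(1).lower(), m.group(2), m.group(3)


def audit(entries: List[Entry]) -> List[str]:
    """One alert line per watched-group membership change or privilege promotion."""
    alerts: List[str] = []
    for e in entries:
        if first(e, "reqType") != "modify" or first(e, "reqResult") != "0":
            continue  # this policy only looks at successful modify operations
        when, target = first(e, "reqStart"), first(e, "reqDN")
        actor = first(e, "reqAuthzID", "<anonymous>")
        for attr, op, value in map(parse_reqmod, e.get("reqMod", [])):
            if attr in MEMBER_ATTRS and op in "+-" and target.lower() in WATCHED_GROUPS:
                verb = "added {} to" if op == "+" else "removed {} from"
                alerts.append(f"{when}: {actor} {verb.format(value)} group {target}")
            elif attr == "objectclass" and op == "+" and value.lower() in PRIVILEGED_CLASSES:
                alerts.append(f"{when}: {actor} promoted {target} to objectClass {value}")
    return alerts


def build_notice(alerts: List[str], sender: str, recipient: str) -> EmailMessage:
    """Draft the mail a cron job would send; only the summary lines leave the DSA."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[ldap-audit] {len(alerts)} change(s) needing review"
    msg.set_content("\n".join(alerts) + "\n")
    return msg
```

Running `build_notice(audit(parse_ldif(SAMPLE_LDIF)), sender, recipient)` yields a two-line notice: the member added to cn=sysadmin and carol's promotion; bob's own password change produces nothing. Note that the filtering on reqResult only matters if the overlay is configured to log failed operations as well as successful ones; with `logsuccess` alone every record already has reqResult 0.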