logo_kerberos.gif

Difference between revisions of "Projects/Audit"

From K5Wiki
Jump to: navigation, search
(Project page skeleton.)
 
(State the purpose of the project)
Line 1: Line 1:
 
{{project-early}}
 
{{project-early}}
   
  +
== Purpose ==
   
== Pluggability ==
 
  +
The primary focus of this project will be on creating an Audit infrastructure within MIT Kerberos to monitor security related events on the KDC. The initial set of the audible events will be identified. Also, the special attention will be paid to the content of the log entries so they would be relevant and useful for effective audit analysis.
  +
 
== Requirements ==
   
* Run-time pluggable. Registered via plugin framework. The "audit" subsection of [plugins] in kdc.conf points to the module.
 
  +
The new audit system should be:
* Build-time enabled using --with-audit-pl configure flag.
 
  +
  +
* build-time enabled;
  +
* run-time pluggable;
 
* simple, so it could be easily replaced with the OS specific implementations;
  +
* if possible, record the i18n- and l10n-ready log messages.
   
   
 
== Events ==
 
== Events ==
   
* Ticket requested
 
  +
TODO.
* Ticket issued
 
* Ticket renewed
 
* Ticket is forwardable
 
* Constrained delegation
 
* Service ticket requested
 
* Service ticket renewed
 
* Password modified
 
* Password expired
 
* KDC referral activity
 
* Replay attack detected
 
* Policy allowed/disallowed XYZ events
 
   
(When/if assigning the numbers to the events, consider using odd numbers for errors and other "bad" things and even numbers for informational messages.)
 
  +
This section details the list of the events, the content of the log entries and their nature. The latter indicates if the event should be classified as an alert or just a warning on some detected activity. Potentially, the events can be further categorized into some logical groups (for example, policy related events, general KDC events, security violation, etc).
   
  +
{| class="wikitable"
  +
|-
  +
! Event
  +
! Nature
  +
! Log entries
  +
|-
  +
|-
 
| Ticket requested || G ||
  +
|-
 
| Ticket issued/renewed || ||
  +
|-
 
|Ticket is forwardable || ||
  +
|-
 
|Constrained delegation || ||
  +
|-
 
|Service ticket requested || ||
  +
|-
 
| Service ticket renewed|| ||
  +
|-
 
| Password modified/expired || ||
  +
|-
 
| KDC referral activity|| ||
  +
|-
  +
| Configuration changed|| ||
  +
|-
 
| Policy allowed/disallowed event X|| ||
  +
|-
 
| Replay attack detected|| E||
  +
|-
  +
|}
   
== Requirements ==
 
  +
where "G" stands for general "good" activity, while 'E' denotes an alert/error.
 
* Should be simple, so it could be easily replaced with the OS specific implementations.
 
* If possible, make the log messages i18n-ready
 
   
 
== Design details ==
 
== Design details ==
   
We will use *libaudit* module available on Fedora, Debian, Suse for the first round.
 
  +
TODO
  +
  +
== Test implementation ==
  +
 
We will use libaudit module available on Fedora, Debian, Suse for the first round.

Revision as of 15:17, 5 July 2012

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Purpose

The primary focus of this project will be on creating an Audit infrastructure within MIT Kerberos to monitor security related events on the KDC. The initial set of the audible events will be identified. Also, the special attention will be paid to the content of the log entries so they would be relevant and useful for effective audit analysis.

Requirements

The new audit system should be:

  • build-time enabled;
  • run-time pluggable;
  • simple, so it could be easily replaced with the OS specific implementations;
  • if possible, record the i18n- and l10n-ready log messages.


Events

TODO.

This section details the list of the events, the content of the log entries and their nature. The latter indicates if the event should be classified as an alert or just a warning on some detected activity. Potentially, the events can be further categorized into some logical groups (for example, policy related events, general KDC events, security violation, etc).

Event Nature Log entries
Ticket requested G
Ticket issued/renewed
Ticket is forwardable
Constrained delegation
Service ticket requested
Service ticket renewed
Password modified/expired
KDC referral activity
Configuration changed
Policy allowed/disallowed event X
Replay attack detected E

where "G" stands for general "good" activity, while 'E' denotes an alert/error.

Design details

TODO

Test implementation

We will use libaudit module available on Fedora, Debian, Suse for the first round.