Difference between revisions of "Projects/Audit"
m (→Events) |
m (→Events) |
||
| Line 17: | Line 17: | ||
== Events == |
== Events == |
||
| ⚫ | |||
| + | This section details the list of the events, the content of the log entries and the level of the event (minimum, basic or detailed). |
||
| − | This section details the list of the events, the content of the log entries and their nature. The latter indicates if the event should be classified as an alert or just a warning on some detected activity. Potentially, the events can be further categorized into some logical groups (for example, policy related events, general KDC events, security violation, etc). |
||
| + | Each record must contain at least the timestamp of the event, the event id (type), and the status of the event (success or failure). |
||
| + | Startup and shutdown of the audit system must be recorded by audit system. |
||
| − | {| class="wikitable" |
||
| − | |- |
||
| − | ! Event |
||
| − | ! Nature |
||
| − | ! Log entries |
||
| − | |- |
||
| − | |- |
||
| − | | Ticket requested || G || CPN, RSN, RLife, IPList, Rport |
||
| − | |- |
||
| − | | Ticket issued/renewed || || |
||
| − | |- |
||
| − | |Ticket is forwardable || || |
||
| − | |- |
||
| − | |Constrained delegation || || |
||
| − | |- |
||
| − | |Service ticket requested || || |
||
| − | |- |
||
| − | | Service ticket renewed|| || |
||
| − | |- |
||
| − | | Password modified/expired || || |
||
| − | |- |
||
| − | | KDC referral activity|| || |
||
| − | |- |
||
| − | | Configuration changed|| || |
||
| − | |- |
||
| − | | Policy allowed/disallowed event X|| || |
||
| − | |- |
||
| − | | Replay attack detected|| E|| |
||
| − | |- |
||
| − | |} |
||
| − | where "G" stands for general "good" activity, while 'E' denotes an alert/error; |
||
| + | Categories: |
||
| − | CPN - client principal name; |
||
| + | |||
| − | RSN - requested service name; |
||
| ⚫ | |||
| − | RLife - requested lifetime; |
||
| − | IPList - IP addresses of hosts to use the ticket for; |
||
| − | Rport, Lport - remote and local ports; |
||
== Design details == |
== Design details == |
||
Revision as of 17:43, 13 July 2012
Purpose
The primary focus of this project will be on creating an Audit infrastructure within MIT Kerberos to monitor security related events on the KDC. The initial set of the audible events will be identified. Also, the special attention will be paid to the content of the log entries so they would be relevant and useful for effective audit analysis.
Requirements
The new audit system should be:
- build-time enabled;
- run-time pluggable;
- simple, so it could be easily replaced with the OS specific implementations;
- if possible, record the i18n- and l10n-ready log messages.
Events
This section details the list of the events, the content of the log entries and the level of the event (minimum, basic or detailed).
Each record must contain at least the timestamp of the event, the event id (type), and the status of the event (success or failure). Startup and shutdown of the audit system must be recorded by audit system.
Categories:
TODO
Design details
TODO
Test implementation
We will use libaudit module available on Fedora, Debian, Suse for the first round.
