path: root/zarb-ml/mageia-sysadm/2010-December/001071.html
Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-December/001071.html')
-rw-r--r--zarb-ml/mageia-sysadm/2010-December/001071.html123
1 files changed, 123 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-December/001071.html b/zarb-ml/mageia-sysadm/2010-December/001071.html
new file mode 100644
index 000000000..8536cfdf5
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2010-December/001071.html
@@ -0,0 +1,123 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+ <TITLE> [Mageia-sysadm] ldap write log
+ </TITLE>
+ <LINK REL="Index" HREF="index.html" >
+ <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20ldap%20write%20log&In-Reply-To=%3C201012071505.12893.bgmilne%40multilinks.com%3E">
+ <META NAME="robots" CONTENT="index,nofollow">
+ <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+ <LINK REL="Previous" HREF="001033.html">
+ <LINK REL="Next" HREF="001072.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+ <H1>[Mageia-sysadm] ldap write log</H1>
+ <B>Buchan Milne</B>
+ <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20ldap%20write%20log&In-Reply-To=%3C201012071505.12893.bgmilne%40multilinks.com%3E"
+ TITLE="[Mageia-sysadm] ldap write log">bgmilne at multilinks.com
+ </A><BR>
+ <I>Tue Dec 7 15:05:12 CET 2010</I>
+ <P><UL>
+ <LI>Previous message: <A HREF="001033.html">[Mageia-sysadm] ldap write log
+</A></li>
+ <LI>Next message: <A HREF="001072.html">[Mageia-sysadm] ldap write log
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#1071">[ date ]</a>
+ <a href="thread.html#1071">[ thread ]</a>
+ <a href="subject.html#1071">[ subject ]</a>
+ <a href="author.html#1071">[ author ]</a>
+ </LI>
+ </UL>
+ <HR>
+<!--beginarticle-->
+<PRE>On Monday, 6 December 2010 19:26:56 Michael Scherer wrote:
+&gt;<i> Hi,
+</I>&gt;<i>
+</I>&gt;<i> while discussing on irc, we came to the conclusion that it would be nice
+</I>&gt;<i> to get some audit ( by sending mail ) when a user change group, or when
+</I>&gt;<i> a user is promoted.
+</I>
+Where would we want this audit data to be stored? Only in the DSA (&quot;LDAP
+server&quot;)? Of course, not every single change (e.g. password change by
+unprivileged user) is going to be of interest. While accesslog overlay can
+limit what changes you want to see, I think this would prevent us for using it
+for delta-syncreplication.
+
+Of course, plain accesslog info is not *that* easy to audit, so we might
+prefer to have a view of it in CatDap (I've been looking for something to put
+under &quot;LDAP Admin&quot; :-)).
+
+&gt;<i> A way to do that would be to use the accesslogs overlay, with a cronjob
+</I>&gt;<i> to get data from it, and to send them by mail and/or store them too, if
+</I>&gt;<i> needed.
+</I>
+There are other ways, such as syncrepl consumer which evaluates changes, and
+could notify immediately (via any suitable medium). I have some code for such
+a tool, but it would need to be more configurable than it is now.
+
+&gt;<i> What do you think ?
+</I>
+I probably need to try and write up more about what I want to do, and what is
+done etc. in CatDap, but tools for account auditing etc. should probably be
+available. In general it would be useful to the OpenLDAP community if it
+weren't specific to Mageia (and, eventually I would like CatDap to get to the
+point where it is useful to the OpenLDAP community in general). So, maybe an
+accesslog frontend would be good.
+
+Auditlog may be simpler in some ways, but more difficult in others.
+
+&gt;<i> How long should we keep the log ?
+</I>
+Should there be regular audits? If so, we should ensure that we survive audit
+intervals. Of course, audits are only feasible if the manpower available is
+sufficient for the task, which implies making this as easy as possible.
+
+&gt;<i> Does someone see a problem, or a better idea ?
+</I>&gt;<i>
+</I>&gt;<i> Obviously, we will need to be careful about what is sent and where, for
+</I>&gt;<i> privacy reason.
+</I>
+Well, I think we may want to consider two aspects:
+-An automated process that informs relevant people of actions that may warrant
+further investigation (e.g. &quot;User xxx was promoted to objectClass yyy&quot;, or
+&quot;Member of super-privileged account sustained 100 password failures in 5
+minutes, and is locked out&quot;)
+-A tool which allows searching on events in the case further investigation is
+warranted
+
+We may need two different tools for this, that work in conjunction?
+
+E.g. if very limited information is sent out, but further information is
+available (to users who already have privileges to access that information), I
+don't think there are additional privacy concerns.
+
+P.S. I will be moving countries again at the end of this week, so I probably
+won't have much time for CatDap work in the near future.
+
+
+Regards,
+Buchan
+</PRE>
+
+
+<!--endarticle-->
+ <HR>
+ <P><UL>
+ <!--threads-->
+ <LI>Previous message: <A HREF="001033.html">[Mageia-sysadm] ldap write log
+</A></li>
+ <LI>Next message: <A HREF="001072.html">[Mageia-sysadm] ldap write log
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#1071">[ date ]</a>
+ <a href="thread.html#1071">[ thread ]</a>
+ <a href="subject.html#1071">[ subject ]</a>
+ <a href="author.html#1071">[ author ]</a>
+ </LI>
+ </UL>
+
+<hr>
+<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
+mailing list</a><br>
+</body></html>
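Review bot: the author-address obfuscation in this archive page is undermined by its own link attributes: the visible text is `bgmilne at multilinks.com`, but the `<LINK REL="made" HREF="mailto:...">` in the head and the matching `<A HREF="mailto:...">` next to the author name both carry `In-Reply-To=%3C201012071505.12893.bgmilne%40multilinks.com%3E`, i.e. the unobfuscated address in percent-encoded form, which scrapers decode trivially. Since the message itself asks to "be careful about what is sent and where, for privacy reason", the generated page should either drop the Message-ID from the mailto query or apply the same " at " rewriting to it before the file is committed. Minor style points in the same hunk: tag case is mixed (`<LI>` closed by `</li>`, `</PRE>` but `</body></html>`), and `<P><UL>` opens a paragraph that is never closed and then nests a list inside it; harmless for HTML 3.2 browsers, but worth normalising if this archive is ever re-rendered.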