Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-December/001071.html')
-rw-r--r-- | zarb-ml/mageia-sysadm/2010-December/001071.html | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-December/001071.html b/zarb-ml/mageia-sysadm/2010-December/001071.html new file mode 100644 index 000000000..8536cfdf5 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-December/001071.html 
@@ -0,0 +1,123 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] ldap write log + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20ldap%20write%20log&In-Reply-To=%3C201012071505.12893.bgmilne%40multilinks.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="001033.html"> + <LINK REL="Next" HREF="001072.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] ldap write log</H1> + <B>Buchan Milne</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20ldap%20write%20log&In-Reply-To=%3C201012071505.12893.bgmilne%40multilinks.com%3E" + TITLE="[Mageia-sysadm] ldap write log">bgmilne at multilinks.com + </A><BR> + <I>Tue Dec 7 15:05:12 CET 2010</I> + <P><UL> + <LI>Previous message: <A HREF="001033.html">[Mageia-sysadm] ldap write log +</A></li> + <LI>Next message: <A HREF="001072.html">[Mageia-sysadm] ldap write log +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#1071">[ date ]</a> + <a href="thread.html#1071">[ thread ]</a> + <a href="subject.html#1071">[ subject ]</a> + <a href="author.html#1071">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Monday, 6 December 2010 19:26:56 Michael Scherer wrote: +><i> Hi, +</I>><i> +</I>><i> while discussing on irc, we came to the conclusion that it would be nice +</I>><i> to get some audit ( by sending mail ) when a user change group, or when +</I>><i> a user is promoted. +</I> +Where would we want this audit data to be stored? Only in the DSA ("LDAP +server")? Of course, not every single change (e.g. password change by +unprivileged user) is going to be of interest. While accesslog overlay can +limit what changes you want to see, I think this would prevent us for using it +for delta-syncreplication. 
+ +Of course, plain accesslog info is not *that* easy to audit, so we might +prefer to have a view of it in CatDap (I've been looking for something to put +under "LDAP Admin" :-)). + +><i> A way to do that would be to use the accesslogs overlay, with a cronjob +</I>><i> to get data from it, and to send them by mail and/or store them too, if +</I>><i> needed. +</I> +There are other ways, such as syncrepl consumer which evaluates changes, and +could notify immediately (via any suitable medium). I have some code for such +a tool, but it would need to be more configurable than it is now. + +><i> What do you think ? +</I> +I probably need to try and write up more about what I want to do, and what is +done etc. in CatDap, but tools for account auditing etc. should probably be +available. In general it would be useful to the OpenLDAP community if it +weren't specific to Mageia (and, eventually I would like CatDap to get to the +point where it is useful to the OpenLDAP community in general). So, maybe an +accesslog frontend would be good. + +Auditlog may be simpler in some ways, but more difficult in others. + +><i> How long should we keep the log ? +</I> +Should there be regular audits? If so, we should ensure that we survive audit +intervals. Of course, audits are only feasible if the manpower available is +sufficient for the task, which implies making this as easy as possible. + +><i> Does someone see a problem, or a better idea ? +</I>><i> +</I>><i> Obviously, we will need to be careful about what is sent and where, for +</I>><i> privacy reason. +</I> +Well, I think we may want to consider two aspects: +-An automated process that informs relevant people of actions that may warrant +further investigation (e.g. 
"User xxx was promoted to objectClass yyy", or +"Member of super-privileged account sustained 100 password failures in 5 +minutes, and is locked out") +-A tool which allows searching on events in the case further investigation is +warranted + +We may need two different tools for this, that work in conjunction? + +E.g. if very limited information is sent out, but further information is +available (to users who already have privileges to access that information), I +don't think there are additional privacy concerns. + +P.S. I will be moving countries again at the end of this week, so I probably +won't have much time for CatDap work in the near future. + + +Regards, +Buchan +</PRE> + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="001033.html">[Mageia-sysadm] ldap write log +</A></li> + <LI>Next message: <A HREF="001072.html">[Mageia-sysadm] ldap write log +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#1071">[ date ]</a> + <a href="thread.html#1071">[ thread ]</a> + <a href="subject.html#1071">[ subject ]</a> + <a href="author.html#1071">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |
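Review bot: the address obfuscation in this archive page is undone by its own reply links. The author line renders the sender as "bgmilne at multilinks.com", but both the `<LINK REL="made" ...>` in the head and the author `<A HREF="mailto:...">` anchor embed the full address, URL-encoded, inside the In-Reply-To message-id (`%3C201012071505.12893.bgmilne%40multilinks.com%3E`), so any harvester that reads hrefs gets the real address anyway. If the archive is meant to hide addresses, the generated mailto links should carry an obfuscated message-id (or omit In-Reply-To), and the same applies to the list address `mageia-sysadm%40mageia.org` in those hrefs.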