[31953] in Kerberos
Re: find inactive accounts
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Wed Jan 20 01:04:15 2010
From: Ken Raeburn <raeburn@mit.edu>
In-Reply-To: <c789fd71001192141q7d0be6a7vb96febc25157c457@mail.gmail.com>
Date: Wed, 20 Jan 2010 01:04:04 -0500
Message-Id: <D6122B11-5BA5-4100-BE1F-0B0205F2C1C8@mit.edu>
To: Steve Glasser <sgla9347@gmail.com>
Cc: kerberos@mit.edu
On Jan 20, 2010, at 00:41, Steve Glasser wrote:
> I know I can get users and login dates from krb5kdc.log, and I can
> find the last login date.
Be careful with that... if you're not doing some kind of preauth method, the AS_REQ messages in the log only indicate that someone tried to get an authenticator for that principal, not that they succeeded in decrypting it. (What does "log in" mean when dealing with cryptographic credentials and not access to a particular machine, anyways?) You can check whether there were any TGS requests following for those principals, but if your environment lets people on without a TGS exchange and lets them access some data without Kerberos (maybe some service has its own password database? maybe some data was stored on a desktop workstation?), then you might miss some sessions.
> However Kerberos logs dates as "month day",
> so to do date math for dates going back into last year is awkward at
> best. So...
>
> a) can I configure Kerberos to log "month day year"?
> b) is there a better way to do this audit?
There isn't a way to change the log format, no; not without going in and changing the code. Note too that some of the fields are somewhat free-form. Someone trying to mess with your log parsing could send in a bogus AS request for a principal name with spaces in it, for example. They could try newlines, which could really mess things up, but those should be converted to "\n" before logging; other non-printing characters could show up though.
It may be worth looking into new auditing code specifically for recording, in an unambiguous and easy-to-process form, the information needed to comply with these regulations. It's come up for discussion once or twice before, but perhaps not with the right audience, as it never seems to go anywhere....
Ken
--
Ken Raeburn / raeburn@mit.edu / no longer at MIT Kerberos Consortium
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
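A worked parser for the audit discussed above, added here as an example; it is not code from the thread or from MIT krb5. It reads krb5kdc.log lines, recovers the missing year by watching the month roll over between lines, treats only TGS_REQ ISSUE lines (or AS_REQ ISSUE lines when the KDC is known to enforce preauth) as evidence that the principal's owner actually authenticated, and tolerates a free-form client principal field. The line layout encoded in the regexes and the sample log lines are constructed assumptions about the KDC's log format, not taken from the thread.

```python
"""Audit krb5kdc.log for principals with no confirmed use.

Added example, not code from the mail thread or from MIT krb5.  The line
layout assumed below is an approximation of the krb5kdc.log format; the
sample lines are constructed for this example.
"""
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Syslog-style stamp with no year, then "host krb5kdc[pid](level): body".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ krb5kdc\[\d+\]\(\w+\): (?P<body>.*)$")

# "<AS_REQ|TGS_REQ> (etypes) <addr>: <STATUS>: [authtime N, etypes {..}, ]
#  <client> for <server>[, message]".  The client field is free-form (an
# AS_REQ can name any string, spaces included), so it is matched as
# everything up to an "@REALM" token that is followed by " for ", rather
# than as a single whitespace-delimited word.
BODY_RE = re.compile(
    r"^(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): (?P<status>\w+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>.+?@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")

# Constructed sample spanning a New Year; addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 30 23:58:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1262217481, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 30 23:58:02 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1262217481, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/ws1.example.com@EXAMPLE.COM
Jan 19 21:41:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1263940860, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 19 21:41:05 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: not a user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jan 19 21:41:09 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.9: NEEDED_PREAUTH: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 19 21:41:10 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.9: ISSUE: authtime 1263940870, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def parse_log(lines, first_year):
    """Yield (timestamp, kind, status, client, server) for each request line.

    The timestamp carries no year, so the caller supplies the year of the
    first line and it is bumped whenever the month goes backwards (a log
    that crosses a New Year).  Lines that are not requests, or whose
    free-form fields defeat the pattern, are skipped rather than guessed.
    """
    year, last_month = first_year, 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["mon"] not in MONTHS:
            continue
        month = MONTHS[m["mon"]]
        if month < last_month:
            year += 1
        last_month = month
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        b = BODY_RE.match(m["body"])
        if not b:
            continue
        yield ts, b["kind"], b["status"], b["client"], b["server"]


def last_activity(lines, first_year, preauth_enforced=False):
    """Return {client principal: {"requested": ts, "confirmed": ts}}.

    "requested": latest AS_REQ ISSUE.  Without preauth this only shows that
    someone asked for a TGT in that name; the KDC never learns whether the
    reply was decrypted.
    "confirmed": latest TGS_REQ ISSUE.  A TGS request is authenticated with
    the TGT's session key, which only a client that decrypted the AS reply
    holds.  If preauth_enforced is True (the KDC requires preauth for every
    principal), an AS_REQ ISSUE already proves knowledge of the key and is
    counted as confirmed as well.
    Failure and NEEDED_PREAUTH lines prove nothing about the owner and are
    ignored; so are any bogus names that never reached ISSUE.
    """
    out = {}
    for ts, kind, status, client, _server in parse_log(lines, first_year):
        if status != "ISSUE":
            continue
        rec = out.setdefault(client, {"requested": None, "confirmed": None})
        keys = ["confirmed"] if kind == "TGS_REQ" else ["requested"]
        if kind == "AS_REQ" and preauth_enforced:
            keys.append("confirmed")
        for key in keys:
            if rec[key] is None or ts > rec[key]:
                rec[key] = ts
    return out


def inactive_principals(activity, cutoff):
    """Principals with no confirmed use since cutoff (datetime or ISO string)."""
    if isinstance(cutoff, str):
        cutoff = datetime.fromisoformat(cutoff)
    return sorted(p for p, r in activity.items()
                  if r["confirmed"] is None or r["confirmed"] < cutoff)


if __name__ == "__main__":
    acts = last_activity(SAMPLE_LOG.splitlines(), first_year=2009)
    for p, r in sorted(acts.items()):
        print(f"{p:20} requested={r['requested']} confirmed={r['confirmed']}")
    print("inactive since 2010-01-01:", inactive_principals(acts, "2010-01-01"))
```

Run it against a real log with `last_activity(open("/var/log/krb5kdc.log"), first_year=...)`, passing the year of the file's first line. Note that with preauth_enforced left False, carol's AS_REQ ISSUE right after NEEDED_PREAUTH is still reported as merely "requested": the script does not pair the two lines, because a KDC that only requires preauth for some principals cannot be told apart from one that requires none by looking at ISSUE lines alone.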