[Freeipa-devel] Audit ability
John Dennis
jdennis at redhat.com
Mon Aug 25 12:21:46 UTC 2008
Aldo Pietropaolo wrote:
> Hello freeIPA team,
>
> I have been in the identity management space now for more than 8
> years. I am interested in your future features in regards to real time
> monitoring of security events and how they map to the identity stored
> in the directory service. This also brings up the topic of a real time
> identity monitor interface extension to freeIPA. I have done some work
> and research in this area and would like to entertain this as a
> possible proposal and contribution for a freeIPA extension.
First, let's clarify vocabulary. In IPA, when we use the term audit, it
encompasses a wide range of "log" data from a variety of sources.
However, the term audit is also used to refer to the kernel audit
subsystem and its user space components. In IPA's world, kernel audit is
just one of many audit sources.

Our primary focus for audit in the next release of IPA is centralized
collection, storage, and search of data. We plan on collecting the data
from a variety of sources: log files, streams, and via an API for IPA
aware components. However, what is not on the immediate road map is real
time monitoring and intrusion detection (IDS). Part of the reason is
because the centralized collection and search of audit data is a large
enough task in and of itself, but of equal importance is the fact that the
kernel audit team, under the direction of Steve Grubb, has added real time
kernel audit support which feeds into the Prelude IDS. This gives a
reasonably complete solution, albeit not under a single point of
control. For more information concerning kernel audit IDS please see
this: http://people.redhat.com/sgrubb/audit. The current thinking is
that real time IDS is a specialized technology with currently available
solutions, but centralized collection of a wide variety of audit log
data with search capability is not; there is, however, a strong demand from
enterprises for this functionality in order to meet regulatory requirements.

We expect the mapping of identity to be done via uids on UNIX style
systems because we expect uids to be under the control of IPA and
available in the directory server. We have not yet reached the point of
designing how this would work for non-UNIX style systems.

We of course would love to hear about your proposals and possible
contributions; do take a moment to follow up, and if I've failed to
answer any of your questions please don't hesitate to ask.
Thank you for your interest in IPA.
John
--
John Dennis <jdennis at redhat.com>
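The message above describes two pieces of the planned design: centralized collection of kernel audit records alongside other log sources, and mapping those records back to a directory identity via the uid. The following is an added example, not code from the original thread or from the freeIPA project, showing what that mapping step looks like over kernel audit records in auditd's text format. The log lines are constructed for the example, and the DIRECTORY dict is an assumption standing in for the uid lookup that IPA would answer from the directory server. The point a practitioner should take from it: the field to key on is auid (the login uid, set once at login and inherited across su/sudo), not uid, which is 0 once a user has escalated; and an auid of 4294967295 (unsigned -1) means the kernel never set it, so that record cannot be attributed to anyone.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of kernel audit records in auditd's text log format.
# These lines are illustrative and were not captured from any real system.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1219666906.123:4001): pid=2345 uid=0 auid=1001 ses=3 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=success'
type=USER_CMD msg=audit(1219666950.456:4002): pid=2400 uid=1001 auid=1001 ses=3 msg='cwd="/home/alice" cmd="sudo cat /etc/shadow" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1219666951.789:4003): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd pid=2401 auid=1001 uid=0 euid=0 gid=0 comm="cat" exe="/usr/bin/cat" key="shadow-access"
type=USER_LOGIN msg=audit(1219667100.000:4004): pid=2500 uid=0 auid=4294967295 ses=4294967295 msg='op=login id=77 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.9 terminal=ssh res=failed'
"""

# Assumed stand-in for the uid -> identity data the directory server would
# hold (e.g. posixAccount entries). A real deployment would query LDAP.
DIRECTORY = {
    1001: "alice",
    1002: "bob",
}

UNSET_UID = 4294967295  # (uint32)-1: the kernel's "never set" auid/ses value

AUDIT_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be double-quoted, single-quoted, or bare.
FIELD = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


@dataclass
class AuditEvent:
    type: str
    timestamp: float
    serial: int
    auid: Optional[int]          # login uid: who this activity is attributed to
    uid: Optional[int]           # current uid: may be 0 after su/sudo
    identity: Optional[str]      # directory identity resolved from auid
    res: Optional[str]           # success/failed where the record carries it
    fields: dict = field(default_factory=dict)


def parse_fields(body: str) -> dict:
    """Flatten the key=value pairs of a record, including the nested msg='...'."""
    fields = {}
    for key, raw in FIELD.findall(body):
        fields[key] = raw.strip("\"'")
    # The nested msg='...' carries its own pairs (op, exe, res, ...); merge
    # them without letting inner keys overwrite outer uid/auid.
    if "msg" in fields:
        for key, raw in FIELD.findall(fields["msg"]):
            fields.setdefault(key, raw.strip("\"'"))
    return fields


def to_int(value: Optional[str]) -> Optional[int]:
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def resolve_identity(auid: Optional[int], directory=DIRECTORY) -> Optional[str]:
    """Map a login uid to a directory identity; unset or unknown uids resolve to None."""
    if auid is None or auid == UNSET_UID:
        return None
    return directory.get(auid)


def parse_audit_line(line: str, directory=DIRECTORY) -> Optional[AuditEvent]:
    m = AUDIT_HEADER.match(line.strip())
    if not m:
        return None
    fields = parse_fields(m.group("body"))
    auid = to_int(fields.get("auid"))
    return AuditEvent(
        type=m.group("type"),
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        auid=auid,
        uid=to_int(fields.get("uid")),
        identity=resolve_identity(auid, directory),
        res=fields.get("res"),
        fields=fields,
    )


def parse_audit_log(text: str, directory=DIRECTORY) -> list:
    events = [parse_audit_line(ln, directory) for ln in text.splitlines()]
    return [ev for ev in events if ev is not None]


def events_by_identity(events) -> dict:
    """Group records by resolved identity; unattributable ones land under None."""
    grouped = {}
    for ev in events:
        grouped.setdefault(ev.identity, []).append(ev)
    return grouped


if __name__ == "__main__":
    for ident, evs in events_by_identity(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(ident, [(e.type, e.serial, e.uid, e.res) for e in evs])
```

Note how the third record (a SYSCALL with uid=0 reading /etc/shadow) is still attributed to alice through auid=1001, while the failed login with auid=4294967295 is grouped under None; a collector that keyed on uid alone would attribute the first to root and lose the trail, and one that silently dropped unset auids would hide failed logins.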