[Freeipa-devel] Audit ability

John Dennis jdennis at redhat.com
Mon Aug 25 12:21:46 UTC 2008


Aldo Pietropaolo wrote:
> Hello freeIPA team,
>
> I have been in the identity management space now for more than 8 
> years. I am interested in your future features in regards to real time 
> monitoring of security events and how they map to the identity stored 
> in the directory service. This also brings up the topic of a real time 
> identity monitor interface extension to freeIPA. I have done some work 
> and research in this area and would like to entertain this as a 
> possible proposal and contribution for an freeIPA extension.

First, let's clarify vocabulary. In IPA when we use the term audit it 
encompasses a wide range of "log" data from a variety of sources. 
However the term audit is also used to refer to the kernel audit 
subsystem and its user space components. In IPA's world kernel audit is 
just one of many audit sources.

Our primary focus for audit in the next release of IPA is centralized 
collection, storage, and search of data. We plan on collecting the data 
from a variety of sources, log files, streams, and via an API for IPA 
aware components. However, what is not on the immediate road map is real 
time monitoring and intrusion detection (IDS). Part of the reason is 
because the centralized collection and search of audit data is a large 
enough task in and of itself, but of equal importance is the fact the 
kernel audit team under the direction of Steve Grubb has added real time 
kernel audit support which feeds in the Prelude IDS. This gives a 
reasonably complete solution, albeit not under a single point of 
control. For more information concerning kernel audit IDS please see 
this: http://people.redhat.com/sgrubb/audit. The current thinking is 
that real time IDS is a specialized technology with currently available 
solutions, but centralized collection of a wide variety of audit log 
data with search capability is not; however, there is a strong demand from 
enterprises for this functionality in order to meet regulatory requirements.

We expect the mapping of identity to be done via uids on UNIX style 
systems because we expect uids to be under the control of IPA and 
available in the directory server. We have not yet reached the point of 
designing how this would work for non-UNIX style systems.

We of course would love to hear about your proposals and possible 
contributions; do take a moment to follow up, and if I've failed to 
answer any of your questions please don't hesitate to ask.

Thank you for your interest in IPA.

John

-- 
John Dennis <jdennis at redhat.com>
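The uid-based identity mapping John describes above, as an added example that is not part of the original message or of the IPA project: a few constructed Linux audit records are parsed, and each record's login uid (auid) is resolved against a small dictionary standing in for a directory lookup of uidNumber, so events can be grouped per identity. The log lines, the directory contents and the function names are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample of kernel audit records in Linux audit log syntax
# (not taken from the original message).
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1219666906.123:101): pid=2001 uid=0 auid=1001 ses=3 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_AUTH msg=audit(1219666910.456:102): pid=2010 uid=1001 auid=1001 ses=3 msg='op=PAM:authentication acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
type=USER_LOGIN msg=audit(1219666930.789:103): pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="?" exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
"""

# Constructed stand-in for a directory lookup: uidNumber -> account name.
# In a real deployment this would be an LDAP query against the directory server.
DIRECTORY = {1001: "alice", 1002: "bob"}

# (uid_t)-1: the value the kernel uses for an "unset" login uid,
# i.e. no login session (daemons, or a login that never completed).
UNSET_UID = 4294967295

AUDIT_RE = re.compile(
    r"type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<fields>.*)"
)
# key=value pairs; values may be single-quoted, double-quoted or bare.
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_kv(text):
    """Parse key=value pairs, dropping surrounding quotes from values."""
    return {key: val.strip("'\"") for key, val in KV_RE.findall(text)}


def parse_audit_line(line):
    """Parse one audit record into a flat dict, or return None if it is not one."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    rec = {
        "type": m.group("type"),
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    fields = parse_kv(m.group("fields"))
    inner = fields.pop("msg", None)  # the quoted msg='...' carries its own pairs
    rec.update(fields)
    if inner:
        rec.update(parse_kv(inner))
    return rec


def resolve_identity(rec, directory=DIRECTORY):
    """Map a record's login uid (auid) to a directory identity.

    auid is fixed at login and survives su/sudo, so it is the field to use
    for attributing an action to a person rather than to the effective uid.
    Returns None when there is no login session to attribute to.
    """
    auid = int(rec.get("auid", UNSET_UID))
    if auid == UNSET_UID:
        return None
    # Unknown uids are reported rather than silently dropped: an account
    # outside the directory is itself worth noticing.
    return directory.get(auid, f"uid:{auid}")


def summarize(log_text, directory=DIRECTORY):
    """Group (event type, result) per resolved identity."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        who = resolve_identity(rec, directory) or "<unattributed>"
        events[who].append((rec["type"], rec.get("res", "?")))
    return dict(events)


if __name__ == "__main__":
    for who, evs in summarize(SAMPLE_AUDIT_LOG).items():
        print(who, evs)
```

Grouping on auid rather than uid is what makes the second record (a failed `su` to root) land under alice instead of under root, and the unset-uid record is kept visible as unattributed rather than being discarded.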
