uid<-->username question

LC Bruzenak lenny at magitekltd.com
Thu Mar 5 17:14:54 UTC 2009 

On Thu, 2009-03-05 at 11:48 -0500, John Dennis wrote:
> LC Bruzenak wrote:
...
> > environment. I also have to ensure that the participating systems do not
> > reuse old UIDs or remove expired ones from their password file.
> >

> I think this approach is problematic. First of all the set of uid's from 
> a given machine is ephemeral. The contents of the passwd file needs to 
> be matched to a time interval matching the log data. Secondly, the 
> passwd file is sensitive data, you probably do not want to be shipping 
> that over the network and storing it without a lot of safeguards. 
> Thirdly, it's not just uid's that are have local context (machine local 
> and time local), gid's,  ip-addr -> hostname mapping, kernel version 
> dependent data encodings, etc. are just some of the data you won't be 
> able to interpret correctly at some point in the future on some 
> disassociated remote machine.

Good points John; thanks. Most of the things which apply to "normal"
use-cases illustrated by what you describe don't apply to me, and so for
the most people I realize what I need is silly.

My UIDs are by fiat not ephemeral. GIDs are not either. If a user's role
changes they get a new username with the associated GID.
IP<-->hostname mapping isn't via DHCP and won't be  in the foreseeable
future. Not sure about "kernel version dependent data encodings" but I
guess you mean future kernel audit event structure. That one is larger
then me anyway I think.

As I said, good points and I also agree that it is problematic. However,
given the timeline I'm working on I might have to assume some inadequacy
in order to meet schedule.

> 
> Because there are many problems with taking the audit log in it's 
> current form and storing it remotely for later analysis in IPA we are 
> not going to collect the audit log in it's default form. Instead we're 
> going to resolve (e.g. interpret using auparse terminology) all the data 
> on the local machine *before* we collect and store it. We plan on doing 
> this by writing a audispd plugin which resolves all the ambiguous local 
> data as it's generated (and hence before it's ever collected). This 
> solves both the locality of time and locality of host issues and 
> tremendously simplifies post-mortum analysis because the log data will 
> have been stripped of ambiguities and replaced with data that can simply 
> be read and used with no extra processing.
> 
> 

I think this is an excellent approach and when ready for action I'll
look to incorporate. So you are normalizing at the source. This is
essentially what I figured was a bigger effort than my suggested
kludge. 

Thanks for the info; I really appreciate it!
LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com

More information about the Linux-audit mailing list