Audit logging


Audit logging

Yegui Cai
Hi community.
Does KDC generate audit logs by any chance? If not, would there be any plan
to do so?
Thanks,
Yegui
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Audit logging

Greg Hudson
On 6/20/19 1:16 PM, Yegui Cai wrote:
> Does KDC generate audit logs by any chance? If not, would there be any plan
> to do so?

The KDC currently generates log messages like this (for a successful
AS-REQ):

Jun 06 11:26:50 small-gods krb5kdc[14165](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 18.9.55.42: ISSUE:
authtime 1559834810, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
[hidden email] for krbtgt/[hidden email]

Where they go is determined by the [logging] section in kdc.conf, as
described in
http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#logging

If this is not what you mean, can you describe in more detail what you
mean by audit logs, and how they would differ from the existing KDC logs?
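The AS_REQ line quoted above already carries what an audit consumer needs: who asked, from where, which enctypes were offered, what was issued (or why it was refused), and at what authtime. The following is an added example, not code from the thread or from MIT krb5, showing how to parse that layout into records and run two audit checks over them. The principal names, the second and third sample lines, the non-ISSUE status strings, the addresses 203.0.113.7 and 198.51.100.9, and the set of enctype ids treated as weak are all assumptions made for the example; the first sample line is the one from the thread, joined back onto a single line with constructed principals in place of the hidden ones.

```python
"""Parse MIT krb5 KDC request log lines into audit records.

Constructed example; not part of the mailing-list thread or of MIT krb5.
The line layout follows the AS_REQ sample quoted in the thread. Lines are
read from wherever the [logging] section of kdc.conf sends them, e.g.
    kdc = FILE:/var/log/krb5kdc.log
"""
import re
from collections import Counter

# The thread's sample, re-joined into one physical line.  Principals are
# constructed (the original shows "[hidden email]").  The second and third
# lines, their status strings and addresses, are constructed for this example.
SAMPLE_LOG = [
    "Jun 06 11:26:50 small-gods krb5kdc[14165](info): AS_REQ (8 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), "
    "DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), "
    "camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 18.9.55.42: ISSUE: "
    "authtime 1559834810, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, "
    "alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
] + [
    "Jun 06 11:27:0%d small-gods krb5kdc[14165](info): AS_REQ (1 etypes "
    "{DEPRECATED:arcfour-hmac(23)}) 203.0.113.7: PREAUTH_FAILED: "
    "bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed"
    % i for i in range(3)
] + [
    "Jun 06 11:28:11 small-gods krb5kdc[14165](info): AS_REQ (2 etypes "
    "{aes256-cts-hmac-sha1-96(18), DEPRECATED:arcfour-hmac(23)}) 198.51.100.9: "
    "ISSUE: authtime 1559834891, etypes {rep=arcfour-hmac(23), "
    "tkt=aes256-cts-hmac-sha1-96(18), ses=arcfour-hmac(23)}, "
    "carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
ISSUE_RE = re.compile(
    r"^authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>[^,]+), "
    r"tkt=(?P<tkt>[^,]+), ses=(?P<ses>[^}]+)\}, (?P<client>\S+) for (?P<server>\S+)$"
)
FAIL_RE = re.compile(r"^(?P<client>\S+) for (?P<server>\S+)(?:, (?P<msg>.*))?$")
ETYPE_RE = re.compile(r"^(?P<dep>DEPRECATED:)?(?P<name>[\w-]+)\((?P<id>\d+)\)$")

# Local policy choice for this example: single DES, des3 and RC4 families.
WEAK_ETYPES = {1, 2, 3, 16, 23, 24}


def parse_etype(token):
    """'DEPRECATED:arcfour-hmac(23)' -> {'name': ..., 'id': 23, 'weak': True}."""
    m = ETYPE_RE.match(token.strip())
    if not m:
        raise ValueError("unrecognised etype token: %r" % token)
    eid = int(m.group("id"))
    return {"name": m.group("name"), "id": eid,
            "weak": eid in WEAK_ETYPES or m.group("dep") is not None}


def parse_kdc_line(line):
    """Return a dict for a request line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "req", "addr", "status")}
    rec["pid"] = int(m.group("pid"))
    rec["offered"] = [parse_etype(t) for t in m.group("etypes").split(",") if t.strip()]
    rest = m.group("rest")
    if rec["status"] == "ISSUE":
        im = ISSUE_RE.match(rest)
        if not im:
            return None
        rec["authtime"] = int(im.group("authtime"))
        rec["issued"] = {k: parse_etype(im.group(k)) for k in ("rep", "tkt", "ses")}
        rec["client"], rec["server"], rec["message"] = im.group("client"), im.group("server"), None
    else:
        fm = FAIL_RE.match(rest)
        if not fm:
            return None
        rec["authtime"], rec["issued"] = None, None
        rec["client"], rec["server"], rec["message"] = fm.group("client"), fm.group("server"), fm.group("msg")
    return rec


def audit(lines, fail_threshold=3):
    """Two checks: weak enctype actually issued, and repeated failures per (client, addr)."""
    records = [r for r in (parse_kdc_line(l) for l in lines) if r]
    findings, failures = [], Counter()
    for r in records:
        if r["status"] == "ISSUE":
            weak = [k for k, e in r["issued"].items() if e["weak"]]
            if weak:
                findings.append(("weak-key-issued", r["client"], r["addr"], ",".join(weak)))
        else:
            failures[(r["client"], r["addr"])] += 1
    for (client, addr), n in failures.items():
        if n >= fail_threshold:
            findings.append(("repeated-failures", client, addr, str(n)))
    return records, findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG)[1]:
        print(*f)
```

The parser keys weakness on the numeric enctype id as well as on the `DEPRECATED:` prefix, so it does not depend on the KDC marking the issued enctypes the same way it marks the offered ones; the offered list is kept on each record so a consumer can also report clients that still advertise RC4 or des3 even when the KDC ends up issuing AES.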

Re: Audit logging

Yegui Cai
In my opinion, audit logging can be a subset of the logging the KDC has. But
sometimes, software can have audit logging separately.

On Thu, Jun 20, 2019 at 1:40 PM Greg Hudson <[hidden email]> wrote:

> On 6/20/19 1:16 PM, Yegui Cai wrote:
> > Does KDC generate audit logs by any chance? If not, would there be any
> plan
> > to do so?
>
> The KDC currently generates log messages like this (for a successful
> AS-REQ):
>
> Jun 06 11:26:50 small-gods krb5kdc[14165](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 18.9.55.42: ISSUE:
> authtime 1559834810, etypes {rep=aes256-cts-hmac-sha1-96(18),
> tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
> [hidden email] for krbtgt/[hidden email]
>
> Where they go is determined by the [logging] section in kdc.conf, as
> described in
>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#logging
>
> If this is not what you mean, can you describe in more detail what you
> mean by audit logs, and how they would differ from the existing KDC logs?
>