Evening,

We've been asked to start forwarding CAS (3.5.2) audit logs to a security monitoring system (a SIEM), specifically those from com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager.

Since these contain IMO password-equivalent data (TGTs, STs), I'm thinking it makes sense to 'sanitize' prior to forwarding. However, for tracking down the occasional odd claim of CAS being broken, there is still utility in recording the TGTs and STs in local CAS server logs.

Ideas I'm tossing around at the moment to tackle this include (1) attempting to extend/modify Inspektr AbstractStringAuditTrailManager to create two views of the audit data (one sanitized, one not) and logging separately cf. two appender-ref entries in log4j.xml, or perhaps (2) getting rsyslog (v5.8.10, RedHat 6 here) to split the log stream (whether direct from log4j SyslogAppender or via polling cas.log) and figuring out how to 'sanitize' the remote stream.

Suggestions? I wasn't sure offhand if this was better posed as a CAS question or an Inspektr question.

Thanks!
Tom.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
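As an added example (not code from the original post, CAS or Inspektr), here is the sanitizing step that both options above need in one place: a Python filter that replaces CAS ticket ids (TGT/ST/PGT/PT) with keyed, truncated pseudonyms, so the SIEM copy can still correlate a TGT with its service tickets and its destruction while the password-equivalent values stay only in the local log. The audit line format, the user name and the key are constructed assumptions, not the exact Slf4jLoggingAuditTrailManager output.

```python
import hashlib
import hmac
import re

# CAS 3.x ticket identifiers as they appear in audit output:
# <prefix>-<counter>-<random>-<suffix>, e.g. TGT-1-abc...-cas01.example.org
TICKET_RE = re.compile(r'\b(TGT|PGT|ST|PT)-\d+-[A-Za-z0-9_.\-]+')

# Secret kept on the CAS host so the SIEM cannot reconstruct tickets.
# Constructed placeholder: load a real per-host secret from protected config.
KEY = b'replace-with-a-per-host-secret'

# Constructed sample lines, illustrative of the audit fields, not the exact format.
SAMPLE_AUDIT_LINES = [
    "WHO: tsmith WHAT: TGT-1-abcDEF123-cas01.example.org ACTION: TICKET_GRANTING_TICKET_CREATED",
    "WHO: tsmith WHAT: ST-2-xyz789-cas01.example.org ACTION: SERVICE_TICKET_CREATED",
    "WHO: tsmith WHAT: TGT-1-abcDEF123-cas01.example.org ACTION: TICKET_GRANTING_TICKET_DESTROYED",
    "WHO: audit:unknown WHAT: https://app.example.org/ ACTION: SERVICE_TICKET_VALIDATE_FAILED",
]


def pseudonym(ticket: str, key: bytes) -> str:
    """Keyed, truncated pseudonym for one ticket id.

    The same ticket always maps to the same token, so the SIEM can still tie a
    TGT creation to later service tickets and its destruction, but without the
    key the token cannot be turned back into a usable ticket.
    """
    prefix = ticket.split('-', 1)[0]
    digest = hmac.new(key, ticket.encode('utf-8'), hashlib.sha256).hexdigest()[:16]
    return f'{prefix}-[redacted:{digest}]'


def sanitize_line(line: str, key: bytes) -> str:
    """Replace every ticket id in one audit line with its pseudonym; other text is untouched."""
    return TICKET_RE.sub(lambda m: pseudonym(m.group(0), key), line)


def split_views(lines, key: bytes):
    """The 'two views' idea: raw lines for the local CAS log, sanitized lines for the SIEM."""
    local_view = list(lines)
    siem_view = [sanitize_line(line, key) for line in lines]
    return local_view, siem_view


if __name__ == '__main__':
    _, siem = split_views(SAMPLE_AUDIT_LINES, KEY)
    print('\n'.join(siem))
```

The same regex and HMAC step can be applied on the rsyslog side (option 2) by a filter script on the forwarded stream, provided the key lives on the CAS host and not on the SIEM.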
