Hi, TGTs (and STs) are very valuable information as they represent user identities (and accesses to applications). This information must be well protected against attackers. That said, if someone has reached your logs system, it's certainly not the only bad thing he can do.
To answer your question, I tend to think that it's a matter of person / organization / skill. I'm a developer and far from being a sys guy, so I would go for the custom AuditTrailManager.

Best regards,
Jérôme

2013/12/13 Tom Poage <[email protected]>
> Evening,
>
> We've been asked to start forwarding CAS (3.5.2) audit logs to a
> security monitoring system (an SIEM), specifically those from
> com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager.
>
> Since these contain IMO password-equivalent data (TGTs, STs), I'm
> thinking it makes sense to 'sanitize' prior to forwarding. However, for
> tracking down the occasional odd claim of CAS being broken, there is
> still utility in recording the TGTs and STs in local CAS server logs.
>
> Ideas I'm tossing around at the moment to tackle this include (1)
> attempting to extend/modify Inspektr AbstractStringAuditTrailManager to
> create two views of the audit data (one sanitized, one not) and logging
> separately cf. two appender-ref entries in log4j.xml, or perhaps (2) get
> rsyslog (v5.8.10, RedHat 6 here) to split the log stream (whether direct
> from log4j SyslogAppender or via polling cas.log) and figure out how to
> 'sanitize' the remote stream.
>
> Suggestions? I wasn't sure offhand if this was better posed as a CAS
> question or an Inspektr question.
>
> Thanks!
> Tom.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
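The "two views" idea from Tom's option (1), as an added example that is not part of this thread and not CAS or Inspektr code: a small Python filter that keeps the raw audit record for the local log but, for the copy forwarded to the SIEM, replaces the random part of each TGT/ST with a keyed, truncated HMAC. The SIEM can still correlate events on the same ticket, but the forwarded value cannot be replayed against CAS. The ticket layout (`TGT-<seq>-<random>[-<suffix>]`), the sample record and the key are assumptions.

```python
import hashlib
import hmac
import re

# Assumed CAS 3.x ticket layout: TGT-<seq>-<random>[-<suffix>] / ST-<seq>-<random>[-<suffix>].
# Only the <random> segment is secret; the sequence number and host suffix are kept.
TICKET_RE = re.compile(r"\b(TGT|ST)-(\d+)-([A-Za-z0-9]+)((?:-[A-Za-z0-9._]+)*)")

# Constructed sample record in the spirit of Slf4jLoggingAuditTrailManager output.
SAMPLE_RECORD = (
    "WHO: jsmith | WHAT: ST-7-Zz9Yy8Xx7Ww6 -cas01.example.org for "
    "TGT-3-Ab1Cd2Ef3Gh4-cas01.example.org | ACTION: SERVICE_TICKET_CREATED"
).replace("Ww6 -", "Ww6-")


def pseudonym(ticket: str, key: bytes, keep: int = 12) -> str:
    """Keyed hash of the full ticket, truncated. Deterministic for a given key,
    so the SIEM can join events on it, but not reversible and not a valid ticket."""
    return hmac.new(key, ticket.encode(), hashlib.sha256).hexdigest()[:keep]


def sanitize_record(record: str, key: bytes) -> str:
    """Return the record with every TGT/ST random segment replaced by <hmac>."""
    def repl(m: re.Match) -> str:
        kind, seq, _secret, suffix = m.groups()
        return f"{kind}-{seq}-<{pseudonym(m.group(0), key)}>{suffix}"
    return TICKET_RE.sub(repl, record)


def contains_raw_ticket(record: str) -> bool:
    """Check to run just before forwarding: True if any raw ticket survived."""
    return TICKET_RE.search(record) is not None


def split_views(record: str, key: bytes) -> tuple:
    """Produce the two views: (local, unsanitized) and (remote, sanitized)."""
    remote = sanitize_record(record, key)
    if contains_raw_ticket(remote):
        raise ValueError("sanitizer left a raw ticket in the forwarded copy")
    return record, remote


if __name__ == "__main__":
    local, remote = split_views(SAMPLE_RECORD, b"constructed-siem-forwarding-key")
    print("local :", local)
    print("remote:", remote)
```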
