Re: [Freeipa-users] Logging of Who does What on IPA Server

2013-02-15 Thread Dmitri Pal
On 02/14/2013 08:51 AM, Simo Sorce wrote:
> On Thu, 2013-02-14 at 12:50 +0530, Rajnesh Kumar Siwal wrote:
>> IPA is going to be a very critical server for any environment.
>> Do we have proper logging of who has locked whom, who has created a
>> sudo policy, who has allowed access to whom etc.?
> You can see this information by querying LDAP directly.
>
> The 'creatorsName' attribute holds the identity of the user that created
> the object.
>
> The 'createTimestamp' attribute holds the time at which the object was
> created.
>
> The 'modifiersName' attribute holds the identity of the user that last
> modified the object.
>
> The 'modifyTimestamp' attribute holds the time at which the object was
> modified.
>
> All these attributes are operational, so you normally do not see them
> unless you explicitly ask for them during an ldap search. Some LDAP
> browsers allow you to add a list of attributes to ask for explicitly.
>
>
>
> To see these attributes for a user named foo for example you can run
> this query: "ldapsearch -Y GSSAPI uid=foo creatorsName createTimestamp
> modifiersName modifyTimestamp"
>
> add a '*' at the end if you also want to fetch regular attributes.
> This command assumes you have kerberos credentials (-Y GSSAPI tells
> ldapsearch to use them to auth to the server).
>
> Simo.
>
I also recommend looking at Logstash as a solution for collecting and
correlating logs.
http://logstash.net/docs/1.1.9/

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Logging of Who does What on IPA Server

2013-02-14 Thread Peter Brown
On 14 February 2013 19:37, Petr Spacek  wrote:

> On 14.2.2013 09:49, Martin Kosek wrote:
>
>> On 02/14/2013 08:20 AM, Rajnesh Kumar Siwal wrote:
>>
>>> IPA is going to be a very critical server for any environment.
>>> Do we have proper logging of who has locked whom, who has created a
>>> sudo policy, who has allowed access to whom etc.?
>>>
>>>
>> Hello Rajnesh,
>>
>> the audit component of IPA collecting and processing audit information is
>> not there yet. There is some information about our future direction in our
>> wiki:
>> http://freeipa.org/page/Roadmap
>>
>> As for logging who did what, you can check existing logs on your IPA
>> server(s) which may have information you need for audit:
>>
>> LDAP access log (LDAP calls): /var/log/dirsrv/slapd-$INST/access
>>
> Also note 389 audit capabilities!


If it can log to auditd I would just use that...
Is that possible?


>
>> http error log (IPA framework calls): /var/log/httpd/error_log
>
> --
> Petr^2 Spacek
>
>

Re: [Freeipa-users] Logging of Who does What on IPA Server

2013-02-14 Thread Simo Sorce
On Thu, 2013-02-14 at 12:50 +0530, Rajnesh Kumar Siwal wrote:
> IPA is going to be a very critical server for any environment.
> Do we have proper logging of who has locked whom, who has created a
> sudo policy, who has allowed access to whom etc.?

You can see this information by querying LDAP directly.

The 'creatorsName' attribute holds the identity of the user that created
the object.

The 'createTimestamp' attribute holds the time at which the object was
created.

The 'modifiersName' attribute holds the identity of the user that last
modified the object.

The 'modifyTimestamp' attribute holds the time at which the object was
modified.

All these attributes are operational, so you normally do not see them
unless you explicitly ask for them during an ldap search. Some LDAP
browsers allow you to add a list of attributes to ask for explicitly.

To see these attributes for a user named foo for example you can run
this query: "ldapsearch -Y GSSAPI uid=foo creatorsName createTimestamp
modifiersName modifyTimestamp"

Add a '*' at the end if you also want to fetch regular attributes.
This command assumes you have Kerberos credentials (-Y GSSAPI tells
ldapsearch to use them to auth to the server).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

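The ldapsearch query Simo describes prints its results as LDIF. As an added example (not code from this thread, from FreeIPA or from 389-ds), the Python below parses such output and lists the entries whose most recent change was made by an identity other than the creator. The LDIF text, DNs and timestamps in it are constructed stand-ins for real ldapsearch output; the attribute names are the ones Simo names. One caveat worth keeping in mind when reviewing this data: creatorsName and modifiersName hold only the creator and the single most recent modifier, so an earlier change by someone else is overwritten by the next one, and a full history still has to come from the directory server's access or audit log.

```python
"""Review creatorsName/modifiersName output from ldapsearch (added example, not from the thread)."""
import base64
from datetime import datetime, timezone

# Constructed sample of what "ldapsearch -Y GSSAPI '(objectClass=posixAccount)' creatorsName
# createTimestamp modifiersName modifyTimestamp" might print. DNs and times are made up;
# the folded modifiersName line shows LDIF continuation-line handling.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectClass=posixAccount)
# requesting: creatorsName createTimestamp modifiersName modifyTimestamp

# foo, users, accounts, example.com
dn: uid=foo,cn=users,cn=accounts,dc=example,dc=com
creatorsName: uid=admin,cn=users,cn=accounts,dc=example,dc=com
createTimestamp: 20130201101530Z
modifiersName: uid=helpdesk1,cn=users,cn=accounts,dc=exam
 ple,dc=com
modifyTimestamp: 20130214071205Z

# bar, users, accounts, example.com
dn: uid=bar,cn=users,cn=accounts,dc=example,dc=com
creatorsName: cn=Directory Manager
createTimestamp: 20130110090000Z
modifiersName: cn=Directory Manager
modifyTimestamp: 20130110090000Z

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry that has a dn.

    Handles folded continuation lines (leading space) and base64 values ("attr:: ...").
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # continuation of the previous line
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue                        # ldapsearch comment line
        if not line.strip():
            if current:                     # blank line terminates an entry
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    # the trailing "search:"/"result:" block has no dn; drop it
    return [e for e in entries if "dn" in e]


def parse_generalized_time(value):
    """LDAP GeneralizedTime as 389-ds emits it (e.g. 20130214071205Z) to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def modified_by_someone_else(entries):
    """Return (dn, creator, last modifier, modify time) for entries whose last change
    was made by an identity other than the one that created them."""
    findings = []
    for entry in entries:
        creator = entry.get("creatorsName", [""])[0]
        modifier = entry.get("modifiersName", [""])[0]
        if modifier and modifier != creator:
            when = parse_generalized_time(entry["modifyTimestamp"][0])
            findings.append((entry["dn"][0], creator, modifier, when))
    return findings


if __name__ == "__main__":
    for dn, creator, modifier, when in modified_by_someone_else(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: created by {creator}, last modified by {modifier} at {when.isoformat()}")
```

To run it against a live server, pipe the output of the ldapsearch command above into the script instead of SAMPLE_LDIF; the parser does not depend on the sample's values.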


Re: [Freeipa-users] Logging of Who does What on IPA Server

2013-02-14 Thread Petr Spacek

On 14.2.2013 09:49, Martin Kosek wrote:
> On 02/14/2013 08:20 AM, Rajnesh Kumar Siwal wrote:
>> IPA is going to be a very critical server for any environment.
>> Do we have proper logging of who has locked whom, who has created a
>> sudo policy, who has allowed access to whom etc.?
>
> Hello Rajnesh,
>
> the audit component of IPA collecting and processing audit information is not
> there yet. There is some information about our future direction in our wiki:
> http://freeipa.org/page/Roadmap
>
> As for logging who did what, you can check existing logs on your IPA server(s)
> which may have information you need for audit:
>
> LDAP access log (LDAP calls): /var/log/dirsrv/slapd-$INST/access

Also note 389 audit capabilities!

> http error log (IPA framework calls): /var/log/httpd/error_log

--
Petr^2 Spacek



Re: [Freeipa-users] Logging of Who does What on IPA Server

2013-02-14 Thread Martin Kosek
On 02/14/2013 08:20 AM, Rajnesh Kumar Siwal wrote:
> IPA is going to be a very critical server for any environment.
> Do we have proper logging of who has locked whom, who has created a
> sudo policy, who has allowed access to whom etc.?
> 

Hello Rajnesh,

the audit component of IPA collecting and processing audit information is not
there yet. There is some information about our future direction in our wiki:
http://freeipa.org/page/Roadmap

As for logging who did what, you can check existing logs on your IPA server(s)
which may have information you need for audit:

LDAP access log (LDAP calls): /var/log/dirsrv/slapd-$INST/access
http error log (IPA framework calls): /var/log/httpd/error_log

Martin

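The LDAP access log Martin points to records every operation against a connection number, and the BIND that authenticated that connection appears on an earlier line with the same conn= value, so "who did what" comes from joining the two. As an added example (not code from this thread, from FreeIPA or from 389-ds), the Python below parses constructed access-log lines modelled on the 389-ds format and attributes each ADD, MOD, DEL and MODRDN to the identity the connection was bound as, keeping failed attempts (non-zero err=) as well, since a denied change to a sudo rule is itself worth seeing. The connection numbers, DNs, addresses and times in the sample are made up. Note that the access log names the entry that was touched but not the attribute values that changed; for that level of detail the 389-ds audit log Petr mentions is the place to look.

```python
"""Attribute LDAP write operations in a 389-ds access log to the bound identity (added example)."""
import re

# Constructed sample lines in the 389-ds access-log format (values are made up):
# conn=12 authenticates with GSSAPI as admin and changes a user and a sudo rule;
# conn=13 does a simple bind as alice and is refused (err=50) when deleting the rule.
SAMPLE_LOG = """\
[14/Feb/2013:09:49:12 +0100] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.5
[14/Feb/2013:09:49:12 +0100] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[14/Feb/2013:09:49:12 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[14/Feb/2013:09:49:13 +0100] conn=12 op=1 MOD dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com"
[14/Feb/2013:09:49:13 +0100] conn=12 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[14/Feb/2013:09:49:14 +0100] conn=12 op=2 ADD dn="cn=allow-all,cn=sudorules,cn=sudo,dc=example,dc=com"
[14/Feb/2013:09:49:14 +0100] conn=12 op=2 RESULT err=0 tag=105 nentries=0 etime=0
[14/Feb/2013:09:49:15 +0100] conn=12 op=3 UNBIND
[14/Feb/2013:09:49:15 +0100] conn=12 op=3 fd=64 closed - U1
[14/Feb/2013:09:50:01 +0100] conn=13 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.5
[14/Feb/2013:09:50:01 +0100] conn=13 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[14/Feb/2013:09:50:01 +0100] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[14/Feb/2013:09:50:02 +0100] conn=13 op=1 DEL dn="cn=allow-all,cn=sudorules,cn=sudo,dc=example,dc=com"
[14/Feb/2013:09:50:02 +0100] conn=13 op=1 RESULT err=50 tag=107 nentries=0 etime=0
"""

# "[timestamp] conn=N op=M <rest>"; op= is absent on "connection from" lines.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
WRITE_OPS = {"ADD", "MOD", "DEL", "MODRDN"}


def correlate_writes(lines):
    """Return (timestamp, actor DN, operation, target DN, err) for every write operation."""
    bound_as = {}       # conn -> DN the connection is currently authenticated as
    pending_bind = {}   # (conn, op) -> DN named in the BIND request ("" for SASL binds)
    pending_write = {}  # (conn, op) -> (timestamp, operation, target DN) awaiting its RESULT
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, conn, op, rest = m.group("ts", "conn", "op", "rest")
        key = (conn, op)
        verb = rest.split(" ", 1)[0]
        if verb == "BIND":
            dn = DN_RE.search(rest)
            pending_bind[key] = dn.group("dn") if dn else ""
        elif verb == "RESULT":
            em = ERR_RE.search(rest)
            err = int(em.group("err")) if em else -1
            if key in pending_bind:
                requested = pending_bind.pop(key)
                mapped = DN_RE.search(rest)     # SASL binds report the mapped identity here
                if err == 0:                    # err=14 is a SASL step still in progress
                    bound_as[conn] = (mapped.group("dn") if mapped else requested) or "anonymous"
            elif key in pending_write:
                ts0, operation, target = pending_write.pop(key)
                events.append((ts0, bound_as.get(conn, "anonymous"), operation, target, err))
        elif verb in WRITE_OPS:
            dn = DN_RE.search(rest)
            pending_write[key] = (ts, verb, dn.group("dn") if dn else "")
        elif verb == "UNBIND" or " closed " in rest:
            bound_as.pop(conn, None)            # identity no longer applies to this conn number
    return events


def writes_to(lines, target_dn):
    """Every write attempt, successful or not, against one entry."""
    return [e for e in correlate_writes(lines) if e[3] == target_dn]


if __name__ == "__main__":
    for ts, actor, operation, target, err in correlate_writes(SAMPLE_LOG.splitlines()):
        status = "ok" if err == 0 else f"failed err={err}"
        print(f"{ts} {actor} {operation} {target} ({status})")
```

In practice, feed it the /var/log/dirsrv/slapd-$INST/access file (or a rotated copy) line by line; the correlation only needs the BIND RESULT of a connection to appear before that connection's writes, which is how the server writes the log.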


[Freeipa-users] Logging of Who does What on IPA Server

2013-02-13 Thread Rajnesh Kumar Siwal
IPA is going to be a very critical server for any environment.
Do we have proper logging of who has locked whom, who has created a
sudo policy, who has allowed access to whom etc.?
-- 
Regards,
Rajnesh Kumar Siwal
