[Freeipa-devel] Feedback requested on Audit piece of IPA

David O'Brien daobrien at redhat.com
Thu Jul 17 01:19:39 UTC 2008


Karl Wirth wrote:
> Hi,
>
> Currently we have identified that an audit system in general can be targeted to:
> * Collect data from different sources
> * Consolidate data into a combined storage
> * Provide effective tools to analyze collected data
> * Archive collected data, including signing and compression
> * Restore data from archives for audit purposes or analyses
>
> We need your feedback on a couple of questions:
> 1) Should we store structured log data for analysis, original log data,
> or both?
> - To do analysis of the log data, it would be better to structure it and
> store it.
> - But structured data is not the same as the original log file that it
> was taken from. Do we need the original log file format for reasons of
> compliance, or can we throw it away?
> - Storing both parsed and unparsed data will have a significant storage
> impact.
>   
I'm just a beginner, but my first reaction here is: how is this going to 
affect a forensics situation? Shouldn't we always have access to 
untouched/raw data? We can parse it and create whatever structure is 
required on demand, but if we do it immediately and trash the original 
data, there's no going back.
> 2) Should we parse the data into a structured format locally or back on
> the IPA server?
> - Parsing locally and passing both parsed and original log data will
> increase network traffic but reduce load on the server.
>
> 3) What is the scope of what should be included in the audit data in
> addition to what we will get from syslog, rsyslog, auditd, etc.? Those
> will give us data like user access to a system, keystrokes, etc. What
> beyond that is needed? For example, is the following needed: files a user
> accessed on a system?
>
> Regards,
> Karl
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>   


-- 

David O'Brien
IPA Content Author
Red Hat Asia Pacific

"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.
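As an added example (not code from the thread or from FreeIPA), the following Python sketches the raw-first approach David argues for: the log is kept byte-for-byte, compressed and authenticated before it is archived, and the structured records are derived from the raw copy on demand rather than stored in its place. The auditd- and syslog-style lines are constructed samples, SIGNING_KEY is a placeholder, and an HMAC stands in for whatever signing mechanism a real archive would use.

```python
"""Raw-first audit storage: archive the untouched log, derive structure on demand.

Added example for the discussion above, not FreeIPA code. The auditd- and
syslog-style lines are constructed samples, SIGNING_KEY is a placeholder for
whatever key a real archive signer would hold, and an HMAC stands in for the
signing step mentioned in the thread.
"""
import gzip
import hmac
import re

# Constructed sample records: one USER_LOGIN success, one failure, one syslog line.
RAW_LOG = (
    b"type=USER_LOGIN msg=audit(1216260000.123:456): pid=2345 uid=0 auid=500 ses=3 "
    b"msg='op=login acct=\"alice\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 "
    b"addr=10.0.0.5 terminal=ssh res=success'\n"
    b"type=USER_LOGIN msg=audit(1216260007.901:457): pid=2350 uid=0 auid=4294967295 "
    b"ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" "
    b"hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'\n"
    b"Jul 17 01:19:39 ipa1 sshd[2350]: Failed password for root from 10.0.0.9 port 51234 ssh2\n"
)

SIGNING_KEY = b"example-archive-key"  # placeholder, not a real key

AUDITD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$")
KV_RE = re.compile(r"""(\w+)=("([^"]*)"|'([^']*)'|\S+)""")


def parse_kv(text):
    """Split key=value pairs; values may be bare, "double" or 'single' quoted."""
    out = {}
    for m in KV_RE.finditer(text):
        val = next(g for g in (m.group(3), m.group(4), m.group(2)) if g is not None)
        out[m.group(1)] = val
    return out


def parse_record(line):
    """Structured view of one raw line; the raw line itself is never modified."""
    m = AUDITD_RE.match(line)
    if m:
        fields = parse_kv(m.group("body"))
        inner = fields.pop("msg", None)  # auditd nests key=value pairs inside msg='...'
        if inner is not None:
            fields.update(parse_kv(inner))
        fields.update(source="auditd", type=m.group("type"),
                      ts=float(m.group("ts")), serial=int(m.group("serial")))
        return fields
    m = SYSLOG_RE.match(line)
    if m:
        return {"source": "syslog", "ts": m.group("ts"), "host": m.group("host"),
                "prog": m.group("prog"),
                "pid": int(m.group("pid")) if m.group("pid") else None,
                "body": m.group("body")}
    return {"source": "unknown", "raw": line}  # unparsed, but still preserved


def structured_view(raw):
    """Derive structured records from the raw bytes on demand; nothing derived is stored."""
    return [parse_record(line) for line in raw.decode("utf-8", "replace").splitlines()]


def archive(raw, key):
    """Compress the raw log and authenticate the compressed blob (mtime=0 keeps it reproducible)."""
    blob = gzip.compress(raw, compresslevel=9, mtime=0)
    tag = hmac.new(key, blob, "sha256").hexdigest()
    return blob, tag


def verify(blob, tag, key):
    """Constant-time check of the archive tag before anything is trusted or parsed."""
    expected = hmac.new(key, blob, "sha256").hexdigest()
    return hmac.compare_digest(expected, tag)


def restore(blob, tag, key):
    """Refuse to restore (and re-parse) an archive whose tag does not verify."""
    if not verify(blob, tag, key):
        raise ValueError("archive integrity check failed")
    return gzip.decompress(blob)


if __name__ == "__main__":
    blob, tag = archive(RAW_LOG, SIGNING_KEY)
    for rec in structured_view(restore(blob, tag, SIGNING_KEY)):
        print(rec)
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    print("tampered archive verifies:", verify(tampered, tag, SIGNING_KEY))
```

Only the raw bytes and their tag are what an archive would hold; the parsed records are disposable and can be regenerated with a better parser later, which is the point of keeping the original. Parsing at the collector and shipping both forms, as option 2 in the thread describes, costs bandwidth but changes nothing about what is archived.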