[Freeipa-devel] policy enforcement mechanics
Dmitri Pal
dpal at redhat.com
Mon Jul 21 14:19:10 UTC 2008
Ahmed Kamal wrote:
> Hi everyone,
>
> Is there any document or wiki page that describes exactly how policy
> enforcement is going to be handled in freeIPA.
Not yet. We are working on it. We will announce it as soon as we have it
ready for everybody to look at and comment.
> I'm basically interested in stuff like controlling unusual application
> behavior, like what if I allow vim to a user, and the user does
> ":bash" to get a shell ?
The activity of the user will be captured via audit system. We are
looking into monitoring file access.
> Also, about auditing .. Would it be possible to audit the whole
> session of a user (all files he touched/changed, all commands he used) ?
>
We will be collecting information from different sources.
Including :
* Our client that will provide authentication and host based access
control (all supported platforms)
* Syslog (All platforms)
* Rsyslog (TBD)
* Auditd (Linux only). Auditd has capability to do keystroke logging so
we will be able to capture this too.
* Other sources with some customarily defined parsing mechanisms. This
is under design and we do not have a clear picture of this part yet.
Thank you
Dmitri
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
--
Dmitri Pal
Engineering Manager
Red Hat Inc.
More information about the Freeipa-devel
mailing list