Hi,
I got a question regarding integration of auditd on freeipa clients.
What I want to achieve is full audit logging, like auditd provides, on the freeipa clients.
we tried to hook auditd up with the currently deployed ipa via kerberos, but had no luck so far.
we tried to reuse the already present kerberos authentication to transmit the auditdata in a secure way, but auditd needs the principal name to be "host/$hostname@REALM" whereas freeipa requires "$foo/$fqdn@REALM", so it seems we can't use kerberos tickets from ipa?
(see also this ML Thread: https://www.redhat.com/archives/freeipa-users/2014-August/msg00079.html)
it's very sad to see this divergent development, given that both projects are heavily developed by redhat, maybe this can get fixed? If I can help with this (even if you just need bug reports opened), please tell me so.
In the mean time I would like to ask about the status of this project page:
https://www.freeipa.org/page/Session_Recording
Is this already implemnted? So far I couldn't find any practical examples on how to configure freeipa with auditd on freeipa clients :(
If you know of any other working solution, please share!
Thanks in advance
Hi Sven,
On 06/02/2017 12:52 PM, Sven Kieske via FreeIPA-users wrote:
In the mean time I would like to ask about the status of this project page:
https://www.freeipa.org/page/Session_Recording
Is this already implemnted? So far I couldn't find any practical examples on how to configure freeipa with auditd on freeipa clients :(
If you know of any other working solution, please share!
I'm working on the Session Recording project and so far we have no solution integrated with FreeIPA, although we have plans for it.
We have terminal I/O logging working in tlog, we're finishing its integration with SSSD, and we built aushape tool to stream audit events in JSON for storage in ElasticSearch. We're starting work on the WebUI playback (we have playback on terminal only so far). We're getting end-to-end recording-playback solution working first and then we'll start on integration.
Check out my talk at FOSDEM'17, along with the slides:
https://fosdem.org/2017/schedule/event/session_recording/
If you'd like to set something up yourself, read
https://github.com/Scribery/tlog/blob/master/README.md
and
https://github.com/Scribery/aushape/blob/master/README.md
I'll be glad to answer any other questions you might have about Session Recording.
I'm also going to set up a blog with updates on the project to which you'll be able to subscribe. I can notify you when it's done, if you'd like.
Nick
freeipa-users@lists.fedorahosted.org
-
Nikolai Kondrashov -
Sven Kieske