
6.6 Auditing

Although it is certainly important to ensure that your machines are secure from outside attack, you also need to periodically audit the activity of your KDC to look for any malicious activity. Depending on your KDC vendor, the amount of logging that occurs by default can vary from none (Windows 2000's default configuration) to a lot (Heimdal, MIT). In this section, we will examine the information that KDCs log, how to enable logging on your KDC, and how to read and understand the resulting log files. The logging facilities built in to these KDC implementations not only serve auditing purposes; they also play a big role in debugging issues that may arise during the operation of your Kerberos system. First, let's take a look back at the Kerberos protocol exchange. At each point where the KDC is contacted, the KDC usually provides an option to log that information to a file.

6.6.1 Enabling Logging

Each KDC has different auditing options, and different procedures for enabling auditing.

6.6.1.1 MIT

To enable logging in the MIT KDC, the krb5.conf file can contain a [logging] stanza with several variables that control where the logging output goes. Here are the variables:

kdc
    The kdc variable controls where the log for the KDC's Authentication Service and Ticket Granting Service is sent. The logs produced in the file specified in the kdc variable contain all of the transactions between users, servers, and the KDC.

admin_server
    The admin_server variable controls where the logs for the kadmin server are sent. The logs produced in the file specified in the admin_server variable contain all of the transactions between Kerberos administrators and the KDC that are performed through the kadmin interface.

Each variable can take several different arguments, depending on the type of file, device, or syslog facility you wish the logs to be sent to. If you want logs sent to several destinations, you can list them, one at a time, on separate lines.

FILE=filename
FILE:filename
    These options send the specified logs to a file called filename. In the first form, with an "=", the file is overwritten each time the KDC starts. The second form, specified with a ":", indicates that the file will be appended to each time the KDC starts.

STDERR
    This option specifies that the logs should be sent to the standard error output of the KDC.

CONSOLE
    This option specifies that the logs be sent to the console of the KDC machine.
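The distinction between FILE= and FILE: matters for auditing: an overwritten log loses the history from before the last KDC restart, and STDERR or CONSOLE output is not retained on disk at all. The following script is an added example, not code from the book or from MIT Kerberos: it parses the [logging] stanza out of a krb5.conf, lists the destinations configured for kdc and admin_server, and reports the audit gaps just described. The sample configuration and its file paths are constructed for the example; the SYSLOG[:severity[:facility]] form it also recognises is MIT's documented syntax rather than something on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample krb5.conf (paths and realm are made up for this example).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[logging]
    # "=" truncates the file at each KDC start; ":" appends to it
    kdc = FILE=/var/log/krb5kdc.log
    kdc = SYSLOG:INFO:DAEMON
    admin_server = FILE:/var/log/kadmind.log

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


@dataclass
class LogDestination:
    kind: str      # FILE, STDERR, CONSOLE, SYSLOG, or UNKNOWN
    target: str    # file path, syslog "severity:facility", or ""
    append: bool   # FILE only: True for FILE:, False for FILE=


def parse_destination(value: str) -> LogDestination:
    """Classify one destination argument from the [logging] stanza."""
    upper = value.upper()
    if upper.startswith(("FILE=", "FILE:")):
        return LogDestination("FILE", value[5:], append=(value[4] == ":"))
    if upper in ("STDERR", "CONSOLE"):
        return LogDestination(upper, "", False)
    if upper.startswith("SYSLOG"):
        # MIT syntax: SYSLOG[:severity[:facility]]; keep whatever follows the colon
        return LogDestination("SYSLOG", value[7:], False)
    return LogDestination("UNKNOWN", value, False)


def parse_logging_stanza(conf_text: str) -> Dict[str, List[LogDestination]]:
    """Return {variable: [destinations]} for the [logging] stanza only.

    A variable may be repeated on separate lines to send the same log to
    several destinations, so values accumulate in order of appearance."""
    result: Dict[str, List[LogDestination]] = {}
    in_logging = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            in_logging = section.group(1) == "logging"
            continue
        if not in_logging or "=" not in line:
            continue
        var, _, value = line.partition("=")
        result.setdefault(var.strip(), []).append(parse_destination(value.strip()))
    return result


def audit_findings(logging: Dict[str, List[LogDestination]]) -> List[str]:
    """Flag configurations that leave the KDC or kadmin audit trail incomplete."""
    findings: List[str] = []
    for var in ("kdc", "admin_server"):
        dests = logging.get(var, [])
        if not dests:
            findings.append(f"{var}: no log destination configured")
            continue
        for d in dests:
            if d.kind == "FILE" and not d.append:
                findings.append(f"{var}: {d.target} is truncated at every KDC start "
                                f"(FILE=); use FILE: to keep history across restarts")
            elif d.kind in ("STDERR", "CONSOLE"):
                findings.append(f"{var}: {d.kind} output is not retained on disk")
            elif d.kind == "UNKNOWN":
                findings.append(f"{var}: unrecognised destination {d.target!r}")
    return findings


if __name__ == "__main__":
    config = parse_logging_stanza(SAMPLE_KRB5_CONF)
    for var, dests in config.items():
        for d in dests:
            print(f"{var:13} {d.kind:8} {d.target}" + ("  (append)" if d.append else ""))
    for finding in audit_findings(config):
        print("FINDING:", finding)
```

Run against the sample, the script reports that the kdc log is written with FILE= and is therefore truncated at each restart, while the admin_server log appends and passes. Feeding it a krb5.conf with no [logging] stanza at all yields a "no log destination configured" finding for both variables, which is the case to look for on a KDC that was set up without auditing in mind.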

Chapter 7. Applications

Establishing a Kerberos realm and creating KDCs for your realm is only the beginning of creating a Kerberos-based authentication infrastructure. To enjoy the benefits of Kerberos, you, as the network administrator, also have to install Kerberos-enabled services and client software. This chapter illustrates how to enable Kerberos support in several popular server packages and the corresponding client programs.