On 6/20/19 1:16 PM, Yegui Cai wrote:
> Does KDC generate audit logs by any chance? If not, would there be any plan
> to do so?

The KDC currently generates log messages like this (for a successful AS-REQ):

    Jun 06 11:26:50 small-gods krb5kdc[14165](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 18.9.55.42: ISSUE: authtime 1559834810, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, u...@krbtest.com for krbtgt/krbtest....@krbtest.com

Where they go is determined by the [logging] section in kdc.conf, as described in http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#logging

If this is not what you mean, can you describe in more detail what you mean by audit logs, and how they would differ from the existing KDC logs?
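
The ISSUE line quoted in the message above can be turned into a structured record for audit tooling, including a flag for DEPRECATED etypes. The following Python parser is an added example, not part of the original message or of MIT krb5; the function names are hypothetical, the sample's host, address and principals are constructed placeholders, and it handles only the successful-request layout shown in the message.

```python
import re
from datetime import datetime, timezone

# Layout of the successful-request (ISSUE) line quoted in the message above.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<request>[A-Z]+_REQ) \((?P<count>\d+) etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{(?P<issued>[^}]*)\}, (?P<client>\S+) for (?P<server>\S+)$"
)
# One etype entry: optional "rep="/"tkt="/"ses=" role, optional DEPRECATED: tag.
ETYPE_RE = re.compile(r"(?:(\w+)=)?(DEPRECATED:)?([\w-]+)\((\d+)\)")


def parse_etypes(text):
    """Return (role, name, number, deprecated) tuples; role is None when absent."""
    return [(role or None, name, int(num), bool(dep))
            for role, dep, name, num in ETYPE_RE.findall(text)]


def parse_issue_line(line):
    """Turn one ISSUE line into a flat record, or None if the layout differs."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    offered = parse_etypes(m["offered"])
    issued = parse_etypes(m["issued"])
    if len(offered) != int(m["count"]):
        return None  # etype list disagrees with its own count: treat as malformed
    return {
        "host": m["host"], "pid": int(m["pid"]), "request": m["request"],
        "client_addr": m["addr"], "client": m["client"], "server": m["server"],
        "authtime": datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc).isoformat(),
        "offered_deprecated": [name for _, name, _, dep in offered if dep],
        "issued": {role: name for role, name, _, _ in issued},
        "issued_deprecated": any(dep for _, _, _, dep in issued),
    }


# Constructed sample in the same layout; host, address and principals are placeholders.
SAMPLE = (
    "Jun 06 11:26:50 kdc1 krb5kdc[14165](info): AS_REQ (3 etypes "
    "{aes256-cts-hmac-sha1-96(18), DEPRECATED:des3-cbc-sha1(16), "
    "DEPRECATED:arcfour-hmac(23)}) 192.0.2.10: ISSUE: authtime 1559834810, "
    "etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), "
    "ses=aes256-cts-hmac-sha1-96(18)}, alice@EXAMPLE.COM for "
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
)
```

Lines in any other layout return None, so they can be passed through unparsed rather than mis-recorded.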