Versions Compared

Old Version 4

changes.mady.by.user Benn Oshrin

Saved on

compared with

New Version 5

changes.mady.by.user Benn Oshrin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

(info) Per-credential store instructions are needed for exporting failed authentication records via syslog.
(info) Some credential store-specific plugins may need to be developed.

Syslog Accumulator

Syslog is a (near) real time protocol, potentially generating a significant amount of traffic. An existing product such as rsyslog (GPL v3) could be used as the accumulator, as it is high performance, can be made highly available, can write to a database, and is modular.

(info) Optimized modules for failed authentication counting could be developed.
(info) Reference instructions for installation and configuration could be developed.

Database

A relatively simple schema can track failed authentication events as reported to the Accumulator. A basic table would track

Column

Description

rowid

ID of this row

subject

ID of the credential

service

ID of the service generating the failure event

ip_address

Originating IP address of the failure event

timestamp

Time of the failure event

An additional table is required to track when a count should be reset (perhaps due to a password change). A simple method would be to have a separate table to track the current count. Such a table should probably be managed by the Accumulator, as relying on stored procedures can have concurrency implications.

Column

Description

rowid

ID of this row

subject

ID of the credential

current_count

Current count

A table that tracks reset events (relying on database or application logic to calculate the current count) would also be viable. This table would be managed by the Monitor.

Column

Description

rowid

ID of this row

subject

ID of the credential

reset_timestamp

Timestamp of count reset event

Monitor

The final component is the Monitor, responsible for determining when thresholds are reached and taking appropriate action, as well as managing reset events. The most portable approach may be for the Monitor to periodically poll the database for counts, and then fire off events as appropriate. (It may be possible to leverage database trigger mechanisms to push events to the Monitor, but this is unlikely to be achievable in a cross-platform way.)

The Monitor would likely provide

  • A polling mechanism to retrieve current counts
  • Support for different thresholds to trigger different actions
    • Notifications
    • Credential expiration
    • IAQ revocation (potentially without a credential being expired)
  • API services
    • Pull current state for a subject (useful, say, for integration with SSO or self-service tools)
    • Reset counter (eg: on password change)
  • User Interface
    • Administer/configure Monitor
    • Reporting on current counts and events

(info) The Monitor would likely need to be developed (presumably as an Open Source project).