
Re: LDAP Change Log



Hello Rich,

----- Original Message -----
> 
> If you have a lot of users and your server is heavily loaded, then
> maybe you should watch mailbox.log for ModifyPrefs (check your log
> for exact message) and scan just those accounts. We don't bother.
> Running raw ldapsearch (without the zmprov ga Java overhead) is fast
> enough that we can search all accounts every few minutes.

I like this one. Currently I have a Python script running an LDAP query every 5 minutes, but if I only trigger it when I see ModifyPrefsRequest that would be better. Not sure why, but ModifyPrefs alone didn't seem to capture the changes I was testing in my preferences log.

> A terse account of other things we do is at:
> http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082

I've already stolen some of your ideas and square-pegged them into splunk. Thanks for that.

Thanks,
Will

P.S. This is a resend since I forgot to CC the list.

> On May 25, 2013, at 11:11 PM, William Froning <wfroning@aus.edu>
> wrote:
> 
> Hello All,
> 
> I was wondering how you all are monitoring LDAP change events. I
> can't seem to find the right log (if it is even enabled) to watch
> for account changes that might suggest a compromised account.
> 
> We are running 7.2.1. Any assistance is welcome.
> 
> Thanks,
> Will
> 
> --
> Will Froning
> Information Security Manager
> Office of the Vice Chancellor for Finance and Administration
> 
> 
> American University of Sharjah
> 
> Tel +971 6 515 2124
> Mob +971 50 737 1599
> Fax +971 6 515 2120
> PO Box 26666, Sharjah
> United Arab Emirates
> http://www.aus.edu
> wfroning@aus.edu
> 

-- 
Will Froning
Information Security Manager
Office of the Vice Chancellor for Finance and Administration


American University of Sharjah

Tel +971 6 515 2124
Mob +971 50 737 1599
Fax +971 6 515 2120
PO Box 26666, Sharjah
United Arab Emirates
http://www.aus.edu
wfroning@aus.edu
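A worked example of the approach Rich describes above (watch mailbox.log for ModifyPrefsRequest, then re-read only those accounts with raw ldapsearch and compare the result with the last known preferences), added here for the archive and not taken from the thread or from Zimbra. The mailbox.log line layout, the choice of watched attributes, and every ldapsearch connection parameter are assumptions; the log lines and preference snapshots are constructed.

```python
"""Trigger per-account LDAP preference scans from ModifyPrefsRequest entries.

Added example for this thread, not code from its authors or from Zimbra.
Assumptions: the mailbox.log line layout below, which attributes to watch,
and the ldapsearch URI / base DN / bind DN / password file (all placeholders).
"""
import re

# Constructed mailbox.log sample (the "[name=...;...] soap - <Request>" layout
# is an assumption, not copied from a real server).
SAMPLE_LOG = """\
2013-05-25 23:10:01,101 INFO  [btpool0-7://mail.example.edu/service/soap/GetInfoRequest] [name=alice@example.edu;mid=12;ip=203.0.113.5;] soap - GetInfoRequest elapsed=3
2013-05-25 23:10:09,442 INFO  [btpool0-9://mail.example.edu/service/soap/ModifyPrefsRequest] [name=bob@example.edu;mid=41;ip=198.51.100.7;] soap - ModifyPrefsRequest elapsed=11
2013-05-25 23:12:33,008 INFO  [btpool0-3://mail.example.edu/service/soap/ModifyPrefsRequest] [name=carol@example.edu;mid=77;ip=192.0.2.9;] soap - ModifyPrefsRequest elapsed=9
2013-05-25 23:13:00,500 INFO  [btpool0-9://mail.example.edu/service/soap/ModifyPrefsRequest] [name=bob@example.edu;mid=41;ip=198.51.100.7;] soap - ModifyPrefsRequest elapsed=8
"""

# Anchor on the "soap - <Request>" field, not on the request name that also
# appears in the thread-pool URL, so one line is never counted twice.
PREFS_RE = re.compile(r"\[name=(?P<acct>[^;\]]+);[^\]]*\] soap - ModifyPrefsRequest\b")

# Preferences worth re-reading after a change; a new forwarding address is the
# classic sign of a phished account. Attribute names are Zimbra's; picking
# these two to watch is this example's assumption.
WATCHED_ATTRS = ("zimbraPrefMailForwardingAddress", "zimbraPrefOutOfOfficeReply")


def accounts_from_log(text):
    """Return the distinct accounts that issued ModifyPrefsRequest, in log order."""
    seen = []
    for line in text.splitlines():
        m = PREFS_RE.search(line)
        if m and m.group("acct") not in seen:
            seen.append(m.group("acct"))
    return seen


def ldap_filter_escape(value):
    """RFC 4515 escaping, so an account name lifted out of a log line cannot
    change the meaning of the search filter it is spliced into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldapsearch_argv(account, attrs=WATCHED_ATTRS,
                    uri="ldap://ldap.example.edu:389",            # placeholder
                    base="",                                      # placeholder
                    binddn="uid=zimbra,cn=admins,cn=zimbra",      # placeholder
                    passfile="/opt/zimbra/conf/ldap.pass"):       # placeholder
    """Build the raw ldapsearch command for one account (no zmprov JVM start).
    Hand the list to subprocess.run; the password comes from the -y file."""
    flt = "(mail=%s)" % ldap_filter_escape(account)
    return ["ldapsearch", "-LLL", "-x", "-H", uri, "-D", binddn,
            "-y", passfile, "-b", base, flt] + list(attrs)


def diff_prefs(baseline, current):
    """Compare two {account: {attr: value}} snapshots; report attributes whose
    value changed as {account: {attr: (old, new)}}. Accounts with no change
    are omitted so the caller only has to look at what moved."""
    changes = {}
    for acct, now in current.items():
        before = baseline.get(acct, {})
        delta = {a: (before.get(a), v) for a, v in now.items() if before.get(a) != v}
        for a in before:
            if a not in now:
                delta[a] = (before[a], None)
        if delta:
            changes[acct] = delta
    return changes


# Constructed snapshots standing in for the previous and current ldapsearch output.
BASELINE_SNAPSHOT = {
    "bob@example.edu": {"zimbraPrefMailForwardingAddress": None, "zimbraPrefOutOfOfficeReply": None},
    "carol@example.edu": {"zimbraPrefMailForwardingAddress": None, "zimbraPrefOutOfOfficeReply": "Back on Monday"},
}
CURRENT_SNAPSHOT = {
    "bob@example.edu": {"zimbraPrefMailForwardingAddress": "external-box@example.net", "zimbraPrefOutOfOfficeReply": None},
    "carol@example.edu": {"zimbraPrefMailForwardingAddress": None, "zimbraPrefOutOfOfficeReply": "Back on Monday"},
}

if __name__ == "__main__":
    for acct in accounts_from_log(SAMPLE_LOG):
        print("would run:", " ".join(ldapsearch_argv(acct)))
    for acct, delta in diff_prefs(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT).items():
        for attr, (old, new) in delta.items():
            print("CHANGED %s %s: %r -> %r" % (acct, attr, old, new))
```

Run as a cron job or a log tail, this only spends an ldapsearch on accounts that actually changed preferences since the last pass, and the filter escaping keeps a crafted account name in the log from turning into a broader query than intended.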