CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
Michael Grinnell <[log in to unmask]>
Reply To:
Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date:
Wed, 30 Aug 2006 23:19:35 -0400
Alex,

I don't know about "easier," but I can think of some alternative  
methods.  One would be to install NetDisco (http://netdisco.org/) or  
a similar ARP table crawling program, then query its database for the  
IP <-> MAC pair.  Alternatively, we're doing regular snapshots of the  
user_info table from cron, which gives us a historical record of who  
was logged on to a specific machine at a specific time.  We do  
snapshots every 15 minutes, but you could feasibly (see below) do  
them every minute if you wanted to.  It's then a simple matter of  
grep and awk to determine IP <-> MAC <-> User mappings.  It's a  
brutish hack that we put in place until I get a chance to set up  
RADIUS accounting to Oracle...  Yes, there are obvious race  
conditions in the script, and it's a bit simplistic, but it does the  
job.  And at ~ 1.1 MB per dump (~ 141KB gzipped) it's possible to  
store months or even years of them...  For "Certified Users" I think  
you need to dump mac_filter, user_info is the "Online Users."

Here's the crontab if you're interested.  It runs on the two HA CAMs.
*/15 * * * * /root/cca-user_info-backup.pl

[root@ccam1 ~]# cat /root/cca-user_info-backup.pl
#!/usr/bin/perl
use strict;
use warnings;

use Fcntl;
use Time::localtime;

### System defined variables
my $tm;
my $pg_dump_cmd = '/usr/bin/pg_dump -a -D -O -t user_info -x -h 127.0.0.1 -U postgres controlsmartdb'; # you can change the dump output format if you like

my @pg_dump = `$pg_dump_cmd`; # backticks are dangerous
die "pg_dump exited with status $?" if $?; # don't write an empty snapshot if the dump failed

# Get time
$tm = localtime(time);

# Resolution of 1 minute is sufficient for our purposes
my $file_time = sprintf("%04d%02d%02d-%02d%02d", $tm->year+1900, $tm->mon+1, $tm->mday, $tm->hour, $tm->min);
my $file_name = "/root/user_info/$file_time.txt"; # create a filename like 20050823-2000.txt for August 23, 2005 8:00 pm

# Print out the file
sysopen (OUTPUTFILE, $file_name, O_WRONLY|O_TRUNC|O_CREAT, 0660)
         or die "Failed to create file: $!";
print OUTPUTFILE @pg_dump;
close OUTPUTFILE;
[root@ccam1 ~]#

Here is how long it takes to run the dump:
[root@ccam1 ~]# time /root/cca-user_info-backup.pl

real    0m0.276s
user    0m0.110s
sys     0m0.019s
[root@ccam1 ~]#

HTH,

Michael Grinnell
Network Security Administrator
The American University


On Aug 30, 2006, at 8:26 PM, Alex Lanstein wrote:

<snip>

> then, from there, it's a hop, skip and a jump to get the IP or username.
>
> Of course, for this to work, the server must be on the same subnet  
> as the clients.
>
> Anyone know of an easier way to pull up this information?
>
<snip>
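The grep-and-awk lookup over the user_info snapshots that Michael describes, written out as an added Python example (not code from the list or from Clean Access): it parses pg_dump -a -D style INSERT lines from snapshot files named YYYYMMDD-HHMM.txt, answers who had a given IP at a given time, and lists every user a MAC was seen with. The column names user_name, ip_address and mac_address are assumed, and the two snapshots are constructed.

```python
import re
from datetime import datetime

# Constructed sample snapshots, named like the cron script's output (YYYYMMDD-HHMM.txt)
# and holding pg_dump -a -D style INSERT lines.  The column names are an ASSUMPTION,
# not the real Clean Access schema; use whatever columns your own dump shows.
INS = "INSERT INTO user_info (user_name, ip_address, mac_address) VALUES "
SNAPSHOTS = {
    "20060830-2000.txt": INS + "('alice', '10.1.2.3', '00:11:22:33:44:55');\n"
                       + INS + "('bob', '10.1.2.4', '00:11:22:33:44:66');\n",
    "20060830-2015.txt": INS + "('bob', '10.1.2.4', '00:11:22:33:44:66');\n"
                       + INS + "('carol', '10.1.2.3', '00:11:22:33:44:77');\n",
}

INSERT_RE = re.compile(r"^INSERT INTO user_info \((?P<cols>[^)]*)\) VALUES \((?P<vals>.*)\);$")
# One SQL literal: a quoted string (with '' escapes) or a bare token such as NULL or a number.
VALUE_RE = re.compile(r"'((?:[^']|'')*)'|([^,\s]+)")

def parse_snapshot(text):
    """Turn one dump into a list of row dicts keyed by column name."""
    rows = []
    for line in text.splitlines():
        m = INSERT_RE.match(line)
        if not m:
            continue  # SET lines, comments and other pg_dump preamble
        cols = [c.strip() for c in m.group("cols").split(",")]
        vals = [q.replace("''", "'") if q else bare for q, bare in VALUE_RE.findall(m.group("vals"))]
        rows.append(dict(zip(cols, vals)))
    return rows

def stamp_time(name):
    """'20060830-2015' or '20060830-2015.txt' -> datetime (the script's 1-minute resolution)."""
    return datetime.strptime(name[:13], "%Y%m%d-%H%M")

def who_had(snapshots, ip, at):
    """(stamp, user, mac) rows for ip from the latest snapshot at or before at (YYYYMMDD-HHMM)."""
    earlier = [n for n in snapshots if stamp_time(n) <= stamp_time(at)]
    if not earlier:
        return []  # no snapshot precedes the time asked about
    latest = max(earlier, key=stamp_time)
    return [(latest[:13], r["user_name"], r["mac_address"])
            for r in parse_snapshot(snapshots[latest]) if r["ip_address"] == ip]

def history(snapshots, mac):
    """Every (stamp, user, ip) the MAC was seen with, oldest first: who was on that machine, when."""
    out = []
    for name in sorted(snapshots, key=stamp_time):
        for r in parse_snapshot(snapshots[name]):
            if r["mac_address"].lower() == mac.lower():
                out.append((name[:13], r["user_name"], r["ip_address"]))
    return out
```

Against real snapshots, load the dict from the files in /root/user_info instead of the constructed SNAPSHOTS; a query only sees the state as of the last snapshot, so a 15-minute interval leaves up to 15 minutes of blind spot.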
