CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject: Re: Flash Checks / 'certified' request
From: "Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Thu, 31 Aug 2006 11:08:29 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (149 lines)

No, we definitely don't mind reads... :-)  Only writes or permission
changes - we are scared of those... :-)  

No, the reason I asked is to find out whether those particular features
are not useful or are lacking in some way that caused you to go to the
DB directly. 

Anyways, your explanation covers it. 

Thanks,
Rajesh.

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Michael Grinnell
Sent: Thursday, August 31, 2006 10:12 AM
To: [log in to unmask]
Subject: Re: Flash Checks / 'certified' request

Rajesh,

As I said in the original message, I plan on setting up RADIUS
accounting as soon as I can spare the time, but it's not number one on
the priority list right now (If you're really interested, I was having
trouble getting FreeRADIUS to compile with Oracle support, because
Oracle didn't want to install on my RHES right.  Other stuff came up and
I had to shelve it for right now.)  I chose to do snapshots because it's
easier to see exactly who was on at a specific time, rather than parsing
through the log files looking for start and stop times.  We have the
event log streaming to our syslog server, but it was easier this way.
It doesn't require any changes in the database to do this, so I didn't
think that Cisco would mind.

Michael Grinnell
Network Security Administrator
The American University


On Aug 31, 2006, at 12:50 PM, Rajesh Nair (rajnair) wrote:

> Michael,
>
> If what you are looking for is the info in user_info table, then any 
> reason why you would not use either syslog or RADIUS Accounting from 
> the CAM?
>
> Syslog will basically give you all events in "Event Log" (what you see
> in the GUI is what you get in Syslog) and you will have to filter out 
> only the "Authentication" events, but it will give you user MAC (if 
> available), user IP, Provider...
>
> RADIUS Accounting, on the other hand, only sends Login (Accounting
> START) and Logout (Accounting STOP) events and is customizable as to 
> what it should send in the START and STOP messages.
>
> -Rajesh.
>
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List 
> [mailto:[log in to unmask]] On Behalf Of Michael Grinnell
> Sent: Wednesday, August 30, 2006 8:20 PM
> To: [log in to unmask]
> Subject: Re: Flash Checks / 'certified' request
>
> Alex,
>
> I don't know about "easier," but I can think of some alternative 
> methods.  One would be to install NetDisco (http://netdisco.org/) or a
> similar ARP table crawling program, then query its database for the IP
> <-> MAC pair.  Alternatively, we're doing regular snapshots of the 
> user_info table from cron, which gives us a historical record of who 
> was logged on to a specific machine at a specific time.  We do 
> snapshots every 15 minutes, but you could feasibly (see below) do them
> every minute if you wanted to.  It's then a simple matter of grep and 
> awk to determine IP <-> MAC <-> User mappings.  It's a brutish hack 
> that we put in place until I get a chance to setup RADIUS accounting 
> to Oracle...
> Yes, there are obvious race conditions in the script, and it's a bit 
> simplistic, but it does the job.  And at ~ 1.1 MB per dump (~ 141KB
> gzipped) it's possible to store months or even years of them...  For 
> "Certified Users" I think you need to dump mac_filter, user_info is 
> the "Online Users."
>
> Here's the crontab if you're interested.  It runs on the two HA CAMs.
> */15 * * * * /root/cca-user_info-backup.pl
>
> [root@ccam1 ~]# cat /root/cca-user_info-backup.pl
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> use Fcntl;
> use Time::localtime;
>
> ### System defined variables
> my $tm;
> # Data only (-a), one INSERT per row with column names (-D), no owner or
> # privilege statements (-O, -x), only the user_info table; you can change
> # the dump output format if you like
> my $pg_dump_cmd = '/usr/bin/pg_dump -a -D -O -t user_info -x -h 127.0.0.1 -U postgres controlsmartdb';
>
> my @pg_dump = `$pg_dump_cmd`; # backticks are dangerous
> die "pg_dump failed (exit status $?)" if $? != 0;
>
> # Get time
> $tm = localtime(time);
>
> # Resolution of 1 minute is sufficient for our purposes
> my $file_time = sprintf("%04d%02d%02d-%02d%02d", $tm->year+1900, $tm->mon+1,
>                         $tm->mday, $tm->hour, $tm->min);
> # create a filename like 20050823-2000.txt for August 23, 2005 8:00 pm
> my $file_name = "/root/user_info/$file_time.txt";
>
> # Print out the file
> sysopen (OUTPUTFILE, $file_name, O_WRONLY|O_TRUNC|O_CREAT, 0660)
>          or die "Failed to create file: $!";
> print OUTPUTFILE @pg_dump;
> close OUTPUTFILE;
> [root@ccam1 ~]#
>
> Here is how long it takes to run the dump:
> [root@ccam1 ~]# time /root/cca-user_info-backup.pl
>
> real    0m0.276s
> user    0m0.110s
> sys     0m0.019s
> [root@ccam1 ~]#
>
> HTH,
>
> Michael Grinnell
> Network Security Administrator
> The American University
>
>
> On Aug 30, 2006, at 8:26 PM, Alex Lanstein wrote:
>
> <snip>
>
>> then, from there, its a hop skip and a jump to get the IP or 
>> username.
>>
>> Of course, for this to work, the server must be on the same subnet as
>> the clients.
>>
>> Anyone know of an easier way to pull up this information?
>>
> <snip>
