
AppNote: Novell Audit Guide - Configuration and Implementation

Novell Cool Solutions: AppNote
By Blair Thomas, Jeremy Carter


Posted: 2 Jun 2005
 

Introduction

This guide helps you learn how to configure and implement Novell Audit. You will also learn how to deploy Novell Audit in a variety of configurations. These configurations are based on optimum methods learned from the authors' consulting experience.

The basic components of Novell Audit are shown in the figure below. The Novell Audit Platform Agents are installed on each server or system and collect the events that get triggered on the local system. The events are then sent to the Novell Audit Logging Server, which routes the events to a specific channel or notification. The channel component of the Logging Server enables you to log the events to a database or monitoring system. The notification component of the Logging Server enables you to filter specific events and send them to an e-mail system or a database, or use a variety of other options.

Figure 1 - Novell Audit components

The out-of-the-box installation installs one flat-file channel, as shown in the following figure. The individual Platform Agents for each server also need to be installed.

Figure 2 - Default installation: one flat-file channel

From this base installation, you can add a MySQL channel to collect logs to a database or add a notification channel to send alerts to an SMTP/e-mail system. You can also add or create separate databases to separate the collection of eDirectory and File system events, as shown in the following figure.

Figure 3 - Adding a MySQL channel

Installation

To install Novell Audit, follow these steps:

  1. Install the Secure Logging Server (Engine).
  2. Install and configure the data store (MySQL).
  3. Configure the logging server to send data to the data store.
  4. Install the Platform Agent(s).
  5. Configure the platform agents to send data to the logging server.
  6. Define which events an application will send to the platform agent (not applicable for all applications).
  7. Configure the query tools in iManager.
  8. Create notification channels that send filtered data to additional data stores (optional).

Installing Novell Audit on SLES9

1. Download and copy Nsure_Audit_103_Linux_EVAL.tar.gz to the Linux machine.

2. Extract the .tar file:

linux:~/NOVELL # ls
.. Nsure_Audit_103_Linux_EVAL.tar.gz
linux:~/NOVELL # tar -zxvf Nsure_Audit_103_Linux_EVAL.tar.gz
Linux/EULA.txt
Linux/naudit_install.pdf
Linux/novell-AUDTauditplugin-1.0.3-26.i586.rpm
Linux/novell-AUDTedirinst-1.0.3-26.i586.rpm
Linux/novell-AUDTlogserver-1.0.3-26.i586.rpm
Linux/novell-AUDTplatformagent-1.0.3-26.i586.rpm
Linux/novell-mdb-1.0-5.i386.rpm
Linux/pinstall.lin
Linux/Readme.txt
linux:~/NOVELL #

3. Change directory to the Linux directory and run the installation script "pinstall.lin":

linux:~/NOVELL # cd Linux/
linux:~/NOVELL/Linux # ./pinstall.lin

4. Accept the license agreement to continue the installation.

5. For the installation menu, choose to install all (default).

Choose one of the following options:

[P]latform Agent
[E]directory Instrumentation and Platform Agent
[S]ecure Logging Server and Platform Agent
[A]ll
[Q]uit
Default: All

The installation will now install the Multi Directory Database (MDB), which is a login module used by logevent. Next, the script will install the Platform Agent, followed by the instrumentation. Lastly, the Secure Logging Server is installed.

Auditext will be loaded after the Secure Logging Server is installed. This will extend the schema and set up the SLS objects in eDirectory. You will be prompted with the authentication screen, and then with the available options.

6. Choose the option to "Add Schema Extensions", then "Configure This Server".

         --------------------------------------------
         |     Log in as the administrator   -      |
         |                                          |
         | Administrator name:                      |
         |                                          |
         | Password:                                |
         |                                          |
         --------------------------------------------

----------------------------------------------------------------------------- 
| Please enter admin user DN (e.g. Admin.AcmeCorp)                          |
| Press <TAB> to switch fields, <ENTER> to accept                           |
-----------------------------------------------------------------------------


             -----------------------------
             | Add Schema Extensions     |
             | Remove Schema Extensions  |
             | Configure This Server     |
             | Exit AuditExt             |
             -----------------------------

-----------------------------------------------------------------------------
| Press <TAB> or the arrow keys to switch fields, <ENTER> to accept,        |
| <SPACE> to switch between options                                         |
-----------------------------------------------------------------------------

7. After Auditext has loaded, you will be prompted with the question shown below. Press "Y" to start the eDirectory instrumentation.

Starting Novell Audit:

lengine is not loaded.

Press 'Y' to start the eDirectory instrumentation
or any other key to skip.
Starting Novell Audit:
y
Trying to stop any currently running instrumentation...
Module auditds is not loaded

Starting eDirectory instrumentation...

Finshed loading eDirectory instrumentation

Novell Audit installation completed successfully.
linux:~/NOVELL/Linux #

The platform agent is loaded when eDirectory is loaded. You can load and unload the platform agent on Linux manually using the following command:

linux:~/NOVELL # ndstrace -c "load auditds"

or

linux:~/Novell # ndstrace -c "unload auditds"

Configuration Steps

Configuring the Plug-in for iManager

1. Log into iManager as a user that has admin rights, or is the collection owner for the tree.

Figure 4 - iManager: Installing the Module Package

2. Select the location of the naudit.npm and choose install. This may take a few minutes.

3. After the installation has finished, restart Tomcat on the iManager server.

Configuring the Secure Logging Server

The Secure Logging Server can be configured using iManager. The plug-in installs a new role with several tasks. To begin configuration, use the following steps:

  1. Log into iManager as admin, or a member of the "Auditing and Logging" role.
  2. Choose the "Auditing and Logging" role, and select "Logging Server Options".
  3. Using the browse button, locate the Secure Logging Server object within the tree. By default this should have been placed at the root of the tree under the "Logging Services Container".

Figure 5 - Finding the Secure Logging Server object

You should now see the summary screen for Novell Audit, which has configuration options for channels, notifications, and log applications. Next to each configured channel, notification, and log application is a green or red button that indicates whether the item is enabled or disabled. Click the button to enable or disable that item for the Secure Logging Server.

Figure 6 - Secure Logging Server options

Sending data to a MySQL Channel

To enable logging to a MySQL channel, a database and user account will need to be created on the MySQL server. To create the Secure Logging Server channel, use the following steps:

  1. In the Novell Audit Summary screen in iManager, choose the "Channels" tab.
  2. Click the "Channels" checkbox and choose the "New Channel" link. You will be prompted with a popup box that asks you what channel you want to create.
  3. Give this channel a name and choose the MySQL channel for the channel type.
  4. Click OK to create the channel.

Note: Do not use spaces, apostrophes, or any special characters in the name.

Figure 7 - Naming the MySQL channel

5. You will see the configuration options for the newly created MySQL channel. Enter the following information for the connection parameters:

  • Host: IP address or DNS host name for the database server
  • Name: Name of the database to which the logging server writes events. The default database name is "naudit". (The MySQL driver will automatically create this database the first time the logging server loads this channel.)
  • Table: Name of the table that this channel will write information to. The MySQL driver will automatically create the table the first time the logging server loads this channel.
  • User: User name of the user created in MySQL
  • Password: Password for the MySQL user.
  • CREATE TABLE Options: Customize the default table structure using standard SQL Create Table commands.
  • SQL Expiration Commands: Use SQL Expiration commands to automate database maintenance.
  • Expire at specified time or interval: Frequency at which the expiration command script is executed.

Figure 8 - Configuring the MySQL channel

With the channel created, you will need to tell the Secure Logging Server to send events to this channel instead of to the default log file channel.

6. In the Novell Audit Summary screen in iManager, click the General tab to return to the summary screen.

7. Click on the Configuration link at the top of the summary screen.

8. For the Log Channel location, use the Browse button to select your MySQL channel from the tree. This should have been created in the Logging Services.Channels container.

Figure 9 - Setting the Log Channel location

9. Click Apply to save the changes to the Secure Logging Server.

10. Restart the Secure Logging Server. You can do so in Linux using the following command:

linux:~ # /etc/init.d/novell-naudit restart
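
The MySQL channel above needs a database and a user account on the MySQL server, which the page mentions but does not show. The following is an added example, not part of the original AppNote, of a least-privilege setup. The account names, the 192.0.2.x addresses, and the exact privilege set the driver needs are assumptions.

```sql
-- Added example. Constructed values (assumptions, not from the AppNote):
--   naudit          database name (the default named on the page)
--   naudit_writer   hypothetical account used by the MySQL channel
--   naudit_reader   hypothetical read-only account for query tools
--   192.0.2.10      placeholder address of the Secure Logging Server
--   192.0.2.20      placeholder address of the iManager server

-- Weak pattern to avoid: a global, any-host account for the channel.
--   GRANT ALL PRIVILEGES ON *.* TO 'naudit_writer'@'%';

-- Pre-create the database so the channel account needs no rights
-- outside of it.
CREATE DATABASE IF NOT EXISTS naudit;

-- The channel account may connect only from the logging server.
CREATE USER 'naudit_writer'@'192.0.2.10'
    IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';

-- CREATE: the driver creates the table the first time the channel loads.
-- INSERT: the logging server writes events.
-- No UPDATE, DROP or ALTER: the account cannot rewrite stored events.
GRANT CREATE, INSERT ON naudit.* TO 'naudit_writer'@'192.0.2.10';

-- Only if SQL Expiration Commands are configured on the channel:
-- DELETE with a WHERE clause also needs SELECT. Leave this out otherwise,
-- so the channel account cannot remove audit records.
-- GRANT SELECT, DELETE ON naudit.* TO 'naudit_writer'@'192.0.2.10';

-- Separate read-only account, assuming the iManager query tools are
-- pointed at this database.
CREATE USER 'naudit_reader'@'192.0.2.20'
    IDENTIFIED BY 'REPLACE_WITH_ANOTHER_RANDOM_PASSWORD';
GRANT SELECT ON naudit.* TO 'naudit_reader'@'192.0.2.20';

-- Confirm what each account can actually do.
SHOW GRANTS FOR 'naudit_writer'@'192.0.2.10';
SHOW GRANTS FOR 'naudit_reader'@'192.0.2.20';
```

If the channel fails to load with an access-denied error, check the MySQL error log and add only the privilege it names.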

Configuring Specific Events

Novell Audit provides hundreds of events that can be captured for each type of system or solution. The challenge for administrators is to select, from those hundreds of events, the ones that are critical to them and to the operation of their systems. The following tables show the more critical events for each type of system.

NetWare Events

Property Label | Description
NetWare Alert | NetWare has issued an alert.
Server Down | A server has been shut down.
Protocol Bound | A protocol has been bound.
Protocol Unbound | A protocol has been unbound.
Module (NLM) Loaded | A module has been loaded.
Module (NLM) Unloaded | A module has been unloaded.
Volume Mounted | A volume has been mounted.
Volume Dismounted | A volume has been dismounted.
Connection Cleared | A connection has been cleared.
Login | A login has occurred.

File System Events

Property Label | Description
File Delete | A file has been deleted.
File Open | A file has been opened.
File Create | A file has been created.
File Create/Open | A file has been created and opened.
File Rename | A file has been renamed.
File Close | A file has been closed.
File Salvaged | A deleted file has been salvaged.
File Purged | A deleted file has been purged.
Directory Create | A directory has been created.
Directory Remove | A directory has been removed.
Directory Modified | A directory entry has been modified.
Namespace Entry Changed | A namespace name has been changed.
Namespace Modified | The namespace information of an entry has been changed.
DOS Info Modified | DOS attributes of an entry have been changed.
Trustee Added/Modified/Removed | Trustee information has been changed.

eDirectory Events

Meta Events

Property Label | Description
ACL Changed
Login Enabled
Login Disabled
Intruder Detected

Object Events

Property Label | Description
Create | A new eDirectory object has been created.
Delete | An existing eDirectory object has been deleted.
Rename | An existing eDirectory object has been renamed.
Move (Source) | This event specifies the placement of an eDirectory object into its new location in the Directory tree. (This is the first of two events reported for a move operation. The second is DSMoveSourceEntry.) This also generates DSAddValue (DSAttribute) events for all of the values associated with the object.
Move (Destination) | This event specifies the deletion of an eDirectory object from its original location in the Directory tree. (This is the second of two events reported for a move operation. The first is DSMoveDestEntry.)
Move (Subtree) | A container and its subordinate objects have been moved.
Backlink SEV | A backlink operation has updated an object's Security Equivalence Vector.
Backlink Operator | A backlink operation has changed an object's console operator privileges.
Delete Subtree | A container and its subordinate objects have been deleted.
Move Tree (Start) | A Move Subtree operation has started.
Move Tree (End) | A Move Subtree operation has finished.
Name Collision | A name collision (two entries with the same name) has occurred.
DSA Read | A Read operation has been performed on an entry.
Login | A user has logged in.
Change Password | A user's password has changed.
Logout | A user has logged out.
Remove | An entry has been removed from a container.
Verify Password | A password has been verified.
Backup | An entry has been backed up.
Restore | An entry has been restored.
Remove Assoc. Directory | A file directory associated with an entry has been removed.
DSStream | A stream attribute has been opened or closed.
List Subordinates | A List Subordinate Entries operation has been performed on a container object.
List Containable Classes | A List Containable Classes operation has been performed on an entry.
Mutate Entry | A Mutate Entry operation has been performed on an entry.
Read Attribute | An entry's attributes have been read.
Read References | The references on a given object have been read.
Create Backlink | A backlink has been created.
Check Console Operator | An object has been checked for Console Operator rights.
Add Property | An attribute (property) has been added to an object.
Delete Property | An attribute (property) has been removed from an object.
Add Group Member | A member has been added to a Group object.
Delete Group Member | A member has been deleted from a Group object.
Read Object Info | A Read Object Info operation has been performed on an object.
Search | A Search operation has been performed.
Remove Backlink | A backlink has been removed.
Change Security Equals | An object's Security Equals attribute has been changed.
Add Entry | An entry has been added beneath a container.
Modify RDN | A rename operation has been performed.
Allow Login | A user has been allowed to log in.

Attribute Events

Property Label | Description
Add Value | A value has been added to an object attribute.
Delete Value | A value has been deleted from an object attribute.
Delete Attribute | An attribute has been deleted from an object. This generates DSDeleteValue events for values associated with the attribute. The DSDeleteValue events occur after the DSDeleteAttribute event.
Compare Attribute Value | A Compare operation has been performed on an attribute.
Modify Object | An attribute has been modified on an object.

Schema Events

Property Label | Description
Update Class Definition | A schema class definition has been updated.
Update Attribute Definition | A schema attribute definition has been updated.
Schema Synchronized | The schema has been synchronized.
Define Attribute | An attribute definition has been added to the schema.
Remove Attribute | An attribute definition has been removed from the schema.
Remove Class | A class definition has been removed from the schema.
Define Class | A class definition has been added to the schema.
Modify Class | A class definition has been modified.
Synchronized Schema | The schema has been synchronized.
Update Schema | An Update Schema operation has been performed.
Start Update Schema | A Start Update Schema operation has been performed.
End Update Schema | An End Update Schema operation has been performed.
New Schema Epoch | A new schema epoch has been declared.

Connection Events

Property Label | Description
Remote Server Down | A remote server has gone down.
NCP Retry Expended | The number of retries for an NCP™ request has been expended.
Remote Connection Cleared | A remote connection has been cleared.
Connected To Address | A connection has been established with a particular address.

Agent Events

Property Label | Description
Module State Changed | The eDirectory module's state has changed.
Local Agent Opened | The local Directory agent has been opened.
Local Agent Closed | The local Directory agent has been closed.
DSA Bad Verb | An incorrect verb number was given in a DSAgent request.
NLM Loaded | An NLM™ has been loaded.
DS Counters Reset | The internal eDirectory counters have been reset.
DS Reloaded | eDirectory has been reloaded.
Create Namebase | The Directory namebase has been created.
CRC Failure | A CRC failure has occurred when fragmented NCP requests were reconstructed.
Connection State Changed | The connection state has changed.
End Namebase Transaction | An End Namebase Transaction debug message has been sent.

Miscellaneous Events

Property Label | Description
Close Stream | A Stream attribute has been closed.
Check SEV | The Security Equivalence Vector has been checked.
Update SEV | The Security Equivalence Vector has been updated.
Delete Unused External Reference | An unused external reference has been deleted.
Recertified Public Key | An entry's public key has been certified.
Generated CA Keys | Certificate of Authority keys have been generated.

Bindery Events

Property Label | Description
Set Bindery Context | The bindery context has been set on the server.
Create Bindery Object | A bindery object has been created.
Delete Bindery Object | A bindery object has been deleted.
Error Via Bindery | An error was returned via the Bindery.
Change Property Security | Security for a bindery object's property has been changed.
Change Object Security | A bindery object's security has been changed.
Open Bindery | The Bindery has been opened.
Close Bindery | The Bindery has been closed.

Replica Events

Property Label | Description
No Replica Pointer | A replica exists that has no replica pointer associated with it.
Inbound Sync End | Inbound synchronization has finished.
New Master Set | A new master replica has been designated.
Partition State Change Request | A partition state change has been requested.
Lost Entry | eDirectory has encountered a lost entry. A lost entry is an entry for which updates are being received, but no entry exists on the local server.
Purge Entry Failed | A purge operation on an entry has failed.
Purge Start | A purge operation has started.
Purge End | A purge operation has ended.
FlatCleaner End | A Flatcleaner operation has completed.
One Replica | A partition has been encountered that has only one replica. Novell recommends that each partition have at least three replicas for greater fault-tolerance.
Limber Done | A Limber operation has completed.
Outbound Sync (Server) Start | Outbound synchronization has begun from a particular server.
Outbound Sync (Server) End | Outbound synchronization from a particular server has finished.
Added Replica | A replica of a partition has been added to a server.
Removed Replica | A replica of a partition has been removed from a server.
Changed Replica Type | A partition replica's type has been changed.
Received Replica Updates | A replica has received an update during synchronization.
Repaired Timestamps | A replica's time stamps have been repaired.
Sent Replica Updates | A replica has sent an update during synchronization.
Inspected Entry | An Inspect Entry operation has been performed on an entry.
Resent Entry | A Resend Entry operation has been performed on an entry.
Merged Entries | Two entries have been merged.
Updated Replica | An Update Replica operation has been performed on a partition replica.
Start Update Replica | A Start Update Replica operation has been performed on a partition replica.
End Update Replica | An End Update Replica operation has been performed on a partition replica.
EntryIDs Swapped | A Swap Entry ID operation has been performed.

Partition Events

Property Label | Description
Referral Created | A referral has been created.
Split Done | A Split Partition operation has completed.
Sync Partition Start | Synchronization of a partition has begun.
Sync Partition End | Synchronization of a partition has finished.
Join Done | A Join Partitions operation has completed.
Partition Locked | A partition has been locked.
Partition Unlocked | A partition has been unlocked.
Lumber Done | A Lumber operation has completed.
Backlink Procedure Done | A backlink process has completed.
Server Renamed | A server has been renamed.
Synthetic Time Issued | To bring eDirectory servers into synchronization, synthetic time has been invoked.
Server Address Changed | A server's address has changed.
Split Partition | A partition has been split.
Join Partitions | A parent partition has been joined with a child partition.
Abort Partition Operation | A partition operation has been aborted.
Merge Trees | Two eDirectory trees have been merged.
Create Subref | A subordinate reference has been created.
List Partitions | A List Partitions operation has been performed.
Sync Partition | A Synchronize Partition operation has been performed on a partition replica.
Change Tree Name | The tree name has been changed.
Start Join | A Start Join operation has been performed.
Abort Join | A Join operation has been aborted.
Move Tree | A Move Tree operation has been performed.
Partition State Changed | A partition's state has changed.
Low Level Join | A low-level join has been performed.
Orphaned Partition | An orphan partition operation has been performed. This operation has four variations: Create, Remove, Link, and Unlink.
Low Level Split | A low-level partition split has been performed.

Setting Up Novell Audit to Send E-mail on Specific Events

The next step is to select a few very critical events that, when triggered, will send an e-mail to one or more administrators. For example, if the events Server Down and Volume Dismounted are triggered, an e-mail could be sent to the administrator of the NetWare server.

Setting Up the E-mail Channel

  1. In the Novell Audit Summary screen in iManager, click the Channels tab.
  2. Click the "Channels" checkbox and choose the "New Channel" link. You will be prompted for the name of the channel you want to create.
  3. Give this channel a name and choose the SMTP channel for the channel type.
  4. Click OK to create the channel.

Figure 10 - Configuring the SMTP channel

You will then see the configuration options for the newly created SMTP channel.

Configuring the SMTP Server

You must now configure the SMTP server and the email message. The settings are described below.

  • Host: The IP address or DNS host name for the SMTP server
  • User: The user name for the e-mail account the SMTP channel uses to connect to the SMTP server. The user name is only required if SMTP Authentication is enabled on the SMTP server.
  • Password: The password for the e-mail account the SMTP channel uses to connect to the SMTP server. The password is only required if SMTP Authentication is enabled on the SMTP server.
  • Sender: The name that appears in the From: line for all messages sent from this SMTP Channel object. For example, the sender could be "Your Logging Server."
  • Recipient: The e-mail addresses to which all events directed through this SMTP Channel object are sent.
  • Subject (optional): The text that appears in the Subject line for all messages sent from this SMTP Channel object. The subject line can contain up to 255 characters as well as event variables. The SMTP driver replaces these variables with a value from the event's designated field.
  • Message (optional): The text that appears in the message body for all messages sent from this SMTP Channel object. The message body can be up to 64KB; however, for performance reasons, this is not recommended. The message body may contain event variables. The SMTP driver replaces these variables with a value from the event's designated field.

Figure 11 - Setting up e-mail notifications

Finding a List of Default Product Events

These events can be used in the e-mail subject and message fields. To find an event's ID, description, and field definitions, use the following procedure:

  1. Log into iManager as admin, or a member of the "Auditing and Logging" role.
  2. Choose the "Auditing and Logging" role, and select "Query Options".
  3. In the Product Events screen, click the plus icon next to the product name to expand a list of the application's associated events. Click on an event to view the event ID, description, and field definitions. The following is an example of the server down event:

Figure 12 - Viewing event information

Sample Notification

The last step to enable e-mail notifications is to trigger them on a specific event. The following steps will walk you through the notification setup.

1. In the Novell Audit Summary screen in iManager, choose the Notifications tab.

2. Click the Notifications checkbox and choose the New Notification link. You will be prompted for the name, and to indicate if this is a notification or heartbeat.

3. Give this notification a name and click the notification radio button.

Figure 13 - New Notification dialog

4. Click OK to create the notification, and you will see the configuration options for the newly created notification.

5. Enter the following information for the connection parameters to match on the server going down, and the volume dismounted:

Figure 14 - New Notification configuration settings

6. Select the channel to notify if the above criteria are met. Use the Browse button to locate the SMTP channel that was created earlier.

7. Click Apply to save the changes.

8. Restart the Secure Logging Server. You can do so in Linux using the following command:

linux:~ # /etc/init.d/novell-naudit restart

