
Configuring and Using Novell Audit with Novell SecureLogin

Novell Cool Solutions: AppNote
By Girish Mutt, Prakash Panda


Posted: 5 Apr 2006

Introduction

The main objective of this AppNote is to provide an overview of how to use Novell Audit services on eDirectory for Novell SecureLogin (NSL)-related events. It is a guide to enabling Novell Audit for SecureLogin events so that you can review system activity with respect to NSL. This is useful for finding possible issues and for troubleshooting with the help of real-time monitoring, so you can assess and act on events as they occur. It is especially useful because Novell Audit also supports real-time notifications.

About NSL and Novell Audit

As NSL is the most versatile Single Sign-On (SSO) solution used with eDirectory, it's important to be able to track NSL system activity through real-time monitoring. It's also vital to be able to analyze logged events whenever issues arise. To address these needs, NSL can now be integrated with the Novell Audit system. With the new NSL 6.0 release, there is support for a set of events related to the SecureLogin client, LDAP authentication, and Secure Workstation that are logged in the auditing system.

The data collected through the Novell Audit system lets you keep track of the various NSL events, such as user logins, password changes, and device removal activity (in case you are using advanced authentication mechanisms with NMAS). By default, all event logging for NSL is disabled, so it needs to be turned ON on the Platform Agent side. That enables those events to be registered on the Secure Logging Server. The Channel drivers on the Secure Logging Server can log the events to any of the following means of storage:

  • JDBC-enabled database
  • Flat file in the file system
  • MySQL database
  • Oracle database
  • Microsoft SQL Server database
  • Syslog database

Note: In this AppNote we emphasize how you can use Novell Audit with a normal text file (flat file) to register events. Other methods require a specific setup based on the means of storage being used.

In order to use the Novell Audit system, you need to configure the eDirectory server to function as a Secure Logging Server and the Windows SecureLogin client to act as a Platform agent in the Novell Audit System architecture. The following steps must be followed to integrate the Novell SecureLogin system with the Novell Audit system:

1. Configuring eDirectory server as a Secure Logging Server.

2. Configuring Novell SecureLogin client as a Platform Agent.

Configuring eDirectory server as a Secure Logging Server

In order to configure the Secure Logging Server, the following minimum requirements must be met on the eDirectory server:

  • NICI 2.6.5 or later
  • eDirectory 8.7 or 8.8
  • iManager 2.5 or 2.6 (2.6 is preferred)

When all the above minimum requirements are met on the eDirectory server, you can install the Novell Audit Starter Pack to install all the Novell Audit dependent server components. This completes the installation of the server component of the Novell auditing system. The Secure Logging Server manages the flow of information to and from the Novell auditing system. It receives incoming events and requests from the Platform Agents, logs information to the data store, monitors designated events, and provides filtering and notification services. On NetWare, Linux, and Solaris systems, the Secure Logging Server object can be created automatically in the Logging Services container during installation, or it can be created manually anywhere in the tree after installation.

iManager Configuration

The following configuration should be done through iManager in order to use the eDirectory server as a Secure Logging server:

1. Log in to iManager.

2. In the left panel select Auditing and Logging, and then Logging Server Options.

3. Browse to the location of the Logging Server object and select it.

Figure 1: Selecting the logging server object

4. In the General tab, go to Configuration.

5. Choose "File.Channels.Logging Services" as the Log Channel so that events are registered in a flat text file.

Figure 2: Selecting "File.Channels.Logging Services" as the Log Channel

6. Go to Log Applications under Logging Server Options and check Applications to create a new Log Application for Novell SecureLogin (NSL) auditing, as shown in the figure below.

7. Click New Log Application to create a new Log Application in the Applications container.

8. Click OK to continue.

Figure 3: Creating the New Log Application

9. To create the New Log Application, provide the following information:

  • Log Application Name: user-defined (for example, NSLNsure)
  • Import LSC file

Note: The Log Schema (LSC) file ships with NSL. In the Tools folder, select the securelogin.lsc file and click OK while importing the LSC file. The New Log Application will then be listed in the Applications container under the name you defined.

Figure 4: Importing the NSL Log Schema file

10. Click the Channels tab.

11. Check the File box and choose Edit Channel.

12. In Modify Object, click on the configuration. This gives you the option to change the log file Location, as shown in the figure below. The default log file Location is sys:/etc/logdir.

13. Click Apply after making the necessary changes.

Figure 5: Modify Object window for editing file channel details

14. Restart the directory server to make the changes effective.

Configuring Novell SecureLogin client as a Platform Agent

The Platform Agent - logevent - is the client portion of the Novell auditing system. It receives logging information and system requests from authenticated applications and transmits the information to the Secure Logging Server.

If the connection between the Platform Agent and the Secure Logging Server fails, applications continue to log events to the local Platform Agent, just as always. The Platform Agent simply switches into Disconnected Cache mode; that is, it begins sending events to the Logging Cache module. The Logging Cache module then writes the events to the Disconnected Mode Cache until the connection is restored. The Platform Agent related configurations are stored in a simple, text-based configuration file. The default location of this file is C:\<Windows Directory>\logevent.cfg. This file can be used to define the path to the local cache file and other files.

Once the Secure Logging eDirectory server is ready, you need to set up the Windows machine running the SecureLogin client as a Platform Agent. It will report the events to the Secure Logging Server. Follow the steps below to install the Platform Agent on the SecureLogin client.

Note: Before installing, make sure the versions of the client-side Nsure Audit agent and the server-side Nsure Audit agent are compatible.

1. From the Novell Audit build folder, run naudit_win32.exe to start the installation of the Platform Agent. The Install Wizard will start.

2. Click Next to continue.

3. Click Yes to accept the license agreement and continue.

4. Enter the necessary customer information (user name and company name) and click Next.

5. The Install Wizard asks for the destination folder where setup will install the files. Click Next to continue with the default location, or change the location and click Next.

6. Select Custom Installation and click Next.

7. From the list of features, select only Platform Agent and uncheck the rest of the features.

Figure 6: Feature selection dialog

8. Enter the IP address of the Directory server.

9. At the end of the installation, click Finish.

Configuring the Registry Keys to enable the Event Logging

For NSL events to get logged in the Secure Logging Server, you need to add certain registry keys:

1. From the Start Menu, go to Run and enter the command "regedit" to edit the Registry keys for the client.

2. In the Registry Editor, go to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Nmas\MethodData\

3. Go to the Secure Workstation folder, right-click, and choose "New".

4. Choose String Value to create a new string named "SwAudit". This key is required to enable Event Logging for all the Secure Workstation-related events.

Figure 7: Creating a new string value

Figure 8: Created string value in Registry Editor

The above Registry settings cause the following events to be logged into the Novell Audit system:

  • Event ID 00330041: Inactivity Timeout
  • Event ID 00330042: Device Removal
  • Event ID 00330044: Manual Lock event

5. In the Registry Editor, go to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\

6. Go to the LDAP folder, right-click, and choose "New".

7. Choose String Value to create a new string named "LdapAudit". This key is required to enable Event Logging for all LDAP-related events.

Figure 9: Creating a new string value

The above Registry setting causes the following events to be logged into the Novell Audit system:

  • Event ID 00330021: NSL user login
  • Event ID 00330022: LDAP user password change
  • Event ID 00330023: Workstation unlocked by different user

8. Log off from the SecureLogin Windows client and log in again for new Registry settings to take effect.

After this, all events related to SecureLogin client, LDAP authentication and Secure workstation will be logged in the auditing system, in the log file specified by the user.
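The registry procedure above, scripted as an added example (this is not code from the AppNote or from Novell): it creates the two string values only where the parent NSL keys already exist, verifies both are present, and checks for the Platform Agent configuration file at its default location. It assumes the Secure Workstation subkey is literally named "Secure Workstation", that the value data may be left empty (the AppNote only requires the value to exist, which is what regedit creates by default), and that the script runs from an elevated PowerShell prompt on the SecureLogin client.

```powershell
# Added example, not part of the original AppNote. Run elevated on the NSL client.
# Each entry: registry path from the AppNote, the value to create, and the audit
# events the AppNote says that value enables (for reference when reviewing logs).
$auditSettings = @(
    @{ Path   = 'HKLM:\SOFTWARE\Novell\Nmas\MethodData\Secure Workstation'  # assumed exact subkey name
       Name   = 'SwAudit'
       Events = '00330041 Inactivity Timeout, 00330042 Device Removal, 00330044 Manual Lock' },
    @{ Path   = 'HKLM:\SOFTWARE\Novell\Login\LDAP'
       Name   = 'LdapAudit'
       Events = '00330021 NSL user login, 00330022 LDAP password change, 00330023 Workstation unlocked by different user' }
)

foreach ($s in $auditSettings) {
    if (-not (Test-Path -Path $s.Path)) {
        # Do not create the parent key ourselves: its absence means the NSL/NMAS
        # component is not installed, and an orphan key would enable nothing.
        Write-Warning "Key $($s.Path) not found; is the corresponding NSL component installed?"
        continue
    }
    $existing = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # REG_SZ with empty data, matching what 'New > String Value' in regedit produces (assumption).
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType String -Value '' | Out-Null
        Write-Output "Created $($s.Name) under $($s.Path)"
    } else {
        Write-Output "$($s.Name) already present under $($s.Path)"
    }
    Write-Output "  Enables audit events: $($s.Events)"
}

# Verification pass: every value must resolve before the user logs off and on again.
$missing = @()
foreach ($s in $auditSettings) {
    $v = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { $missing += "$($s.Path)\$($s.Name)" }
}
if ($missing.Count -gt 0) {
    Write-Warning ("Audit values still missing: " + ($missing -join '; '))
} else {
    Write-Output 'Both audit values present. Log off and log in again for them to take effect.'
}

# The Platform Agent keeps its settings in <Windows Directory>\logevent.cfg (default per the AppNote).
$cfg = Join-Path -Path $env:windir -ChildPath 'logevent.cfg'
if (Test-Path -Path $cfg) {
    Write-Output "Platform Agent configuration found at $cfg"
} else {
    Write-Warning "No logevent.cfg at $cfg; the Platform Agent may not be installed, so events will not reach the Secure Logging Server."
}
```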

Conclusion

The purpose of this AppNote is to provide a complete and detailed approach to integrate the Novell Audit system with NSL. Using this AppNote you can enable NSL for event logging with the Novell Audit system.

Glossary of Terms

  • NSL - Novell SecureLogin
  • LDAP - Lightweight Directory Access Protocol
  • LSC - Log Schema
  • NICI - Novell International Cryptographic Infrastructure



© 2014 Novell