Audit Starter Pack: Installation, Configuration and Usage Instructions
Novell Cool Solutions: AppNote
Posted: 29 Aug 2007
These instructions cover only the installation of the Novell Audit Starter Pack. Novell Audit is designed to integrate with several database applications (e.g., Microsoft SQL Server, Oracle), but these instructions cover only MySQL, since it is included with the Novell OS.
- MySQL Application Installation The specific location to install MySQL will depend on your environment. You will need to consider server load, available disk space, etc.
- If a previous version of the MySQL server is running, shut it down.
- Insert the NW 6.x SPx Products CD.
- Launch the "X session" by typing startx at the server prompt.
- Choose "Novell - Install" and browse to the Postinst.ni file.
- Click on the "Clear All" button, check the MySQL option and then click the Next button.
- Click the "Copy Files" button and follow the wizard. Make sure you remember the MySQL root password the installation prompts you to create; it is independent of all eDirectory passwords.
Once the installation is completed, reboot the server. Once reloaded, the server will display a "MySQL Server" screen.
- MySQL Database Configuration You will need to configure the MySQL database next.
- From the server console, type the following commands (listed near the end of this article, starting at the Aries> prompt).
- Once in the database, type the commands shown there to create the naudit database and its user (don't forget the semicolons ";").
- Install Novell Audit Copy the Audit2.0.2 application to a location on the appropriate server(s) (e.g., ServerName_SYS:\Patches\NAAS2). (This application can be downloaded from http://download.novell.com/index.jsp.) For a complete first-time or upgrade installation, Novell recommends you select all the options. This server will then become the Primary server [mine was the same one as the MySQL database].
- At the server, load NWConfig.
- Select the "Product Option" and press enter.
- Then, select the "Install a Product not Listed" option and press enter.
- Highlight any previous selection, press enter and then press the F3 key.
- Now change the path to the location of the Audit2.0.2 update folder and press enter. This opens the "Installation" screen.
- Select/unselect the options to be installed on the server and press the F10 key.
- Accept the "License Agreement" and continue the installation.
- Once installed, you will be warned about updating (configuring) the Logevent.CFG file (the LogHost entry in SYS:\ETC\logevent.cfg, shown near the end of this article).
- On the "Secure Logging Server" itself, you can leave the loopback address.
- On all other servers, open logevent.cfg with a text editor, set LogHost to the IP address of the "Secure Logging Server", and save your changes. Until this is done, the Platform Agent on that server has nowhere to deliver its events.
- Then return to the Server Console NWConfig screen and press enter to continue.
- Select Yes to start the logging eDirectory and NetWare events.
- Complete the installation and close NWConfig.
- The "Secure Logging Server" will display the "Novell Nsure Audit Console" if the -d option has been set (see the "Restart the Novell Audit Services" step below).
- Logging Server Options You must now configure the NAudit Channel using iManager. Once you have logged into iManager you must:
- Select the Auditing and Logging -> Logging Server Options option.
- Click on the browse button, find and select the Logging Server.Logging Services object and click OK. Normally, the "Logging Services" will be found at the root of the tree.
- Select the Channels Tab and check mark the "channels" box.
- Drop down the "Channel Actions" option and select the New option.
- Enter a "Channel Name" and select the Channel Type: MySQL Channel.
- Then click the OK button.
- Now enter the appropriate database information (the MySQL server address, database name, user name and password) and click the OK button.
(Remember to enter the "Password" you used in step 2.b. above for the auditusr account.)
- Now, select the "General" tab in iManager, choose the "Configuration" option, enter the "Configuration" information as shown and click the OK button.
NOTE: If the General tab isn't available or some of the options aren't visible, use the instructions in step 4.i. below to add the appropriate "Attributes" to the "ServerConfigBook.naudit.Role Based Service" object.
- If the Nsure Audit "General" tab is missing or appropriate "Attributes" are not available, use the following to update the object (See TID 10095721). Open iManager, expand the "Directory Administration" option and select the "Modify Object" option.
- Search for and select the "ServerConfigBook" object.
- Find and double-click the "rbsPageMembership" attribute in the "Valued Attributes" list.
- This opens the "Edit Attribute" dialog box, where you will probably only see the three naudit.sc*Page values listed near the end of this article; add the four missing values listed there.
- Configure Query Options You must now configure the "Query Options" and establish your link to the database.
- Select "Query Options" link and then the Databases tab. Click on the "New" option.
- Enter the appropriate database information and click the OK button. (Remember to enter the "Password" you used in step 2.b. above.)
- Restart the Novell Audit Services You will need to restart the services on all the servers.
- On all the servers (including the Master), type the following command: Auditstp. (Note: On the Master server, you may want to add a line to unload lengine.nlm.)
- At the "Main Audit" server console, type the following command: Auditsvr
You should be presented with a blue screen that shows the Audit Console. If you don't get the console, check the logger screen for any clues. (Note: You must edit the NCF file to include the "-d" switch, or the console screen will not appear.)
- On all the servers, type the following command: Auditagt
- Set Audit Logging Options You must set the audit logging you want per server. To do this, complete the following:
- Open iManager and choose the Directory Administration -> Modify Object option.
- Click the browse button, search for and select the actual NCP server object (not the Logging Server object) and click the OK button.
- Now select the "Novell Audit" tab and check the Login and Logout boxes in both the "NetWare" and "eDirectory" sections.
You may also want to check the Intruder Detected and Login Failed options in the eDirectory section; these are the events you need in order to spot password-guessing against the tree.
- Then click the Apply or OK button to save your settings.
- Run Query Reports You can now retrieve logging data from the MySQL database. This is done by selecting the Auditing and Logging -> Query option.
- Select the appropriate option (All, All Last Hour, Count, Distribution) and click the "Run Query" button. The results of the query will be displayed.
- You can either click Finish or Export or Print the Query Results. If you click Export, you can save it as HTML, Comma Delimited Text, or Tab Delimited Text file.
- Event field values (these apply to the EventID, Log Level and Target Type columns described under "Result Column definitions" at the end of this article).
EventID:
- The HiWord is the four-digit hex value assigned to the current application. All Application IDs are assigned through Novell Developer Support and are maintained in the Novell Audit central registry. Before instrumenting a new application, developers should obtain an AppID through Novell Developer Support (http://developer.novell.com/devres/ss/resource.htm).
- The LoWord is the AppEventID assigned by the person instrumenting the application. Typically, these values are assigned in ascending order.
Log Level (Severity), from most to least severe:
- Emergency events cause the system to shut down.
- Alert events require immediate attention.
- Critical events might cause parts of the system to malfunction.
- Error events are errors that can be handled by the system.
- Warnings are negative events that do not represent a problem.
- Notices are positive or negative events that an administrator can use to understand or improve the use and operation of the current system.
- Info represents positive events of any importance.
- Debug events are used by support technicians or engineers to debug the current system.
Target Type (the predefined format in which the Target and Originator fields are represented):
- 0: None
- 1: Slash Notation
- 2: Dot Notation
- 3: LDAP Notation
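The comma-delimited export from the query page can be checked offline with the field definitions above. The following is an added example, not code from this AppNote or from Novell. It assumes the export's header names match the Result Column definitions (Component, EventID, IPAddress, ClientMS, ServerTimestamp, Originator, Target), that the 32-bit IP value was written in network byte order by a little-endian Platform Agent, and that component strings compare case-insensitively; the sample rows are constructed. It splits each EventID into HiWord and LoWord, renders the IP address, filters by component wildcard, and walks the ClientMS counter per connection to report missing, restarted or out-of-order events.

```python
"""Decode and sanity-check Novell Audit events exported as comma-delimited
text.  Added example, not code from the AppNote or from Novell: column
names are assumed from the Result Column definitions, the sample rows are
constructed."""
import csv
import fnmatch
import io
import socket
import struct
from collections import defaultdict

# Constructed sample export (assumed header names).  Two logging
# applications on two Platform Agents: the eDirectory connection is
# missing ClientMS 3, and the iChain application restarts (count back to 0).
SAMPLE_EXPORT = """\
Component,EventID,IPAddress,ClientMS,ServerTimestamp,Originator,Target
\\eDirectory\\Database\\Lookup,655361,16777226,0,2007-08-29 10:00:00,CN=admin.O=acme,CN=jdoe.O=acme
\\eDirectory\\Database\\Lookup,655362,16777226,1,2007-08-29 10:00:01,CN=admin.O=acme,CN=jdoe.O=acme
\\eDirectory\\Database\\Lookup,655362,16777226,2,2007-08-29 10:00:02,CN=admin.O=acme,CN=jdoe.O=acme
\\eDirectory\\Database\\Lookup,655367,16777226,4,2007-08-29 10:00:05,CN=admin.O=acme,CN=jdoe.O=acme
\\iChain\\Connection Manager\\Authentication,1245185,117440522,0,2007-08-29 10:00:03,jdoe,https://portal.acme.example
\\iChain\\Connection Manager\\Violations,1245193,117440522,1,2007-08-29 10:00:04,jdoe,https://portal.acme.example
\\iChain\\Connection Manager\\Authentication,1245185,117440522,0,2007-08-29 10:00:09,jdoe,https://portal.acme.example
"""


def split_event_id(event_id):
    """EventID = HiWord (AppID) << 16 | LoWord (AppEventID)."""
    return (event_id >> 16) & 0xFFFF, event_id & 0xFFFF


def ip_from_network_order(value):
    """The IPAddress column holds the four octets in network (big-endian)
    order, but a little-endian Platform Agent writes that memory as a native
    integer, so the stored number reads byte-swapped (assumption: x86 agent).
    Re-emit the native bytes and print them as an address.  MySQL's
    INET_NTOA() on the raw number would reverse the octets."""
    return socket.inet_ntoa(struct.pack("<I", value))


def match_component(pattern, component):
    """Wildcard match on a component string, e.g. '\\ichain\\*\\violations'.
    '*' spans any number of path parts; matching is case-insensitive (assumed)."""
    return fnmatch.fnmatchcase(component.lower(), pattern.lower())


def filter_by_component(rows, pattern):
    return [r for r in rows if match_component(pattern, r["Component"])]


def app_id_of(component):
    """First part of the component string is the Application Identifier."""
    return component.strip("\\").split("\\")[0].lower()


def parse_export(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["EventID"] = int(r["EventID"], 0)      # accepts decimal or 0x hex
        r["IPAddress"] = int(r["IPAddress"])
        r["ClientMS"] = int(r["ClientMS"])
    return rows


def find_clientms_gaps(rows):
    """Per (agent address, application) connection, in server-timestamp order,
    report every ClientMS that does not follow its predecessor by exactly 1.
    A count of 0 after other events means the logging application restarted;
    a jump means that many events never reached the data store."""
    by_conn = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ServerTimestamp"]):
        key = (ip_from_network_order(r["IPAddress"]), app_id_of(r["Component"]))
        by_conn[key].append(r["ClientMS"])
    findings = []
    for conn, counts in by_conn.items():
        expected = 0
        for count in counts:
            if count == 0 and expected != 0:
                findings.append((conn, "restart", count, 0))
            elif count > expected:
                findings.append((conn, "gap", count, count - expected))
            elif count < expected:
                findings.append((conn, "out-of-order", count, 0))
            expected = count + 1
    return findings


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for r in rows:
        hi, lo = split_event_id(r["EventID"])
        print(f"{ip_from_network_order(r['IPAddress']):>10}  AppID=0x{hi:04X} "
              f"AppEventID=0x{lo:04X}  ClientMS={r['ClientMS']}  {r['Component']}")
    for conn, kind, count, missing in find_clientms_gaps(rows):
        print(f"{conn}: {kind} at ClientMS {count} (missing {missing})")
```

A gap in ClientMS is only a hint that events are missing, since the counter restarts with the application; the signature checks in Novell Audit Report are what tell you whether the stored events themselves are intact.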
- MySQL Tools Install the MySQL Administration program on your workstation. Go to the MySQL web page (http://www.mysql.com/products/tools/) and download the following file:
mysql-gui-tools-5.0-r12-win32.msi
Once downloaded, double-click on this file and install the standard options. This includes the MySQL Administrator and Query Browser (version 1.2.12).
- MySQL Administrator Once installed, open the Administrator program.
- Enter the 1) Stored Connection, 2) Server Host (IP address), 3) Username, and 4) Password.
- Click the OK button to open the "MySQL Administrator" program.
- "Backup Project" Function. Click on the "New Project" button to create a "Backup Project" for the naudit database. Enter the "Project Name", add the "naudit" Schemata to the "Backup Content", and click on the "Save Project" button.
- Click on the "Advanced Options" tab and configure as shown or desired.
- Click on the "Schedule" tab and set the "Target folder" desired.
- Now click on the "Execute Backup Now" button to backup the database.
NOTE: For now, I've not been able to get the "Scheduled" backup to work. You must manually back up the database.
- Query Browser. Open the MySQL Query Browser program.
- Enter the 1) Stored Connection, 2) Server Host (IP address), 3) Username, and 4) Password.
- Once the browser is opened, double-click on the "naudit - log" icon in the Schemata window. This will enter the "Select" command shown in the execute pane.
- Now click on the "Execute" button to generate the "Resultset 1" results.
- Once generated, click on the "File - Export Resultset - Export As Excel File..." menu option.
This opens the "Save result set to file..." dialog box. Enter the "File name:" as shown or desired and click the Save button.
- Once you've confirmed that the file has been successfully exported, change the query statement as shown and click on the "Execute" button. This empties the naudit log table on the master Novell Audit database server. Confirm the export first: any events the query removes that arrived after the export are not in the saved file and are gone.
- NSure Audit Database I've created an Access Database that Imports the Excel File created in step 11.a.3 above. The database consists of two MDB files, the "NSureAudit.mdb" and "NSureAudit Tables.mdb".
- Database Setup You can place the "NSureAudit Tables.mdb" file anywhere. If you place it in a different location than the "Front-End" "NSureAudit.MDB" file, you will need to re-link the tables.
(NOTE: Be sure to place the "Save NAudit Data File.xls" file in the same location as the "Front-End" database file.)
- Open the "NSureAudit.MDB" database.
- Select the "Tools-Database Utilities-Linked Table Manager" menu option (Figure 1).
- When the "Linked Table Manager" dialog box (Figure 2) appears, check the "Always prompt for new location" box, press the "Select All" button and then press the "OK" button.
- Browse to the location where you placed the "Back-End" and double-click on the database.
- Click the "OK" button when the process completes successfully.
- Change the "Database Location" on the MainMenu to reflect the location of the "Front-End" database and the "Save NAudit Data File.xls" files. (NOTE: Be sure to leave off the trailing "\" from the "Location".)
- Visual Basic References Open any of the "Modules" in the database (close the MainMenu and click on the "Modules" object link on the left of the database screen).
- Once open, select the "Tools -> References" option. This will display the "References - NSureAudit" dialog box. Ensure your database shows the listed references (This graphic shows those references for an Access 2003 application.)
- Reports I've created two reports as of now. If you just run the report they will list all records in the database. If you select an "Originator" from the dropdown field, the report will only list the records of the selected "Originator".
NOTE: One major consideration: don't load MySQL on a server that is audited for file-type actions. Every write to the audit database is itself a file event on that server, which gets logged, which causes another write, and so on; this may cause a major loop problem!
Once you've decided on the server, complete the following on that server. (Note: I'm installing all applications on a NetWare 6.5 SP5 server. This application could be loaded on a Linux, Solaris or Windows server.) See the following URL for detailed instructions: www.novell.com/documentation/oes/web_mysql/index.html?page=/documentation/oes/web_mysql/data/bookinfo.html.
Aries> mysql -u root -p
Enter password: <the MySQL root password you created in step 1.e>

mysql> create database naudit;
mysql> grant all on naudit.* to auditusr@'%' identified by 'novell';

NOTE: This creates the user 'auditusr' with a password of novell. Treat both as placeholders: 'novell' is a guessable password, and the '%' host wildcard lets the account connect from any address. In production, choose a strong password and restrict the host part of the GRANT to the systems that actually connect (the Secure Logging Server, the iManager server used for queries, and any workstation running the MySQL tools).
SYS:\ETC\logevent.cfg
****************************************************************************
# Novell Audit Platform Agent configuration
#
# LogHost - Specifies the IP address or DNS name of the Secure
#           Logging Server (SLS).
. . . . .
# NOTE: Some options may not be available in all versions of Novell Audit.
#
LogHost=XXX.XXX.XXX.XXX
****************************************************************************
Values normally already present in the rbsPageMembership attribute of the ServerConfigBook object:
- naudit.scChannelsPage
- naudit.scFiltersPage
- naudit.scAppsPage
You need to add the following IDs to the rbsPageMembership attribute, in addition to the ones above:
- naudit.scGeneralPage
- naudit.scSummaryPage
- naudit.scStatusPage
- naudit.scMemoryPage
Once you have added the above four values, click on the "OK" and then "Apply" buttons.
NOTE: If you are missing naudit.scChannelsPage, naudit.scFiltersPage, or naudit.scAppsPage, add the missing values. You need to have all seven values within RBS for this to function properly.
Result Column definitions (from the Novell Audit documentation).

- Component: The component string is formatted like a DOS pathname, with a backslash (\) separating component parts, for example:
\eDirectory\Database\Lookup
\iChain\Connection Manager\Authentication
\<app>\POP3\Authentication
The first part of the component string is the Application Identifier. The Application Identifier is the string the logging application uses to identify itself to the logging server. It is stored in the application's certificate and Application object.
When the Secure Logging Server authenticates an application's connection with the Platform Agent, it associates the Application Identifier with that connection. Thereafter, it automatically adds the Application Identifier to the component string for every event coming from that connection. Because the identifier comes from the authenticated connection rather than from the event data, the logging application does not get to choose it.
For more information on application certificates and authentication, see Chapter 9, "Security and Non-Repudiation," in the Novell Audit documentation.
The subsequent portions of the component string are defined by the application. Typically, they identify modules within the application, types of events, etc.
The intent of the component string is to facilitate queries across various products and events. For example, using wildcard characters, you can search for all iChain violations (\ichain\*\violations), all iChain events (\ichain\*), or violations from every logging application (*\violations). You can also use the component string to filter events in event chains. See Section 8.2.7, "Verifying Event Authenticity in Novell Audit Report."
For a listing of the Novell Audit, eDirectory and NetWare component strings, see Section A.2, "Component Strings."

- EventID: The EventID is comprised of two elements: the HiWord and the LoWord (see the event field values earlier in this article).

- GroupID: An ID that can be used to identify related events.

- Log Level (Severity): The log level is an indicator of the severity of the reported event (see the severity list earlier in this article).

- IP Address: The IP address of the Platform Agent that logged the event. By default, Novell Audit stores IP address values in network byte order.

- Client Timestamp: The time the Platform Agent received the event from the logging application.

- ClientMS: The event count field.
When a logging application makes a connection to the Platform Agent, the Secure Logging Server begins counting the events that come over that connection. The count begins at 0 for the initial event and increments by one for every event. If the logging application is restarted, the event count is reset to 0.
Novell Audit Report uses this field to determine how many events are missing if the event signatures are not valid. For more information, see Section 8.2.7, "Verifying Event Authenticity in Novell Audit Report."

- Server Timestamp: The time the logging server received the event.

- Text1: The value of this field depends upon the event. It can contain any text string up to 255 characters.
The Text1 field is vital to the function of the CVR driver. The CVR driver looks in the event's Text1 and Text2 fields to identify the defined attribute and object for a given policy. For more information, see "CVR Channel Driver."

- Text2: The value of this field depends upon the event. It can contain any text string up to 255 characters.
The Text2 field is vital to the function of the CVR driver for the same reason as Text1. For more information, see "CVR Channel Driver."

- Text3: The value of this field depends upon the event. It can contain any text string up to 255 characters.

- Value1: The value of this field depends upon the event. It can contain any numeric value up to 32 bits.

- Value2: The value of this field depends upon the event. It can contain any numeric value up to 32 bits.

- Value3: The value of this field depends upon the event. It can contain any numeric value up to 32 bits.

- Mime hint: This field identifies the type of data contained in the Data field.

- Target: This field captures the event target. All eDirectory events store the event's object in the Target field.

- Target Type: This field specifies which predefined format the target and originator are represented in. The currently defined values are the four Target Type values listed earlier in this article (0: None, 1: Slash Notation, 2: Dot Notation, 3: LDAP Notation).

- Originator: This field captures who or what caused the event to happen.

- Sub Target: This field captures the sub-component of the target which was affected by the event. All eDirectory events store the event's attribute in the Sub Target field.

- Data Size: This field identifies the size of the data contained in the Data field.

- Data: The value of this field depends upon the event. The default size of this field is 3072 characters. You can configure the size of this field with the LogMaxBigData value in logevent.cfg. This value does not set the size of the Data field in the database, but it does set the maximum size that the Platform Agent can log. For more information, see "Logevent."
The maximum size of the Data field is defined by the database where the data is logged, so the size varies for each database that is used. If the size of the data logged by the Platform Agent exceeds the maximum size allowed by the database, the channel driver truncates the data in the Data field.
If an event has more data than can be stored in the String and Numeric Value fields, it is possible to store up to 3 KB of binary data in the Data field.

- Signature: The event signature.
Novell Audit digitally signs each event that is logged to the data store. To sign an event, the logging application or the Platform Agent hashes the event data and signs the hash with the logging application's private key. The signature is then stored as part of the event. This signature allows the auditor or investigator to determine if an event has been changed. If event chaining is enabled, each event's signature includes its own data as well as the signature from the previous event. This allows auditors to determine if an event has been deleted or if the sequence of events has been changed.
Event chaining is enabled in the Platform Agent's configuration file, logevent.cfg. For information on configuring this option, see "Logevent." For information on validating events in Novell Audit Report, see Section 8.2.7, "Verifying Event Authenticity in Novell Audit Report."
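The Signature description makes two distinct claims: a per-event signature catches an edited event, and only event chaining catches a deleted or reordered one. The following is an added example that models both, not Novell's implementation: HMAC-SHA256 under a shared key stands in for the logging application's private-key signature, the canonical JSON encoding and the subset of Result Column fields are assumptions, and the events are constructed. It signs the same five events with and without chaining, then applies an edit, a deletion and a swap to each store and reports which stored signatures no longer verify.

```python
"""Model of Novell Audit's per-event signatures and event chaining.
Added example, not Novell's code: HMAC-SHA256 under a shared key stands
in for the logging application's private-key signature, and the event
layout is a constructed subset of the Result Column fields."""
import hashlib
import hmac
import json

# Stands in for the logging application's private key (constructed).
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(event):
    """Stable byte encoding of the event fields that get signed (assumed)."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign_event(event, prev_signature=None):
    """Hash the event data; with chaining, fold in the previous event's
    signature so that removing or reordering a predecessor breaks this one."""
    digest = hashlib.sha256(canonical(event)).digest()
    if prev_signature is not None:
        digest = hashlib.sha256(digest + bytes.fromhex(prev_signature)).digest()
    return hmac.new(SIGNING_KEY, digest, hashlib.sha256).hexdigest()


def sign_stream(events, chain):
    """Return the stored records: each event plus its Signature column."""
    stored, prev = [], None
    for event in events:
        sig = sign_event(event, prev if chain else None)
        stored.append({**event, "Signature": sig})
        prev = sig
    return stored


def verify_stream(stored, chain):
    """Recompute every signature from what is in the data store and return
    the ClientMS values whose stored signature does not match."""
    bad, prev = [], None
    for rec in stored:
        data = {k: v for k, v in rec.items() if k != "Signature"}
        expected = sign_event(data, prev if chain else None)
        if not hmac.compare_digest(expected, rec["Signature"]):
            bad.append(rec["ClientMS"])
        prev = rec["Signature"]   # a verifier can only chain on what was stored
    return bad


def sample_events():
    """Five constructed eDirectory events from one connection."""
    return [{"ClientMS": i, "Component": "\\eDirectory\\Database\\Lookup",
             "Text1": f"CN=user{i}.O=acme"} for i in range(5)]


def tamper_results():
    """Edit, delete and swap events in a chained and an unchained store;
    return, per scenario, the ClientMS values whose signatures fail."""
    events = sample_events()
    chained = sign_stream(events, chain=True)
    flat = sign_stream(events, chain=False)
    results = {}
    # 1. Change Text1 of event 2: the event's own signature fails either way.
    edited = [dict(r) for r in chained]
    edited[2]["Text1"] = "CN=admin.O=acme"
    results["edit_chained"] = verify_stream(edited, chain=True)
    edited_flat = [dict(r) for r in flat]
    edited_flat[2]["Text1"] = "CN=admin.O=acme"
    results["edit_unchained"] = verify_stream(edited_flat, chain=False)
    # 2. Delete event 2: only the chain notices, at the event that followed it.
    results["delete_chained"] = verify_stream(chained[:2] + chained[3:], chain=True)
    results["delete_unchained"] = verify_stream(flat[:2] + flat[3:], chain=False)
    # 3. Swap events 1 and 2: only the chain notices the changed sequence.
    results["swap_chained"] = verify_stream([chained[0], chained[2], chained[1]] + chained[3:], chain=True)
    results["swap_unchained"] = verify_stream([flat[0], flat[2], flat[1]] + flat[3:], chain=False)
    return results


if __name__ == "__main__":
    for name, bad in tamper_results().items():
        print(f"{name:17s} signatures failing at ClientMS {bad}")
```

The deleted event also leaves a hole in ClientMS (0, 1, 3, 4), which is the counter the text says Novell Audit Report uses to work out how many events are missing once a chain breaks; without chaining, the unchained store verifies cleanly after the deletion and the counter gap is the only trace.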