
Monitoring ACL Changes on Objects

Novell Cool Solutions: Feature
By Armando A. Perez


Posted: 17 Feb 2005

The objective of this article is to show how to use IDM2 for something other than data sharing and provisioning: monitoring critical parts of the tree. When a change is detected, the appropriate security people are e-mailed or paged. To accomplish this, we monitor ACL modifications on the Tree Root (T), Organization (O), Organizational Unit (OU) and DirXML-DriverSet objects.

So why is this important? If other monitoring products can watch activity on these eDirectory objects, why bother to "morph" IDM2 into a monitor?

The reason is that it is quick, clean and purposeful. A full-blown monitoring system needs extensive testing and preparation that can take weeks to implement. This solution took ONE hour to test and implement, without affecting the production NDS tree in use.

Here is how it works ...

Scenario

We have an IDVault tree and a production tree (a typical IDM infrastructure) and use the NDS-to-NDS driver, SSL-enabled, to sync users and OUs. Here is how the objects, policies and rules are implemented in these trees:

  1. On the production tree, we altered the Subscriber filter to include the following classes and attributes:

     * DirXML-DriverSet class: GUID and ACL attributes
     * Top class: GUID and ACL attributes
     * Organization class: GUID and ACL attributes
     * Organizational Unit class: GUID and ACL attributes (OU is also defined, but is not used by this process)

  2. On the IDVault tree, the Publisher filter does NOT define the Top, DirXML-DriverSet and Organization classes. Events for these classes therefore never flow into the IDVault tree; they are vetoed at the filter. Organizational Unit has only GUID and OU defined (used to sync OUs between trees).
  3. NO logic, policies or rules are located on the production tree.
  4. ALL of the policies and rules are located in the Event Transformation policy of the Publisher channel (the very first policy), which runs before the Publisher filter. This is critical to understand: every event is reviewed in the Event Transformation policy before the filter drops it.
  5. The rules check the class name of the incoming event. If it matches one of the monitored classes, actions run that send e-mails and pages to our security and Novell admins. The rules also read the modifiersName attribute of the changed object, so that we can contact the modifier to confirm the change.
  6. This solution is tamper-evident: if someone modifies the ACL of the DirXML-DriverSet in order to alter the filter, that change is itself detected and reported ASAP. It is not tamper-proof, however: the change is reported, not prevented, and the report depends on the driver processing the event and on the SMTP server accepting the mail.

This type of solution can be applied to any class or attribute that IDM can trap in a driver filter.

Rules

Below are the rules of the Security Policy (the Event Transformation policy on the Publisher channel) in our IDVault.

<?xml version="1.0" encoding="UTF-8"?><policy>
  <!-- Only GUID and ACL pass the production Subscriber filter for this
       class, so any event that reaches this rule is an ACL change. -->
  <rule>
    <description>TREE ROOT : Email if ACL changes</description>
      <conditions>
        <and>
          <if-class-name op="equal">Top</if-class-name>
        </and>
      </conditions>
      <actions>
        <do-send-email server="smtp.realcompany.com">
          <arg-string name="to">
            <token-text xml:space="preserve">pagernumber@mypagercompany.com</token-text>
          </arg-string>
          <arg-string name="subject">
            <token-text xml:space="preserve">DirXML T=realcompany Monitor</token-text>
          </arg-string>
          <arg-string name="message">
            <token-text xml:space="preserve">DirXML detected a change in the ACL of the 
T=realcompany object. Modifier is </token-text>
            <token-src-attr name="modifiersName"/>
            <token-text xml:space="preserve">.</token-text>
          </arg-string>
          <arg-string name="from">
            <token-text xml:space="preserve">DirXML-Object-Monitor@realcompany.com</token-text>
          </arg-string>
        </do-send-email>
        <do-send-email server="mail.realcompany.com">
          <arg-string name="to">
            <token-text xml:space="preserve">admin@mycompany.com</token-text>
          </arg-string>
          <arg-string name="subject">
            <token-text xml:space="preserve">SECURITY - S100 - T=realcompany Monitor EMail</token-text>
          </arg-string>
          <arg-string name="message">
            <token-text xml:space="preserve">DirXML has detected a change in the ACL of the 
T=realcompany object. Modifier is </token-text>
            <token-src-attr name="modifiersName"/>
            <token-text xml:space="preserve">.  </token-text>
          </arg-string>
          <arg-string name="from">
            <token-text xml:space="preserve">DirXML-Object-Monitor</token-text>
          </arg-string>
        </do-send-email>
        <!-- Top is not in the IDVault Publisher filter, so veto the event
             here. do-veto ends processing of the event, so the do-break
             that follows is never reached. -->
        <do-veto/>
        <do-break/>
      </actions>
    </rule>

  <rule>
    <description>ORGANIZATION: Email if ACL changes</description>
      <conditions>
        <and>
          <if-class-name op="equal">Organization</if-class-name>
        </and>
      </conditions>
      <actions>
        <do-send-email server="smtp.realcompany.com">
          <arg-string name="to">
            <token-text xml:space="preserve">pagernumber@mypagercompany.com</token-text>
          </arg-string>
          <arg-string name="subject">
            <token-text xml:space="preserve">DirXML O=realcompany Monitor</token-text>
          </arg-string>
          <arg-string name="message">
            <token-text xml:space="preserve">DirXML detected a change in the ACL of the 
O=realcompany object. Modifier is </token-text>
            <token-src-attr name="modifiersName"/>
            <token-text xml:space="preserve">.</token-text>
          </arg-string>
          <arg-string name="from">
            <token-text xml:space="preserve">DirXML-Object-Monitor@realcompany.com</token-text>
          </arg-string>
        </do-send-email>
        <do-send-email server="mail.realcompany.com">
          <arg-string name="to">
            <token-text xml:space="preserve">admin@mycompany.com</token-text>
          </arg-string>
          <arg-string name="subject">
            <token-text xml:space="preserve">SECURITY - S200 - O=realcompany Monitor EMail</token-text>
          </arg-string>
          <arg-string name="message">
            <token-text xml:space="preserve">DirXML has detected a change in the ACL of the 
O=realcompany object. Modifier is </token-text>
            <token-src-attr name="modifiersName"/>
            <token-text xml:space="preserve">.</token-text>
          </arg-string>
          <arg-string name="from">
            <token-text xml:space="preserve">DirXML-Object-Monitor</token-text>
          </arg-string>
        </do-send-email>
        <do-veto/>
        <do-break/>
      </actions>
    </rule>

  <rule>
    <description>DirXML-DriverSet: Email if ACL changes</description>
      <conditions>
        <and>
          <if-class-name op="equal">DirXML-DriverSet</if-class-name>
        </and>
      </conditions>
      <actions>
        <do-send-email server="mail.realcompany.com">
          <arg-string name="to">
            <token-text xml:space="preserve">admin@mycompany.com</token-text>
          </arg-string>
          <arg-string name="subject">
            <token-text xml:space="preserve">SECURITY - S400 - </token-text>
            <token-src-dn/>
            <token-text xml:space="preserve"> Monitor EMail</token-text>
          </arg-string>
          <arg-string name="message">
            <token-text xml:space="preserve">DirXML has detected a change in the ACL of the </token-text>
            <token-src-dn/>
            <token-text xml:space="preserve"> object.  Modifier is </token-text>
            <!-- read modifiersName from the DirXML-DriverSet object itself,
                 as the other rules do -->
            <token-src-attr name="modifiersName"/>
            <token-text xml:space="preserve">.  </token-text>
          </arg-string>
          <arg-string name="from">
            <token-text xml:space="preserve">DirXML-Object-Monitor</token-text>
          </arg-string>
        </do-send-email>
        <do-veto/>
        <do-break/>
      </actions>
    </rule>

  <!-- OU objects also sync their OU attribute between the trees, so this
       rule must check explicitly that the event carries ACL. -->
  <rule>
    <description>ORGANIZATION UNIT: Email if ACL changes</description>
      <conditions>
        <and>
          <if-class-name op="equal">Organizational Unit</if-class-name>
          <if-op-attr name="ACL" op="available"/>
        </and>
      </conditions>
      <actions>
        <do-send-email server="smtp.realcompany.com">
          <arg-string name="to">
            <token-text xml:space="preserve">pagernumber@mypagercompany.com</token-text>
          </arg-string>
          <arg-string name="subject">
            <token-text xml:space="preserve">DirXML OU Monitor</token-text>
          </arg-string>
          <arg-string name="from">
            <token-text xml:space="preserve">DirXML-Object-Monitor@realcompany.com</token-text>
          </arg-string>
          <arg-string name="message">
            <token-text xml:space="preserve">DirXML has detected a change in the ACL of the </token-text>
            <token-src-dn/>
            <token-text xml:space="preserve"> object. Modifier is </token-text>
            <token-src-attr name="modifiersName"/>
            <token-text xml:space="preserve">.</token-text>
          </arg-string>
        </do-send-email>
        <do-send-email server="mail.realcompany.com">
          <arg-string name="to">
            <token-text xml:space="preserve">admin@mycompany.com</token-text>
          </arg-string>
          <arg-string name="subject">
            <token-text xml:space="preserve">SECURITY - S300 - </token-text>
            <token-src-dn/>
            <token-text xml:space="preserve"> Monitor EMail</token-text>
          </arg-string>
          <arg-string name="message">
            <token-text xml:space="preserve">DirXML has detected a change in the ACL of the </token-text>
            <token-src-dn/>
            <token-text xml:space="preserve"> object.  Modifier is </token-text>
            <token-src-attr name="modifiersName"/>
            <token-text xml:space="preserve">.</token-text>
          </arg-string>
          <arg-string name="from">
            <token-text xml:space="preserve">DirXML-Object-Monitor</token-text>
          </arg-string>
        </do-send-email>
        <!-- No veto: OU objects are synced to the IDVault. The Publisher
             filter keeps GUID and OU and strips ACL from the event. -->
        <do-break/>
      </actions>
    </rule>
  </policy>
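
The same monitor collapsed into three rules, as an added example that is not the article's own policy. It assumes the filter setup from the Scenario section and reuses the article's placeholder hostnames and addresses. It differs from the rules above in three ways: the check that the event actually carries the ACL attribute, which the article applies only to the OU rule, is applied to every monitored class, so a rename, move or delete of a T, O or DriverSet object no longer pages anyone; the alert text records the operation and class name and is also written to the driver trace, giving a second record that does not depend on the mail server; and the veto of the classes the IDVault never stores sits in its own rule. Sending one message with a cc list in place of the article's two messages is a simplification chosen here, not a requirement.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- Rule 1: events that do not carry the ACL attribute (a rename, move,
       delete or GUID-only sync) are left alone. do-break ends this policy
       for the event; the Publisher filter still decides whether it is kept. -->
  <rule>
    <description>ACL MONITOR: ignore events that do not touch ACL</description>
    <conditions>
      <and>
        <if-op-attr name="ACL" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <do-break/>
    </actions>
  </rule>

  <!-- Rule 2: one alert rule for all four monitored classes. The trace
       message leaves a record in the driver trace that survives a failed
       or blocked SMTP delivery. Class names are those used in the article. -->
  <rule>
    <description>ACL MONITOR: alert on ACL change to any monitored class</description>
    <conditions>
      <or>
        <if-class-name op="equal">Top</if-class-name>
        <if-class-name op="equal">Organization</if-class-name>
        <if-class-name op="equal">Organizational Unit</if-class-name>
        <if-class-name op="equal">DirXML-DriverSet</if-class-name>
      </or>
    </conditions>
    <actions>
      <do-trace-message>
        <arg-string>
          <token-text xml:space="preserve">SECURITY ACL change: </token-text>
          <token-operation/>
          <token-text xml:space="preserve"> on </token-text>
          <token-src-dn/>
          <token-text xml:space="preserve"> (</token-text>
          <token-class-name/>
          <token-text xml:space="preserve">) by </token-text>
          <token-src-attr name="modifiersName"/>
        </arg-string>
      </do-trace-message>
      <!-- Server and addresses are the article's placeholders; replace them. -->
      <do-send-email server="smtp.realcompany.com">
        <arg-string name="to">
          <token-text xml:space="preserve">pagernumber@mypagercompany.com</token-text>
        </arg-string>
        <arg-string name="cc">
          <token-text xml:space="preserve">admin@mycompany.com</token-text>
        </arg-string>
        <arg-string name="from">
          <token-text xml:space="preserve">DirXML-Object-Monitor@realcompany.com</token-text>
        </arg-string>
        <arg-string name="subject">
          <token-text xml:space="preserve">SECURITY - ACL change on </token-text>
          <token-src-dn/>
        </arg-string>
        <arg-string name="message">
          <token-text xml:space="preserve">DirXML detected a change in the ACL of the </token-text>
          <token-src-dn/>
          <token-text xml:space="preserve"> object (class </token-text>
          <token-class-name/>
          <token-text xml:space="preserve">, operation </token-text>
          <token-operation/>
          <token-text xml:space="preserve">). Modifier is </token-text>
          <token-src-attr name="modifiersName"/>
          <token-text xml:space="preserve">.</token-text>
        </arg-string>
      </do-send-email>
    </actions>
  </rule>

  <!-- Rule 3: the IDVault Publisher filter has no entry for these classes,
       so veto here rather than rely on the filter dropping them.
       Organizational Unit is not vetoed: the filter keeps GUID and OU and
       strips ACL from the event. -->
  <rule>
    <description>ACL MONITOR: veto classes the IDVault never stores</description>
    <conditions>
      <or>
        <if-class-name op="equal">Top</if-class-name>
        <if-class-name op="equal">Organization</if-class-name>
        <if-class-name op="equal">DirXML-DriverSet</if-class-name>
      </or>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Rule order matters: rule 1 must come first so that rule 3 never vetoes an event before rule 2 has had the chance to report it, and the whole policy must stay the first policy on the Publisher channel so that it sees the event before the filter.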



© 2014 Novell