Taking Stock of Your System: Secrets to a Successful NDS and File System Audit

Novell Cool Solutions: Feature
By Aaron Clauson

Posted: 13 Oct 1999
Aaron is a certified techy with a degree in Electronics Engineering, and he also has both his CNE and MCSE certifications. He lives and works for ACT Network Integrators in Perth, Australia, but he's not all bits and bytes. No...when he's not working, you'll find him playing hockey (field not ice), or hanging out with friends in the pubs—rumor has it he frequents them all.

As part of a recent project, we had to collect data on all aspects of NDS and the file system. We were upgrading the hardware, and we needed to have the NDS and file system information as a fallback in case something went awry. We started with approximately twenty servers, and consolidated those into just six. As you might guess, part of this hardware upgrade involved moving the data from the old servers to the new servers. Of course, there are a number of ways you can do this, such as doing a backup and restore using an SMS-compliant backup program, or you can simply do a direct copy across the network. We did a direct copy.

With that said, the direct copy method is not issue free. (Is anything?) No, using the direct copy method, we had to deal with the issue of transferring the trustee information to the new locations. Luckily there are several utilities, such as TCOPY, NETCOPY (from the JRB Utils package), and TBackup, that you can use to smooth the process and do the copy. Before we started the data transfer, we decided that we should do an audit of the file system, so we'd have a reference if there was a discrepancy or problem after the move. In addition, we figured this would enable us to clean up rights prior to the move too.

Auditing Methods

Because we'd never gone through this process before, it seemed like a daunting task to say the least. First, we ascertained that the trustee information was actually stored in the file system itself, in the Directory Entry Table (DET), and not in NDS. Then the hunt began for a utility capable of getting all the required info out. At this stage, we were aware of the RIGHTS command, and we knew that it could be used to provide the trustees and Inherited Rights Filters (IRFs) for individual files and directories, but like a few other people that we heard from in the Novell Support forums, we found the RIGHTS output to be quite limiting, because we couldn't put it directly into a CSV format for import into Excel.

One of the suggestions we got from the folks in the Novell Support forums was to use BindView to export all the info, so we downloaded an evaluation copy of this program. We also followed up on another suggestion to use TBackup, a Novell utility. In a nutshell, here's a list of the options we discovered:

  • BindView
  • TBackup
  • RIGHTS Command
  • NWAdmin (Object by Object, not very practical)

As far as we could tell, the first three methods all use the same mechanism, the RIGHTS command, but they produce output that is formatted differently. For this reason, we decided not to use BindView for our project because of the extra cost. In our opinion, BindView's strengths seem to lie in an overall NDS security audit and analysis, which was not the goal of this project.

RIGHTS Method

RIGHTS is a command line utility that ships with NetWare, and you can find it in the SYS:PUBLIC directory. To get the trustee rights for all directories and files on a volume, here are the commands we used:

cd
rights . /T /S

The following is a sample of the type of output this command generates:

HURRY\SYS:MAIL
No group trustees have been assigned.
----------
Other trustees:
OZ [ C ]
HURRY\SYS:MAIL\B9000001
No group trustees have been assigned.
----------
Other trustees:
HURRY.SVR.OZ [ RWCEMF ]
HURRY\SYS:MAIL\BA000001
User trustees:
Admin.OZ [ RWCEMF ]
----------
No group trustees have been assigned.

If you also need the IRFs (in our case we didn't worry about them), then the commands would look like this:

cd
rights . /F /S

As you can see, you get the maximum amount of information using RIGHTS, but along with all that information comes the maximum difficulty of getting the data into Excel or a similar program. So...we decided to look into option B: the TBackup method.

TBackup Method

TBackup is, as the name suggests, used to back up trustee rights and the IRFs for the required files and directories. This utility produces its output as a batch file called TRestore.bat. Here's a typical example of the output:

cx .OZ
cd SYS:
rights . S /F
rights BACKOUT.TTS S /F
rights .\SYSTEM S /F
rights PUBLIC RF /NAME="OZ."
rights .\MAIL S /F
rights MAIL C /NAME="OZ."
rights .\DELETED.SAV S /F
rights .\CDROM$$.ROM S /F

As you can see, this output is much easier to import into a CSV file, and it seems to have all the required info. But on closer inspection there is one field missing that, although possibly not that important, proved invaluable for us as we sorted the data. If you look at the example output of the RIGHTS command, each trustee entry has a line classifying it as a User, Group or Other trustee assignment. This info is very helpful when cleaning up NDS, and it's also useful in sorting the data. Therefore, our preferred method was to use the RIGHTS command for the sake of this extra field.

Text Formatting of RIGHTS Output

Once you have the output from the RIGHTS command, all that's left to do is to format the output into a CSV file. Here's an example of the required output text:

Obj Type,Path,Object,Rights
U,SERVER1\VOL1:APPS\GROUPWSE,john.orga.orgb,[ R F ]

Obj Type is one of: U = User, G = Group, O = Other

Once again...there are as many methods to do this as there are programming languages, macros, and so on, but the method we used was Perl, which is arguably the best text manipulation language available. The only problem was we had no Perl skills, so I proceeded to learn Perl. I was surprised at how easy Perl is to use, and grateful to find common sense syntax—as compared to some other languages.

My original effort was about 150 lines of script, which, although very clunky, did the job. We achieved our goal of completely auditing the file system and importing over 20,000 trustee entries into Excel, where they could be sorted and used for future reference as well as for cleanup and consolidation before the move. This audit also identified some rather large security problems, such as S rights to SYS volumes for non-admin users, but these were easily identified and remedied once the data was collected, sorted, and available for easy review.

Recently, I revisited the script with two months more Perling under my belt, and the result is the following short script that does the same job as the previous 150-liner. Needless to say, I'm proud of this lean little Perl script:

# sort.pl: convert "rights . /T /S" output into CSV lines of Type,Path,Object,Rights
use strict;
use warnings;

my ($Path, $Type) = ('', 'O');
while (<>) {
    chomp;
    # A line containing "\...:" names a new directory or file, e.g. HURRY\SYS:MAIL
    if (/\\.+:/) { $Path = $_; next }
    # "User trustees:" / "Group trustees:" / "Other trustees:" set the object type
    # (elsif is needed here: the original if/if/else reset User entries to 'O')
    if (/trustees:/) {
        $Type = /User/ ? 'U' : /Group/ ? 'G' : 'O';
        next;
    }
    # Trustee lines carry the rights in brackets, e.g. "Admin.OZ [ RWCEMF ]"
    if (/^\s*(\S.*?)\s+(\[.*\])\s*$/) {
        print "$Type,$Path,$1,$2\n";
    }
}

Here's an example of how you'd use this script from a DOS prompt:

perl sort.pl < volaudit.txt > sorted.txt
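Once sorted.txt exists, the review itself can be scripted too. The following Perl script is an added example (not from the original article) that reads the CSV sort.pl writes and flags the kinds of assignments worth a second look before a move: Supervisor rights on a SYS: volume held by anyone outside an expected admin list, Access Control rights, and assignments made at a volume root. The allow-list and the sample records under __DATA__ are constructed assumptions, not real audit data.

```perl
# Added example: review sort.pl output (Type,Path,Object,Rights) for risky trustees.
use strict;
use warnings;

# Trustees expected to hold Supervisor or Access Control rights on SYS:
# (assumption: adjust this list to your own tree).
my %trusted = map { lc($_) => 1 } ('Admin.OZ');

# Return a list of warnings for one CSV record (empty list when nothing stands out).
sub check_entry {
    my ($type, $path, $obj, $rights) = @_;
    # "[ RWCEMF ]" -> hash of NetWare right letters: S R W C E M F A
    my %r = map { $_ => 1 } ($rights =~ /([SRWCEMFA])/g);
    my @flags;
    push @flags, "Supervisor on a SYS: volume"
        if $r{S} && $path =~ /\\SYS:/i && !$trusted{lc $obj};
    push @flags, "Access Control right (trustee can grant rights to others)"
        if $r{A} && !$trusted{lc $obj};
    push @flags, "assignment at volume root"
        if $path =~ /:$/;
    return @flags;
}

# Read sort.pl output from a filehandle; return "path,object,rights: warning" lines.
sub audit_csv {
    my ($fh) = @_;
    my @report;
    while (my $line = <$fh>) {
        chomp $line;
        my ($type, $path, $obj, $rights) = split /,/, $line, 4;
        next unless defined $rights;   # skip blank or malformed lines
        push @report, "$path,$obj,$rights: $_"
            for check_entry($type, $path, $obj, $rights);
    }
    return @report;
}

print "$_\n" for audit_csv(\*DATA);

# Constructed sample of sort.pl output (not real audit data).
__DATA__
U,HURRY\SYS:MAIL\BA000001,Admin.OZ,[ RWCEMF ]
O,HURRY\SYS:MAIL,OZ,[ C ]
U,HURRY\SYS:,jsmith.Sales.OZ,[ S ]
G,HURRY\SYS:PUBLIC,Everyone.OZ,[ R F ]
U,HURRY\DATA:APPS,bjones.Sales.OZ,[ RWCEMFA ]
```

To run it against a real audit, replace `\*DATA` with a filehandle opened on sorted.txt; the sample above reports the jsmith and bjones entries and nothing else.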

Summary and Parting Words of Advice

We achieved our goal of auditing the file system and NDS using free (the boss never complains about this) and readily available software. The process we used can be broken down into a couple of easy-to-follow steps:

  1. DOS command with file redirection:
     cd
     rights . /T /S > volaudit.txt
  2. Formatting of the output into a CSV file:
     perl sort.pl < volaudit.txt > sorted.txt

Perl can be easily obtained for Win32 platforms from www.activestate.com.

Very Interesting and Useful Aside: Perl and NDSm

Once I had gained a bit of proficiency in Perl, I began playing around with the NDSm module from Steinar Kleven. Basically, this module enables access to the Novell NDS APIs from Perl scripts. (I know a lot of people get turned off when you start mentioning programming, so I like to label any coding I do as scripting. This raises fewer problems with the boss—a script gets a job done whereas a program often becomes a work of art.)

Because this NDSm module allows you to get info out of (or put into) NDS, it gives you the ability to do some really cool things. One of the things that we have used it for is to audit NDS. By extracting the Access Control List (ACL) for every single object in the tree, we are able to import that info into Excel for sorting, similar to the file system audit but for NDS objects. (By the way, we found some very interesting assignments!) Another cool use is to automate the whole file system audit process. After the first audit of about 40 volumes, I got sick of mapping drives, joining text files, and such. Using NDSm, I was able to change the script so that it searched through NDS for every volume object. Upon finding a volume object, it attempted to map a drive, and if successful the script proceeded to run the RIGHTS command and sort the output all in one go. This resulted in one nice big file that was ready to go instead of 40 individual ones.

Basically if you need to automate a task in relation to NDS and none of the existing utilities seem to do quite what you want, then Perl and NDSm are (in my humble opinion) definitely the way to go.
