Novell Home

Alert E-mails in Audit when Trustee Rights Change

Novell Cool Solutions: Tip
By Steve Law

Digg This - Slashdot This

Posted: 5 Jul 2006
 

Problem

I need to set up NSure Audit to generate an alert e-mail whenever someone changes Trustee rights on a server with the Netware agent running.

Solution

This principle applies to any kind of auditable event. You will need a mail server that relays SMTP messages from your logging server to any email address.

Step 1: Create a notification object in the Notifications container.

Description: I called mine "Trustee events to SMTP"

Rule:

If eventid matches Netware Trustee Added
OR If eventid matches Netware Trustee Modified
OR If eventid matches Netware Trustee Removed
END

Notification Channel:

Point this notification object to the channel object (which you are about to create) that sends the emails (e.g., SMTP Notes.Channels.Logging Services.blah, etc.).

Step 2: Create an SMTP channel object in the Channels container.

Create this as an SMTP Channel and complete the fields as follows:

  • HOST: [ip address or hostname of your mail relaying server]
  • User: [id and password if authentication to your mail server is required]
  • Password: [as above]
  • Sender: NSure@vertex.co.uk [Note: This is a fake sender address just so the recipient knows where it came from, but it must be in email format or the smtp relay server may reject it, and no email will be sent - that's what happened to us, anyway].
  • Recipient: support@vertex.co.uk [where the emails will be sent]
  • Subject: Trustee change [title of the emails]

Message:

[Note: The documentation of the variables that can be used is patchy. To produce the ouput below, I used trial and error: looking at Trustee events using LReport, matching the key data to the useable variables, and trying out different format values. Some variables just produce a NULL ouput in the email, even though they appear in the LReport event. Others appear in raw format rather than translated into English. You can include your own text with the variables so the resulting email reads more easily. See the example of the kind of email it produces, further down.]

Type of event:  $SE
Event id:   $NI
Agent Type/Event:   $SO
Severity:   $SL
NSure Agent host server:   $SF   $IR
Time of event:   $TC
Originator/instigator:   $SB
Originator IP address:   $I1
Object modified:   $SD
Target file/folder:   $SU
Rights granted/modified/removed:   $N2 [See NSure Audit documentation for 
what this value means]

Step 3: Finalize

1. Apply the new SMTP channel.

2. Click OK.

3. Reload Lengine.nlm on your logging server to activate the changes.

Every time the Notification object detects a Trustee Add/Modify or Remove event (or whatever event you asked it to watch for), an email alert is generated - something like this:

************************************************************************
From:   NSure@Vertex.com
To:  support@vertex.com
Subject:  Trustee change


Type of event:  Trustee events - to SMTP
Event id:   655375
Agent Type/Event:   NetWareInst\Trustee
Severity:   (null)
NSure Agent host server:   Netware1   10.41.11.97
Time of event:   14:49:59
Originator/instigator:   .BG34.VERTEX.WEST.UK.OURCO
Originator IP address:   10.31.21.139
Object modified:   .CN=USER1.OU=VERTEX.OU=WEST.OU=UK.O=OURCO.T=VERTEX_TREE.
Target file/folder:   DATA:\IS\CGI\temp
Rights granted/modified/removed:   219 (See NSure Audit documentation)
****************************************************

This event is saying: account BG34 modifed the file rights of USER1.VERTEX.WEST.UK.OURCO to the folder DATA:\IS\VERTEX\temp. The actual rights changed are represented by 219; see TID 10099007 for an explanation of this code.

Obviously, the Notification object can be configured to monitor almost any kind of attribute change to any eDir event. See TID 10095244 for info on how to generate alerts for specific accounts becoming locked or a lockout being cleared on specific accounts.

Note: This solution was tested in an environment with the Novell Audit Starter pack 1.0.3 on NetWare 6.5 SP3.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell