| |
In addition to supporting AUDITCON in auditing volumes and containers, NetWare® servers also maintain and protect external audit trails that contain client audit records and client audit history.
For an explanation of these external audit trails, see Concepts of NetWare Auditing.
Figure 4, Figure 5, and Figure 6 show the client-server interactions for configuring external audit trails, appending audit records, and reviewing collected audit data. Each client workstation that uses the server's external audit trail must have its own workstation-based audit management tool to configure and manipulate the external audit trail.
WARNING: AUDITCON can manage external audit trails, but cannot generate reports or view the events stored in those audit trails (except for audit history events). There is no standard with respect to the events that are audited by the workstations or the formats of those audit records.
See the vendor's documentation provided with your client workstation for information on the specific utilities for viewing external audit data.
As shown in Figure 4 and Figure 6, AUDITCON interacts with the server's external audit trail by sending NCPTM messages to the server. AUDITCON enables auditing by creating an Audit File object for the external audit file and assigning rights to various workstation objects to append audit data to the corresponding audit file.
The workstation object can be linked to the Audit File object by setting the workstation object's Audit File Link property, and the Audit File object can be linked to audited workstations by setting the Audit File object's Audit Link List property (AUDITCON does not set up either the Audit File Link or Audit Link List for external audit trails).
Note that multiple workstations can share a single audit trail and that a workstation can simultaneously support multiple such audit trails.
The external audit trail is protected by configuring the Audit File object to define the NDS® objects that can append data to the audit file. (See Create External Audit Trail.) Generally, these objects are workstation network trusted computing base partitions. The NDS objects are also defined to read data from the audit file (generally, auditors of those workstations).
Users at client workstations can't access the external audit files using normal file management NCP programs. AUDITCON does not provide facilities to set up external audit trail protection; you can use NetWare Administrator to perform that task.
To examine audit data generated by workstations, you can use AUDITCON with a client-specific audit utility. AUDITCON reads the audit data from the external audit trail, displaying the audit history (audit trail management) events.
AUDITCON will also read the workstation-generated audit data from the external audit trail and put it in an ordinary file, where it can then be processed by a client-specific utility that has knowledge of the client audit event formats. AUDITCON can also perform complete backups of external audit files, just as it does for volume and container audit trails.
The specific procedures used to format records from an external audit trail are defined by your client vendor's audit management tool. If your client workstation uses external audit files to store workstation audit data, refer to your vendor's trusted facility information for these procedures.
| |