Within the NetWare client-server environment, client and server components provide cooperating audit mechanisms to support your organization's auditing policy.
The audit architecture described in this section addresses
Figure 4 shows the architecture of the client and server software used by an auditor to configure the server's auditing mechanisms. There are no server-based utilities for this task; instead, auditors use client-based utilities (AUDITCON, for example) to enable auditing and to specify audit preselection parameters (which events, users, and files to audit).
This text describes how to use AUDITCON. You are not required to use AUDITCON for NetWare audit administration. You can use any third-party tool in its place, as long as that tool has been included in your client workstation's Trusted Computing Base (TCB). See the documentation provided by your client vendor to determine what tool or tools can be used for NetWare audit administration.
The server's protected software (operating system, server, and NDS) stores this information in the associated volume, container, or external audit trail. It uses the configuration information to selectively audit events that have been specified by an auditor.
Figure 4
Audit Configuration Interactions
As shown in Figure 5, protected code in the server generates audit events to audit trails protected by the server. The operating system records console commands in the volume SYS: audit trail.
The server processes client file, queue, and server NetWare Core Protocol™ (NCP™) messages and, based upon the current audit configuration (preselected events, users, and files), generates audit events to the appropriate volume container.
The NDS software processes incoming NCP messages and, based on the current configuration of preselected events and users, generates audit events to the appropriate container audit trail. The server also provides a mechanism for trusted client programs to record data in an external audit trail.
Figure 5
Audit Generation Flow
Figure 6 shows the architecture of the client and server software used by an auditor to perform audit processing. There are no server-based utilities for processing the server's audit trails; instead, auditors use client-based utilities (such as AUDITCON) to review audit trails and to display selected audit events.
In addition, if a client component stores its audit events in a server-provided external audit trail, the client must provide a client-specific utility for post-processing of those audit events after they are extracted from the server audit trail by AUDITCON.
Figure 6
Audit Post-Processing Flow