Previous Page: Enabling Container Auditing  Next Page: Generating Container Audit Reports

Configuring Auditing

This section describes how you can use AUDITCON's container audit configuration menu to define


Auditing Configuration Prerequisites


Procedure

  1. Choose Auditing Configuration from the Available audit options menu (1101).

    AUDITCON displays menu 1497, 1498, or 1499, which list more configuration options, depending on the setting of the ALLOW AUDIT PASSWORDS option and whether you have sufficient rights to the Audit File object. See Getting Started for the definition of sufficient rights.

    Table 14 summarizes the algorithm AUDITCON uses to determine which menu it will display, based on the above two variables.


    Table 14. Container Audit Configuration Menu Selection

    Allow Audit Passwords = ON    Sufficient Rights    Menu
    Yes                           Yes                  1497
    Yes                           No                   1498
    No                            Yes                  1499
    No                            No                   1499

    Figure 74
    Menu 1497: Auditing Configuration

    Figure 75
    Menu 1498: Auditing Configuration

    Figure 76
    Menu 1499: Auditing Configuration

  2. Choose the desired configuration option, and press Enter.

    These configuration submenus are addressed in the following sections.

    WARNING:  When you make changes to the container audit configuration, you might receive a message that AUDITCON was unable to update the Audit File object. If this occurs, it is possible that your configuration changes could be lost.

    Configuration of each container audit trail must be performed on a single server which holds a replica of the audit trail. It doesn't matter which one you pick, but all auditors of the container must use that one copy. Failure to use a single copy for configuration can cause unexpected results and/or loss of configuration changes.


Audit by DS Events

This section describes how you preselect the NDS events to be audited in the container audit file. Preselection is the operation of telling the server, in advance, which types of audit events you want the server to record in an audit file. By preselecting the events that are important in your organization, you conserve disk space for recording other audit events.

NOTE:  By default, the events you select will be recorded for all users of the container. If you only want to audit actions of certain users, you should set the User restrictions flag in the User restriction menu, and then preselect the specific users whose actions you want to record using the Audit by user menu.

You cannot generate audit reports for events or users that were not preselected for auditing when the event occurred. For example, if you need to review logins by a user two weeks ago, but you did not have logins preselected at that time, you will not be able to generate an audit report for these events. You must balance your need for certain audit information with the resources required to audit those events.


Prerequisites


Procedures

  1. Choose Audit by DS events from the Auditing configuration menu (1497, 1498, or 1499).

    AUDITCON displays menu 1401 which lists the NDS events that you can preselect for auditing. These events are usually associated with user actions performed at client workstations, and the audit record includes the identity of the user that requested the service.

    Figure 77
    Menu 1401: Audit by DS Events

    The following additional events can be displayed by scrolling the Audit by DS events screen.

    Change security equivalence
    Change station restriction
    Clear NDS statistics
    Close bindery
    Compare attribute value
    Create backlink
    Create bindery property
    Disable user account
    Enable user account
    End replica update
    End schema update
    Inspect entry
    Intruder lockout change
    Join partitions
    List containable classes
    List partitions
    List subordinates
    Log in user
    Log out user
    Merge entries
    Merge trees
    Modify class definition
    Modify entry
    Move entry
    Mutate entry
    Open bindery
    Open stream
    Read entry
    Read references
    Receive replica update
    Reload NDS software
    Remove attribute from schema
    Remove backlink
    Remove bindery property
    Remove class from schema
    Remove entry
    Remove entry directory
    Remove member from group property
    Remove partition
    Remove replica
    Rename object
    Rename tree
    Repair time stamps
    Resend entry
    Send replica update
    Send/receive NDS fragmented request/reply
    Split partition
    Start partition join
    Start replica update
    Start schema update
    Synchronize partitions
    Synchronize schema
    Update replica
    Update schema
    User locked
    Verify console operator
    Verify password

    WARNING:  In addition to the events that are preselected for auditing, container audit trails also include pseudo-events that establish the context for reviewing audit events. For example, the server records logins and logouts for users in other containers, even if logins and logouts are not selected for the current container.

  2. Determine the list of events that you want to audit. Move the cursor to each event and press F10 to toggle it to OFF or ON.

    You can press F8 to toggle all events to ON or OFF.

  3. When you have set and reviewed the audit event configuration, press Esc.

  4. Choose Yes to save the changes and return to menu 1497, 1498, or 1499, or No to leave the audit events unchanged.

    If level 2 passwords are enabled, AUDITCON will prompt for the level 2 password before making the change.


Audit by User

By default, selected container events are recorded for all users. If you want to preselect by user for container events, then you must use the User restriction menu to set the User restrictions flag for the container to Yes. The User restriction menu is reached from the Auditing Configuration Menu.

NOTE:  If an auditor has rights to audit any volume or container in the network, that auditor is able to enable or disable auditing for any user in the Directory tree.

When you select a user for container auditing, the selection applies to all volumes and containers on all servers in the network. You cannot select user BOB for auditing of events on container LAB1.ENGR.ACME without also having BOB audited for events on all other volumes and all other containers in the network.

WARNING:  The server keeps user audit flags in the associated User objects in NDS, but does not save that information when you back up NDS. If you ever restore NDS from a backup, the audit flags will be lost. You must keep a manual record of all users you've preselected for auditing to restore that information.

Table 15 shows a sample form for recording which users have been marked for auditing. You must keep a record of all such users for recovery purposes. If NDS is ever restored from a full backup, you will use this list to reconstruct your audit settings. Failure to keep such a record and use it can result in loss of audit data.


Table 15. Sample Format for User Auditing Settings

Date        Time      Set/Cleared    NDS User Object Name
23 Mar 96   3:45pm    Set            CN=SALLY.O=ACME
23 Mar 96   3:48pm    Set            CN=HENRY.O=ACME
24 Mar 96   8:12am    Set            CN=FRED.OU=SALES.O=ACME
25 Mar 96   11:32am   Clear          CN=SALLY.O=ACME
25 Mar 96   11:50am   Set            CN=JULIE.OU=ENGR.O=ACME

NOTE:  Because NDS is a distributed system and some servers might be offline at any given time, selecting a user for auditing might involve a long delay before NDS can synchronize this information throughout the network.
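The warning above makes the Table 15 ledger the only copy of the per-user audit flags that survives an NDS restore, so it is worth keeping it in a form that can be replayed mechanically. The following is an added example, not part of the AUDITCON manual: it parses rows in the Table 15 layout (the "|" column separator is this example's assumption), replays the Set/Clear actions in time order, and produces the list of users whose flag must be toggled back ON in the Audit by user menu. The sample rows are the ones from Table 15.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample ledger in the Table 15 layout: date | time | Set/Clear | NDS object name.
SAMPLE_LEDGER = """\
23 Mar 96 | 3:45pm  | Set   | CN=SALLY.O=ACME
23 Mar 96 | 3:48pm  | Set   | CN=HENRY.O=ACME
24 Mar 96 | 8:12am  | Set   | CN=FRED.OU=SALES.O=ACME
25 Mar 96 | 11:32am | Clear | CN=SALLY.O=ACME
25 Mar 96 | 11:50am | Set   | CN=JULIE.OU=ENGR.O=ACME
"""


@dataclass(frozen=True)
class LedgerEntry:
    when: datetime
    action: str   # "Set" or "Clear"
    user: str     # typeful NDS name, e.g. CN=SALLY.O=ACME


def parse_ledger(text):
    """Parse Table-15-style rows; reject malformed rows instead of silently skipping them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 4:
            raise ValueError(f"ledger line {lineno}: expected 4 columns, got {len(parts)}")
        date, time, action, user = parts
        action = action.capitalize()
        if action not in ("Set", "Clear"):
            raise ValueError(f"ledger line {lineno}: action must be Set or Clear, got {action!r}")
        when = datetime.strptime(f"{date} {time.upper()}", "%d %b %y %I:%M%p")
        entries.append(LedgerEntry(when, action, user))
    return entries


def reconstruct_audit_flags(entries):
    """Replay Set/Clear in time order. Returns the users whose audit flag should be ON
    after a restore, plus users that were cleared without ever being set (a sign that
    a ledger row is missing)."""
    flagged = set()
    suspicious = []
    for entry in sorted(entries, key=lambda e: e.when):   # stable: ties keep ledger order
        if entry.action == "Set":
            flagged.add(entry.user)
        elif entry.user in flagged:
            flagged.remove(entry.user)
        else:
            suspicious.append(entry.user)
    return frozenset(flagged), suspicious


def restore_checklist(text):
    """Lines an auditor would work through in the Audit by user menu after an NDS restore."""
    flagged, suspicious = reconstruct_audit_flags(parse_ledger(text))
    lines = [f"toggle audit flag ON for {user}" for user in sorted(flagged)]
    lines += [f"CHECK: {user} cleared but never set in ledger" for user in suspicious]
    return lines


if __name__ == "__main__":
    for line in restore_checklist(SAMPLE_LEDGER):
        print(line)
```

Replaying the sample ledger leaves HENRY, FRED and JULIE flagged and SALLY cleared, which is the state the Audit by user menu must be returned to. Any "CHECK" line means the ledger and the tree disagreed before the restore and the record itself needs attention.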


Prerequisites


Procedures

  1. Choose Audit by user from the Auditing configuration menu (1497, 1498, or 1499).

    AUDITCON displays menu 1420, which lists containers that can hold User objects.

    Figure 78
    Menu 1420: Audit Directory Tree Users

  2. Choose the container that holds the User objects and press Enter.

    AUDITCON expands the menu to list the objects in that container.

  3. To preselect a user for volume and container auditing, use the up and down arrow keys to scroll within the window. Choose a user and press F10 to toggle the user audit flag to ON or OFF.

    You can preselect users in other containers by selecting the container, which will then show the users in that container. Non-User objects (for example, Organizational Unit objects) are displayed, but you cannot toggle the audit flag for those objects.

  4. When you have set and reviewed the audit event configuration, press Esc.

  5. Choose Yes to save the changes and return to menu 1420, or choose No to leave the audit events unchanged.


Audit Options Configuration


Prerequisites


Procedures

  1. Choose Audit options configuration from the Auditing configuration menu (1497, 1498, or 1499).

    AUDITCON displays menu 1430, which defines the current audit configuration for the container audit trail.

    Figure 79
    Menu 1430: Audit Configuration

    The following list describes the available configuration parameters for container auditing. The first ten parameters (Audit file maximum size through Force dual-level audit passwords) are the same for container auditing and volume auditing. For more information on these parameters, refer to the description of the corresponding volume configuration parameters in Audit Options Configuration.

    The line Force dual-level audit passwords is omitted if the ALLOW AUDIT PASSWORDS console parameter is OFF.

    WARNING:  When computing the overflow audit file size for a container audit trail, you must use the maximum value for the number of service processes on all servers where the container is stored. That is, if the container is stored on servers A, B, and C, you must use the highest value for the number of service processes in your calculation. Otherwise, your value might not be large enough and you could lose some audit data.

    The server provides three options for handling container audit file overflow. The options, as shown in Table 16, Overflow Options, are Archive audit file, Disable audited events, and Disable event recording.


    Table 16. Overflow Options

    Archive audit file

    With this setting, the server archives the current audit file and creates a new audit file. If necessary (because the maximum number of old online audit files already exists), the server deletes the oldest of the old online audit files.

    Disable audited events

    With this setting, the server disables all audited NDS events when the current audit file has reached the Audit file maximum size or the server cannot write to the current audit file (for example, it is out of disk space). The server doesn't attempt to roll over to a new audit file, even if audit files and disk space are available.

    In this overflow state, any event that is preselected for auditing is disabled; however, events that are not preselected are still permitted. For example, if logins are preselected for auditing, any attempt to log in to an object in the container (except by an auditor) will fail.

    This is the only overflow option that guarantees that you will not lose audit data. Consequently, if collection of audit data is of the utmost importance, then you should use this setting, even though it might inconvenience users when they are unable to log in to perform other NDS actions.

    Disable event recording

    With this setting, the server turns off auditing and stops entering new audit records into the current audit file when it reaches the maximum size limit or when an unrecoverable write error occurs for the audit file. The server doesn't attempt to roll over to a new audit file, even if there is disk space for archiving the current audit file.

    You must reset the current audit file to re-enable event recording. Until you re-enable event recording, users can access the NDS container without any audit coverage.

    Minutes between warning messages

    The server sends warnings to the console at this frequency if the audit file is full and the overflow option is configured to either Disable audited events or Disable event recording. If you have the Archive audit file option configured, then a warning message is sent when the audit file is almost full, but there is no additional message when the archive occurs.

  2. Move the cursor to the field you want to change and enter the new configuration value.

    For numeric fields (for example, Audit file maximum size), type the new value into the field over the previous value, then press Enter. For Yes/No settings, type Y or N to change the value. Depending upon your change, the server might modify other values on the configuration screen. For example, if you set Automatic audit file archiving to No, the server will blank out the entries for Days between audit archives and Hour of day to archive.

    If you enable Force dual-level audit passwords, AUDITCON will immediately prompt you (twice) to enter the new level 2 password.

  3. Review the settings on the current screen, and change any settings as needed.

  4. When you are finished, press Esc to exit the menu.

  5. Choose Yes to save the changes and return to menu 1497, 1498, or 1499, or choose No to leave the audit configuration unchanged.

WARNING:  Audit files consume disk resources that might be needed by other users. Before you define the number and size of audit files, discuss your projected disk space requirements with an administrator for each server that holds a replica of the container.
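The three overflow options in Table 16 trade availability against audit completeness in different ways, and the difference is easiest to see by running the same stream of preselected events through each. The following is an added example, not code from the AUDITCON manual or from NetWare: a toy model of one container audit trail in which "max_records" stands in for Audit file maximum size and "max_old_files" for the maximum number of old online audit files (both constructed values). The model assumes that the auditor's reset of the current audit file clears either overflow state.

```python
from enum import Enum


class Overflow(Enum):
    ARCHIVE = "Archive audit file"
    DISABLE_EVENTS = "Disable audited events"
    DISABLE_RECORDING = "Disable event recording"


class ContainerAuditTrail:
    """Toy model of one container audit trail and its overflow behaviour."""

    def __init__(self, overflow, max_records, max_old_files):
        self.overflow = overflow
        self.max_records = max_records      # stands in for Audit file maximum size
        self.max_old_files = max_old_files  # maximum number of old online audit files
        self.current = []      # records in the current audit file
        self.old_files = []    # archived files, oldest first
        self.purged = []       # records lost when the oldest old online file was deleted
        self.denied = []       # preselected events refused (Disable audited events)
        self.dropped = []      # events that happened unrecorded (Disable event recording)
        self.events_blocked = False
        self.recording = True

    def _on_full(self):
        if self.overflow is Overflow.ARCHIVE:
            self.old_files.append(self.current)
            self.current = []
            if len(self.old_files) > self.max_old_files:
                self.purged.extend(self.old_files.pop(0))  # oldest old online file is deleted
        elif self.overflow is Overflow.DISABLE_EVENTS:
            self.events_blocked = True   # audited events are refused; no audit data is lost
        else:
            self.recording = False       # auditing stops; events proceed with no coverage

    def record(self, event, preselected=True):
        """Return what happened to the event: recorded, permitted, denied or dropped."""
        if not preselected:
            return "permitted"   # never written and never blocked, in any overflow state
        if len(self.current) >= self.max_records and self.recording and not self.events_blocked:
            self._on_full()
        if self.events_blocked:
            self.denied.append(event)
            return "denied"
        if not self.recording:
            self.dropped.append(event)
            return "dropped"
        self.current.append(event)
        return "recorded"

    def reset_audit_file(self):
        """Auditor resets the current audit file (assumed to clear both overflow states)."""
        self.current = []
        self.events_blocked = False
        self.recording = True


def simulate(overflow, n_events, max_records=3, max_old_files=2):
    """Push n_events preselected events through a trail and summarise the outcome."""
    trail = ContainerAuditTrail(overflow, max_records, max_old_files)
    for i in range(1, n_events + 1):
        trail.record(f"Log in user #{i}")
    online = sum(len(f) for f in trail.old_files) + len(trail.current)
    return {"recorded": online + len(trail.purged), "online": online,
            "purged": len(trail.purged), "denied": len(trail.denied),
            "dropped": len(trail.dropped)}


if __name__ == "__main__":
    for option in Overflow:
        print(f"{option.value:<25} {simulate(option, 10)}")
```

With ten events and room for three per file, Archive audit file records everything but quietly purges the oldest file once the old-file limit is hit, Disable audited events records three and refuses the other seven (users are inconvenienced, nothing is lost), and Disable event recording records three and lets seven happen with no coverage at all. That is the trade-off the text describes when it calls Disable audited events the only option that guarantees no loss of audit data.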


Change Audit Passwords

Controlling Access to Online Audit Data describes the use of the password-based mechanism for accessing audit files. This section describes how to change both level 1 and level 2 passwords. This section is applicable only if the ALLOW AUDIT PASSWORDS option is set to ON.

This procedure assumes that the auditor (not the system administrator) is the one performing these procedures and that the administrator has previously established the passwords and has shared them with the auditor. The auditor can change the level 1 password after logging in to the container.


Prerequisites


Procedures

  1. To change the level 1 password, choose Change audit password from the Auditing configuration menu (1497, 1498, or 1499).

  2. Enter the current (level 1) audit password as prompted by AUDITCON.

    AUDITCON does not echo any password information to the screen.

    If dual-level passwords are enabled, AUDITCON prompts you to enter the level 2 password before you can change the level 1 password. AUDITCON allows you to change the level 2 password using the same procedure used to change the level 1 password.

  3. Enter the new (level 1) audit password when prompted by AUDITCON.

    AUDITCON prompts you twice for the new password. This ensures that the auditor did not make an error when entering the password.

    AUDITCON does not check the password for length, alphanumeric characters, or other characteristics of strong passwords, nor does it ensure that it is different from the previous password. Uppercase and lowercase characters are treated identically.

WARNING:  If you use audit passwords to control access to the audit file, be sure not to reuse your server password as the audit password.
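Because AUDITCON itself checks nothing about a new audit password and folds case, the checks have to happen before the password is typed in. The following is an added example, not code from the manual: a local vetting routine for a candidate level 1 or level 2 password, covering the points the text raises (length, character variety, difference from the previous password, and not reusing the server password) and measuring strength after case folding, since upper and lower case buy nothing here. The minimum length and the 60-bit threshold are assumed local policy, not AUDITCON values.

```python
import hmac
import math
import string

MIN_LENGTH = 12   # assumed local policy; AUDITCON enforces no minimum


def _fold(pw):
    """AUDITCON treats upper and lower case identically, so compare and measure case-folded."""
    return pw.casefold()


def _same(a, b):
    """Constant-time comparison of two case-folded passwords."""
    return hmac.compare_digest(_fold(a).encode(), _fold(b).encode())


def estimated_bits(candidate):
    """Entropy estimate for a case-insensitive password: all letters form one 26-symbol class."""
    folded = _fold(candidate)
    alphabet = 0
    if any(c in string.ascii_lowercase for c in folded):
        alphabet += 26
    if any(c in string.digits for c in folded):
        alphabet += 10
    if any(c not in string.ascii_lowercase + string.digits for c in folded):
        alphabet += 32   # assumed size of the punctuation/symbol class
    return len(folded) * math.log2(alphabet) if alphabet else 0.0


def vet_audit_password(candidate, previous, server_password, min_bits=60):
    """Return a list of findings; an empty list means the candidate passes every check."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if _same(candidate, previous):
        findings.append("identical to the previous audit password (case ignored)")
    if _same(candidate, server_password):
        findings.append("reuses the server password (case ignored)")
    bits = estimated_bits(candidate)
    if bits < min_bits:
        findings.append(f"estimated strength {bits:.0f} bits is below {min_bits}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for cand in ("AUDIT123", "Correct-Horse-9-Battery"):
        print(cand, "->", vet_audit_password(cand, "audit123", "server-pw") or "ok")
```

Note that "AUDIT123" and "audit123" are the same password to AUDITCON, which is why the comparison and the strength estimate both work on the case-folded form.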


Set Audit Passwords

Controlling Access to Online Audit Data describes the use of the password-based mechanism for accessing audit files. This section describes how to set level 1 passwords and level 2 passwords (if level 2 passwords are enabled).


Prerequisites


Procedures

  1. To set the level 1 password, choose Set audit password from the Auditing configuration menu (1497, 1498, or 1499).

    AUDITCON prompts you to enter the new (level 1) container password.

  2. Enter the new password as prompted by AUDITCON.

    AUDITCON does not echo any password information to the screen.

    If dual-level passwords are enabled, AUDITCON prompts you to set the level 2 password before you can set the level 1 password. AUDITCON allows you to set the level 2 password using the same procedure used to change the level 1 password.

    AUDITCON then prompts you to reenter the new password.

  3. Reenter the new password when prompted by AUDITCON.

    This ensures that the auditor did not make an error when entering the new password.

    AUDITCON does not check the password for length, alphanumeric characters, or other characteristics of strong passwords, nor does it ensure that it is different from the previous password. Uppercase and lowercase characters are treated identically.

    If dual-level passwords are enabled, AUDITCON prompts you to enter the level 2 password before it will change the level 1 password.

WARNING:  If you use audit passwords to control access to the audit file, be sure not to reuse your server password as the audit password.

NOTE:  If you use a password to control access to an audit file, and forget the audit password, then you must use the rights-based mechanism as described in Controlling Access to Online Audit Data. Once you have access to the audit trail, you can reset the password as described in this section.


Disabling Container Auditing

When you disable container auditing, you stop the server from recording audit events to the container audit file, but you do not delete the Audit File object for the container audit trail. The Audit File object remains, and is reused (to provide an initial configuration) if you re-enable auditing for the container.

After container auditing has been disabled, it can be re-enabled using the Enable External Auditing menu (see Enabling Container Auditing).


Prerequisites


Procedure

  1. Choose Disable container auditing from the Auditing configuration menu (1497, 1498, or 1499).

  2. Choose Yes and press Enter to disable auditing, or choose No to continue auditing.

    AUDITCON returns to menu 1010.


User Restriction

This menu sets two audit control flags, User restrictions and Audit NOT_LOGGED_IN users, in the current container's Audit File object Audit Policy.

These flags pertain only to the currently selected container and do not affect other container or volume audit files. Unlike the per-user audit flag (which is global across the network), the User restriction and Audit NOT_LOGGED_IN users flags must be set individually for each volume and container. The two flags are independent of each other, so you can set either flag without affecting the other.

WARNING:  If you set the User restrictions flag to Yes, you must also preselect those users you want audited, using the procedures shown in Audit by User. Setting the User restrictions flag to Yes without preselecting any users will mean that no container events will be recorded in the audit trail.

If you set the User restrictions flag to Yes but leave the Audit NOT_LOGGED_IN users flag set as No, then actions of unauthenticated users will not be audited.

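Whether a given action ends up in a container's audit trail depends on four things described across this chapter: the events preselected for that container, the container's User restrictions flag, its Audit NOT_LOGGED_IN users flag, and the per-user audit flag, which is global across the tree. The following is an added example, not code from the manual: a small decision model that combines these rules so an auditor can check in advance which (event, user) pairs a container will actually record. It assumes that with User restrictions set to No every requester, including an unauthenticated one, is recorded (the text only states the default as "all users"), and uses constructed container and user names in the style of the chapter.

```python
from dataclasses import dataclass, field


@dataclass
class ContainerAuditPolicy:
    """Flags kept in one container's Audit File object (menu 1480) plus its preselected events."""
    preselected_events: frozenset
    user_restrictions: bool = False           # User restrictions flag
    audit_not_logged_in_users: bool = False   # Audit NOT_LOGGED_IN users flag


@dataclass
class DirectoryTree:
    """Policies are per container; the per-user audit flag is one set for the whole tree."""
    policies: dict
    audited_users: set = field(default_factory=set)


NOT_LOGGED_IN = None   # stands for an unauthenticated requester


def will_record(tree, container, event, user):
    """True if this container's audit trail will carry the event for this requester."""
    policy = tree.policies[container]
    if event not in policy.preselected_events:
        return False   # not preselected: never recorded, so never reportable later
    if not policy.user_restrictions:
        return True    # default: every user of the container (assumed to include NOT_LOGGED_IN)
    if user is NOT_LOGGED_IN:
        return policy.audit_not_logged_in_users
    return user in tree.audited_users   # per-user flag: global across the tree


def coverage_report(tree, container, events, users):
    """The (event, requester) pairs this container will record; empty means a silent trail."""
    return sorted((e, u or "NOT_LOGGED_IN") for e in events for u in users
                  if will_record(tree, container, e, u))


# Constructed sample tree: two containers with User restrictions = Yes, one audited user.
SAMPLE_TREE = DirectoryTree(
    policies={
        "LAB1.ENGR.ACME": ContainerAuditPolicy(
            frozenset({"Log in user", "Modify entry"}), user_restrictions=True),
        "SALES.ACME": ContainerAuditPolicy(
            frozenset({"Log in user"}), user_restrictions=True, audit_not_logged_in_users=True),
    },
    audited_users={"CN=BOB.O=ACME"},
)

if __name__ == "__main__":
    users = ["CN=BOB.O=ACME", "CN=SALLY.O=ACME", NOT_LOGGED_IN]
    for container in SAMPLE_TREE.policies:
        events = SAMPLE_TREE.policies[container].preselected_events | {"Read entry"}
        print(container, coverage_report(SAMPLE_TREE, container, sorted(events), users))
```

Flagging BOB once makes him audited in both containers, which is the global behaviour the Audit by User section warns about; SALLY, who is not flagged, appears in neither trail; and an unauthenticated requester is recorded only in SALES.ACME, where Audit NOT_LOGGED_IN users is Yes. A tree with no flagged users and User restrictions set to Yes gives an empty report for every container.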


Prerequisites


Procedures

  1. Choose User restriction from the Auditing configuration menu (1497, 1498, or 1499).

    AUDITCON displays menu 1480, which allows you to select the user restriction parameters for the container.

    Figure 80
    Menu 1480: User Restriction

  2. Review the settings on the current screen, and change any settings as required.

    Press Y to set a value to Yes or press N to set the value to No.

  3. When you are finished, press Esc to exit the menu.

  4. Choose Yes to save the changes and return to menu 1497, 1498, or 1499, or choose No to leave the user restrictions configuration unchanged.


