This section provides an overview of the Novell Nsure™ Audit Report auditing system and reviews auditing fundamentals.
Novell Nsure Audit is a centralized, cross-platform auditing service. It collects event data from multiple applications across multiple platforms and writes the data to a single, non-repudiable data store. Nsure Audit is also capable of creating filtered data stores. Based on criteria you define, Nsure Audit captures specific types of events and writes those events to secondary data stores.
Using the query and report generating tools included with Nsure Audit Report, you can then evaluate the information in your data stores to determine resource access, usage patterns, and overall compliance with organizational policies and regulations.
Although queries and reports are invaluable in reviewing system activity, sometimes you need to know what is happening on your system as it happens. Therefore, Nsure Audit provides real-time notifications and real-time monitoring so you can assess and act on events as they occur.
To some extent, Nsure Audit can even automate the process of responding to events in real time. The Critical Value Reset (CVR) channel allows you to flag Directory attributes with reset policies. If the value of a given attribute is changed, the CVR channel resets the value according to the policy defined in the CVR Channel object. For example, if your organization has a policy prohibiting security equivalence, you can create a CVR Channel object that automatically resets the Security Equals attribute to a null value if it is ever changed by an administrator.
Novell Nsure Audit provides the tools you need to audit your organization's compliance with internal and external policies and regulations; however, the use of secure logging technology such as Novell Nsure Audit does not, in itself, provide a complete auditing solution. Auditing is actually a human-driven process and Novell Nsure Audit is simply a tool that facilitates that process.
Therefore, a complete auditing strategy requires several actions:
Define your organization's security and usage policies. That is, determine what resources your users are allowed to access, what rights they have to those resources, and so forth.
Log the events relevant to those policies.
Configure notification filters to notify you in real time when a policy violation occurs. You can also use notification filters to route the events to the Critical Value Reset (CVR) channel to trigger an automated response to the violation.
Perform regular compliance audits. This entails querying the data store for events relevant to your policies and then manually reviewing those events to determine if there are any violations of your corporate policies, when the violations occurred, and who was responsible.
After you have implemented your auditing strategy, Novell Nsure Audit provides the information you need to assess overall compliance with organizational policies and to respond to policy violations in a timely manner.
For example, in a secure environment, you might have a policy that prohibits assigning user rights using the Security Equals attribute because it makes it difficult to track and manage user rights. To audit this policy, you first configure Novell Nsure Audit to log the Change Security Equals event.
To facilitate a timely response to policy violations, you configure a notification filter to send a message to your mailbox any time the Change Security Equals event occurs. You also have the notification filter route the event to the CVR channel, which is configured to automatically reset the Security Equals attribute on User objects to a null value.
You can monitor your organization’s compliance with this policy by using iManager or Nsure Audit Report to query the data store for Change Security Equals events. You then review the query results to determine when violations occurred and who the perpetrators were.
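The Security Equals walkthrough above, modelled end to end as an added example (not Novell code). The event record, its field names and the sample events are constructed, and the data store, mailbox and directory are in-memory stand-ins for the Nsure Audit components.

```python
from collections import defaultdict
from dataclasses import dataclass

POLICY_EVENT = "Change Security Equals"

@dataclass(frozen=True)
class Event:            # constructed record; not the Nsure Audit schema
    time: str
    name: str
    actor: str          # who made the change
    target: str         # User object affected
    value: str          # new attribute value ("" = null)

# Constructed sample events for the walkthrough.
SAMPLE_EVENTS = [
    Event("2004-03-01T09:12", "Login", "jsmith", "jsmith", ""),
    Event("2004-03-01T09:15", POLICY_EVENT, "admin1", "jsmith", "cn=admin"),
    Event("2004-03-02T14:40", "Change Password", "mlee", "mlee", ""),
    Event("2004-03-03T08:05", POLICY_EVENT, "admin2", "mlee", "cn=hr-manager"),
    Event("2004-03-04T16:30", POLICY_EVENT, "admin1", "tkhan", "cn=admin"),
]

def run_pipeline(events):
    """Log every event; notify and reset on each policy event."""
    data_store, mailbox, directory = [], [], {}
    for ev in events:
        data_store.append(ev)                      # log the event
        if ev.name != POLICY_EVENT:                # notification filter
            continue
        directory[ev.target] = ev.value            # the change as it was made
        mailbox.append(
            f"{ev.time}: {ev.actor} changed Security Equals on {ev.target}")
        directory[ev.target] = ""                  # CVR channel: reset to null
    return data_store, mailbox, directory

def compliance_audit(data_store):
    """Query the store for policy events: when each occurred and who did it."""
    by_actor = defaultdict(list)
    for ev in data_store:
        if ev.name == POLICY_EVENT:
            by_actor[ev.actor].append((ev.time, ev.target))
    return dict(by_actor)
```

The reset leaves the directory compliant, but the data store still holds every Change Security Equals event, which is what the compliance audit reviews.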
For the latest Nsure Audit documentation, including information on Nsure Audit setup and administration, go to the Nsure Audit documentation page.
iChain 2.3 includes Nsure Audit functionality. This section describes how to enable the logging feature within iChain and describes the events that are available to be logged.
The Nsure Audit configuration functionality is managed through the iChain Command Line Interface (CLI). The configuration can be set and viewed using get log and set log commands. The following two tables list the commands and events.
Nsure Audit provides tools to view the events generated by iChain. Nsure Audit requires an LSC file that describes the schema associated with the events generated by each product that is instrumented for Nsure Audit. The LSC file for iChain is included in the installation of Nsure Audit, and is installed as part of that system.
Events that correspond with mutual authentication using revoked certificates (CertificateExpired and CertificateRevoked) might not be logged. This occurs because nothing is logged when certificate error pages are enabled. When certificate error pages are disabled, a log entry is created, but it uses the information from a previous successful login and not the current data.