An identity is a token used to represent a particular user or entity. The blame or credit for an action goes to the identity for a set of activities within a system. Accounts exist in the application domains to associate attributes with the set of identifiers typically associated with identities. An identity can be a human being or an automated identity, such as another service, which is acting on behalf of a human or a regularly scheduled system activity. In both cases, account management is considered as persistent account creation, wherein an identity with some limited or unlimited set of system rights is associated with attributes.
NOTE: The Modify Account Security Token event could have been defined in terms of Modify Account, but modification of account security tokens is considered critical to audit security, and is thus given its own event.
Table 5-1 Account Management Event Taxonomy
Event Name | Event Identifier | Corresponding eDir Event | Description | Use |
---|---|---|---|---|
Create Account | 0.0.0.0 | DSE_CREATE_ENTRY, DSE_LDAP_ADD, DSE_LDAP_ADDRESPONSE, DSE_NAME_COLLISION | Create a new account | Consider this event as appropriate for any situation wherein an account, as defined above, is to be created. |
Delete Account | 0.0.0.1 | DSE_DELETE_ENTRY, DSE_LDAP_DELETE, DSE_LDAP_DELETERESPONSE, DSE_MOVE_SOURCE_ENTRY, DSE_REMOVE_ENTRY | Delete an existing account | This event has the opposite semantic meaning of account creation. Use this event wherever such an account, as described above, is to be deleted. |
Disable Account | 0.0.0.2 | DSE_ADD_VALUE | Disable an existing account | Consider this event relevant for any situation where a particular record in an identifier database is disabled by an administrator or an automated security process such that it can no longer be used until it is re-enabled. |
Enable Account | 0.0.0.3 | DSE_ADD_VALUE | Enable an existing account | This is the counterpart event to the disable account event defined above. |
Query Account | 0.0.0.4 | DSE_SEARCH, DSE_DSA_READ, DSE_INSPECT_ENTRY, DSE_LDAP_SEARCH, DSE_LDAP_SEARCHENTRYRESPONSE, DSE_LDAP_COMPARE | Query an existing account | Consider the Query account events whenever a request for the attribute information of a particular account is made. |
Modify Account | 0.0.0.5 | DSE_MERGE_ENTRIES, DSE_ADD_VALUE, DSE_DELETE_ATTRIBUTE, DSE_DELETE_VALUE, DSE_LDAP_MODDN, DSE_LDAP_MODDNRESPONSE, DSE_LDAP_MODIFY, DSE_LDAP_MODIFYRESPONSE, DSE_MODIFY_ENTRY, DSE_MODIFY_RDN, DSE_RENAME_ENTRY | Modify an existing account | Consider the Modify account events whenever a request to change attribute information of a particular account is made. |
Modify Account Security Token | 0.0.0.6 | DSE_CHGPASS | Modify an existing account security token | An account security token may be a password, or any other type of authentication materials associated with a user account. Here, a user account means any type of account by which a user, application, or system service may authenticate, and then act with the rights of that account. |
This section includes examples for the following Account Management events:
NOTE: The examples provided in the following sections are for reference only.
Click Create Account to generate an event for creating a user account. Output in JSON format similar to the following is generated:
Jan 08 15:06:03 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SLES11-SP2,O=mycom"},"Entity" : {"SysAddr" : "100.1.1.2","SysName" : "SLES11-SP2.my.com"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32805"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=USER,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_ACCOUNT","CorrelationID" : "eDirectory#25#0ef05b4c-e864-4d4c-f7a9-4c5bf00e64e8","SubEvent" : "DSE_CREATE_ENTRY"},"Time" : {"Offset" : 1389173763},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
The preceding example appears in XML format (when converted from JSON format), as follows:
<Source>eDirectory#DS</Source> <Observer> <Account> <Domain>MYTREE</Domain> <Name>CN=SLES11-SP2,O=mycom</Name> </Account> <Entity> <SysAddr>100.1.1.2</SysAddr> <SysName>SLES11-SP2.my.com</SysName> </Entity> </Observer> <Initiator> <Account> <Name>CN=admin,O=mycom</Name> <Id>32805</Id> </Account> </Initiator> <Target> <Data> <ClassName>User</ClassName> <Name>CN=USER,O=mycom</Name> </Data> </Target> <Action> <Event> <Id>0.0.2.0</Id> <Name>CREATE_ACCOUNT</Name> <CorrelationID>eDirectory#25#0ef05b4c-e864-4d4c-f7a9-4c5bf00e64e8</CorrelationID> <SubEvent>DSE_CREATE_ENTRY</SubEvent> </Event> <Time> <Offset>1389173763</Offset> </Time> <Log> <Severity>7</Severity> </Log> <Outcome>0</Outcome> <ExtendedOutcome>0</ExtendedOutcome> </Action>
Click Delete Account to generate an event for deleting a user account, as shown in the following example:
Jan 08 15:17:10 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SLES11-SP2,O=mycom"},"Entity" : {"SysAddr" : "100.1.1.2","SysName" : "SLES11-SP2-164.my.com"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32805"}},"Target" : {"Data" : {"Name" : "CN=USER,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.0.1","Name" : "DELETE_ACCOUNT","CorrelationID" : "eDirectory#25#bc9563e5-d322-43c5-fb91-e56395bc22d3","SubEvent" : "DSE_REMOVE_ENTRY"},"Time" : {"Offset" : 1389174430},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
Click Disable Account to generate an event for disabling a user account, as shown in the following example:
Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32870"},"Entity" : {"SysAddr" : "164.99.179.107:20366"}},"Target" : {"Data" : {"Attribute Name" : "Login Disabled","Attribute Value" : "True","ClassName" : "User","Syntax" : "7"},"Account" : {"Domain" : "MYTREE","Name" : "CN=user1,O=mycom","Id" : "32911"}},"Action" : {"Event" : {"Id" : "0.0.0.2","Name" : "DISABLE_ACCOUNT","CorrelationID" : "eDirectory#20#a7daeee2-990b-4203-1793-e2eedaa70b99","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
Click Enable Account to generate an event for enabling a user account, as shown in the following example:
Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32809"},"Entity" : {"SysAddr" : "100.1.2.142:40645"}},"Target" : {"Data" : {"Attribute Name" : "Object Class","Attribute Value" : "ndsLoginProperties","Name" : "dc=LDAPValidate","Syntax" : "20"}},"Action" : {"Event" : {"Id" : "0.0.0.3","Name" : "ENABLE_ACCOUNT","CorrelationID" : "eDirectory#41#4477577d-b132-4d62-9e89-7d57774432b1","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
Click Query Account to generate an event for querying a user account, as shown in the following example:
Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"},"Entity" : {"SysAddr" : "0.0.0.0:0"}},"Target" : {"Data" : {"Name" : "CN=Test User1,dc=LDAPValidate"}},"Action" : {"Event" : {"Id" : "0.0.0.4","Name" : "QUERY_ACCOUNT","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_DSA_READ"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-603"}}
Click Modify Account to generate an event for modifying a user account, as shown in the following example:
Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"},"Entity" : {"SysAddr" : "0.0.0.0:0"}},"Target" : {"Data" : {"Attribute Flag" : "2","Name" : "CN=Test User1,dc=LDAPValidate"}},"Action" : {"Event" : {"Id" : "0.0.0.5","Name" : "MODIFY_ACCOUNT","CorrelationID" : "eDirectory#0#fa79e19c-034a-445b-6292-9ce179fa4a03","SubEvent" : "DSE_MODIFY_ENTRY"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
Click Modify Account Security Token to generate an event for modifying the security token of a user account, as shown in the following example:
Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32809"},"Entity" : {"SysAddr" : "100.1.2.142:40645"}},"Target" : {"Data" : {"Name" : "CN=Test User1,dc=LDAPValidate"}},"Action" : {"Event" : {"Id" : "0.0.0.6","Name" : "MODIFY_ACCOUNT_SECURITY_TOKEN","CorrelationID" : "eDirectory#41#d0f97989-ac20-401f-03ab-8979f9d020ac","SubEvent" : "DSE_CHGPASS"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
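The following added example (not part of the product documentation or its code) shows one way to triage the account management events above: it splits the syslog prefix from the JSON body, reads `Time.Offset` as Unix epoch seconds, and flags failed operations, security token changes made by a different account, and account lifecycle events. The sample lines are constructed and shortened from the format shown above; the function names, the finding labels, and the reading of `Outcome` `"0"` as success are assumptions drawn from the samples.

```python
import json
from datetime import datetime, timezone

# Constructed lines in the format shown above (shortened, not real logs).
PREFIX = "Jan 08 10:18:34 eDirectory : INFO "
SAMPLE_LINES = [
    PREFIX + '{"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom"}},"Target" : {"Data" : {"Name" : "CN=Test User1,dc=LDAPValidate"}},"Action" : {"Event" : {"Id" : "0.0.0.6","Name" : "MODIFY_ACCOUNT_SECURITY_TOKEN","SubEvent" : "DSE_CHGPASS"},"Time" : {"Offset" : 1389847714},"Outcome" : "0","ExtendedOutcome" : "0"}}',
    PREFIX + '{"Initiator" : {"Account" : {"Domain" : "MYTREE"}},"Target" : {"Data" : {"Name" : "CN=Test User1,dc=LDAPValidate"}},"Action" : {"Event" : {"Id" : "0.0.0.4","Name" : "QUERY_ACCOUNT","SubEvent" : "DSE_DSA_READ"},"Time" : {"Offset" : 1389847714},"Outcome" : "1","ExtendedOutcome" : "-603"}}',
    PREFIX + '{"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom"}},"Target" : {"Data" : {"Attribute Name" : "Login Disabled","Attribute Value" : "True"},"Account" : {"Name" : "CN=user1,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.0.2","Name" : "DISABLE_ACCOUNT","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1389847714},"Outcome" : "0","ExtendedOutcome" : "0"}}',
    PREFIX + '{"Initiator" : {"Account" : {"Name" : "CN=admin,O=my',  # truncated in transit
]
LIFECYCLE = {"CREATE_ACCOUNT", "DELETE_ACCOUNT", "DISABLE_ACCOUNT", "ENABLE_ACCOUNT"}

def parse_event(line):
    """Return the triage fields of one event line, or None if the JSON body is unusable."""
    start = line.find("{")
    try:
        doc = json.loads(line[start:]) if start >= 0 else None
    except json.JSONDecodeError:
        doc = None
    if not isinstance(doc, dict):
        return None
    action, target = doc.get("Action", {}), doc.get("Target", {})
    event = action.get("Event", {})
    offset = action.get("Time", {}).get("Offset")
    return {
        "name": event.get("Name"),
        "initiator": doc.get("Initiator", {}).get("Account", {}).get("Name"),
        # The samples carry the target DN under Target.Account or Target.Data.
        "target": target.get("Account", {}).get("Name") or target.get("Data", {}).get("Name"),
        "time_utc": datetime.fromtimestamp(offset, tz=timezone.utc).isoformat() if offset is not None else None,
        "succeeded": action.get("Outcome") == "0",  # assumption: "0" means success
        "extended_outcome": action.get("ExtendedOutcome"),
    }

def triage(lines):
    """Label each line; unparseable lines are reported rather than silently dropped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            findings.append(("unparsed", line[:40]))
        elif not ev["succeeded"]:
            findings.append(("failed", ev["name"], ev["target"], ev["extended_outcome"]))
        elif ev["name"] == "MODIFY_ACCOUNT_SECURITY_TOKEN" and (ev["initiator"] or "").lower() != (ev["target"] or "").lower():
            findings.append(("token_changed_by_other", ev["initiator"], ev["target"], ev["time_utc"]))
        elif ev["name"] in LIFECYCLE:
            findings.append(("lifecycle", ev["name"], ev["initiator"], ev["target"]))
    return findings
```
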