Quickstart: understanding the XDAS and PA audit mapping changes in eDirectory 9.0.3.

  • 7018768
  • 03-Apr-2017
  • 18-Oct-2018

Environment

NetIQ eDirectory 9.0.3
XDAS
Platform Agent 2011.r8

Additional Information

XDAS AUDITING 9.0.3

Mapping the differences between eDirectory 8.8 SP8 / 9.0.2 and 9.0.3.



This guide gives an overview of the changes made to the audit event taxonomy in eDirectory 9.0.3. To keep reporting consistent, eDirectory 9.0.3 aligns the mapping of its events much more closely with the Sentinel taxonomy, which is documented here:
https://www.novell.com/developer/plugin-sdk/sentinel_taxonomy.html

The guide has two parts. The first compares how events are mapped in 9.0.3 against pre-9.0.3 releases (8.8 SP8 and 9.0.2); the second covers event selection from within the iManager auditing plugin.

XDAS Audit Differences: Pre-903 vs. Post-903 releases:


  • Authentication Related Events:
    • Logins: No Change
      • Pre 903: Create Session
      • Post 903: Create Session
    • Authentications: No change
      • Pre 903: Authenticate Session
      • Post 903: Authenticate Session
    • Logouts: No change in behavior
      • Pre 903: Terminate Session
      • Post 903: Terminate Session
    • Establish a connection: Changed behavior
      • Pre 903: No events
      • Post 903: Create Connection
    • Terminate a connection: Changed behavior
      • Pre 903: No events
      • Post 903: Terminate Connection
    • Verify Password: Changed behavior
      • Pre 903: Query Data Item Attribute (QUERY_DATA_ITEM_ATTRIBUTE)
      • Post 903: Authenticate Session
    • Lockout by Intruder: Changed behavior
      • Pre 903: No specific event; reported as a Create Session event
      • Post 903: Intruder Lockout
    • Unlock Account after lockout: Changed behavior
      • Pre 903: No specific event; reported as part of Modify Account/Role
      • Post 903: Account Unlock
  • Security Related Events
    • Password Modifications: No change
      • Pre 903: Modify Account Security Token
      • Post 903: Modify Account Security Token
    • Login Config Change: Changed behavior
      • Pre 903: Audited through NMAS Collector as an NMAS Event
      • Post 903: Modify Account Security Token
    • ACL changes: Changed behavior
      • Pre 903: Create/Terminate Data Item Association
      • Post 903: Grant/Revoke Account Access or Grant/Revoke Trust Access. Whether it is an Account or a Trust event depends on which object receives (or loses) the rights, and the event is reported from the trustee’s point of view.
    • Security Equals To/Equivalent To Me: Changed behavior
      • Pre 903: Reported as part of Modify Account/Role or Create Role
      • Post 903: Associate/Deassociate Trust
    • Querying Password/Login Config: Changed behavior
      • Pre 903: Audited through NMAS Collector as an NMAS Event.
      • Post 903: Query Account Security Token
  • Group Membership:
    • Addition of a member: No change in behavior
      • Pre 903: Associate Trust
      • Post 903: Associate Trust
    • Removal of a member: No change in behavior
      • Pre 903: Deassociate Trust
      • Post 903: Deassociate Trust
  • Object related operations:
    • Creation of an Object: Changed behavior
      • Pre 903: Create Account/Role/Data Item
      • Post 903: Create Account/Trust/Data Item based on your mapping of ObjectClass
    • Deletion of an Object: Changed behavior
      • Pre 903: Delete Account/Role/Data Item
      • Post 903: Delete Account/Trust/Data Item based on your mapping of ObjectClass
    • Addition/Deletion/Modification of Attribute Value: Changed behavior
      • Pre 903: Modify Account/Role/Data Item Attribute, Terminate Data Item Association
      • Post 903: Modify Account/Trust/Data Item Attribute based on your mapping of ObjectClass
    • Moving/Renaming of an object: Changed behavior
      • Pre 903: Delete Data Item/Role
      • Post 903: Modify Account/Trust/Data Item Attribute based on your mapping of ObjectClass
    • Disable Account: No change in behavior
      • Pre 903: Disable Account
      • Post 903: Disable Account
    • Enable Account: No change in behavior
      • Pre 903: Enable Account
      • Post 903: Enable Account
  • Schema related operations:
    • Defining a new Attribute/Class: Changed behavior
      • Pre 903: Modify Data Item Attribute
      • Post 903: Create Data Item
    • Removing Attribute/Class: Changed behavior
      • Pre 903: Modify Data Item Attribute
      • Post 903: Delete Data Item
    • Update/Modify schema definition: No change in behavior
      • Pre 903: Modify Data Item Attribute
      • Post 903: Modify Data Item Attribute
  • Audit configuration:
    • Audit Config Changes: Changed behavior
      • Pre 903: No events
      • Post 903: Audit Config
  • Partition/Replica related operations:
    • Create a partition: Changed behavior
      • Pre 903: Create Data Item
      • Post 903: Modify Process Context
    • Joining partitions: Changed behavior
      • Pre 903: Delete Data Item
      • Post 903: Modify Process Context
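The table above is what a site with its own parsing or filtering logic has to apply when it moves to 9.0.3. As an added example (not code from this TID, eDirectory or Sentinel), the following Python script turns the table into a lookup: given the pre-903 event names an old filter matched, it returns the 9.0.3 names that now carry the same activity, the old names that 9.0.3 never emits (dead branches in a custom parser), and the names that are new in 9.0.3 and so were never covered. The TID's shorthand "Account/Role/Data Item" is expanded to one entry per object family, which is an assumption about how the shorthand reads; the filter in main is constructed.

```python
"""Remap a pre-9.0.3 XDAS event filter to 9.0.3 event names.

Added example for this TID; not code from eDirectory or Sentinel.
PRE_TO_POST is the mapping table above, with the TID's shorthand
"Account/Role/Data Item" expanded to one entry per object family
(an assumption about how the shorthand reads). The filter in main()
is constructed.
"""

# pre-903 event name -> 9.0.3 event names that now carry the same activity.
# A pre-903 name that mixed several activities fans out to several names.
PRE_TO_POST = {
    # Authentication related
    "Create Session": {"Create Session", "Intruder Lockout"},
    "Authenticate Session": {"Authenticate Session"},
    "Terminate Session": {"Terminate Session"},
    "Query Data Item Attribute": {"Query Data Item Attribute",
                                  "Authenticate Session"},          # Verify Password
    # Security related
    "Modify Account Security Token": {"Modify Account Security Token"},
    "NMAS Event": {"Modify Account Security Token",                 # Login Config change
                   "Query Account Security Token"},                 # Password/Login Config query
    "Create Data Item Association": {"Grant Account Access", "Grant Trust Access"},
    "Terminate Data Item Association": {"Revoke Account Access", "Revoke Trust Access",
                                        "Modify Data Item Attribute"},
    "Associate Trust": {"Associate Trust"},
    "Deassociate Trust": {"Deassociate Trust"},
    # Object related
    "Create Account": {"Create Account"},
    "Create Role": {"Create Trust", "Associate Trust"},             # Security Equals via Create Role
    "Create Data Item": {"Create Data Item", "Modify Process Context"},  # partition create
    "Delete Account": {"Delete Account"},
    "Delete Role": {"Delete Trust", "Modify Trust Attribute"},      # move/rename of a role
    "Delete Data Item": {"Delete Data Item", "Modify Account Attribute",
                         "Modify Trust Attribute", "Modify Data Item Attribute",
                         "Modify Process Context"},                 # move/rename, partition join
    "Modify Account Attribute": {"Modify Account Attribute", "Account Unlock",
                                 "Associate Trust", "Deassociate Trust"},
    "Modify Role Attribute": {"Modify Trust Attribute", "Account Unlock",
                              "Associate Trust", "Deassociate Trust"},
    "Modify Data Item Attribute": {"Modify Data Item Attribute",
                                   "Create Data Item", "Delete Data Item"},  # schema define/remove
    "Disable Account": {"Disable Account"},
    "Enable Account": {"Enable Account"},
}

# Names that exist only from 9.0.3 on; no pre-903 filter could have asked for them.
NEW_IN_903 = {"Create Connection", "Terminate Connection", "Audit Config"}

# Every name 9.0.3 can emit, according to the table.
ALL_POST = set().union(*PRE_TO_POST.values()) | NEW_IN_903


def remap_filter(pre_events):
    """Return (post_names, unknown) for a collection of pre-903 event names.

    post_names is the set of 9.0.3 names that must be enabled or matched to
    keep the old filter's coverage; unknown lists names the table does not
    know, which the caller must resolve by hand rather than silently drop.
    """
    post, unknown = set(), []
    for name in pre_events:
        if name in PRE_TO_POST:
            post |= PRE_TO_POST[name]
        else:
            unknown.append(name)
    return post, sorted(unknown)


def retired_names(pre_events):
    """Pre-903 names that 9.0.3 never emits; parser branches keyed on them are dead."""
    return {n for n in pre_events if n in PRE_TO_POST and n not in ALL_POST}


def main():
    # Constructed example of a filter an older deployment might have used.
    old_filter = {"Create Session", "Create Role", "Create Data Item Association", "NMAS Event"}
    post, unknown = remap_filter(old_filter)
    print("enable/match in 9.0.3:", ", ".join(sorted(post)))
    print("dead parser branches:", ", ".join(sorted(retired_names(old_filter))))
    print("new in 9.0.3, never covered by an old filter:", ", ".join(sorted(NEW_IN_903)))
    if unknown:
        print("not in table, resolve by hand:", unknown)


if __name__ == "__main__":
    main()
```

Note that the fan-out is deliberate: keeping coverage of a pre-903 Create Session filter in 9.0.3 means also matching Intruder Lockout, because lockouts used to be reported under that name. Review each fanned-out name and drop the ones the original filter was not meant to catch.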


XDAS Audit Events - iManager Plugin Page:


  • BASIC EVENTS: The recommendation is to enable all basic events to monitor day to day activities.
    • Account Management Events: “User”, “Person” and “Organizational Person” object classes are mapped by default.  All three of these classes are now referred to as an “Account”.
      • Create Account: This event is thrown whenever a new Account is created.
      • Delete Account: This event is thrown whenever an existing Account is deleted.
      • Disable Account: This event is thrown whenever an Account is disabled.
      • Enable Account: This event is thrown whenever a disabled Account is enabled.
      • Modify Account: This event is thrown whenever attributes of an Account are modified. eDirectory performs a modification in two steps (delete the old value, then add the new one), so one modification produces two Modify events.
      • Query Account: This event is thrown whenever information related to an Account is read or queried.
    • Trust Management Events: “Group”, “dynamicGroup”, “dynamicGroupAux”, “LDAP Group” and “Organizational Role” object classes are mapped by default.  These five object classes are referred to as “Trust(s)”.
      • Create Trust: This event is thrown whenever a new Trust is created.
      • Delete Trust: This event is thrown whenever an existing Trust is deleted.
      • Modify Trust: This event is thrown whenever attributes of a Trust are modified. As with Modify Account, the two-step delete/add modification produces two Modify events for one modification.
      • Query Trust: This event is thrown whenever information related to a Trust is read or queried.
    • Data Item Management Events: By default, everything not mapped to “Account” or “Trust” is treated as a Data Item.
      • Create Data Item: This event is thrown whenever a new Data Item object is created or a new class/attribute is defined in the schema.
      • Delete Data Item: This event is thrown whenever an existing Data Item object is deleted or a user-defined class/attribute is removed from the schema.
      • Modify Data Item Attribute: This event is thrown whenever attributes of a Data Item object are modified. As above, the two-step delete/add modification produces two Modify events for one modification.
      • Query Data Item Attribute: This event is thrown whenever information related to a Data Item object is read or queried.
    • Security Events: These events cover security-related operations such as password modifications, ACL changes and group member addition or removal, and should not be filtered out. Some events in this group also serve as meta events.
      • Associate Trust: “Addition of a member to a group” or “Marking an object Security Equals/Equivalent To Me to another object” will be reported using this event.
      • Deassociate Trust: “Removal of a member from a group” or “Removing an object from Security Equals/Equivalent To Me of another object” will be reported using this event.
      • Modify Account Security Token: Password and Login Config changes will be reported through this event.
      • Query Account Security Token: Password and Login Config read request will be reported using this event.
      • Create Connection: Whenever a new Connection is created to eDirectory, this event will be reported.
      • Terminate Connection: Whenever an existing connection is destroyed from eDirectory, this event will be reported.
      • Create Session: Logins to eDirectory are reported using Create Session.
      • Terminate Session: Logouts from eDirectory are reported using Terminate Session.
      • Authenticate Session: Authentication of a session is reported using this event.
      • Grant Trust Access: This event is reported whenever a Trust or a Data Item object gets ACL rights on another object.
      • Revoke Trust Access: This event is reported whenever ACL rights over an object are revoked from a Trust or a Data Item object.
      • Intruder Lockout: This event is reported whenever an account is locked due to intruder detection.
      • Account Unlock: This event is reported whenever a locked account is unlocked.
      • Grant Account Access: This event is reported whenever an Account object gets ACL rights on another object.
      • Revoke Account Access: This event is reported whenever ACL rights over an object are revoked from an Account object.
      • Audit Config: This event is reported whenever there is a change in the XDAS auditing configuration.
  • ADVANCED EVENTS: These events are primarily for those who want to monitor the internals of eDirectory. Enabling advanced events generates a significant volume of internal eDirectory events.
    • Service or Application Management Events:
      • Enable Service: This event is reported whenever a module is loaded into eDirectory or an agent registers with NMAS.
      • Disable Service: This event is reported whenever a module is unloaded from eDirectory or an agent deregisters from NMAS.
      • Invoke Service: This event is reported whenever a background process is about to start or an internal operation is invoked.
      • Terminate Service: This event is reported whenever a background process is ending or an internal operation is terminated.
      • Modify Service Config: This event is reported for eDirectory background operations such as updating a replica, synchronising a partition or generating CA keys.
    • Operational Events:
      • Start System: This event is reported whenever the eDirectory system is started.
      • Shutdown System: This event is reported whenever the eDirectory system is shut down.
      • Backup Data Store: This event is reported whenever a backup is taken.
      • Recover Data Store: This event is reported whenever a backup is restored.
      • Internal Operations: This event pertains to eDirectory background operations such as deletion of unused external references, lost entry handling and a new schema epoch.
      • Modify Process Context: This event is reported for background operations such as a partition state change, repairing time stamps, and creation and deletion of partitions.
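Two points from the plugin page are easy to get wrong in downstream tooling: which family (Account, Trust or Data Item) an object lands in, and the fact that one attribute change arrives as two Modify events. As an added example (not code from this TID, eDirectory or Sentinel), the Python below applies the default class mapping listed above, composes the plugin-page event name for an operation, and folds a delete/add pair on the same target and attribute back into one change record. The three log lines are constructed, and their field layout is an assumption made for the example, not a description of the real xdas-events.log schema.

```python
"""Map eDirectory objects to the 9.0.3 event families and fold the two
Modify events per attribute change (delete + add) into one change record.

Added example for this TID; not code from eDirectory or Sentinel. The
class-to-family table is the default mapping listed above. The log lines
are constructed, and their layout (Action.Event.Name and SubEvent,
Action.Time.Offset, Target.Data.ClassName/Name/Attribute/Value) is an
assumption for the example, not the real xdas-events.log schema.
"""
import json

ACCOUNT_CLASSES = {"User", "Person", "Organizational Person"}
TRUST_CLASSES = {"Group", "dynamicGroup", "dynamicGroupAux",
                 "LDAP Group", "Organizational Role"}


def family_for(object_classes):
    """Return 'Account', 'Trust' or 'Data Item' for an object's class list.

    Matching is case-insensitive and any class in the object's class chain
    counts, so a User (which inherits Person) is an Account even when only
    a superclass appears in the default mapping. Anything else is a Data Item.
    """
    classes = {c.lower() for c in object_classes}
    if classes & {c.lower() for c in ACCOUNT_CLASSES}:
        return "Account"
    if classes & {c.lower() for c in TRUST_CLASSES}:
        return "Trust"
    return "Data Item"


def event_for(operation, object_classes):
    """Compose the plugin-page event name for a Create/Delete/Modify/Query."""
    fam = family_for(object_classes)
    name = f"{operation} {fam}"
    # The plugin page lists the Data Item Modify/Query events with an "Attribute" suffix.
    if fam == "Data Item" and operation in ("Modify", "Query"):
        name += " Attribute"
    return name


def coalesce_modifies(lines, window=2):
    """Fold a delete+add pair on the same target and attribute into one change.

    A DSE_DELETE_VALUE followed within `window` seconds by a DSE_ADD_VALUE
    for the same (target, attribute) is one modification with old and new
    value. Unpaired events are kept with old or new left as None, so a lone
    delete (a value being cleared) is not silently dropped.
    """
    changes = []
    pending = None  # unmatched delete waiting for its add

    def flush():
        nonlocal pending
        if pending is not None:
            changes.append(pending)
            pending = None

    for line in lines:
        ev = json.loads(line)
        action = ev["Action"]
        if not action["Event"]["Name"].startswith("MODIFY_"):
            continue
        data = ev["Target"]["Data"]
        rec = {"target": data["Name"], "attribute": data["Attribute"],
               "family": family_for([data["ClassName"]]),
               "time": action["Time"]["Offset"], "old": None, "new": None}
        sub = action["Event"]["SubEvent"]
        if sub == "DSE_DELETE_VALUE":
            flush()
            rec["old"] = data["Value"]
            pending = rec
        elif sub == "DSE_ADD_VALUE":
            same_key = pending is not None and (
                (pending["target"], pending["attribute"]) == (rec["target"], rec["attribute"]))
            if same_key and rec["time"] - pending["time"] <= window:
                pending["new"] = data["Value"]
                flush()
            else:
                flush()
                rec["new"] = data["Value"]
                changes.append(rec)
    flush()
    return changes


def _line(name, sub, offset, cls, dn, attr, value):
    """Build one constructed log line in the assumed layout."""
    return json.dumps({
        "Action": {"Event": {"Name": name, "SubEvent": sub}, "Time": {"Offset": offset}},
        "Target": {"Data": {"ClassName": cls, "Name": dn, "Attribute": attr, "Value": value}},
    })


# Constructed sample: one Title change on a user (two events) and one add on a group.
SAMPLE_LINES = [
    _line("MODIFY_ACCOUNT", "DSE_DELETE_VALUE", 1491206400, "User",
          "CN=jdoe,O=acme", "Title", "Analyst"),
    _line("MODIFY_ACCOUNT", "DSE_ADD_VALUE", 1491206400, "User",
          "CN=jdoe,O=acme", "Title", "Senior Analyst"),
    _line("MODIFY_TRUST", "DSE_ADD_VALUE", 1491206460, "Group",
          "CN=admins,O=acme", "Description", "Tier 0 administrators"),
]

if __name__ == "__main__":
    for change in coalesce_modifies(SAMPLE_LINES):
        print(change)
```

The pairing key is (target, attribute) plus a short time window rather than subevent order alone, so an unrelated add that arrives between a delete and its add does not get glued to the wrong change.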



Q&A


1. Why are a few Trust based events under Security Events and not under Trust Management Events?
A. Associate/Deassociate Trust and Grant/Revoke Trust Access relate to group membership, Security Equals, Equivalent To Me and the ACL attributes of an object. As these attributes change, an object may gain or lose rights, so these events constitute a Security Event rather than a regular Trust Management Event.

2. Earlier versions of XDAS used to have an NMAS or LDAP event as the subevent. I only see the DSE* subevents. What is the recommendation for customers who only had, for example, NMAS events and were filtering on NMAS events?
A. NMAS events are now mapped to the Create Session, Account Security Token and Enable/Disable Service events only. Customers who want only NMAS events can enable these, or use the NMAS Collector via the Platform Agent. LDAP events have been rolled into the eDirectory events.
(NOTE: with CEF support in eDirectory 9, LDAP events can be tracked separately from other NDSD events.)

3. Is there any work to be done on the customer side to incorporate these changes into a current auditing environment?
A. It depends on how the event data is ultimately consumed.  If customers have written their own parsing logic, it will need to be changed.  However, there is no work required if Sentinel is used as it already has the parsing logic and data formulation.

4. Does the old configuration get saved?
A. No. On upgrade, where a customer was already using XDAS, eDirectory will:
- remove the xdasDSConfiguration attribute
- create the xdasConfiguration attribute if required
- enable all the basic events, with the default mapping, when the xdasauditds module loads or when the user visits the new iManager plugin page.