Novell's NetWare has been around for many years, though it is not the dominant network operating system anymore. Early versions were limited in their capability to keep track of events, but this changed with NetWare 4.x. The most useful tool for older systems is the AUDITCON tool, which can be used to configure and audit a wide range of system events.
SYSCON and AUDITCON
The SYSCON utility that was used in NetWare 3.x was limited in the type of information it could provide to the administrator. It was basically limited to statistical information such as the number of blocks read/written and the services the server provided. In NetWare 4.x the AUDITCON utility provides an advanced tool that is superior to SYSCON in two ways:
- The information is more granular. File-system events, such as access and modifications to individual files or directories, can be tracked. Events are also audited for NDS objects.
- The auditing role has been separated from the administrator's role, enabling an employee other than the administrator to act as the network auditor.
Both of these features are significant advances. The first makes the information gathered more than just statistical. You can now track access, and the type of access, to individual files or objects. The second can be used to ensure that the network administrators, usually all-powerful people who can do anything on the network, are also held accountable for their actions. Network security is not compromised by the auditor, however, because this person does not have to be granted administrator-like rights to objects such as the SYS:SYSTEM directory. The administrator's and the auditor's functions are separated.
After the administrator has enabled auditing on volumes or containers and designated the auditor, the auditor can use the AUDITCON utility to check the system. Using AUDITCON, the auditor can modify which events are audited on which resources, and can produce reports showing auditing information.
Auditable Events
The precise granularity of things you can audit is what makes AUDITCON a powerful tool. The person who has been set up as the auditor can perform these actions:
- Audit by event—This includes file-related events such as open, read, write, and create files or directories. These can be audited for all users (global) or on a per-user basis. You can also audit printer queue events (QMS), server events (such as when it is brought down or restarted), and user events (such as user logins and logouts or the creation or deletion of user objects).
Auditing Files
The auditing software uses several places to store its data:
- NET$AUDT.DAT—This file can be found at the root of every volume that has auditing enabled. It is always flagged as an open file to prevent anyone other than the auditor from accessing it directly. This file stores audit information in a binary format, and only for the volume on which it resides.
- AUD$HIST.DAT—This file is used to keep track of actions taken by the auditor(s). After all, someone has to watch the watcher! When more than one auditor is assigned to the network, each should have a separate user account so that this file can be used to track the actions taken by each auditor, giving still more checks and balances to the system.
- NET$AUDT.CFG—This file contains audit file configuration information and is found at the root of the volume that is being audited. Using the AUDITCON utility, you can change the configuration information stored here, such as the maximum size the audit file can grow to, whether to allow more than one auditor to access the audit file at the same time, and whether dual-level passwords are used, among other things. The dual-level password requires an additional auditor password to be used when changing configuration information.
Using AUDITCON to Enable Auditing
An Admin user can enable auditing on a volume by running the AUDITCON utility. From the main menu, select the Enable Volume Auditing option and enter the password for that volume. If an old audit data file exists on the volume, it is replaced by the new file.
After this has been done, the administrator should give the volume password to the auditor, who should run AUDITCON and change it to a new value that the administrator does not know. Note that if the password is forgotten, the volume must be deleted and re-created if you want to change the password. You cannot recover the password. Also, without the correct password, you can disable auditing on the volume!
To change the audit password, the auditor should run the AUDITCON utility and select Audit Files Maintenance. From the next menu, select Auditing Configuration and then Change Audit Password. When prompted, enter the new password.
Producing Reports
Reports are produced to translate the binary auditing data into a format readable by humans. These reports can be produced by selecting Auditing Reports from the AUDITCON main menu. For security purposes, you should never leave these reports in a directory that can be easily accessed by other users. Instead, view or print the report text files and then delete them. You can always rerun the report later if you need to obtain another copy.
When producing an audit report, you can select events by date, time, and event; you also can choose to include or exclude selected files, directories, or users. This filtering capability makes it easy to get right to the important data when you are troubleshooting a security breach. If you are performing a regular review of the system, you can select all data and spend hours poring through it, but a large volume of data will most likely make it easy to miss an important event. In other words, when performing an analysis of the data, it's best to have a target objective of files or events, or possibly users, you need to keep an eye on.
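The targeted review described above (a date/time window, an event list, and include/exclude lists for users and files) can be illustrated with a small filter. The following is an added example, not part of the original text and not Novell's AUDITCON code: it assumes a hypothetical tab-separated export of report lines (date, time, event, user, path), since the page does not define the report layout, and the records themselves are constructed sample data.

```python
from datetime import datetime

# Constructed sample records in a hypothetical tab-separated layout:
# date, time, event, user, path. The real AUDITCON report format is not
# described on the page, so this layout is an assumption for the example.
SAMPLE_REPORT = """\
2004-03-01\t08:15:22\tOPEN\tJSMITH\tSYS:PAYROLL\\APRIL.DAT
2004-03-01\t08:16:03\tWRITE\tJSMITH\tSYS:PAYROLL\\APRIL.DAT
2004-03-01\t09:40:10\tLOGIN\tADMIN\t-
2004-03-01\t23:57:48\tDELETE\tADMIN\tSYS:SYSTEM\\NET$LOG.DAT
2004-03-02\t00:02:11\tWRITE\tTEMP01\tSYS:PAYROLL\\APRIL.DAT
2004-03-02\t10:30:00\tREAD\tJSMITH\tSYS:PUBLIC\\README.TXT
"""


def parse_report(text):
    """Turn the exported report text into a list of record dictionaries."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event, user, path = line.split("\t")
        records.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "event": event,
            "user": user,
            "path": path,
        })
    return records


def filter_records(records, start=None, end=None, events=None,
                   include_users=None, exclude_users=None,
                   include_paths=None, exclude_paths=None):
    """Apply the same kind of selection the report menu offers: a date/time
    window, an event list, and include/exclude lists for users and for
    files or directories. Path filters match on a prefix so that a whole
    directory tree can be selected or excluded at once."""
    out = []
    for r in records:
        if start and r["when"] < start:
            continue
        if end and r["when"] > end:
            continue
        if events and r["event"] not in events:
            continue
        if include_users and r["user"] not in include_users:
            continue
        if exclude_users and r["user"] in exclude_users:
            continue
        if include_paths and not any(r["path"].startswith(p) for p in include_paths):
            continue
        if exclude_paths and any(r["path"].startswith(p) for p in exclude_paths):
            continue
        out.append(r)
    return out


def payroll_modifications_by_others(records):
    """Targeted question: who other than JSMITH changed anything under SYS:PAYROLL?"""
    return filter_records(records,
                          events={"WRITE", "DELETE", "CREATE"},
                          include_paths=["SYS:PAYROLL"],
                          exclude_users={"JSMITH"})


def after_hours_admin_activity(records):
    """Targeted question: what did ADMIN do outside 08:00-18:00?"""
    return [r for r in filter_records(records, include_users={"ADMIN"})
            if not 8 <= r["when"].hour < 18]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for r in payroll_modifications_by_others(recs) + after_hours_admin_activity(recs):
        print(r["when"], r["event"], r["user"], r["path"])
```

Each question is phrased as a filter rather than a full dump, which is the point of the passage: with six records the difference is trivial, but with a full volume's worth of events the unfiltered report is where an important entry gets missed.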
NetWare Auditing Solutions
NetWare 6.5 contains an auditing utility developed by Blue Lance (www.bluelance.com) called LT Auditor+ Server Edition for NetWare, which replaced the Novell Advanced Audit Service (NAAS) added to NetWare 6. LT Auditor+ Server Edition for NetWare is a "light" version of Blue Lance's popular LT Auditor+ that supports only a single NetWare 6.5 server.
If you need support for eDirectory, Windows 2000/NT, or other advanced features, you should consider upgrading to the full version of LT Auditor+ 8 SP4 or use Novell's own Audit 2.
In addition to providing LT Auditor+ Server Edition for NetWare as part of NetWare 6.5, Novell also sells its own full-featured auditing solution known as Novell Audit 2, an upgraded version of Novell Nsure Audit 1.0. Novell Audit 2 is a cross-platform auditing product that supports Novell NetWare 4.2 and above; Windows NT 4.0, 2000, 2000 Server, XP and Server 2003; SUSE Linux Enterprise 8; Solaris 8 and 9; RedHat Linux 7.3, 8, AS, and ES 2.1.
Novell Audit 2 works by using agents that collect data on an object, such as a server. A secure logging server receives this information from the agents on the network. Agents are configured through a simple text-based configuration file known as the logevent file. On a NetWare server, this file is /etc/logevent.cfg; on Linux and Solaris, /etc/logevent.conf; on Windows, logevent.cfg in the default Windows folder (usually \Windows or \WinNT). Novell supplies a Java-based Platform Agent Configuration Tool to provide a graphical editor for the logevent file.
Novell Audit 2 can receive log events from Novell eDirectory 6.x, DirXML 2.0, NetMail 3.5 and above, iChain 2.2 SP1, BorderManager 3.8, NetWare NSS and NetWare Traditional file systems.
You can learn more about Novell Audit 2 by visiting its home page at the URL www.novell.com/products/audit/.