Wednesday, April 9, 2008

Novell Security

Novell's NetWare has been around for many years, though it is not the dominant network opera system anymore. Early versions were limited in their capability to keep track of events, but this changed with NetWare 4.x. The most useful tool for older systems is the AUDITCON tool, which canbe used to configure and audit a wide rang of system events.

SYSCON and AUDITCON

The SYSCON utility that was used in NetWare 3.x was limited in the type of information it could yide to the administrator. It was basically limited to statistical information such as the number of blocks read/written and the services the server provided. In NetWare 4.x the AUDITCON utility pr vides an advanced tool that is superior to SYSCON in two ways:

Both of these features are significant advances. The first makes the information gathered more than just statistical. You can now track access and the type of access to individual files or objects. The second can be used to ensure that the network administrators, usually all-powerful people who can do anything on the network, are also held accountable their actions. Network security is not compromised by the auditor, however, because this person does not have to be granted administrator-like rights to objects such as the SYS : SYSTEM directory. The administrator's and the auditor's functions are separated.

Internet 2010

After the administrator has enabled auditing on volumes or containers and designated the auditor, the auditor can use the AUDITCON utility to check the system. Using AUDITCON, the auditor can modify which events are audited on which resources, and can produce reports showing auditing information.

Auditable Events

The precise granularity of things you can audit is what makes AUDITCON a powerful tool. The person who has been set up as the auditor can perform these actions:

Auditing Files

The auditing software uses several places to store its data:

  • NET$AUDT.DATThis file can be found at the root of every volume that has auditing enabled. It is always flagged as an open file to prevent anyone other than the auditor from accessing it directly. This file stores binary information in a binary format only for the volume on which it resides.

Using AUDITCON to Enable Auditing

An Admin user can enable auditing on a volume by running the AUDITCON utility. From the main menu, select the Enable Volume Auditing option and enter the password for that volume. If an old audit data file exists on the volume, it is replaced by the new file.

After this has been done, the administrator should give the volume password to the auditor, who should run AUDITCON and change it to a new value that the administrator does not know. Note that if the password is forgotten, the volume must be deleted and re-created if you want to change the password. You cannot recover the password. Also, without the correct password, you can disable auditing on the volume!

To change the audit password, the auditor should run the AUDITCON utility and select Audit Files Maintenance. From the next menu, select Auditing Configuration and then Change Audit Password. When prompted, enter the new password.

Producing Reports

Reports are produced to translate the binary auditing data into a format readable by humans. These reports can be produced by selecting Auditing Reports from the AUDITCON main menu. For security purposes, you should never leave these reports in a directory that can be easily accessed by other users. Instead, view or print the report text files and then delete them. You can always rerun the report later if you need to obtain another copy.

When producing an audit report, you can select events by date, time, and event; you also can choose to include or exclude selected files, directories, or users. This filtering capability makes it easy to get right to the important data when you are troubleshooting a security breach. If you are performing a regular review of the system, you can select all data and spend hours poring through it, but a large volume of data will most likely make it easy to miss an important event. In other words, when performing an analysis of the data, it's best to have a target objective of files or events, or possibly users, you need to keep an eye on.

NetWare Auditing Solutions

NetWare 6.5 contains an auditing utility developed by Blue Lance (www.bluelance.com) called LT Auditor+ Server Edition for NetWare, which replaced the Novell Advanced Audit Service (NAAS) added to NetWare 6. LT Auditor+ Server Edition for NetWare is a "light" version of Blue Lance's popular LT Auditor+ that supports only a single NetWare 6.5 server

If you need support for eDirectory, Windows 2000/NT, or other advanced features, you should consider upgrading to the full version of LT Auditor+ 8 SP4 or use Novell's own Audit 2.

In addition to providing LT Auditor+ Server Edition for NetWare as part of NetWare 6.5, Novell also sells its own full-featured auditing solution known as Novell Audit 2, an upgraded version of Novell Nsure Audit 1.0. Novell Audit 2 is a cross-platform auditing product that supports Novell NetWare 4.2 and above; Windows NT 4.0, 2000, 2000 Server, XP and Server 2003; SUSE Linux Enterprise 8; Solaris 8 and 9; RedHat Linux 7.3, 8, AS, and ES 2.1.

Novell Audit 2 works by using an agent which is used to collect data on an object, such as a server. A secure logging server receives this information from agents on the network. Agents are configured through a simple text-based configuration file known as the logevent. On a NetWare server, this file is called /etc/logevent.cfg; on Linux and Solaris, as /etc/logevent.conf; on Windows, as logevent.cfg in the default Windows folder (usually \Windows or \WinNT). Novell supplies a Java-based Platform Agent Configuration Tool to provide a graphical editor for the logevent file.

Novell Audit 2 can receive log events from Novell eDirectory 6.x, DirXML 2.0, NetMail 3.5 and above, iChain 2.2 SP1, BorderManager 3.8, NetWare NSS and NetWare Traditional file systems.

You can learn more about Novell Audit 2 by visiting its home page at the URL www novell.com/ products/audit /.

No comments:

Internet Blogosphere