5.1 Account Management Events

An identity is a token used to represent a particular user or entity. The blame or credit for an action goes to the identity for a set of activities within a system. Accounts exist in the application domains to associate attributes with the set of identifiers typically associated with identities. Identities can be a a human being or an automated identity, such as another service, which is acting on behalf of a human or a regularly scheduled system activity. In both the cases, account management is considered as persistent account creation, wherein an identity with some limited or unlimited set of system rights is associated with attributes.

NOTE:The Modify Account Security Token event could have been defined in terms of Modify Account, but modification of account security tokens is considered critical to audit security, and is thus given its own event.

Table 5-1 Account Management Event Taxonomy

Event Name

Event Identifier

Corresponding eDir Event

Description

Use

Create Account

0.0.0.0

DSE_CREATE_ENTRY

DSE_LDAP_ADD

DSE_LDAP_ADDRESPONSE

DSE_NAME_COLLISION

Create a new account

Consider this event as appropriate for any situation wherein an account, as defined above, is to be created.

Delete Account

0.0.0.1

DSE_DELETE_ENTRY

DSE_LDAP_DELETE

DSE_LDAP_DELETERESPONSE

DSE_MOVE_SOURCE_ENTRY

DSE_REMOVE_ENTRY

Delete an existing account

This event has the opposite semantic meaning of account creation. Use this event wherever such an account, as described above, is to be deleted.

Disable Account

0.0.0.2

DSE_LOGIN

DSE_ADD_VALUE

Disable an existing account

Consider this event relevant for any situation where a particular record in an identifier database is disabled by an administrator or an automated security process such that it can no longer be used until it is re-enabled

Enable Account

0.0.0.3

DSE_ADD_VALUE

Enable an existing account

This is the counterpart event to the disable account event defined above.

Query Account

0.0.0.4

DSE_SEARCH

DSE_DSA_READ

DSE_INSPECT_ENTRY

DSE_LDAP_SEARCH

DSE_LDAP_SEARCHENTRYRESPONSE

DSE_LDAP_COMPARE

Query an existing account

Consider the Query account events whenever a request for the attribute information of a particular account is made.

Modify Account

0.0.0.5

DSE_MERGE_ENTRIES

DSE_ADD_VALUE

DSE_DELETE_ATTRIBUTE

DSE_DELETE_VALUE

DSE_LDAP_MODDN

DSE_LDAP_MODDNRESPONSE

DSE_LDAP_MODIFY

DSE_LDAP_MODIFYRESPONSE

DSE_MODIFY_ENTRY

DSE_MODIFY_RDN

DSE_RENAME_ENTRY

Modify an existing account

Consider the Modify account events whenever a request to change attribute information of a particular account is made.

Modify Account Security Token

0.0.0.6

DSE_CHGPASS

Modify an existing account security token

An account security token may be a password, or any other type of authentication materials associated with a user account. Here, a user account means any type of account by which a user, application, or system service may authenticate, and then act with the rights of that account.

5.1.1 Examples for Account Management Events

This section includes examples for the following Account Management events:

NOTE:The examples provided in the following sections are for reference only.

Create Account

Click Create Account to generate an event for creating a user account. An output in JSON format, similar to the following is generated:

Jan 08 15:06:03 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SLES11-SP2,O=mycom"},"Entity" : {"SysAddr" : "100.1.1.2","SysName" : "SLES11-SP2.my.com"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32805"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=USER,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_ACCOUNT","CorrelationID" : "eDirectory#25#0ef05b4c-e864-4d4c-f7a9-4c5bf00e64e8","SubEvent" : "DSE_CREATE_ENTRY"},"Time" : {"Offset" : 1389173763},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

The preceding example appears in XML format (when converted from JSON format), as follows:

<Source>eDirectory#DS</Source>
  <Observer>
    <Account>
      <Domain>MYTREE</Domain>
      <Name>CN=SLES11-SP2,O=mycom</Name>
    </Account>
    <Entity>
      <SysAddr>100.1.1.2</SysAddr>
      <SysName>SLES11-SP2.my.com</SysName>
    </Entity>
  </Observer>
  <Initiator>
    <Account>
      <Name>CN=admin,O=mycom</Name>
      <Id>32805</Id>
    </Account>
  </Initiator>
  <Target>
    <Data>
      <ClassName>User</ClassName>
      <Name>CN=USER,O=mycom</Name>
    </Data>
  </Target>
  <Action>
    <Event>
      <Id>0.0.2.0</Id>
      <Name>CREATE_ACCOUNT</Name>
      <CorrelationID>eDirectory#25#0ef05b4c-e864-4d4c-f7a9-4c5bf00e64e8</CorrelationID>
      <SubEvent>DSE_CREATE_ENTRY</SubEvent>
    </Event>
    <Time>
      <Offset>1389173763</Offset>
    </Time>
    <Log>
      <Severity>7</Severity>
    </Log>
    <Outcome>0</Outcome>
    <ExtendedOutcome>0</ExtendedOutcome>
  </Action>

Delete Account

Click Delete Account to generate an event for creating a user account, as shown in the following example:

Jan 08 15:17:10 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SLES11-SP2,O=mycom"},"Entity" : {"SysAddr" : "100.1.1.2","SysName" : "SLES11-SP2-164.my.com"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32805"}},"Target" : {"Data" : {"Name" : "CN=USER,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.0.1","Name" : "DELETE_ACCOUNT","CorrelationID" : "eDirectory#25#bc9563e5-d322-43c5-fb91-e56395bc22d3","SubEvent" : "DSE_REMOVE_ENTRY"},"Time" : {"Offset" : 1389174430},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Disable Account

Click Disable Account to generate an event for disabling a user account, as shown in the following example:

Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"},"Entity" : {"SysAddr" : "0.0.0.0:0"},"Assertions" : {"NullPassword" : "FALSE","bindery login" : "FALSE"}},"Target" : {"Data" : {"ClassName" : "NCP Server","Name" : "CN=SRV1,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.0.2","Name" : "DISABLE_ACCOUNT","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_LOGIN"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Enable Account

Click Enable Account to generate an event for enabling a user account, as shown in the following example:

Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32809"},"Entity" : {"SysAddr" : "100.1.2.142:40645"}},"Target" : {"Data" : {"Attribute Name" : "Object Class","Attribute Value" : "ndsLoginProperties","Name" : "dc=LDAPValidate","Syntax" : "20"}},"Action" : {"Event" : {"Id" : "0.0.0.3","Name" : "ENABLE_ACCOUNT","CorrelationID" : "eDirectory#41#4477577d-b132-4d62-9e89-7d57774432b1","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Query Account

Click Query Account to generate an event for querying a user account, as shown in the following example:

Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"},"Entity" : {"SysAddr" : "0.0.0.0:0"}},"Target" : {"Data" : {"Name" : "CN=Test User1,dc=LDAPValidate"}},"Action" : {"Event" : {"Id" : "0.0.0.4","Name" : "QUERY_ACCOUNT","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_DSA_READ"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-603"}}

Modify Account

Click Modify Account to generate an event for querying a user account, as shown in the following example:

Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"},"Entity" : {"SysAddr" : "0.0.0.0:0"}},"Target" : {"Data" : {"Attribute Flag" : "2","Name" : "CN=Test User1,dc=LDAPValidate"}},"Action" : {"Event" : {"Id" : "0.0.0.5","Name" : "MODIFY_ACCOUNT","CorrelationID" : "eDirectory#0#fa79e19c-034a-445b-6292-9ce179fa4a03","SubEvent" : "DSE_MODIFY_ENTRY"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Modify Account Security Token

Click Modify Account Security Token to generate an event for querying a user account, as shown in the following example:

Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32809"},"Entity" : {"SysAddr" : "100.1.2.142:40645"}},"Target" : {"Data" : {"Name" : "CN=Test User1,dc=LDAPValidate"}},"Action" : {"Event" : {"Id" : "0.0.0.6","Name" : "MODIFY_ACCOUNT_SECURITY_TOKEN","CorrelationID" : "eDirectory#41#d0f97989-ac20-401f-03ab-8979f9d020ac","SubEvent" : "DSE_CHGPASS"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}