H.2 XDAS Events

H.2.1 Account Management Events

Account Management events are applicable to the management of principal accounts. A principal may be an end-user. By default, the Organizational Person, Person, and User object classes are mapped to accounts.

NOTE: The Modify Account Security Token event can be defined in terms of Modify Account, but modification of account security tokens is considered critical to audit security, and is thus given its own event.

Table H-2 Account Management Event Taxonomy

| Event Name | Event Identifier | Corresponding eDir Event | Description | Use |
|---|---|---|---|---|
| Create Account | 0.0.0.0 | DSE_CREATE_ENTRY, DSE_ADD_ENTRY | Create a new account | This event is generated when an account is created. |
| Delete Account | 0.0.0.1 | DSE_REMOVE_ENTRY | Delete an existing account | This event has the opposite semantic meaning of account creation. This event is generated when an account is deleted. |
| Disable Account | 0.0.0.2 | DSE_ADD_VALUE | Disable an existing account | This event is generated when an account is disabled by an administrator or an automated security process and cannot be used until it is re-enabled. |
| Enable Account | 0.0.0.3 | DSE_ADD_VALUE | Enable an existing disabled account | This is the counterpart event to the disable account event defined above. |
| Query Account | 0.0.0.4 | DSE_INSPECT_ENTRY, DSE_LIST_SUBORDINATES, DSE_READ_REFERENCES, DSE_SEARCH, DSE_REFERRAL, DSE_COMPARE_ATTR_VALUE, DSE_READ_ATTR, DSE_STREAM | Query an existing account | This event is generated whenever a request for the attribute information of a particular account is made. |
| Modify Account | 0.0.0.5 | DSE_ADD_VALUE, DSE_MOVE_SOURCE_ENTRY, DSE_DELETE_VALUE, DSE_MOVE_SUBTREE, DSE_MERGE_ENTRIES, DSE_MOVE_DEST_ENTRY, DSE_MUTATE_ENTRY, DSE_RENAME_ENTRY, DSE_ADD_PROPERTY, DSE_MODIFY_ENTRY, DSE_DELETE_PROPERTY, DSE_RESEND_ENTRY, DSE_CREATE_BACKLINK, DSE_REMOVE_BACKLINK | Modify an existing account | This event is generated whenever a request to modify attribute information of a particular account is made. |

Examples of Account Management Events

This section includes examples for the following Account Management events:

NOTE: The examples provided in the following sections are for reference only.

Create Account

Click Create Account to generate an event for creating a user account. Output in JSON format similar to the following is generated:

Mar 15 12:08:35 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"ClassName" : "User"},"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=user1,O=novell","Id" : "32864"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_ACCOUNT","CorrelationID" : "eDirectory#29#87e32af4-e717-4607-a541-f42ae38717e7","SubEvent" : "DSE_CREATE_ENTRY"},"Time" : {"Offset" : 1489559915},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

The preceding example appears in XML format (when converted from JSON format), as follows:

<Source>eDirectory#DS</Source>
  <Observer>
    <Account>
      <Domain>MYTREE</Domain>
      <Name>CN=SLES11-SP2,O=mycom</Name>
    </Account>
    <Entity>
      <SysAddr>100.1.1.2</SysAddr>
      <SysName>SLES11-SP2.my.com</SysName>
    </Entity>
  </Observer>
  <Initiator>
    <Account>
      <Name>CN=admin,O=mycom</Name>
      <Id>32805</Id>
    </Account>
  </Initiator>
  <Target>
    <Data>
      <ClassName>User</ClassName>
      <Name>CN=USER,O=mycom</Name>
    </Data>
  </Target>
  <Action>
    <Event>
      <Id>0.0.2.0</Id>
      <Name>CREATE_ACCOUNT</Name>
      <CorrelationID>eDirectory#25#0ef05b4c-e864-4d4c-f7a9-4c5bf00e64e8</CorrelationID>
      <SubEvent>DSE_CREATE_ENTRY</SubEvent>
    </Event>
    <Time>
      <Offset>1389173763</Offset>
    </Time>
    <Log>
      <Severity>7</Severity>
    </Log>
    <Outcome>0</Outcome>
    <ExtendedOutcome>0</ExtendedOutcome>
  </Action>

Delete Account

Click Delete Account to generate an event for deleting a user account, as shown in the following example:

Mar 13 16:40:50 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32872"},"Entity" : {"SysAddr" : "100.1.2.194:16600"}},"Target" : {"Data" : {"ClassName" : "User","Version" : "2"},"Account" : {"Domain" : "VLV_MEM","Name" : "CN=user1,O=novell","Id" : "203366"}},"Action" : {"Event" : {"Id" : "0.0.0.1","Name" : "DELETE_ACCOUNT","CorrelationID" : "eDirectory#18#f2bb6a04-b1a5-43c2-a990-046abbf2a5b1","SubEvent" : "DSE_REMOVE_ENTRY"},"Time" : {"Offset" : 1489403450},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Disable Account

Click Disable Account to generate an event for disabling a user account, as shown in the following example:

Mar 08 17:39:31 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=novell,OU=co,O=in","Id" : "32863"},"Entity" : {"SysAddr" : "100.1.2.194:39382"}},"Target" : {"Data" : {"Attribute Name" : "Login Disabled","ClassName" : "User","Version" : "2"},"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=rrrr,OU=novell,OU=co,O=in","Id" : "32906"}},"Action" : {"Event" : {"Id" : "0.0.0.2","Name" : "DISABLE_ACCOUNT","CorrelationID" : "eDirectory#91#2a382b1e-9d96-4990-9341-1e2b382a969d","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1488974971},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Enable Account

Click Enable Account to generate an event for enabling a user account, as shown in the following example:

Mar 07 18:13:09 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=novell,OU=co,O=in","Id" : "32863"},"Entity" : {"SysAddr" : "100.1.2.194:18902"}},"Target" : {"Data" : {"Attribute Name" : "Login Disabled","ClassName" : "User","Version" : "2"},"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=raghu,OU=novell,OU=co,O=in","Id" : "32893"}},"Action" : {"Event" : {"Id" : "0.0.0.3","Name" : "ENABLE_ACCOUNT","CorrelationID" : "eDirectory#72#eecfbf13-9f36-4c09-b468-13bfcfee369f","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1488890589},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Query Account

Click Query Account to generate an event for querying a user account, as shown in the following example:

Mar 06 16:40:00 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=novell,OU=co,O=in","Id" : "32863"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Attribute Name" : "ACL","ClassName" : "User","Version" : "2"},"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=admin,OU=novell,OU=co,O=in","Id" : "32863"}},"Action" : {"Event" : {"Id" : "0.0.0.4","Name" : "QUERY_ACCOUNT","CorrelationID" : "eDirectory#59#","SubEvent" : "DSE_READ_ATTR"},"Time" : {"Offset" : 1488798600},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Modify Account

Click Modify Account to generate an event for modifying a user account, as shown in the following example:

Mar 07 16:24:45 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Attribute Name" : "pwdFailureTime","ClassName" : "User","Syntax" : "24","Version" : "2"},"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=admin,OU=novell,OU=co,O=in","Id" : "32863"}},"Action" : {"Event" : {"Id" : "0.0.0.5","Name" : "MODIFY_ACCOUNT","CorrelationID" : "eDirectory#0#678d790d-c19f-4364-b821-0d798d679fc1","SubEvent" : "DSE_DELETE_ATTRIBUTE"},"Time" : {"Offset" : 1488884085},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
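The following is an added example, not part of the product documentation: it parses lines in the layout shown above, flattens each payload into the fields an analyst pivots on, and keeps only the account events that change state. It goes slightly beyond account events by also reading `Target.Data.Name`, which the trust and data item samples on this page use. The sample lines are constructed, and reading `Time.Offset` as Unix epoch seconds is an assumption that is consistent with the sample values.

```python
import json
from datetime import datetime, timezone

# Constructed template in the layout of the page's sample lines. Every value
# (tree, names, addresses, ids) is made up for this example.
_TEMPLATE = (
    'Mar 15 12:08:35 eDirectory : INFO {"Source" : "eDirectory#DS",'
    '"Observer" : {"Account" : {"Domain" : "EXAMPLE-TREE","Name" : "CN=srv1,O=example"},'
    '"Entity" : {"SysAddr" : "192.0.2.10","SysName" : "srv1"}},'
    '"Initiator" : {"Account" : {"Name" : "%(who)s","Id" : "32834"},'
    '"Entity" : {"SysAddr" : "192.0.2.44:39382"}},'
    '"Target" : {"Data" : {"ClassName" : "User","Version" : "2"},'
    '"Account" : {"Domain" : "EXAMPLE-TREE","Name" : "%(target)s","Id" : "32864"}},'
    '"Action" : {"Event" : {"Id" : "%(id)s","Name" : "%(name)s",'
    '"CorrelationID" : "eDirectory#29#","SubEvent" : "%(sub)s"},'
    '"Time" : {"Offset" : %(offset)d},"Log" : {"Severity" : 7},'
    '"Outcome" : "0","ExtendedOutcome" : "0"}}'
)
ADMIN, USER = "CN=admin,O=example", "CN=jdoe,O=example"


def _sample(name, event_id, sub, offset):
    """Fill the constructed template for one event."""
    return _TEMPLATE % {"name": name, "id": event_id, "sub": sub,
                        "who": ADMIN, "target": USER, "offset": offset}


SAMPLE_LINES = [
    _sample("CREATE_ACCOUNT", "0.0.2.0", "DSE_CREATE_ENTRY", 1489559915),
    _sample("QUERY_ACCOUNT", "0.0.0.4", "DSE_READ_ATTR", 1489559920),
    _sample("DISABLE_ACCOUNT", "0.0.0.2", "DSE_ADD_VALUE", 1489559930),
    # A line cut off in transit: the JSON payload is incomplete.
    _sample("DELETE_ACCOUNT", "0.0.0.1", "DSE_REMOVE_ENTRY", 1489559940)[:180],
]

# Matched on Action.Event.Name rather than Id: the page's Create Account sample
# carries Id 0.0.2.0 while Table H-2 lists 0.0.0.0 for that event.
STATE_CHANGES = {"CREATE_ACCOUNT", "DELETE_ACCOUNT",
                 "DISABLE_ACCOUNT", "ENABLE_ACCOUNT"}


def parse_xdas_line(line):
    """Return the JSON payload that follows the syslog prefix, or None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        payload = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return payload if isinstance(payload, dict) else None


def normalize(payload):
    """Flatten one payload; fields absent from the event come back as None."""
    initiator = payload.get("Initiator", {})
    target = payload.get("Target", {})
    action = payload.get("Action", {})
    event = action.get("Event", {})
    data = target.get("Data", {})
    # Account events name the target under Target.Account; the trust and data
    # item samples on the page use Target.Data.Name instead.
    target_name = target.get("Account", {}).get("Name") or data.get("Name")
    addr = initiator.get("Entity", {}).get("SysAddr", "")
    host, sep, _port = addr.rpartition(":")  # "ip:port" in the samples (IPv4)
    offset = action.get("Time", {}).get("Offset")
    return {
        "time_utc": (datetime.fromtimestamp(offset, tz=timezone.utc).isoformat()
                     if isinstance(offset, int) else None),
        "event": event.get("Name"),
        "event_id": event.get("Id"),
        "sub_event": event.get("SubEvent"),
        "initiator": initiator.get("Account", {}).get("Name"),
        "initiator_ip": host if sep else addr or None,
        "target": target_name,
        "class": data.get("ClassName"),
        "attribute": data.get("Attribute Name"),
        "outcome": action.get("Outcome"),
    }


def account_state_changes(lines):
    """Return (records, skipped): state-changing account events, and the
    number of lines whose payload could not be parsed."""
    records, skipped = [], 0
    for line in lines:
        payload = parse_xdas_line(line)
        if payload is None:
            skipped += 1
            continue
        record = normalize(payload)
        if record["event"] in STATE_CHANGES:
            records.append(record)
    return records, skipped


if __name__ == "__main__":
    changes, skipped = account_state_changes(SAMPLE_LINES)
    for rec in changes:
        print(f'{rec["time_utc"]} {rec["event"]} {rec["target"]} '
              f'by {rec["initiator"]} from {rec["initiator_ip"]}')
    print(f"unparseable lines: {skipped}")
```

Counting skipped lines matters for audit pipelines: a truncated delete event that is silently dropped is a gap in the account history.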

H.2.2 Trust Management Events

Trust Management events are used for managing trust relationships. A trust may be instantiated through a group or a role. By default, the dynamicGroup, dynamicGroupAux, Group, LDAP Group, and Organizational Role object classes are mapped to trusts.

For example, when an identity in Domain A makes a request to a service governed by Domain B, an association of trust is required between the two domains. This is called a trust relationship. You set up a trust relationship by establishing an identity in Domain B, which is used as a proxy for any request coming from any identity in Domain A.

Table H-3 Trust Management Events Taxonomy

| Event Name | Event Identifier | Corresponding eDir Event | Description | Use |
|---|---|---|---|---|
| Create Trust | 0.0.1.0 | DSE_CREATE_ENTRY, DSE_ADD_ENTRY | Creation of a trust. | This event is reported when a new trust is created. |
| Delete Trust | 0.0.1.1 | DSE_REMOVE_ENTRY | Deletion of a trust. | This event is reported when a trust is deleted. |
| Query Trust | 0.0.1.2 | DSE_INSPECT_ENTRY, DSE_SEARCH, DSE_LIST_SUBORDINATES, DSE_READ_REFERENCES, DSE_REFERRAL, DSE_COMPARE_ATTR_VALUE, DSE_READ_ATTR, DSE_STREAM | Requesting of the attributes associated with a trust. | This event is reported when a request is raised for the attributes which are associated with a trust. |
| Modify Trust | 0.0.1.3 | DSE_MOVE_SUBTREE, DSE_MERGE_ENTRIES, DSE_RENAME_ENTRY, DSE_MOVE_SOURCE_ENTRY, DSE_MOVE_DEST_ENTRY, DSE_MUTATE_ENTRY, DSE_ADD_VALUE, DSE_ADD_PROPERTY, DSE_DELETE_VALUE, DSE_DELETE_PROPERTY, DSE_RESEND_ENTRY, DSE_CREATE_BACKLINK, DSE_REMOVE_BACKLINK, DSE_MODIFY_ENTRY | Modification of the attributes associated with a trust. | This event is reported when any modification is made to the attributes which are associated with a trust. |

Examples of Trust Management Events

The following sections include examples for trust management events.

Create Trust

Click Create Trust to generate an event when a new trust is created, as shown in the following example:

Mar 16 20:56:39 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:43936"}},"Target" : {"Data" : {"ClassName" : "LDAP Group","Name" : "CN=LDAP Group - server2,O=novell","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.1.0","Name" : "CREATE_TRUST","CorrelationID" : "eDirectory#41#2a670625-1950-48cf-8abf-2506672a5019","SubEvent" : "DSE_CREATE_ENTRY"},"Time" : {"Offset" : 1489677999},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Delete Trust

Click Delete Trust to generate an event when an existing trust is removed, as shown in the following example:

Mar 16 22:02:46 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:26571"}},"Target" : {"Data" : {"ClassName" : "dynamicGroup","Name" : "CN=group1,O=novell","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.1.1","Name" : "DELETE_TRUST","CorrelationID" : "eDirectory#55#8f230203-1c8f-41f7-8456-0302238f8f1c","SubEvent" : "DSE_REMOVE_ENTRY"},"Time" : {"Offset" : 1489681966},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Query Trust

Click Query Trust to generate an event when a request is raised for the attributes which are associated with a trust, as shown in the following example:

Mar 16 16:49:35 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:31967"}},"Target" : {"Data" : {"Attribute Name" : "LDAP Allow Clear Text Password","ClassName" : "LDAP Group","Name" : "CN=LDAP Group - SLE12-142,O=novell","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.1.4","Name" : "QUERY_TRUST","CorrelationID" : "eDirectory#46#","SubEvent" : "DSE_READ_ATTR"},"Time" : {"Offset" : 1489663175},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Modify Trust

Click Modify Trust to generate an event when any modification is made to the attributes which are associated with a trust, as shown in the following example:

Mar 16 22:02:46 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:26571"}},"Target" : {"Data" : {"Attribute Name" : "Obituary","Attribute Value" : "72061996379406335","ClassName" : "dynamicGroup","Name" : "CN=group1,O=novell","Syntax" : "9","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.1.5","Name" : "MODIFY_TRUST","CorrelationID" : "eDirectory#55#8f230203-1c8f-41f7-8456-0302238f8f1c","SubEvent" : "DSE_DELETE_VALUE"},"Time" : {"Offset" : 1489681966},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
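The Delete Trust and Modify Trust samples above carry the same CorrelationID and the same Time.Offset. The following added example (not part of the product documentation) groups events by CorrelationID so that the events of one operation are triaged together. The sample lines are constructed, and treating an ID whose third `#`-separated field is empty as uncorrelatable is an assumption based on the shape of the samples.

```python
import json
from collections import defaultdict

# Constructed correlation IDs in the three-field shape seen in the samples.
SHARED_ID = "eDirectory#55#11111111-2222-4333-8444-555555555555"
OTHER_ID = "eDirectory#41#66666666-7777-4888-8999-000000000000"


def _line(name, sub_event, corr_id, target, offset):
    """Constructed line: syslog prefix plus only the fields read below."""
    payload = {
        "Source": "eDirectory#DS",
        "Target": {"Data": {"ClassName": "dynamicGroup", "Name": target}},
        "Action": {"Event": {"Name": name, "CorrelationID": corr_id,
                             "SubEvent": sub_event},
                   "Time": {"Offset": offset}},
    }
    return "Mar 16 22:02:46 eDirectory : INFO " + json.dumps(payload)


SAMPLE_LINES = [
    _line("MODIFY_TRUST", "DSE_DELETE_VALUE", SHARED_ID, "CN=group1,O=example", 1489681966),
    _line("DELETE_TRUST", "DSE_REMOVE_ENTRY", SHARED_ID, "CN=group1,O=example", 1489681966),
    _line("QUERY_TRUST", "DSE_READ_ATTR", "eDirectory#46#", "CN=group2,O=example", 1489663175),
    _line("QUERY_TRUST", "DSE_READ_ATTR", "eDirectory#46#", "CN=group3,O=example", 1489663180),
    _line("CREATE_TRUST", "DSE_CREATE_ENTRY", OTHER_ID, "CN=group4,O=example", 1489677999),
]


def split_correlation_id(corr_id):
    """Split 'first#second#third' into a tuple; an empty third field becomes
    None. The meaning of the fields is not stated on the page."""
    parts = (corr_id or "").split("#")
    if len(parts) != 3:
        return None
    first, second, third = parts
    return first, second, third or None


def group_operations(lines):
    """Return (operations, uncorrelated). operations maps a CorrelationID to
    the events that share it; events whose ID has no third field are listed
    separately instead of being merged with unrelated events."""
    operations = defaultdict(list)
    uncorrelated = []
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue
        try:
            payload = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        action = payload.get("Action", {})
        event = action.get("Event", {})
        summary = {
            "event": event.get("Name"),
            "sub_event": event.get("SubEvent"),
            "target": payload.get("Target", {}).get("Data", {}).get("Name"),
            "offset": action.get("Time", {}).get("Offset"),
        }
        fields = split_correlation_id(event.get("CorrelationID"))
        if fields is None or fields[2] is None:
            uncorrelated.append(summary)
        else:
            operations[event["CorrelationID"]].append(summary)
    return dict(operations), uncorrelated


def multi_event_operations(operations):
    """Operations that produced more than one audit event."""
    return {cid: evs for cid, evs in operations.items() if len(evs) > 1}


def headline(events):
    """Pick the event to show first: a DELETE_* event if the operation has
    one, so a deletion is not triaged as an unexplained modification."""
    for ev in events:
        if (ev["event"] or "").startswith("DELETE_"):
            return ev["event"]
    return events[0]["event"]


if __name__ == "__main__":
    ops, loose = group_operations(SAMPLE_LINES)
    for cid, evs in multi_event_operations(ops).items():
        names = sorted(e["event"] for e in evs)
        print(f"{cid}: {headline(evs)} ({', '.join(names)})")
    print(f"events without a usable CorrelationID: {len(loose)}")
```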

H.2.3 Data Item Management Events

This set of events relates to creating and managing the data items and resource elements within a domain. The type of the data item or the resource element is completely dependent on the domain. By default, any object class that is not mapped to accounts or trusts is mapped to Data Items.

Examples include files and directories, device special files, and shared memory segments within an operating system; tables and records within a database; and messages within an e-mail system. The term data item is used in this context to refer to any type of resource element.

Table H-4 Data Item Management Event Taxonomy

| Event Name | Event Identifier | Corresponding eDir Event | Description | Use |
|---|---|---|---|---|
| Create Data Item | 0.0.3.0 | DSE_CREATE_ENTRY, DSE_ADD_ENTRY, DSE_ADD_REPLICA, DSE_DEFINE_ATTR_DEF, DSE_DEFINE_CLASS_DEF | Create a data item | This event is reported whenever a data item is created. |
| Delete Data Item | 0.0.3.1 | DSE_REMOVE_ENTRY, DSE_REMOVE_REPLICA, DSE_REMOVE_CLASS_DEF, DSE_REMOVE_ATTR_DEF | Delete a data item | This event is reported whenever a security-relevant data item or resource element is deleted. |
| Query Data Item Attribute | 0.0.3.2 | DSE_DSA_READ, DSE_INSPECT_ENTRY, DSE_SEARCH, DSE_LIST_PARTITIONS, DSE_LIST_CONT_CLASSES, DSE_LIST_SUBORDINATES, DSE_READ_REFERENCES, DSE_REFERRAL, DSE_COMPARE_ATTR_VALUE, DSE_READ_ATTR, DSE_STREAM | Requesting of the attributes associated with a data item. | This event is reported whenever a security-relevant data item or resource element is queried – either for value, or for an attribute of the data item. |
| Modify Data Item Attribute | 0.0.3.3 | DSE_UPDATE_SCHEMA, DSE_CHANGE_TREE_NAME, DSE_MOVE_SUBTREE, DSE_MOVE_TREE, DSE_MERGE_ENTRIES, DSE_RENAME_ENTRY, DSE_MOVE_SOURCE_ENTRY, DSE_MOVE_DEST_ENTRY, DSE_MUTATE_ENTRY, DSE_ADD_VALUE, DSE_REMOVE_BACKLINK, DSE_ADD_PROPERTY, DSE_DELETE_VALUE, DSE_DELETE_PROPERTY, DSE_UPDATE_CLASS_DEF, DSE_UPDATE_ATTR_DEF, DSE_CHANGE_REPLICA_TYPE, DSE_MODIFY_CLASS_DEF, DSE_RESEND_ENTRY, DSE_MERGE_TREE, DSE_CREATE_SUBREF, DSE_CREATE_BACKLINK, DSE_MODIFY_ENTRY | Modification of the attributes associated with a data item. | This event is reported whenever a security-relevant data item or resource element is modified – either the value, or an attribute of the data item. |

Examples for Data Item Management Events

The following sections provide examples of Data Item Management events.

Create Data Item

Click Create Data Item to generate an event for creating a data item, as shown in the following example:

Mar 16 20:56:24 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:42144"}},"Target" : {"Data" : {"ClassName" : "NCP Server","Name" : "CN=server2,O=novell","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.3.0","Name" : "CREATE_DATA_ITEM","CorrelationID" : "eDirectory#39#7e296d99-d6a7-4206-8f23-996d297ea7d6","SubEvent" : "DSE_CREATE_ENTRY"},"Time" : {"Offset" : 1489677984},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Delete Data Item

Click Delete Data Item to generate an event for deleting a data item, as shown in the following example:

Mar 16 21:46:32 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:26571"}},"Target" : {"Data" : {"Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.3.1","Name" : "DELETE_DATA_ITEM","CorrelationID" : "eDirectory#55#9509dc1f-ecf1-4306-8fec-1fdc0995f1ec","SubEvent" : "DSE_REMOVE_ENTRY"},"Time" : {"Offset" : 1489680992},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}} 

Query Data Item Attribute

Click Query Data Item Attribute to generate an event for querying a data item attribute, as shown in the following example:

Mar 03 14:01:36 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Attribute Name" : "EBATreeConfiguration","ClassName" : "Tree Root","Name" : "LNX-TREE-BUILD101","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.3.2","Name" : "QUERY_DATA_ITEM_ATTRIBUTE","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_READ_ATTR"},"Time" : {"Offset" : 1488529896},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Modify Data Item Attribute

Click Modify Data Item Attribute to generate an event for modifying a data item attribute, as shown in the following example:

Mar 03 14:05:06 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=novell,OU=co,O=in","Id" : "32863"},"Entity" : {"SysAddr" : "100.1.2.194:214"}},"Target" : {"Data" : {"Attribute Name" : "modifiersName","Attribute Value" : "CN=admin,OU=novell,OU=co,O=in","ClassName" : "NCP Server","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in","Syntax" : "3","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.3.3","Name" : "MODIFY_DATA_ITEM_ATTRIBUTE","CorrelationID" : "eDirectory#32#f2dbd583-1f5c-459a-8c37-83d5dbf25c1f","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1488530106},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

H.2.4 Security Events

This set of events is applicable for auditing security operations of eDirectory. A security operation may be granting or revoking access, login, password modification, or query. This set of events also helps to detect intruder attempts on the eDirectory system.

Table H-5 Security Event Taxonomy

| Event Name | Event Identifier | Corresponding eDirectory Event | Description | Use |
|---|---|---|---|---|
| Associate Trust | 0.0.1.2 | DSE_ADD_MEMBER, DSE_ADD_VALUE | An association of an account with the trust which confers trust permissions to the account. | This event is reported when a new trust association is created. For example, adding a member to a group. |
| De-Associate Trust | 0.0.1.3 | DSE_DELETE_MEMBER, DSE_DELETE_VALUE | Disassociation of an account with a trust. | This event is reported when an existing trust association is removed. For example, removing a member from a group. |
| Modify Account Security Token | 0.0.0.6 | DSE_CHGPASS, DSE_NMAS_LOG_SET_PWD, DSE_NMAS_LOG_SET_LOGIN_CONFIG, DSE_NMAS_LOG_DELETE_LOGIN_CONFIG, DSE_NMAS_LOG_DELETE_LOGIN_SECRET, DSE_NMAS_LOG_SET_LOGIN_SECRET, DSE_NMAS_LOG_SET_DIST_PWD, DSE_NMAS_LOG_DELETE_DIST_PWD, DSE_NMAS_LOG_DELETE_PWD, DSE_NMAS_LOG_CHANGE_PWD, DSE_NMAS_LOG_DELETE_ALL_LOGIN_CONFIG, DSE_NMAS_LOG_DELETE_ALL_LOGIN_SECRET | Modify an existing account security token. | An account security token may be a password, or any other type of authentication materials associated with a user account. Here, a user account means any type of account by which a user, application, or system service may authenticate, and then act with the rights of that account. |
| Query Account Security Token | 0.0.12.3 | DSE_NMAS_LOG_GET_LOGIN_CONFIG, DSE_NMAS_LOG_GET_PWD_STATUS, DSE_NMAS_LOG_GET_DIST_PWD, DSE_NMAS_LOG_GET_PWD, DSE_NMAS_LOG_GET_PWD_HISTORY, DSE_NMAS_LOG_GET_ALL_LOGIN_CONFIG, DSE_NMAS_LOG_GET_ALL_LOGIN_SECRET, DSE_NMAS_LOG_CHECK_PWD_SYNTAX_POLICY | Requesting an existing account security token. | An account security token may be a password, or any other type of authentication materials associated with a user account. Here, a user account means any type of account by which a user, application, or system service may authenticate, and then act with the rights of that account. |
| Create Connection | 0.0.12.4 | DSE_CONNECTION | The creation of a communication channel between system components. | This event is reported when a communication channel is created between system components. |
| Terminate Connection | 0.0.12.5 | DSE_CONNECTION | The closure of a communications channel between system components. | This event is reported when an existing communication channel is terminated between system components. |
| Create Session | 0.0.2.0 | DSE_LOGIN_EX, DSE_NMAS_LOG_SRVR_BEGIN_LOGIN, DSE_NMAS_LOG_FINISH_LOGIN_STATUS, DSE_NMAS_LOG_SASL_MECHANISM_RESULT | Create a new session. | This event should be reported whenever a new session is created. For example, logging in to the eDirectory system. |
| Terminate Session | 0.0.2.1 | DSE_LOGOUT | Terminate an existing session. | This event should be reported whenever an existing session (as defined above) is terminated. For example, logging out of the eDirectory system. |
| Authenticate Session | 0.0.2.4 | DSE_AUTHENTICATE, DSE_IMPERSONATE, DSE_EBA_BA_FAILURE, DSE_VERIFY_PASS | A new identity is associated with a session. | When a user authenticates a session, a new identity is associated with that session. This identity is then used to authorize requests for protected resources. |
| Grant Trust Access | 0.0.1.7 | DSE_ADD_VALUE | Granting access to a trust for an object. | This event is reported when access is granted to a trust for an object. |
| Revoke Trust Access | 0.0.1.8 | DSE_DELETE_VALUE | Revoking access from a trust for an object. | This event is reported when access to a resource is removed from a trust. |
| Intruder Lockout | 0.0.0.9 | DSE_ADD_VALUE | Lockout of an account. | This event is reported during lockout of an account. |
| Account Unlock | 0.0.0.10 | DSE_DELETE_VALUE | Unlock of a locked account. | This event is reported when a locked account is unlocked. |
| Grant Account Access | 0.0.0.7 | DSE_ADD_VALUE | Grant access to an account for an object. | This event is reported when access is granted for an object to an account. |
| Revoke Account Access | 0.0.0.8 | DSE_DELETE_VALUE | Revoke access from an account for an object. | This event is reported when an object is removed from an account. |
| Audit Config | 0.0.9.0 | DSE_ADD_VALUE, DSE_DELETE_VALUE | The modification of the parameters controlling the operation of the audit service. | This event is reported when any modification is made to the parameters that control the audit service. |

Examples for Security Events

The following sections provide examples of Security events.

Associate Trust

Click Associate Trust to generate an event when a new trust association is created, as shown in the following example:

Mar 16 21:57:28 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:26571"}},"Target" : {"Data" : {"Attribute Name" : "Member","Name" : "CN=group1,O=novell","Syntax" : "1","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.1.2","Name" : "ASSOCIATE_TRUST","CorrelationID" : "eDirectory#55#b22140b4-ad56-4592-942a-b44021b256ad","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1489681648},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

De-Associate Trust

Click De-Associate Trust to generate an event when an existing trust association is removed, as shown in the following example:

Mar 07 22:20:41 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=novell,OU=co,O=in","Id" : "32863"},"Entity" : {"SysAddr" : "100.1.2.194:31446"}},"Target" : {"Data" : {"Attribute Name" : "Member","Attribute Value" : "CN=raghu,OU=novell,OU=co,O=in","ClassName" : "Group","Name" : "CN=RG,OU=novell,OU=co,O=in","SubTarget" : "CN=raghu,OU=novell,OU=co,O=in","Syntax" : "1","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.1.3","Name" : "DEASSOCIATE_TRUST","CorrelationID" : "eDirectory#74#55e2ccc4-d99a-4a6a-b3dd-c4cce2559ad9","SubEvent" : "DSE_DELETE_VALUE"},"Time" : {"Offset" : 1488905441},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}} 

Modify Account Security Token

Click Modify Account Security Token to generate an event for modifying a user account security token, as shown in the following example:

Mar 15 13:19:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"ClassName" : "User","Version" : "2"},"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=user7,O=novell","Id" : "32869"}},"Action" : {"Event" : {"Id" : "0.0.0.6","Name" : "MODIFY_ACCOUNT_SECURITY_TOKEN","CorrelationID" : "eDirectory#25#db042b31-ea70-49d8-8b7b-312b04db70ea","SubEvent" : "DSE_CHGPASS"},"Time" : {"Offset" : 1489564174},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Query Account Security Token

Click Query Account Security Token to generate an event for querying a user account security token, as shown in the following example:

Mar 15 13:19:34 eDirectory : INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell","Id" : "0"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Version" : "2"},"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=user8,O=novell"}},"Action" : {"Event" : {"Id" : "0.0.12.3","Name" : "QUERY_ACCOUNT_SECURITY_TOKEN","CorrelationID" : "nmas#0#","SubEvent" : "DSE_NMAS_LOG_GET_PWD_STATUS"},"Time" : {"Offset" : 1489564174},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Create Connection

Click Create Connection to generate an event when a communication channel is created between system components, as shown in the following example:

Mar 07 15:53:25 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Domain" : "LNX-TREE-BUILD101"},"Entity" : {"SysAddr" : "1100.1.2.194:64708"}},"Target" : {"Data" : {"ConnID" : "63","Module" : "NCP Engine","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in","State" : "Create","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.13.1","Name" : "CREATE_CONNECTION","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_CONNECTION"},"Time" : {"Offset" : 1488882205},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Terminate Connection

Click Terminate Connection to generate an event when an existing communication channel is terminated between system components, as shown in the following example:

Mar 07 15:46:44 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Domain" : "LNX-TREE-BUILD101"},"Entity" : {"SysAddr" : "100.1.2.194:63684"}},"Target" : {"Data" : {"ConnID" : "65","Module" : "NCP Engine","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in","State" : "Destroy","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.13.2","Name" : "TERMINATE_CONNECTION","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_CONNECTION"},"Time" : {"Offset" : 1488881804},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Create Session

Click Create Session to generate an event for creating a new session, as shown in the following example:

Mar 06 16:21:47 eDirectory : INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in","Id" : "nds:7"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194:54823"}},"Target" : {"Data" : {"Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#262183#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1488797507},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Terminate Session

Click Terminate Session to generate an event for terminating a session, as shown in the following example:

Mar 16 21:02:23 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Initiator" : {"Account" : {"Name" : "[Public]"},"Entity" : {"SysAddr" : "164.99.91.92:8147"},"Assertions" : {"NetAddress" : "100.1.2.194"}},"Target" : {"Data" : {"Name" : "CN=stdir-vm-53,O=novell","SubTarget" : "CN=JPass,OU=users,O=novell","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.2.1","Name" : "TERMINATE_SESSION","CorrelationID" : "eDirectory#42#","SubEvent" : "DSE_LOGOUT"},"Time" : {"Offset" : 1489678343},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Authenticate Session

Click Authenticate Session to generate an event when a new identity is associated with the session, as shown in the following example:

Mar 03 15:45:51 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194:30404"},"Assertions" : {"NetAddress" : "1100.1.2.194","NullPassword" : "FALSE","bindery login" : "FALSE"}},"Target" : {"Data" : {"ClassName" : "NCP Server","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in","SubTarget" : "CN=SLES12-194-12,OU=novell,OU=co,O=in","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.2.4","Name" : "AUTHENTICATE_SESSION","CorrelationID" : "eDirectory#28#","SubEvent" : "DSE_AUTHENTICATE"},"Time" : {"Offset" : 1488536151},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Grant Trust Access

Click Grant Trust Access to generate an event when access to an object is granted to a trust, as shown in the following example:

Mar 03 14:33:06 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=novell,OU=co,O=in","Id" : "32863"},"Entity" : {"SysAddr" : "100.1.2.194:214"}},"Target" : {"Data" : {"Attribute Name" : "Message Server","Attribute Value" : "Attribute Read","Name" : "[Public]","SubTarget" : "CN=raghu,OU=novell,OU=co,O=in","Syntax" : "17","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.1.7","Name" : "GRANT_TRUST_ACCESS","CorrelationID" : "eDirectory#32#9a868af1-7b8d-4426-ae41-f18a869a8d7b","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1488531786},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Revoke Trust Access

Click Revoke Trust Access to generate an event when access to a resource is removed from a trust, as shown in the following example:

Mar 16 20:57:33 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:43936"}},"Target" : {"Data" : {"Attribute Name" : "nsimHint","Attribute Value" : "Attribute Write, Attribute Self, Attribute Inherit CTL","Syntax" : "17","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.1.8","Name" : "REVOKE_TRUST_ACCESS","CorrelationID" : "eDirectory#41#156c162f-245b-4751-90da-2f166c155b24","SubEvent" : "DSE_DELETE_VALUE"},"Time" : {"Offset" : 1489678053},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Intruder Lockout

Click Intruder Lockout to generate an event during lockout of an account, as shown in the following example:

Mar 21 09:25:29 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "NET-REPORT","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Name" : "CN=novell-emp222,OU=novell,OU=co,O=in","Id" : "33795"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Account Locked" : "TRUE","Attribute Name" : "Login Intruder Address","ClassName" : "User","Intruder Address" : "TCP: 164.99.179.164:49121","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in","Reset Time" : "03/21/17 09:27:29","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.0.9","Name" : "INTRUDER_LOCKOUT","CorrelationID" : "eDirectory#0#0ae8da6e-208f-4c44-b515-6edae80a8f20","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1490068529},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Account Unlock

Click Account Unlock to generate an event when a locked account is unlocked, as shown in the following example:

Mar 21 12:09:00 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "NET-REPORT","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Domain" : "NET-REPORT","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Attribute Name" : "Locked By Intruder","Attribute Value" : "True","ClassName" : "User","Name" : "CN=novell-emp312,OU=novell,OU=co,O=in","Syntax" : "7","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.0.10","Name" : "ACCOUNT_UNLOCK","CorrelationID" : "eDirectory#0#f5fdd0c4-0595-4e82-8b8f-c4d0fdf59505","SubEvent" : "DSE_DELETE_VALUE"},"Time" : {"Offset" : 1490078340},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Grant Account Access

Click Grant Account Access to generate an event when access is granted for an object to an account, as shown in the following example:

Mar 16 15:23:16 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32834"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Attribute Name" : "Print Job Configuration","Attribute Value" : "Attribute Read, Attribute Write","ClassName" : "User","Name" : "CN=usr54412,O=novell","SubTarget" : "CN=usr54412,O=novell","Syntax" : "17","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.0.7","Name" : "GRANT_ACCOUNT_ACCESS","CorrelationID" : "eDirectory#40#1718277b-ed75-41f2-8610-7b27181775ed","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1489657996},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

NOTE: When a user account is considered as a trustee on ACLs, the Grant Account Access event is generated.

Revoke Account Access

Click Revoke Account Access to generate an event when an object is removed from an account, as shown in the following example:

Mar 18 22:44:40 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32872"},"Entity" : {"SysAddr" : "100.1.2.194:20966"}},"Target" : {"Data" : {"Attribute Name" : "Description","Attribute Value" : "Attribute Supervisor","ClassName" : "User","Name" : "CN=user1,O=novell","SubTarget" : "CN=pc2,O=novell","Syntax" : "17","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.0.8","Name" : "REVOKE_ACCOUNT_ACCESS","CorrelationID" : "eDirectory#57#67ba4065-a7de-4581-b62e-6540ba67dea7","SubEvent" : "DSE_DELETE_VALUE"},"Time" : {"Offset" : 1489857280},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

NOTE: When a user account is considered as a trustee on ACLs, the Revoke Account Access event is generated.

Audit Config

Click Audit Config to generate an event when any modification is made to the parameters that control the audit service, as shown in the following example:

Mar 03 11:00:23 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=novell,OU=co,O=in","Id" : "32863"},"Entity" : {"SysAddr" : "100.1.2.194:64213"}},"Target" : {"Data" : {"Attribute Name" : "xdasConfiguration","Attribute Value" : "dsaccount=Computer$Organization$Organizational Person$Person$User$$","ClassName" : "NCP Server","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in","Syntax" : "3","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.9.0","Name" : "AUDIT_CONFIG","CorrelationID" : "eDirectory#28#a56628e8-38fc-43c5-93c2-e82866a5fc38","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1488519023},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
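A log consumer can drop the syslog prefix at the first `{`, parse the XDAS JSON body, and triage on `Action.Event.Name`. The following sketch is an added example, not part of the product documentation: the sample lines are constructed by abridging records shown above (plus one deliberately truncated line), and the function names and the choice of which events to flag are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines: abridged copies of records shown above, plus one truncated line.
SAMPLE_LINES = [
    'Mar 21 09:25:29 eDirectory : INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : '
    '{"Name" : "CN=novell-emp222,OU=novell,OU=co,O=in"}},"Target" : {"Data" : {"Account Locked" : '
    '"TRUE","Intruder Address" : "TCP: 164.99.179.164:49121"}},"Action" : {"Event" : {"Id" : '
    '"0.0.0.9","Name" : "INTRUDER_LOCKOUT"},"Time" : {"Offset" : 1490068529},"Outcome" : "0"}}',
    'Mar 03 11:00:23 eDirectory : INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : '
    '{"Name" : "CN=admin,OU=novell,OU=co,O=in"}},"Target" : {"Data" : {"Attribute Name" : '
    '"xdasConfiguration"}},"Action" : {"Event" : {"Id" : "0.0.9.0","Name" : "AUDIT_CONFIG"},'
    '"Time" : {"Offset" : 1488519023},"Outcome" : "0"}}',
    'Mar 03 14:33:06 eDirectory : INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : '
    '{"Name" : "CN=admin,OU=novell,OU=co,O=in"}},"Target" : {"Data" : {"Attribute Value" : '
    '"Attribute Read","Name" : "[Public]","SubTarget" : "CN=raghu,OU=novell,OU=co,O=in"}},'
    '"Action" : {"Event" : {"Id" : "0.0.1.7","Name" : "GRANT_TRUST_ACCESS"},'
    '"Time" : {"Offset" : 1488531786},"Outcome" : "0"}}',
    'Mar 06 16:21:47 eDirectory : INFO {"Source" : "eDirectory#NMAS","Initiator" : {"Account" : '
    '{"Name" : "CN=admin,OU=novell,OU=co,O=in"}},"Target" : {"Data" : {}},"Action" : {"Event" : '
    '{"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Time" : {"Offset" : 1488797507},"Outcome" : "0"}}',
    'Mar 06 16:21:48 eDirectory : INFO {"Source" : "eDirectory#DS","Action" : {"Event" ',
]


def parse_xdas(line):
    """Drop the syslog prefix, parse the JSON body, and flatten the fields used for triage."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        doc = json.loads(line[start:])
    except json.JSONDecodeError:
        return None  # truncated or corrupted record
    action = doc.get("Action", {})
    event = action.get("Event", {})
    offset = action.get("Time", {}).get("Offset")  # epoch seconds
    when = datetime.fromtimestamp(offset, tz=timezone.utc).isoformat() if offset is not None else None
    return {
        "time": when,
        "id": event.get("Id"),
        "event": event.get("Name"),
        "initiator": doc.get("Initiator", {}).get("Account", {}).get("Name"),
        "data": doc.get("Target", {}).get("Data", {}),
        "outcome": action.get("Outcome"),
    }


def triage(rec):
    """Return a one-line finding for events chosen here as high-signal (an assumption), else None."""
    data = rec["data"]
    if rec["event"] == "INTRUDER_LOCKOUT":
        return f"lockout: initiator={rec['initiator']} source={data.get('Intruder Address')}"
    if rec["event"] == "AUDIT_CONFIG":
        return f"audit config changed by {rec['initiator']} ({data.get('Attribute Name')})"
    if rec["event"] == "GRANT_TRUST_ACCESS" and data.get("Name") == "[Public]":
        return f"[Public] granted '{data.get('Attribute Value')}' on {data.get('SubTarget')}"
    return None


def scan(lines):
    """Return (findings, number of lines that could not be parsed)."""
    findings, bad = [], 0
    for line in lines:
        rec = parse_xdas(line)
        if rec is None:
            bad += 1
            continue
        finding = triage(rec)
        if finding:
            findings.append((rec["time"], rec["id"], finding))
    return findings, bad
```

The count of unparseable lines is returned rather than discarded, since missing or truncated audit records are worth alerting on in their own right.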

H.2.5 Service or Application Management Events

This set of events relates to the management of services or applications. The services or applications include modules, agents and background processes.

Table H-6 Service or Application Management Event Taxonomy

| Event Name | Event Identifier | Corresponding eDir Event | Description | Use |
|---|---|---|---|---|
| Enable Service | 0.0.4.5 | DSE_CHANGE_MODULE_STATE, DSE_NMAS_LOG_PWD_POLICY_AGENT_REG, DSE_NMAS_LOG_DIST_PWD_AGENT_REG, DSE_NMAS_LOG_PWD_AGENT_REG, DSE_NMAS_LOG_LTSS_AGENT_REG, DSE_NMAS_LOG_PWD_CHANGE_AGENT_REG | Enable a service or application. | This event is reported when a service, operation or function is enabled. For example, loading any eDirectory module. |
| Disable Service | 0.0.4.4 | DSE_REMOTE_SERVER_DOWN, DSE_CHANGE_MODULE_STATE, DSE_NMAS_LOG_PWD_POLICY_AGENT_DEREG, DSE_NMAS_LOG_DIST_PWD_AGENT_DEREG, DSE_NMAS_LOG_PWD_AGENT_DEREG, DSE_NMAS_LOG_LTSS_AGENT_DEREG, DSE_NMAS_LOG_PWD_CHANGE_AGENT_DEREG | Disable a service or application. | This event is reported when a service, operation or function is disabled. For example, unloading any eDirectory module. |
| Invoke Service | 0.0.5.0 | DSE_BACKLINK_PROC_DONE, DSE_LIMBER_DONE, DSE_MOVE_TREE_START, DSE_PURGE_START, DSE_RECV_REPLICA_UPDATES, DSE_SEND_REPLICA_UPDATES, DSE_START_JOIN, DSE_START_UPDATE_REPLICA, DSE_START_UPDATE_SCHEMA, DSE_SYNC_PART_START, DSE_SYNC_SVR_OUT_START | Invoke a service or application. | This event is reported when a security-relevant service is invoked. For example, triggering a background process. |
| Terminate Service | 0.0.5.1 | DSE_REMOVE_ATTR_DEF, DSE_ABORT_JOIN, DSE_END_UPDATE_REPLICA, DSE_END_UPDATE_SCHEMA, DSE_JOIN_DONE, DSE_MOVE_TREE_END, DSE_PURGE_END, DSE_SCHEMA_SYNC, DSE_SYNC_PART_END, DSE_SYNC_SVR_OUT_END | Terminate a service or application. | This event is reported when a service is terminated. For example, terminating a background process. |
| Modify Service Config | 0.0.4.2 | DSE_ALLOW_LOGIN, DSE_UPDATE_REPLICA, DSE_EBA_MOVE_EBA_CA, DSE_GEN_CA_KEYS, DSE_RECERT_PUB_KEY, DSE_EBA_REQ_BA_MATERIAL, DSE_EBA_REQ_SERVER_BA_MATERIAL, DSE_NAME_COLLISION, DSE_SERVER_RENAME, DSE_SERVER_ADDRESS_CHANGE, DSE_SYNC_PARTITION, DSE_SYNC_SCHEMA, DSE_EBA_ENABLE_PURE_MODE, DSE_EBA_ISSUE_NCPCA_CERT, DSE_EBA_REVOKE_NCPCA_CERT | Modification of the configuration data associated with eDirectory service. | This event is reported upon modification of the configuration data. For example, any changes made to the EBA configuration will trigger this event. |

Examples for Service or Application Management Events

The following sections include examples of events related to the management of services or applications.

Enable Service

Click Enable Service to generate an event when a service, operation or function is enabled, as shown in the following example:

Mar 07 10:03:15 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "1100.1.2.194:0"}},"Target" : {"Data" : {"Module State" : "Loaded","Name" : "libxdasauditds.so","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.4.5","Name" : "ENABLE_SERVICE","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_CHANGE_MODULE_STATE"},"Time" : {"Offset" : 1488861195},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Disable Service

Click Disable Service to generate an event when a service, operation or function is disabled, as shown in the following example:

Mar 10 11:00:07 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Initiator" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Module State" : "Unloading","Name" : "libsnmpinst.so","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.4.4","Name" : "DISABLE_SERVICE","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_CHANGE_MODULE_STATE"},"Time" : {"Offset" : 1489123807},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Invoke Service

Click Invoke Service to generate an event when a security-relevant service is invoked, as shown in the following example:

Mar 03 14:41:44 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.5.0","Name" : "INVOKE_SERVICE","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_SYNC_PART_START"},"Time" : {"Offset" : 1488532304},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}} 

Terminate Service

Click Terminate Service to generate an event for terminating a service, as shown in the following example:

Mar 03 14:41:44 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLES12-194-12"}},"Initiator" : {"Account" : {"Domain" : "LNX-TREE-BUILD101","Name" : "CN=SLES12-194-12,OU=novell,OU=co,O=in"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.5.1","Name" : "TERMINATE_SERVICE","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_SYNC_PART_END"},"Time" : {"Offset" : 1488532304},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Modify Service Config

Click Modify Service Config to generate an event reported upon modification of the configuration data, as shown in the following example:

Mar 16 21:07:46 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194:40159"}},"Target" : {"Data" : {"Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.4.2","Name" : "MODIFY_SERVICE_CONFIG","CorrelationID" : "eDirectory#34#","SubEvent" : "DSE_SYNC_PARTITION"},"Time" : {"Offset" : 1489678666},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

H.2.6 Operational Events

Operational events are generated very rarely, and are considered important. For instance, shutting down an enterprise-critical server is exceptional because it cannot happen without someone's permission.

Table H-7 Operational Event Taxonomy

| Event Name | Event Identifier | Corresponding eDir Event | Description | Use |
|---|---|---|---|---|
| Start System | 0.0.8.0 | DSE_AGENT_OPEN_LOCAL, DSE_RELOAD_DS | Start a system | This event is reported when a server, system, or mission-critical application starts up. |
| Shutdown System | 0.0.8.1 | DSE_AGENT_CLOSE_LOCAL | Shutdown a system | This event is reported when a server, system, or mission-critical application shuts down. |
| Back up Data Store | 0.0.8.4 | DSE_BACKUP_ENTRY | Back up Data Store | This event is reported when a server, system, or mission critical application backs up a critical data store. |
| Recover Data Store | 0.0.8.5 | DSE_RESTORE_ENTRY | Recover Data Store | This event is reported when a server, system, or mission critical application restores a critical data store. |
| Internal Operations | 0.1.0.3.0.0 | DSE_CRC_FAILURE, DSE_DELETE_SUBTREE, DSE_DELETE_UNUSED_EXTREF, DSE_DSA_BAD_VERB, DSE_LOST_ENTRY, DSE_NEW_SCHEMA_EPOCH, DSE_NO_REPLICA_PTR, DSE_PURGE_ENTRY_FAIL, DSE_EBA_ISSUE_CRL | Event related to the operation of a service or application. | Used for logging events that are generated by internal eDirectory operations. |
| Modify Process Context | 0.0.4.3 | DSE_PARTITION_STATE_CHG, DSE_LDAP_MODLDAPSERVER, DSE_PART_STATE_CHG_REQ, DSE_REPAIR_TIME_STAMPS, DSE_RESET_DS_COUNTERS, DSE_SET_NEW_MASTER, DSE_SYNTHETIC_TIME, DSE_SPLIT_DONE, DSE_SPLIT_PARTITION, DSE_JOIN_PARTITIONS, DSE_ABORT_PARTITION_OP, DSE_LOW_LEVEL_JOIN | Modify processing context | This event is reported when any attributes of a process context are modified. For example, creating a partition will trigger this event. |

Examples for Exceptional Events

The following sections include examples of exceptional events.

Start System

Click Start System to generate an event when a server, system, or mission-critical application starts, as shown in the following example:

Mar 13 11:20:24 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Initiator" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.8.0","Name" : "START_SYSTEM","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_AGENT_OPEN_LOCAL"},"Time" : {"Offset" : 1489384224},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Shutdown System

Click Shutdown System to generate an event when a server, system, or mission-critical application shuts down, as shown in the following example:

Mar 13 11:16:23 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Initiator" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.8.1","Name" : "SHUTDOWN_SYSTEM","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_AGENT_CLOSE_LOCAL"},"Time" : {"Offset" : 1489383983},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Backup Data Store

Click Backup Data Store to generate an event when a server, system, or mission critical application backs up a critical data store, as shown in the following example:

Mar 14 13:03:29 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32872"},"Entity" : {"SysAddr" : "100.1.2.194:13018"}},"Target" : {"Data" : {"Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.8.4","Name" : "BACKUP_DATA_STORE","CorrelationID" : "eDirectory#43#","SubEvent" : "DSE_BACKUP_ENTRY"},"Time" : {"Offset" : 1489476809},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Recover Data Store

Click Recover Data Store to generate an event when a server, system, or mission-critical application recovers a data store, as shown in the following example:

Mar 14 14:16:02 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32872"},"Entity" : {"SysAddr" : "100.1.2.194:10203"}},"Target" : {"Data" : {"Name" : "OU=users,O=novell","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.8.5","Name" : "RECOVER_DATA_STORE","CorrelationID" : "eDirectory#36#bd5cb85b-0f9f-4268-a221-5bb85cbd9f0f","SubEvent" : "DSE_RESTORE_ENTRY"},"Time" : {"Offset" : 1489481162},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Internal Operations

Click Internal Operations to generate an event when logging events are generated by eDirectory internal operations, as shown in the following example:

Mar 15 13:45:13 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Initiator" : {"Account" : {"Domain" : "VLV_MEM","Name" : "CN=stdir-vm-53,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"ValidityEnd" : "03/16/2017 01:45:13 PM","ValidityStart" : "03/15/2017 01:45:13 PM","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.12.2","Name" : "INTERNAL_OPERATIONS","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_EBA_ISSUE_CRL"},"Time" : {"Offset" : 1489565713},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}} 

Modify Process Context

Click Modify Process Context to generate an event when any attributes of a process context are modified, as shown in the following example:

Mar 16 21:07:46 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194","SysName" : "SLE12-142"}},"Initiator" : {"Account" : {"Domain" : "TREEUPGRADE","Name" : "CN=SLE12-142,O=novell"},"Entity" : {"SysAddr" : "100.1.2.194:0"}},"Target" : {"Data" : {"Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.5.3","Name" : "MODIFY_PROCESS_CONTEXT","CorrelationID" : "eDirectory#0#042b517b-41c4-4c9b-b5b5-7b512b04c441","SubEvent" : "DSE_PARTITION_STATE_CHG"},"Time" : {"Offset" : 1489678666},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
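Because Shutdown System and Start System records carry `Action.Time.Offset` as epoch seconds, pairing them per observer host gives the window in which that server was down and produced no audit records. The following sketch is an added example, not part of the product documentation: the first three sample lines are constructed by abridging records shown above, the fourth (an unmatched shutdown) is invented for illustration, and the function name is an assumption.

```python
import json

# Constructed sample lines. The first three abridge records shown above and are
# deliberately out of time order; the last one is invented (a shutdown with no restart).
SAMPLE_LINES = [
    'Mar 13 11:20:24 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Entity" : '
    '{"SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Action" : {"Event" : {"Id" : "0.0.8.0",'
    '"Name" : "START_SYSTEM","SubEvent" : "DSE_AGENT_OPEN_LOCAL"},"Time" : {"Offset" : 1489384224}}}',
    'Mar 13 11:16:23 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Entity" : '
    '{"SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Action" : {"Event" : {"Id" : "0.0.8.1",'
    '"Name" : "SHUTDOWN_SYSTEM","SubEvent" : "DSE_AGENT_CLOSE_LOCAL"},"Time" : {"Offset" : 1489383983}}}',
    'Mar 14 13:03:29 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Entity" : '
    '{"SysName" : "stdir-vm-53.labs.blr.novell.com"}},"Action" : {"Event" : {"Id" : "0.0.8.4",'
    '"Name" : "BACKUP_DATA_STORE","SubEvent" : "DSE_BACKUP_ENTRY"},"Time" : {"Offset" : 1489476809}}}',
    'Mar 16 21:08:20 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Entity" : '
    '{"SysName" : "SLE12-142"}},"Action" : {"Event" : {"Id" : "0.0.8.1",'
    '"Name" : "SHUTDOWN_SYSTEM","SubEvent" : "DSE_AGENT_CLOSE_LOCAL"},"Time" : {"Offset" : 1489678700}}}',
]


def downtime_windows(lines):
    """Pair each SHUTDOWN_SYSTEM with the next START_SYSTEM from the same observer host.

    Returns (closed_windows, still_down). still_down lists shutdowns with no later start
    in the input: the server is still down, or the start record is missing.
    """
    events = []
    for line in lines:
        try:
            doc = json.loads(line[line.index("{"):])
            name = doc["Action"]["Event"]["Name"]
            offset = doc["Action"]["Time"]["Offset"]
            host = doc["Observer"]["Entity"]["SysName"]
        except (ValueError, KeyError):
            continue  # not an XDAS record, truncated JSON, or missing fields
        if name in ("SHUTDOWN_SYSTEM", "START_SYSTEM"):
            events.append((offset, host, name))

    events.sort()  # order by event time, not by arrival order in the log
    down_since, windows = {}, []
    for offset, host, name in events:
        if name == "SHUTDOWN_SYSTEM":
            down_since[host] = offset
        elif host in down_since:
            began = down_since.pop(host)
            windows.append({"host": host, "down": began, "up": offset, "seconds": offset - began})
    still_down = [{"host": h, "down": t} for h, t in sorted(down_since.items())]
    return windows, still_down
```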