23.1 Auditing with Novell Audit

Using the Novell Audit package, you can send events generated by eDirectory to an external auditing client for monitoring.

eDirectory instrumentation is bundled with eDirectory 9.0. You must install this package to audit eDirectory events with Novell Audit.

Use the following information to install, configure, or uninstall Novell Audit on Linux and Windows servers:

23.1.1 Supported Platforms

For information about supported platforms and installation instructions, see the NetIQ eDirectory Installation Guide.

23.1.2 Prerequisites

  • eDirectory 9.0 auditing supports only the Novell Audit Platform Agent.

  • Installing and using the Novell Audit iManager Plug-in requires iManager 3.0 at a minimum. For more information, refer to the iManager Documentation Page.

23.1.3 Installing Novell Audit Packages

Linux

Configuring eDirectory Instrumentation As a Root User

If the Audit Platform Agent configuration file (logevent.conf) already exists in /etc, back it up before installing the Audit packages, because the new package overwrites the existing configuration.

If the Audit module is already loaded, unload it with the ndstrace -c "unload auditds" command.

For the 64-bit Audit package:

  1. Install novell-AUDTplatformagent-2.0.2-68.x86_64.rpm from the setup directory of the extracted eDirectory build for the Linux platform.

    #rpm -Uvh /root/eDirectory/setup/novell-AUDTplatformagent-2.0.2-68.x86_64.rpm 
  2. Install the novell-AUDTedirinst-9.0-xx.x86_64.rpm from the setup directory of the extracted eDirectory build for the Linux platform.

    #rpm -Uvh <eDirectory build extracted folder>/eDirectory/setup/novell-AUDTedirinst-9.0-xx.x86_64.rpm

Run ndstrace -c "load auditds" to load the auditds module.

Configuring eDirectory Instrumentation As a Non-Root User

For the 64-bit Audit package:

  1. Install the Platform Agent (PA) as a non-root user. For instructions, refer to the NetIQ Downloads Web site and the Novell Audit Platform Agent Guide (Sentinel Plug-Ins 2011.1r3).

  2. Stop the eDirectory server.

  3. Extract the eDirectory instrumentation rpm using the following command:

    #rpm2cpio novell-AUDTedirinst-9.0-xx.x86_64.rpm | cpio -div
  4. Copy the extracted files to the lib64 directory of the non-root eDirectory installation using the following command:

    cp -r ./opt/novell/eDirectory/lib64/* <eDirectory build extracted folder>/eDirectory/opt/novell/eDirectory/lib64/
  5. Restart the eDirectory server.

  6. Run ndstrace -c "load auditds" to load the auditds module.

Windows

If the Audit Platform Agent configuration file (logevent.cfg) already exists in C:\WINDOWS, back it up before installing the instrumentation, because the new package overwrites the existing configuration.

For a 64-bit installation of the Audit packages and the Audit Platform Agent, run Novell_Audit_PlatformAgent_Win64.exe from the <installerFolder>/windows/x64/auditds/ directory.

NOTE:

  • If you upgrade an eDirectory server that has eDirectory instrumentation installed, the instrumentation files are upgraded automatically. If you are currently on eDirectory 9.0 SP2 or earlier, you must upgrade the instrumentation files manually before upgrading the eDirectory server.

  • If you are upgrading eDirectory server as a non-root user, you must upgrade the instrumentation files manually before upgrading your eDirectory server.

23.1.4 Installing the Novell Audit iManager Plug-in

To configure auditing of eDirectory events using the Novell Audit Platform Agent, you must first install the Novell Audit plug-in for iManager.

Installing and using the Novell Audit iManager plug-in requires iManager 3.0 or later. See the iManager Installation Guide for iManager installation requirements and download instructions.

The Novell Audit iManager plug-in is bundled with eDirectory 9.0 plug-ins. eDirectory 9.0 plug-ins can be downloaded from the Download site.

The installation instructions are available on the eDirectory 9.0 Plug-ins for iManager 3.0 download page.

23.1.5 Understanding eDirectory Event Reporting

eDirectory uses two different event reporting systems to log events: journal and inline. By default, eDirectory logs events using journal event reporting, but you can enable inline event reporting in iManager. For more information about enabling inline event reporting, see Configuring Novell Audit for eDirectory.

Journal: This reporting system provides asynchronous post-event reporting. With journal event reporting enabled, when an event is generated, eDirectory adds it to the journal event processing queue. A separate thread then drains the queue and sends the events to the auditing client, so delivery does not block the operation that generated the event.

Inline: This reporting system provides synchronous pre-event reporting. With inline event reporting enabled, eDirectory sends each event directly to the client on the same thread that generated it. Because that thread waits for delivery, enabling inline event reporting can affect eDirectory performance.

23.1.6 Understanding eDirectory Event Types

You can configure eDirectory to log events in the following categories:

  • Meta

  • Objects

  • Attributes

  • Schema

  • Connections

  • Agent

  • Miscellaneous

  • Bindery

  • Replica

  • Partition

  • LDAP

We recommend auditing the following default set of event types:

Meta: all event types

Objects:

  • Add Property

  • Allow Login

  • Change Password

  • Change Security Equals

  • Create

  • Delete

  • Delete Property

  • Login

  • Logout

  • Modify RDN

  • Move (Destination)

  • Move (Source)

  • Remove

  • Rename

  • Restore

  • Search

  • Verify Password

Attributes: all event types

Agent:

  • DS Reload

  • Local Agent Close

  • Local Agent Open

  • NLM Load

Miscellaneous:

  • Generated CA Keys

  • Recertified Public Key

LDAP (request and response types are listed as pairs):

  • LDAP Bind

  • LDAP Bind Response

  • LDAP Unbind

  • LDAP Add

  • LDAP Add Response

  • LDAP Modify

  • LDAP Modify Response

  • LDAP Password Modify

  • LDAP Delete

  • LDAP Delete Response

  • LDAP Modify DN

  • LDAP Modify DN Response

  • LDAP Search

  • LDAP Search Response

23.1.7 Understanding eDirectory Auditing Event Filtering

You can also filter events for one or more specific object classes or attributes, depending on the event type. eDirectory evaluates all generated events against the configured filters on the eDirectory server and sends only events matching those filters through to the auditing client.

Each filter is evaluated independently. For example, if you configure filtering on both a specific object class and one or more attributes, eDirectory sends every event that matches any one of those filters to the client. You cannot configure filtering so that eDirectory sends only events that match both a certain object class and certain attributes. You can select multiple object classes or attributes for which you want to filter eDirectory events.

NOTE: You can filter a combined maximum of 256 object classes and attributes.

Click one of the following hyperlinked event types to select one or more object classes or attributes to filter for that event type:

Category     Event Type                                           Filtering Type
Objects      Create, Delete                                       Object Class
Attributes   Add Value, Delete Value                              Object Class or Attribute
LDAP         LDAP Modify, LDAP Delete, LDAP Modify DN, LDAP Add   Object Class

For example, if you want to be notified when someone creates a user account in eDirectory, you can create a filter using iManager to look for only Create Object events that create a User object.

In iManager, navigate to Roles and Tasks > eDirectory Auditing > Audit Configuration, select the NCP Server you want to monitor, and then click the Novell Audit tab. In the Objects list, click the Create hyperlink. In the Available Object Classes list, select User, then click the right arrow to move User to the Selected Object Classes list, and then click OK.

With the filter configured, eDirectory checks all generated events for user-creation events and sends those events to the client. If you do not select other event types or configure filtering for other object classes or attributes, eDirectory only audits user-creation events.

Note that Object and LDAP category filters only allow you to filter on object classes, while Attribute category filters allow you to filter on both object classes and attributes.

If you select one of the event types above but do not specify an object class or attribute on which to filter, eDirectory sends all events of that event type to the client.
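The filter rules in this section are easy to misread, in particular that multiple filters are OR-ed and that an unfiltered event type forwards everything. The following model, added here as an example and not part of the NetIQ documentation or the eDirectory code, encodes only what the text states: filters hang off individual event types, Objects and LDAP types filter on object class, Attributes types filter on object class or attribute, any single filter match forwards the event, no filter means every event of that type is sent, and at most 256 object classes plus attributes may be configured in total. The AuditEvent and AuditConfig shapes, and the Member attribute used in the demo, are assumptions made for the model.

```python
"""Model of the eDirectory audit filter rules described in this section
(added example; the real event record and iManager configuration are richer)."""
from dataclasses import dataclass, field

MAX_FILTER_ENTRIES = 256  # combined limit on object classes + attributes

# Filterable event types and the filtering type each one supports.
FILTER_TYPES = {
    ("Objects", "Create"): {"object_class"},
    ("Objects", "Delete"): {"object_class"},
    ("Attributes", "Add Value"): {"object_class", "attribute"},
    ("Attributes", "Delete Value"): {"object_class", "attribute"},
    ("LDAP", "LDAP Add"): {"object_class"},
    ("LDAP", "LDAP Modify"): {"object_class"},
    ("LDAP", "LDAP Delete"): {"object_class"},
    ("LDAP", "LDAP Modify DN"): {"object_class"},
}


@dataclass(frozen=True)
class AuditEvent:
    """A generated event (constructed shape for this model)."""
    category: str
    event_type: str
    object_class: str = ""
    attribute: str = ""


@dataclass
class AuditConfig:
    """What was selected on the Novell Audit tab for one NCP Server."""
    selected: set                                        # {(category, event_type)}
    object_classes: dict = field(default_factory=dict)   # (cat, type) -> {class}
    attributes: dict = field(default_factory=dict)       # (cat, type) -> {attr}

    def validate(self):
        """Return a list of configuration problems (empty means OK)."""
        problems = []
        total = 0
        for key, classes in self.object_classes.items():
            total += len(classes)
            if key not in FILTER_TYPES:
                problems.append(f"{key}: this event type cannot be filtered")
            elif key not in self.selected:
                problems.append(f"{key}: filter set on an event type that is not selected")
        for key, attrs in self.attributes.items():
            total += len(attrs)
            if "attribute" not in FILTER_TYPES.get(key, set()):
                problems.append(f"{key}: only Attributes event types filter on attributes")
            elif key not in self.selected:
                problems.append(f"{key}: filter set on an event type that is not selected")
        if total > MAX_FILTER_ENTRIES:
            problems.append(f"{total} filter entries exceed the limit of {MAX_FILTER_ENTRIES}")
        return problems


def should_forward(config, event):
    """Decide whether the server sends this event on to the Platform Agent."""
    key = (event.category, event.event_type)
    if key not in config.selected:
        return False                      # event type not audited at all
    classes = config.object_classes.get(key, set())
    attrs = config.attributes.get(key, set())
    if not classes and not attrs:
        return True                       # no filter: every event of this type
    # Independent filters: a match on either list is enough (OR, never AND).
    return event.object_class in classes or event.attribute in attrs


def demo_config():
    """The worked example from the text (Create filtered to User objects) plus
    an Add Value filter on class User and on the assumed attribute Member."""
    return AuditConfig(
        selected={("Objects", "Create"), ("Objects", "Delete"),
                  ("Attributes", "Add Value")},
        object_classes={("Objects", "Create"): {"User"},
                        ("Attributes", "Add Value"): {"User"}},
        attributes={("Attributes", "Add Value"): {"Member"}},
    )
```

Run demo_config().validate() before applying a configuration; an Add Value event on a Group object that touches Member is forwarded by this model because the attribute filter matches on its own, which is exactly the OR behaviour the section warns about.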

23.1.8 Configuring the Novell Audit Platform Agent

If the Audit Platform Agent is not already configured, edit the Platform Agent configuration file to set the Audit Server's host address in LogHost. By default, the installation program places the configuration file in the following directory:

  • Linux: /etc/logevent.conf

  • Windows: Windows_directory\logevent.cfg

For example, modify the LogHost attribute as follows:

LogHost=192.168.1.8

For more information, refer to the “Configuring the Audit Platform Agent” section in the Novell Audit 2.0 Administration Guide.
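The LogHost edit above is usually done by hand, but the earlier install steps also warn that the package overwrites an existing logevent.conf. The following script, added here as an example and not part of the NetIQ documentation or the Platform Agent, backs up the existing file and sets LogHost idempotently. It touches only the LogHost key shown on this page, preserves every other line, and refuses values that are neither an IP literal nor a DNS name so a typo or shell metacharacter cannot land in the file. The default paths follow the section above; the timestamped .bak naming and the constructed sample content in demo() are assumptions.

```python
"""Back up logevent.conf and set LogHost (added example, not NetIQ code)."""
import ipaddress
import os
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

_LOGHOST_RE = re.compile(r"^\s*LogHost\s*=", re.IGNORECASE)
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def default_config_path():
    """Platform Agent config location: /etc/logevent.conf or %WINDIR%\\logevent.cfg."""
    if os.name == "nt":
        return Path(os.environ.get("WINDIR", r"C:\Windows")) / "logevent.cfg"
    return Path("/etc/logevent.conf")


def valid_log_host(host):
    """True for an IPv4/IPv6 literal or a syntactically valid DNS hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def backup_config(path):
    """Copy an existing config to <name>.<timestamp>.bak; return the backup path or None."""
    path = Path(path)
    if not path.exists():
        return None
    stamp = datetime.now().strftime("%Y%m%d%H%M%S")
    backup = path.with_name(f"{path.name}.{stamp}.bak")
    shutil.copy2(path, backup)
    return backup


def set_log_host(path, host):
    """Set LogHost=<host>, replacing (and de-duplicating) any existing entry.

    Returns the new file text. Raises ValueError before touching the file
    if the host is not a valid IP literal or hostname."""
    if not valid_log_host(host):
        raise ValueError(f"invalid LogHost value: {host!r}")
    path = Path(path)
    lines = path.read_text().splitlines() if path.exists() else []
    out, replaced = [], False
    for line in lines:
        if _LOGHOST_RE.match(line):
            if not replaced:
                out.append(f"LogHost={host}")
                replaced = True
            continue                      # drop duplicate LogHost lines
        out.append(line)
    if not replaced:
        out.append(f"LogHost={host}")
    text = "\n".join(out) + "\n"
    path.write_text(text)
    return text


def get_log_host(path):
    """Return the configured LogHost value, or None if absent."""
    for line in Path(path).read_text().splitlines():
        if _LOGHOST_RE.match(line):
            return line.split("=", 1)[1].strip()
    return None


def demo():
    """Round trip on a constructed sample file in a temp dir (safe to run anywhere)."""
    conf = Path(tempfile.mkdtemp()) / "logevent.conf"
    conf.write_text("# constructed sample, not a real logevent.conf\n"
                    "LogHost=10.0.0.1\nLogHost=10.0.0.2\nOtherKey=value\n")
    backup = backup_config(conf)
    text = set_log_host(conf, "192.168.1.8")
    return {"backup_exists": backup is not None and backup.exists(),
            "loghost": get_log_host(conf),
            "loghost_lines": text.count("LogHost="),
            "other_kept": "OtherKey=value" in text}
```

On a real server call backup_config(default_config_path()) and then set_log_host(default_config_path(), "192.168.1.8") as root (or as the non-root eDirectory owner if the Platform Agent was installed that way); the backup taken here is the same one the install steps ask for, so keep it until the new configuration is confirmed working.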

23.1.9 Configuring Novell Audit for eDirectory

To configure auditing of eDirectory events with the Novell Audit Platform Agent using iManager, select the eDirectory event types that you want to audit.

  1. Log in to iManager using the following URL:

    https://ip_address_or_DNS/nps/

    where ip_address_or_DNS is the IP address or DNS name of your iManager server. For example:

    https://111.111.1.1/nps/
  2. Under Roles and Tasks, select eDirectory Auditing > Audit Configuration.

  3. Browse to and select the NCP Server object that corresponds to the eDirectory Server from which you want to collect events. Click OK.

  4. Click the Novell Audit tab to display the eDirectory Instrumentation Settings page.

  5. If you do not want eDirectory to send replicated events to another replica in the replica ring, select Do Not Send Replicated Events.

    You can use this option to filter out unnecessary event noise and reduce log size.

  6. If you want to enable inline pre-event reporting, select Register For Events Inline.

    Note that selecting this option can slow the eDirectory performance.

  7. Select the event types that you want to audit.

  8. If you want to filter events for one or more specific object classes, complete the following actions:

    1. Click one of the following hyperlinked objects:

      • Objects > Create

      • Objects > Delete

      • Attributes > Add Value

      • Attributes > Delete Value

      • LDAP > LDAP Add

      • LDAP > LDAP Modify

      • LDAP > LDAP Delete

      • LDAP > LDAP Modify DN

    2. In the Available Object Classes list, select the object classes for which you want to audit events, then click the right arrow.

    3. Click OK, then click OK again.

  9. If you want to filter events for one or more specific attributes, complete the following steps:

    1. Click one of the following hyperlinked objects:

      • Attributes > Add Value

      • Attributes > Delete Value

    2. In the Available Attributes list, select the attributes for which you want to audit events, then click the right arrow.

    3. Click OK, then click OK again.

      NOTE: eDirectory evaluates each event independently against every filter, so an event that matches one filter but not another is still sent to the client. For more information about filtering events, see Understanding eDirectory Auditing Event Filtering.

  10. Click Apply, then click OK.

Changes to your auditing configuration take effect within three minutes. If you want to immediately apply changes, you can also unload and then reload the Audit module. For more information about loading the audit module, see Loading the Audit Module.

NOTE: Meta events are generated only if you also select the Attributes > Add Value and Attributes > Delete Value event types.

23.1.10 Loading the Audit Module

To load or unload the Audit module, use one of the following procedures depending on your platform:

Linux

  1. If the Audit module is not already loaded, execute the following command to load it:

    ndstrace -c "load auditds"
  2. Execute the following command to unload the Audit module:

    ndstrace -c "unload auditds"
  3. To automatically load Audit modules when eDirectory starts, edit the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file and add the following line to the file:

    auditds     auto     #eDirectory instrumentation

Windows

  1. Load the Audit module.

    1. Click Start > Control Panel > Novell eDirectory Services.

    2. Select nauditds from the Services tab, then click Start.

  2. Unload the Audit module.

    1. Click Start > Control Panel > Novell eDirectory Services.

    2. Select nauditds from the Services tab, then click Stop.

  3. To automatically load the Audit module when eDirectory is started, complete the following actions:

    1. Click Start > Control Panel > Novell eDirectory Services.

    2. Select nauditds from the Services tab, then click Startup.

    3. Select Automatic, then click OK.

  4. To disable automatic loading of Audit module when eDirectory is started, complete the following actions:

    1. Click Start > Control Panel > Novell eDirectory Services.

    2. Select nauditds from the Services tab, click Startup.

    3. Deselect the Automatic check box, then click OK.

23.1.11 Monitoring eDirectory Events with Sentinel

NetIQ Sentinel provides a Collector for collecting and auditing eDirectory events. In order to monitor specific eDirectory events in Sentinel, you must ensure that certain eDirectory auditing settings are configured properly.

For detailed information on configuring auditing settings, see Configuring Novell Audit for eDirectory.

For information on configuring Sentinel to collect eDirectory events, see the Sentinel Collector Guide for NetIQ eDirectory, located on the Sentinel Plug-ins site.

Auditing Create Object Events

When creating an object that will be used as an account, eDirectory first creates a generic object, then modifies the object class to a user type with an Add Value event. If you want Sentinel to properly collect the event, you must enable auditing of Add Value events in iManager. If you do not enable Add Value event auditing, the Sentinel Collector cannot parse Create Object events and will generate a “Configuration Error” event in Sentinel.

To enable auditing of Create Object events, launch iManager and navigate to the eDirectory Auditing > Audit Configuration > Novell Audit window. Select both Objects > Create and Attributes > Add Value.

Auditing LDAP Events

eDirectory treats each LDAP request as a transaction and generates two events for it: one when the request is received and one when the response is sent and the transaction completes.

Sentinel, however, treats each request/response pair as a single event. To audit a type of LDAP operation with Sentinel, you must therefore enable both the request event and the response event in iManager. For example, to audit LDAP bind operations, select both LDAP Bind and LDAP Bind Response.

Auditing Failed Login Events

If you want to monitor failed login events in eDirectory, you must use iManager to enable auditing on Add Value events on the eDirectory server. You must also enable Intruder Detection on the eDirectory container or containers where you want to audit failed login events.

IMPORTANT: You must enable Intruder Detection and Add Value event auditing on each server that holds a replica of the container you want to monitor.

Use the following procedure to enable Intruder Detection on a container:

  1. Log in to iManager.

  2. Under Roles and Tasks, select Directory Administration > Modify Object.

  3. Browse to and select the eDirectory container you want to audit. Click OK.

  4. On the General tab, click Intruder Detection.

  5. Select Detect intruders.

  6. Click OK.

NOTE:

  • You do not need to configure any other Intruder Detection-related settings or enable the Lock account after detection setting.

  • To monitor failed logins that occur through NMAS, use the Finish Login Status event in the NMAS collector. For more information, see Auditing NMAS Events.
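The three Sentinel requirements in this section, plus the Meta-event note under Configuring Novell Audit for eDirectory, are the settings most often missed when a collector starts reporting Configuration Error events. The following checker, added here as an example and not NetIQ or Sentinel code, validates an iManager selection before you click Apply. Selections are (category, event type) tuples as they appear on the Novell Audit tab; the LDAP pairs are the ones listed in the recommended event types above; the list of containers with Intruder Detection is an input you supply, because that setting lives on the container, not in the event selection. The recommended_defaults() set spells out only the Attributes types the checks use, since the page says "all event types" for Attributes and Meta.

```python
"""Check an eDirectory audit selection against the Sentinel collector rules
on this page (added example, not NetIQ or Sentinel code)."""

# Request/response pairs listed in the recommended LDAP event types above.
LDAP_PAIRS = {
    "LDAP Bind": "LDAP Bind Response",
    "LDAP Add": "LDAP Add Response",
    "LDAP Modify": "LDAP Modify Response",
    "LDAP Delete": "LDAP Delete Response",
    "LDAP Modify DN": "LDAP Modify DN Response",
    "LDAP Search": "LDAP Search Response",
}

ADD_VALUE = ("Attributes", "Add Value")
DELETE_VALUE = ("Attributes", "Delete Value")


def recommended_defaults():
    """The recommended default selection from Understanding eDirectory Event Types."""
    sel = {("Meta", "All event types"), ADD_VALUE, DELETE_VALUE}
    sel |= {("Objects", t) for t in (
        "Add Property", "Allow Login", "Change Password", "Change Security Equals",
        "Create", "Delete", "Delete Property", "Login", "Logout", "Modify RDN",
        "Move (Destination)", "Move (Source)", "Remove", "Rename", "Restore",
        "Search", "Verify Password")}
    sel |= {("Agent", t) for t in ("DS Reload", "Local Agent Close",
                                   "Local Agent Open", "NLM Load")}
    sel |= {("Miscellaneous", t) for t in ("Generated CA Keys",
                                           "Recertified Public Key")}
    sel |= {("LDAP", t) for t in ("LDAP Password Modify", "LDAP Unbind")}
    for req, resp in LDAP_PAIRS.items():
        sel |= {("LDAP", req), ("LDAP", resp)}
    return sel


def check_sentinel_readiness(selected, monitor_failed_logins=False,
                             intruder_detection_containers=()):
    """Return a list of problems; an empty list means the selection satisfies
    every requirement this section states for the Sentinel collector."""
    sel = set(selected)
    problems = []
    # Sentinel treats each LDAP request/response pair as one event.
    for req, resp in LDAP_PAIRS.items():
        has_req, has_resp = ("LDAP", req) in sel, ("LDAP", resp) in sel
        if has_req != has_resp:
            missing = resp if has_req else req
            problems.append(f"LDAP: select both {req} and {resp} (missing {missing})")
    # Create Object is followed by an Add Value that sets the object class.
    if ("Objects", "Create") in sel and ADD_VALUE not in sel:
        problems.append("Objects > Create requires Attributes > Add Value "
                        "(otherwise Sentinel reports a Configuration Error)")
    # Meta events are only generated when Add Value and Delete Value are on.
    if any(cat == "Meta" for cat, _ in sel):
        for needed in (ADD_VALUE, DELETE_VALUE):
            if needed not in sel:
                problems.append(f"Meta events require Attributes > {needed[1]}")
    # Failed-login monitoring needs Add Value auditing plus Intruder Detection
    # on every container of interest (on each server holding a replica).
    if monitor_failed_logins:
        if ADD_VALUE not in sel:
            problems.append("Failed-login monitoring requires Attributes > Add Value")
        if not intruder_detection_containers:
            problems.append("Failed-login monitoring requires Intruder Detection "
                            "on every audited container (on each replica server)")
    return problems
```

The recommended default set passes every check, which is one reason to start from it; a minimal selection such as LDAP Bind without LDAP Bind Response, or Objects > Create without Add Value, is flagged before Sentinel ever sees a malformed event.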

23.1.12 Uninstalling the Novell Audit Packages

The following sections explain how to uninstall the Novell Audit packages:

Uninstalling Audit Packages on Linux

To uninstall Audit packages on Linux:

  1. Unload the Audit module by using the command ndstrace -c "unload auditds".

  2. Uninstall the novell-AUDTedirinst-9.0-xx.rpm.

    #rpm -e --nodeps novell-AUDTedirinst-9.0-xx
  3. Disable automatic loading of Audit modules when eDirectory is started by editing the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file and removing the line corresponding to auditds (if it exists). The line corresponding to auditds is as follows:

    auditds     auto     #eDirectory Instrumentation

NOTE: If no other instrumentation uses it, also uninstall the Audit Platform Agent by running rpm -e novell-AUDTplatformagent-2.0.2-68.
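Both Loading the Audit Module and the Linux uninstall steps above edit the same ndsmodules.conf line by hand, and a stale or duplicated entry is an easy way to end up with auditds either silently not loading at boot or still loading after the package is gone. The following helper, added here as an example and not NetIQ code, serves both procedures: ensure_autoload() writes the documented line and remove_autoload() takes it out again, each idempotently and without touching other module entries. The only file format assumed is what the page shows, one "<module> auto #comment" line per module; the constructed sample in demo() uses a hypothetical examplemod entry. Loading and unloading the running module is still done with ndstrace.

```python
"""Manage the auditds auto-load entry in ndsmodules.conf (added example, not NetIQ code)."""
import tempfile
from pathlib import Path

NDSMODULES_CONF = Path("/etc/opt/novell/eDirectory/conf/ndsmodules.conf")
AUDITDS_LINE = "auditds     auto     #eDirectory instrumentation"


def _module_fields(line):
    """Whitespace-separated fields of a line with any trailing comment removed."""
    return line.split("#", 1)[0].split()


def _is_auditds_entry(line):
    fields = _module_fields(line)
    return bool(fields) and fields[0] == "auditds"


def auditds_autoload_enabled(path=NDSMODULES_CONF):
    """True if ndsmodules.conf lists auditds with the auto flag."""
    path = Path(path)
    if not path.exists():
        return False
    for line in path.read_text().splitlines():
        fields = _module_fields(line)
        if len(fields) >= 2 and fields[0] == "auditds" and fields[1].lower() == "auto":
            return True
    return False


def ensure_autoload(path=NDSMODULES_CONF):
    """Add the documented auditds line, or normalise an existing auditds entry
    to it. Returns True if the file changed."""
    path = Path(path)
    lines = path.read_text().splitlines() if path.exists() else []
    if any(_is_auditds_entry(l) for l in lines):
        new = [AUDITDS_LINE if _is_auditds_entry(l) else l for l in lines]
    else:
        new = lines + [AUDITDS_LINE]
    if new == lines:
        return False
    path.write_text("\n".join(new) + "\n")
    return True


def remove_autoload(path=NDSMODULES_CONF):
    """Drop every auditds entry (uninstall step). Returns True if the file changed."""
    path = Path(path)
    if not path.exists():
        return False
    lines = path.read_text().splitlines()
    new = [l for l in lines if not _is_auditds_entry(l)]
    if new == lines:
        return False
    path.write_text("\n".join(new) + "\n" if new else "")
    return True


def demo():
    """Exercise the enable/disable cycle on a constructed file in a temp dir."""
    conf = Path(tempfile.mkdtemp()) / "ndsmodules.conf"
    conf.write_text("# constructed sample, not a real ndsmodules.conf\n"
                    "examplemod   auto   #hypothetical module entry\n")
    return {
        "before": auditds_autoload_enabled(conf),
        "ensure_changed": ensure_autoload(conf),
        "ensure_again": ensure_autoload(conf),
        "enabled": auditds_autoload_enabled(conf),
        "other_kept": "examplemod" in conf.read_text(),
        "remove_changed": remove_autoload(conf),
        "remove_again": remove_autoload(conf),
        "after": auditds_autoload_enabled(conf),
    }
```

On a server, run ensure_autoload() as root after the packages are installed and remove_autoload() after rpm -e; the functions report whether they changed anything, so they are safe to call from a configuration-management run on every pass.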

Uninstalling Audit Packages on Windows

To uninstall Audit packages on Windows:

  1. Unload the Audit module as follows:

    1. Navigate to Start > Control Panel > Novell eDirectory Services.

    2. Select Services.

    3. Click nauditds.dlm, then click Stop.

  2. Delete nauditds.dlm from the C:\Novell\NDS directory.

  3. Delete the ediraudit.sch file from the C:\Novell\NDS directory.

  4. Complete the following steps to disable automatic loading of Audit packages when eDirectory is started:

    1. Navigate to Start > Control Panel > Novell eDirectory Services.

    2. Select Services.

    3. Click nauditds.dlm, then click Startup.

    4. Disable the Automatic option by clearing the check-box.

    5. Click OK.

NOTE: If no other instrumentation is installed, uninstall the Audit Platform Agent by deleting logevent.dll from C:\Novell\NDS.