IMPORTANT: Support for auditing with the Novell Audit Platform Agent is deprecated as of eDirectory 9.2 SP6. Use the supported CEF module for auditing services instead of Novell Audit. No support is provided for issues related to Novell Audit auditing with eDirectory 9.2 SP6 and above.
Using the Novell Audit package, you can send events generated by eDirectory to an outside auditing client for monitoring purposes.
eDirectory instrumentation is bundled with eDirectory 9.2. You need to install this package for auditing eDirectory events with Novell Audit.
Use the following information to install, configure, or uninstall Novell Audit on Linux and Windows servers:
For information about supported platforms and installation instructions, see the NetIQ eDirectory Installation Guide.
eDirectory 9.2 auditing requires the Novell Audit Platform Agent 2.0.2.80 at a minimum.
Installing and using the Novell Audit iManager Plug-in requires iManager 3.0 at a minimum. For more information, refer to the iManager Documentation Page.
If the Audit Platform Agent configuration file (logevent.conf) already exists in /etc, back up the file before installing the Audit packages, because the new package overwrites the existing configuration.
If the Audit module is already loaded, unload the auditds module by using the ndstrace -c "unload auditds" command.
For the 64-bit Audit package:
Install novell-AUDTplatformagent-2.0.2-80.x86_64.rpm from the setup directory of the extracted eDirectory build for the Linux platform.
#rpm -ivh /root/eDirectory/setup/novell-AUDTplatformagent-2.0.2-80.x86_64.rpm
Install the novell-AUDTedirinst-9.2-xx.x86_64.rpm from the setup directory of the extracted eDirectory build for the Linux platform.
NOTE: When upgrading the eDirectory server, novell-AUDTedirinst-9.2-xx.x86_64.rpm is upgraded automatically if it is already installed.
#rpm -ivh <eDirectory build extracted folder>/eDirectory/setup/novell-AUDTedirinst-9.2-xx.x86_64.rpm
Run ndstrace -c "load auditds" to load the auditds module.
For the 64-bit Audit package:
Install the Platform Agent (PA) as non-root user. To install PA, refer to the Software License and Download portal and the Novell Audit Platform Agent Guide (Sentinel Plug-Ins 2011.1r3).
Stop the eDirectory server.
Extract the eDirectory instrumentation rpm using the following command:
#rpm2cpio novell-AUDTedirinst-9.2-xx.x86_64.rpm | cpio -div
Copy the extracted files to the non-root installed lib64 directory using the following command:
cp -r ./opt/novell/eDirectory/lib64/* <eDirectory build extracted folder>/eDirectory/opt/novell/eDirectory/lib64/
Restart the eDirectory server.
Run ndstrace -c "load auditds" to load the auditds module.
If the Audit Platform Agent configuration file (logevent.cfg) already exists in C:\WINDOWS, back up the file before installing the instrumentation, because the new package overwrites the existing configuration.
For a 64-bit installation of the Audit packages and the Audit Platform Agent, run Novell_Audit_PlatformAgent_Win64.exe from the <installerFolder>/windows/x64/auditds/ directory.
NOTE:
If you upgrade an eDirectory server that has eDirectory instrumentation installed, the eDirectory instrumentation files are automatically upgraded. If you are currently on eDirectory 9.0 SP2 or lower version, you must upgrade the instrumentation files manually before upgrading your eDirectory server.
If you are upgrading eDirectory server as a non-root user, you must upgrade the instrumentation files manually before upgrading your eDirectory server.
To configure auditing of eDirectory events using the Novell Audit Platform Agent, you must first install the Novell Audit plug-in for iManager.
Installing and using the Novell Audit iManager plug-in requires iManager 3.0 or later. See the iManager Installation Guide for iManager installation requirements and download instructions.
The Novell Audit iManager plug-in is bundled with eDirectory 9.2 plug-ins. eDirectory 9.2 plug-ins can be downloaded from the Software License and Download portal.
The installation instructions are available on the eDirectory 9.2 Plug-ins for iManager 3.2 download page.
If the Audit Platform Agent is not already configured, edit the Platform Agent configuration file to set the Audit Server's host address in LogHost. By default, the installation program places the configuration file in the following directory:
Linux: /etc/logevent.conf
Windows: Windows_directory\logevent.cfg
For example, modify the LogHost attribute as follows:
LogHost=192.168.1.8
For more information, refer to the “Configuring the Audit Platform Agent” section in the Novell Audit 2.0 Administration Guide.
To configure auditing of eDirectory events with the Novell Audit Platform Agent using iManager, select the eDirectory event types that you want to audit.
Log in to iManager using the following URL:
https://ip_address_or_DNS/nps/
where ip_address_or_DNS is the IP address or DNS name of your iManager server. For example:
https://111.111.1.1/nps/
Under Roles and Tasks, select eDirectory Auditing > Audit Configuration.
Browse to and select the NCP Server object that corresponds to the eDirectory Server from which you want to collect events. Click OK.
Click the Novell Audit tab to display the eDirectory Instrumentation Settings page.
If you do not want eDirectory to send replicated events to another replica in the replica ring, select Do Not Send Replicated Events.
You can use this option to filter out unnecessary event noise and reduce log size.
If you want to enable inline pre-event reporting, select Register For Events Inline.
Note that selecting this option can slow eDirectory performance.
Select the event types that you want to audit.
If you want to filter events for one or more specific object classes, complete the following actions:
Click one of the following hyperlinked objects:
Objects > Create
Objects > Delete
Attributes > Add Value
Attributes > Delete Value
LDAP > LDAP Add
LDAP > LDAP Modify
LDAP > LDAP Delete
LDAP > LDAP Modify DN
In the Available Object Classes list, select the object classes for which you want to audit events and click the right arrow.
Click OK, then click OK again.
If you want to filter events for one or more specific attributes, complete the following steps:
Click one of the following hyperlinked objects:
Attributes > Add Value
Attributes > Delete Value
In the Available Attributes list, select the attributes for which you want to audit events and click the right arrow.
Click OK, then click OK again.
NOTE: eDirectory evaluates events individually against all filters, so if an event matches one filter but not another, eDirectory still sends the event to the client. For more information about filtering events, see Understanding eDirectory Auditing Event Filtering.
Click Apply, then click OK.
Changes to your auditing configuration take effect within three minutes. If you want to immediately apply changes, you can also unload and then reload the Audit module. For more information about loading the audit module, see Loading and Unloading the Modules.
NOTE: Ensure that the Attributes > Add Value and Attributes > Delete Value event types are selected; they are required to generate the Meta events.
To load or unload the Audit module, use one of the following procedures depending on your platform:
If the Audit module is not already loaded, execute the following command to load it:
ndstrace -c "load auditds"
Execute the following command to unload the Audit module:
ndstrace -c "unload auditds"
To automatically load Audit modules when eDirectory starts, edit the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file and add the following line to the file:
auditds auto #eDirectory instrumentation
Load the Audit module.
Click Start > Control Panel > Novell eDirectory Services.
Select nauditds from the Services tab, then click Start.
Unload the Audit module.
Click Start > Control Panel > Novell eDirectory Services.
Select nauditds from the Services tab, then click Stop.
To automatically load the Audit module when eDirectory is started, complete the following actions:
Click Start > Control Panel > Novell eDirectory Services.
Select nauditds from the Services tab, then click Startup.
Select Automatic, then click OK.
To disable automatic loading of Audit module when eDirectory is started, complete the following actions:
Click Start > Control Panel > Novell eDirectory Services.
Select nauditds from the Services tab, then click Startup.
Deselect the Automatic check box, then click OK.
eDirectory uses two different event reporting systems to log events: journal and inline. By default, eDirectory logs events using journal event reporting, but you can enable inline event reporting in iManager. For more information about enabling inline event reporting, see Configuring Novell Audit for eDirectory.
Journal: This reporting system provides synchronous post-event reporting. With journal event reporting enabled, when an event is generated, eDirectory adds the event to the journal event processing queue. eDirectory then uses a separate thread to process events in the queue and sends those events to the auditing client.
Inline: This reporting system provides synchronous pre-event reporting. With inline event reporting enabled, when an event is generated, eDirectory uses the same thread to send the event directly to the client. Note that enabling inline event reporting can affect eDirectory performance.
You can configure eDirectory to log events in the following categories:
Meta
Objects
Attributes
Schema
Connections
Agent
Miscellaneous
Bindery
Replica
Partition
LDAP
We recommend auditing the following default set of event types:
Category | Event Type
---|---
Meta | All event types
Objects |
Attributes | All event types
Agent |
Miscellaneous |
LDAP |
You can also filter events for one or more specific object classes or attributes, depending on the event type. eDirectory evaluates all generated events against the configured filters on the eDirectory server and sends only events matching those filters through to the auditing client.
Multiple filters can be used to filter eDirectory events separately. For example, if you configure filtering on both a specific object class and one or more attributes, eDirectory sends events matching any of those filters to the client. You cannot configure filtering so that eDirectory sends only events of a certain object class and certain attributes to the client. You can select multiple object classes or attributes for which you want to filter eDirectory events.
NOTE: You can only filter a combined maximum of 256 object classes and attributes.
Click one of the following hyperlinked event types to select one or more object classes or attributes to filter for that event type:
Category | Event Type | Filtering Type
---|---|---
Objects | | Object Class
Attributes | | Object Class or Attribute
LDAP | | Object Class
For example, if you want to be notified when someone creates a user account in eDirectory, you can create a filter using iManager to look for only Create Object events that create a User object.
In iManager, navigate to Roles and Tasks > eDirectory Auditing > Audit Configuration, select the NCP Server you want to monitor, and then click the Novell Audit tab. In the Objects list, click the Create hyperlink. In the Available Object Classes list, select User, then click the right arrow to move User to the Selected Object Classes list, and then click OK.
With the filter configured, eDirectory checks all generated events for user-creation events and sends those events to the client. If you do not select other event types or configure filtering for other object classes or attributes, eDirectory only audits user-creation events.
Note that Object and LDAP category filters only allow you to filter on object classes, while Attribute category filters allow you to filter on both object classes and attributes.
If you select one of the event types above but do not specify an object class or attribute on which to filter, eDirectory sends all events of that event type to the client.
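The filter rules above (any-match evaluation, the 256-entry limit, and which categories accept object-class or attribute filters) as a small Python model. This is an added example, not code from the NetIQ documentation or the product; the event dictionary shape and the "Category > Event Type" labels are assumptions made for the example.

```python
# Added example (not part of the NetIQ documentation): a model of how the
# documented filter rules decide whether an event reaches the auditing client.
# Event type names follow the iManager labels on this page; the event
# dictionary shape is an assumption made for the example.
MAX_FILTER_ENTRIES = 256  # combined object classes + attributes, per the page

# Filter kinds each filterable event type accepts: Attributes events accept
# both, Objects and LDAP events accept object classes only.
FILTER_KINDS = {
    "Objects > Create": {"object_class"},
    "Objects > Delete": {"object_class"},
    "Attributes > Add Value": {"object_class", "attribute"},
    "Attributes > Delete Value": {"object_class", "attribute"},
    "LDAP > LDAP Add": {"object_class"},
    "LDAP > LDAP Modify": {"object_class"},
    "LDAP > LDAP Delete": {"object_class"},
    "LDAP > LDAP Modify DN": {"object_class"},
}


def validate_filters(object_classes, attributes):
    """Return configuration problems (empty list means the filters are valid).

    object_classes / attributes: dict mapping event type -> set of values."""
    problems = []
    total = sum(len(v) for v in object_classes.values())
    total += sum(len(v) for v in attributes.values())
    if total > MAX_FILTER_ENTRIES:
        problems.append(f"{total} filter entries exceed the limit of {MAX_FILTER_ENTRIES}")
    for kind, table in (("object_class", object_classes), ("attribute", attributes)):
        for event_type in table:
            if kind not in FILTER_KINDS.get(event_type, set()):
                problems.append(f"{event_type} does not accept {kind} filters")
    return problems


def should_send(enabled, object_classes, attributes, event):
    """Decide whether eDirectory forwards `event` to the auditing client.

    Filters are evaluated independently: an event matching ANY configured
    filter for its type is sent (class and attribute filters are not ANDed),
    and a selected type with no filters sends every event of that type."""
    event_type = event["type"]
    if event_type not in enabled:
        return False
    classes = object_classes.get(event_type, set())
    attrs = attributes.get(event_type, set())
    if not classes and not attrs:
        return True
    return event.get("object_class") in classes or event.get("attribute") in attrs
```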
NetIQ Sentinel provides a Collector for collecting and auditing eDirectory events. In order to monitor specific eDirectory events in Sentinel, you must ensure that certain eDirectory auditing settings are configured properly.
For detailed information on configuring auditing settings, see Configuring Novell Audit for eDirectory.
For information on configuring Sentinel to collect eDirectory events, see the Sentinel Collector Guide for NetIQ eDirectory, located on the Sentinel Plug-ins site.
When creating an object that will be used as an account, eDirectory first creates a generic object, then modifies the object class to a user type with an Add Value event. If you want Sentinel to properly collect the event, you must enable auditing of Add Value events in iManager. If you do not enable Add Value event auditing, the Sentinel Collector cannot parse Create Object events and will generate a “Configuration Error” event in Sentinel.
To enable auditing of Create Object events, launch iManager and navigate to the eDirectory Auditing > Audit Configuration > Novell Audit window. Select both Objects > Create and Attributes > Add Value.
eDirectory considers each LDAP request to be a transaction, and generates events when a request is initiated and when a response is received and the transaction is completed.
In Sentinel, however, each request-response pair is treated as one event. In order to audit a type of LDAP event in eDirectory using Sentinel, you must enable auditing for both the request event and the response event. For example, to audit an LDAP bind request, you must configure auditing for both LDAP Bind and LDAP Bind Response events in iManager.
If you want to monitor failed login events in eDirectory, you must use iManager to enable auditing on Add Value events on the eDirectory server. You must also enable Intruder Detection on the eDirectory container or containers where you want to audit failed login events.
IMPORTANT: You must enable Intruder Detection and Add Value event auditing on each server with a replica of the container you want to monitor.
Use the following procedure to enable Intruder Detection on a container:
Log in to iManager.
Under Roles and Tasks, select Directory Administration > Modify Object.
Browse to and select the eDirectory container you want to audit. Click OK.
On the General tab, click Intruder Detection.
Select Detect intruders.
Click OK.
NOTE: You do not need to configure any other Intruder Detection-related settings or enable the Lock account after detection setting.
To monitor failed login events for logins that happen through NMAS, check the Finish Login Status in the NMAS collector. For more information, see Auditing NMAS Events.
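A checker for the Sentinel prerequisites described in this section (Create Object needs Add Value, each LDAP request needs its response event, failed logins need Add Value plus Intruder Detection). This is an added example, not NetIQ code; it assumes every LDAP request event has a matching event named with a " Response" suffix, generalising the LDAP Bind example above.

```python
# Added example (not from the NetIQ documentation): check an iManager
# event-type selection against the Sentinel Collector prerequisites this page
# describes. Generalising "LDAP Bind" / "LDAP Bind Response" to every LDAP
# request event by appending " Response" is an assumption of this example.
LDAP_PREFIX = "LDAP > "
RESPONSE_SUFFIX = " Response"


def sentinel_prerequisite_problems(enabled, failed_logins=False,
                                   intruder_detection_containers=()):
    """Return findings for selections Sentinel cannot collect correctly.

    enabled: set of selected event types ("Category > Event Type").
    failed_logins: whether failed-login monitoring is wanted.
    intruder_detection_containers: containers with Detect intruders set."""
    problems = []
    # Create Object is only parseable when Add Value is also audited.
    if "Objects > Create" in enabled and "Attributes > Add Value" not in enabled:
        problems.append("Objects > Create needs Attributes > Add Value, "
                        "otherwise Sentinel reports a Configuration Error")
    # Sentinel treats each LDAP request/response pair as one event, so both
    # halves of every selected LDAP event must be audited.
    for event_type in sorted(enabled):
        if not event_type.startswith(LDAP_PREFIX):
            continue
        if event_type.endswith(RESPONSE_SUFFIX):
            partner = event_type[:-len(RESPONSE_SUFFIX)]
        else:
            partner = event_type + RESPONSE_SUFFIX
        if partner not in enabled:
            problems.append(f"{event_type} is selected without {partner}")
    # Failed logins need Add Value auditing plus Intruder Detection on the
    # containers being watched (on every server holding a replica).
    if failed_logins:
        if "Attributes > Add Value" not in enabled:
            problems.append("failed-login monitoring needs Attributes > Add Value")
        if not intruder_detection_containers:
            problems.append("failed-login monitoring needs Intruder Detection "
                            "enabled on the audited containers")
    return problems
```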
The following sections explain how to uninstall the Novell Audit packages:
To uninstall Audit packages on Linux:
Unload the Audit module by using the command ndstrace -c "unload auditds".
Uninstall the novell-AUDTedirinst-9.2.0-xx.rpm.
#rpm -e --nodeps novell-AUDTedirinst-9.2.0-xx
Disable automatic loading of Audit modules when eDirectory is started by editing the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file and removing the line corresponding to auditds (if it exists). The line corresponding to auditds is as follows:
auditds auto #eDirectory Instrumentation
NOTE: If no other auditing is installed, uninstall the novell-AUDTplatformagent-2.0.2-80 Audit Platform Agent by using the rpm -e novell-AUDTplatformagent-2.0.2-80 command.
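An idempotent way to add or remove the auditds entry in ndsmodules.conf, covering both the auto-load step in the module loading section and the uninstall step above. This is an added example, not NetIQ code; the functions work on the file text so they can be checked offline, and the sample file content in the test is constructed.

```python
# Added example (not from the NetIQ documentation): idempotently add or remove
# the auditds auto-load entry in ndsmodules.conf. The functions work on file
# text so they can be checked without touching a real server; treating a
# commented-out entry ("#auditds ...") as absent is an assumption.
NDSMODULES_CONF = "/etc/opt/novell/eDirectory/conf/ndsmodules.conf"
AUDITDS_LINE = "auditds auto #eDirectory instrumentation"


def _is_auditds_entry(line):
    """True for an active (not commented-out) auditds entry."""
    parts = line.strip().split()
    return bool(parts) and parts[0] == "auditds"


def enable_auditds_autoload(text):
    """Return text with exactly one active auditds entry (install step)."""
    lines = text.splitlines()
    if any(_is_auditds_entry(l) for l in lines):
        return text  # already present: do not duplicate the entry
    lines.append(AUDITDS_LINE)
    return "\n".join(lines) + "\n"


def disable_auditds_autoload(text):
    """Return text with every active auditds entry removed (uninstall step)."""
    kept = [l for l in text.splitlines() if not _is_auditds_entry(l)]
    return "\n".join(kept) + ("\n" if kept else "")


def update_ndsmodules_conf(enable, path=NDSMODULES_CONF):
    """Rewrite the real file in place; returns True when the content changed."""
    with open(path, encoding="utf-8") as fh:
        before = fh.read()
    after = enable_auditds_autoload(before) if enable else disable_auditds_autoload(before)
    if after != before:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(after)
    return after != before
```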
To uninstall Audit packages on Windows:
Unload the Audit module as follows:
Navigate to Start > Control Panel > Novell eDirectory Services.
Select Services.
Click nauditds.dlm, then click Stop.
Delete nauditds.dlm from the C:\Novell\NDS directory.
Delete the ediraudit.sch file from the C:\Novell\NDS directory.
NOTE: If no other instrumentation is installed, uninstall the Audit Platform Agent by deleting the logevent.dll file from C:\Novell\NDS.