Nsure Audit Starter Pack (Auditing and Secure Logging)
3/3/2006

Logging important events to a log server and sending alerts when necessary is important for security. NetWare 6.5 includes the Nsure Audit Starter Pack for this purpose. The Starter Pack is a stripped-down version of the full, purchasable product, but it is not so stripped down that it lacks the necessary functions. I installed it with my initial NW65 install, so that part was already set up. I am using the server's own MySQL server, and have both the logging server and the Platform Agent (the client that collects events from all of the products logging on that server) on the same machine. That is less secure, since the audit trail then lives on the very server being audited, but I'm going to configure it to log to our secure logging server later. See the Novell Audit Guide.
To configure Nsure, log into iManager and select "Auditing and Logging" from the left-hand menu, then click "Logging Server Options." You must select the logging server to configure; it should be under the "Logging Services" container in your tree. This pops up a summary of what is currently going on. It appears that the default setup logs to both MySQL and a flat file (in SYS:\etc\logdir), and logs events from the applications listed on that summary page.
No notifications were set up by default. From the pull-down menu at the top, select General -> Configuration. To turn on digital signing, check the "Sign Events" box here. Signing works something like a linked list: each event's signature is computed over the event together with the previous event's signature, so every entry is chained to the one before it and you can tell if any entries were removed or altered. In addition, you must edit SYS:\ETC\logevent.cfg and add the line LogSigned=server to turn this option on. I did this in our configuration, because if you ever need to use your logs in a court of law, you want to be able to prove that they were not tampered with!

Again from the pull-down menu, click General -> Status and ensure that the logging server is Enabled (which it is by default). Now, from the left-hand menu, click Auditing and Logging -> Query Options. Under Global Options, the date/time format is set to UTC by default; I changed this to Local.
In order to run queries, under Auditing and Logging -> Query Options -> Databases, you must enter the information for the database that you originally set up for Nsure during installation. I clicked New, then entered the connection information for my database. The naudit at the end of the database URL is of course the name of the database that I set up in the initial NW installation, and log is the name of the table.

To configure which events are actually logged, click "Logging Server Options" from the left-hand menu. Select the logging server, then from the summary page click one of the Applications down at the bottom. This pops up a window from which you can modify the Application Object. From the pull-down menu, select Events. Here you can view all events and check the ones you want logged. Once you have checked all the ones you want, be sure to check "Allow checked events to be logged," then click OK.

Before anything is logged with regard to eDirectory and NetWare (file system), you must also enable logging in the NCP Server Object. To do so, log into iManager with the admin account. Click the "View Objects" button up top, go into your Organization container and click the Server Object. Select "Modify Object" from the pop-up menu, which pulls up the property pages. Now click the "Novell Audit" tab up top, then either NetWare, Filesystem, or eDirectory to modify which events are logged. Remember that if you configure event logging on both the Server Object and in the Application Object's Event Settings, ONLY THE EVENTS THAT ARE ENABLED IN *BOTH* ARE LOGGED; a logical AND is performed to filter events. However, you can also enable events in the Server Object alone to have them logged. So the logic event logging uses is an AND of the two settings.

I checked "Select all" for all events in the Server Object audit settings. Because that logical AND is performed, I then checked the ones that I actually wanted logged under the Application Object Events. Take a look in the Novell Audit Guide under "Configuring Specific Events" for a nice guide to which events are important. *** When I tried enabling all events under the Server Object, then selecting individual events through the Application Object Events, it completely ignored what I had selected in the latter and still logged all events! The only way I found that actually worked to filter which events were logged was to check/uncheck the various events in the Server Object. Keep in mind, also, that what you select at the Server Object does not take effect until you restart the appropriate module (for example, unloading and loading auditds.nlm for NetWare/file system events).

Now, to view the logs, simply click Auditing and Logging -> Queries. We already entered the database information above, so that database should be in the drop-down menu and selected by default. Check one of the boxes for what you want to look at (I like "All Last Hour" when debugging), then click "Run Query" at the bottom. It then displays a long list of what was logged! The Auditing and Logging -> Verification option is what lets you verify that your database has not been tampered with; it walks the chain, checking that each entry's signature matches its immediate previous and next entries. Run it whenever you need to demonstrate integrity, for example before relying on the logs as evidence. Voila, you now have secure logging!
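The chained signing enabled above and the walk that the Verification page performs, as an added Python model; this is not Novell's code or its record format. It assumes an HMAC secret (SERVER_KEY) standing in for the logging server's certificate and private key, a simplified JSON record layout, and constructed sample events rather than real Novell Audit records. It also shows the one thing a chain alone cannot catch: truncation of the newest entries.

```python
"""Hash-chained event log with chain verification (added illustration).

Model of the idea the page describes, not Novell Audit's code or record
format. Each stored record carries a signature computed over the event body
together with the previous record's signature, so a removed, altered or
reordered entry breaks the chain at that point.
"""
import copy
import hashlib
import hmac
import json

# Hypothetical signing secret standing in for the logging server's
# certificate/private key (an assumption, not a Novell Audit setting).
SERVER_KEY = b"logging-server-secret"

# Signature assumed to precede the very first event in the chain.
GENESIS_SIG = "0" * 64


def sign_event(prev_sig: str, event: dict) -> str:
    """HMAC-SHA256 over (previous signature || canonical JSON of the event)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, prev_sig.encode() + body, hashlib.sha256).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append an event, chaining its signature to the last stored record."""
    prev_sig = log[-1]["sig"] if log else GENESIS_SIG
    record = {"event": event, "sig": sign_event(prev_sig, event)}
    log.append(record)
    return record


def verify_chain(log: list) -> tuple:
    """Walk the chain the way a Verification step does.

    Returns (True, None) if every record's signature matches the one
    recomputed from its body and its predecessor, otherwise (False, index)
    of the first record that fails.
    """
    prev_sig = GENESIS_SIG
    for i, rec in enumerate(log):
        expected = sign_event(prev_sig, rec["event"])
        if not hmac.compare_digest(rec["sig"], expected):
            return False, i
        prev_sig = rec["sig"]
    return True, None


def build_sample_log() -> list:
    """Constructed sample events, not real Novell Audit records."""
    log = []
    append_event(log, {"ts": "2006-03-03T10:00:00Z", "src": "eDirectory",
                       "evt": "Login", "user": "admin"})
    append_event(log, {"ts": "2006-03-03T10:05:00Z", "src": "NetWare",
                       "evt": "Open File", "path": "SYS:ETC\\logevent.cfg"})
    append_event(log, {"ts": "2006-03-03T10:06:00Z", "src": "eDirectory",
                       "evt": "Modify Object", "obj": "CN=admin"})
    append_event(log, {"ts": "2006-03-03T10:07:00Z", "src": "NetWare",
                       "evt": "Delete File", "path": "SYS:ETC\\logdir\\old.log"})
    return log


def tamper_delete(log: list, index: int) -> list:
    """An attacker removes one record from the middle of the log."""
    return log[:index] + log[index + 1:]


def tamper_modify(log: list, index: int, field: str, value) -> list:
    """An attacker edits a field of one stored event without re-signing."""
    altered = copy.deepcopy(log)
    altered[index]["event"][field] = value
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:   ", verify_chain(log))                                    # (True, None)
    print("deleted:  ", verify_chain(tamper_delete(log, 2)))                  # (False, 2)
    print("modified: ", verify_chain(tamper_modify(log, 0, "user", "guest"))) # (False, 0)
    # Limitation: chopping off the tail leaves a valid, shorter chain.
    print("truncated:", verify_chain(log[:-1]))                               # (True, None)
```

The last line is the caveat worth remembering when you rely on the Verification page: a chain proves nothing about entries that were simply cut off the end. To catch that, periodically record the newest signature somewhere the audited server cannot rewrite (the separate secure logging server mentioned above, or even a printout) and compare against it.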
Creating a Secure Logging Certificate
Configuring the Logging Server (including defining certificate and private key files)

To restart the logging server (after applying changes): UNLOAD LENGINE, then LOAD LENGINE.

*** LENGINE.NLM eventually caused a memory leak for me, using upward of 400MB. To fix this, I created a Log Application Object for iManager (which is a good thing to audit anyhow), using this procedure.

* unload, load auditds (eDirectory logging)