Novell Nsure Audit


Dec 4, 2013 (3 years and 8 months ago)




Novell Nsure Audit

Brent McCormick

Corporate Technology Strategists

bmccormi@novell.com

© Novell Inc, Confidential & Proprietary

Agenda

Section 1: Nsure Audit Overview

Section 2: Nsure Audit Architecture

Section 3: Nsure Audit Basic Installation

Section 4: Nsure Audit Troubleshooting



Nsure Audit Overview


Securing Organizational Resources

[Figure: "What's happening in my systems?" Labels: Partners/Suppliers, Faculty/Staff, Administrator, Students, Linux, Unix, NetWare®, 2003/XP, Desktop Systems, Web Servers, Email Servers, Business Applications, Directories, Custom Applications.]


Nsure Audit

Novell Nsure Audit is a secure logging and auditing product that helps you reduce your organization's liability and risk by ensuring compliance with governmental regulations and business-driven security policies. As a key part of any comprehensive Secure Identity Management solution, this product collects data about security, system and application events that occur across your organization's network. It then stores this information centrally using one of the following data formats: MySQL, Oracle, flat file or SYSLOG.


Example Regulations

- SEC Order 4-460 (June 27, 2002)
- Section 906 of the Sarbanes-Oxley Act (July 30, 2002)
- SEC Exchange Act Rules 13a-14 and 15d-14
- HIPAA: Health Insurance Portability and Accountability Act
- GLBA: Gramm-Leach-Bliley Act
- CIPA: Children’s Internet Protection Act
- GISRA: Government Information Security Reform Act

Plus: FERPA, NAI, OCC, IIPPMA, Homeland Security Act 2002, Regulation S-P (SEC), EU Privacy Act, UK Data Protection Act, and local regulations...


How is Nsure Audit unique?

1. Integration with Novell products

As Novell’s official audit product, Nsure Audit collects events from the broadest set of Novell products (and the list is growing…)

2. Data integrity and security

Event signing and event chaining protect the integrity of logged data, making it forensically robust (non-repudiative)

3. Policy enforcement

Unauthorized changes to eDirectory values are detected and reset to appropriate values, as specified by company policy
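Event signing and event chaining, as named under "Data integrity and security" above, sketched as an added example (not Novell's code; the slides do not give the product's algorithm). It assumes a SHA-256 hash chain with an HMAC-SHA256 tag standing in for the signature; the record layout, key and sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32            # assumed anchor for the first link
KEY = b"constructed-demo-key"     # constructed; a real key lives outside the log store

# Constructed events, modelled on the deck's sample log entries and event ID.
SAMPLE_EVENTS = [
    {"eventid": 1, "text1": "FMSmith", "text2": "IMAP valid login", "src": "137.65.47.144"},
    {"eventid": 2, "text1": "pfeiffer", "text2": "POP3 valid login", "src": "195.224.28.4"},
    {"eventid": 720902, "text1": "pfeiffer", "text2": "Login Intruder Attempts", "src": "195.224.28.4"},
]

def link_digest(prev_link: bytes, event: dict) -> bytes:
    """Chaining: each link hashes the previous link plus the canonical event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_link + body).digest()

def append_event(log: list, event: dict, key: bytes) -> None:
    prev = bytes.fromhex(log[-1]["link"]) if log else GENESIS
    link = link_digest(prev, event)
    sig = hmac.new(key, link, hashlib.sha256).hexdigest()   # signing stand-in
    log.append({"event": event, "link": link.hex(), "sig": sig})

def verify_log(log: list, key: bytes, head: str = None):
    """Return (ok, index, reason); index is the first record that fails.

    head is the last link value kept outside the log store; without it,
    records trimmed from the end of the log go unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        link = link_digest(prev, rec["event"])
        if not hmac.compare_digest(link.hex(), rec["link"]):
            return False, i, "chain"        # edited, removed or reordered record
        expected = hmac.new(key, link, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return False, i, "signature"    # links recomputed without the key
        prev = link
    if head is not None and prev.hex() != head:
        return False, len(log), "head"      # log is shorter than the anchored one
    return True, None, None

def build_sample_log() -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append_event(log, event, KEY)
    return log
```

Chaining alone catches edits, deletions and reordering inside the log; the keyed tag is what stops someone with write access to the store from recomputing the links after a change.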


How is Nsure Audit unique?

1. Notifications

Administrators can be notified in real-time through a variety of methods if suspicious activity occurs or if logging applications go down

2. Real-time system monitoring tools

Administrators can build easy-to-read, dynamic dashboards with monitoring applications or Web services

3. Reporting and analysis tools

Prewritten Crystal reports, SQL queries wizard, iManager plug-ins and LETrans are included


Novell’s Auditing History

[Figure: timeline with year marks 1990, 1992, 1994, 1996, 1998, 2000, 2002 and 2004. Labels: NetWare 3.0, NetWare 4.0, NetWare 5.0, NetWare 5.1, NetWare 6.0, NetWare 6.5; NDS 6, NDS 7, NDS 8, eDirectory 8.5, eDirectory 8.6, eDirectory 8.7; Accounting Log (NW 3.0), AuditCon (NW 4.0), NAAS (NW 6.0), Nsure Audit.]


Novell Auditing prior to Nsure Audit

[Figure labels: Novell DirXML, Novell NetWare, Novell eDirectory, Partners, Novell NetMail, Novell iChain, Novell BorderManager; NAAS, AuditCon, CS Audit, RNS, Logging Features (three times), NDS Audit.]


Novell Auditing Today

[Figure labels: 3rd Parties, Partners, Nsure Audit Starter Pack, Nsure Audit, Novell NetWare, Novell eDirectory, Novell DirXML, Novell NetMail, Novell iChain, Novell BorderManager, Nsure Audit API; Nsure, Nterprise, exteNd, Ngage.]


High-Level Feature Comparison

[Table; the row and column alignment of the cells did not survive extraction.

Features compared: Real-Time Monitoring; Supported Log Storage Devices; Signing and Chaining of Events; Additional Logging Interfaces; Log Reporting Tools; Mutual Authentication (PA/SLS); Real-Time Notifications; Centralized Logging.

Products compared: Nsure Audit (Ontario, full auditing product); Nsure Audit Starter Pack (Ontario Lite / Niagara); NAAS (Novell Advanced Auditing Service).

Cell values in extraction order, with the product label that follows each group: Flat File, MySQL; Y; (FUTURE); iManager Only; Email only; Y; [Nsure Audit Starter Pack]; Pervasive; Email only; Y; [NAAS]; Nsure Audit Report, LETrans, iManager; Flat File, MySQL, Oracle; Y; Y; Canned Crystal Reports; (FUTURE); Y; Email, Syslog, SNMP, Storage, JAVA, CVR; Y; Y; [Nsure Audit].]



Nsure Audit Architecture


Nsure Audit Architecture

Nsure Audit uses a client/server model to report events from the “Logging application” to the “Secure Logging Server”. The client portion is implemented in the shared library “logevent” and is referred to as the “Platform Agent”. (Depending on the platform, the library is a DLL, NLM or .SO Shared Object.)

The communication between client and server is done over TCP/IP.


Universal Auditing Infrastructure

[Figure labels: Novell Products; 3rd-Party Products; Secure Logging Server; Monitors; Reports; Logs; Notifications (Email, SNMP, SYSLOG, CVR*, Storage, Java). *CVR: Critical Value Reset.]


Nsure Audit Major Components

Platform agent

- Collects events from instrumented applications
- Sends the events to the Logging Server
- Caches the event in case of communication failure
- Optionally signs the events for validation

Secure Logging Server

- Receives the events from the platform agent
- Logs events to file or database
- Sends any relevant notifications


Key components of Nsure Audit

- Logging Application: an application that has been instrumented for Nsure Audit.
- Platform Agent: the “client” portion of Nsure Audit
- Secure Logging Server: the “server” portion of Nsure Audit. The Secure Logging Server has three services or functions: a) Logging b) Notification c) Monitoring


Secure logging server components

Logging

- Stores all events received by the Auditing Service via a Log Driver
- Currently Flat File, MySQL, Oracle and syslog drivers are available
- Stores all events through the designated Logging Driver. This helps to achieve the goal of having a centralized repository for auditing


Secure logging server components

Notification

- Sends Notifications via Notification Channels and associated drivers
- The following Notification drivers will be supported: a) SMTP, b) SNMP, c) Java applications, d) syslog, e) Critical Value Reset, f) All drivers used for logging can also be used for notification (filtered logging)
- Notifications are triggered when certain filtering criteria are met
- A single Notification can be delivered to multiple channels
- Notifications may be used to create filtered logs


Secure logging server components

Monitoring

- Used to provide real-time counts of event occurrences
- Counts based on Event IDs
- Monitoring engine remotely accessible from all supported platforms through API


Logging “Court Usable” Data

“If you decide you want to prosecute, [the data] needs to be court usable..” “You have to be able to show that the data you're showing as evidence hasn't been modified.”

Adam Gray, VP and CTO, Novacoast (a Santa Barbara, California-based IT services firm)

© May 6, 2004 Novell Inc, Confidential & Proprietary


Nsure Roadmap


[Figure: roadmap by calendar quarter (In Market, Q1 2004, Q2 2004, Q3 2004, Q4 2004, 2005). Tracks: Identity Management; Secure Logging; Access Management; Secure Gateway (Internet Security). Items: Identity Manager 2; NAM 3.0; DirXML 1.1a; Identity Manager x; Approval Flow/IdM Apps - Guides & Sample Code; Approval Flow/IdM Apps 1.0; Porpoise (Deployment Studio) EA & Quarterly Rel; Driver (Avaya PBX, RACF, ACF/2, Lawson HR, Remedy User, HTTP/SOAP, Banner, JMS, Oracle, Top Secret, AS/400); O/S Subscription Drivers; Nsure Audit 1.0; Nsure Audit 1.0.1; Nsure Audit 1.0.2; Nsure Audit 2.0; NiDP v1; NiDP v2; NiDP v3; NSL 3.5; iChain 2.2; iChain 2.3; iChain 2.4; Secure Client 1.0; Linux VPN Client; NBM 3.8; Secure Gateway (WAM). Caption: Proven connectivity to over 200+ application and systems with existing connectors.]

Novell Confidential, Internal Use Only, Version 2002-4


Secure Logging & Audit

Coming in 2004

Nsure Audit 1.0x

- Product clean-up from 1.0 release
- IdM 2.0, NBM 3.8 instrumentations available
- SuSE Linux platform supported

Nsure Audit 2.0

- Centralized event system deployment, configuration and mgmt.
- Event mgmt for over 75 web, proxy and email servers
- Microsoft desktop and server platform event mgmt
- Secure logging policy mgmt
- Improved event correlation and reporting


Nsure Audit v2 Supported Platforms

Platform Agent: Windows 2000 SP3; Windows Server 2003; Windows XP; NetWare 4.2; NetWare 5.1; NetWare 6.0; NetWare 6.5; RH Linux 7.3; RH Linux 8; RH Ent. Linux (v3) WS, ES, AS; SuSE Linux 8.1; SuSE Linux 8.2; SuSE Linux 9; Solaris 8; Solaris 9

Secure Logging Server: Windows 2000, SP3; Windows XP; Windows Server 2003; NetWare 5.1; NetWare 6, SP2; NetWare 6.5; Solaris 8, 9; Red Hat 7.3; Red Hat 8.0; Red Hat Enterprise Linux (v3) WS, ES, AS

Monitoring App: Windows 2000 SP3; Windows XP






Nsure Audit v2 Agent Instrumentations

Server OS: Novell NetWare 4.2; Novell NetWare 5.x; Novell NetWare 6.x; MS Windows Server 2003; SuSE Linux 8.1; SuSE Linux 9; Redhat Enterprise Linux v3; Solaris 8; Solaris 9

Desktop OS: MS Windows 2000 Professional; MS Windows XP Professional; SuSE Linux Pro 9; SuSE Linux Pro 8.2; RedHat Enterprise Linux v3 WS

Applications: Novell DS 6, 7, 8; Novell eDirectory 8.x; Novell iChain 2.2 SP2; Novell DirXML 2.0; Novell BorderManager 3.8; Novell SecureLogin; Novell GroupWise; Novell ZENworks; Microsoft Active Directory; Microsoft SQL Server; Microsoft Exchange Server; Microsoft IIS Server; Microsoft ISA Server; Lotus Notes/Domino Server; 75+ different web, proxy and email servers, firewall, routers and caching engines




Nsure Audit Installation


Nsure Audit Architecture

[Figure labels: Application (three times); C API; Java API; JMS Event Adapter; Platform Agent; Disconnected Mode Cache; TCP/IP (TLS); Secure Logging Server; Logging Service; Notification Service; Monitoring Service; Filter; Flat File Driver; SQL Driver; File System; MySQL; Oracle; SQL Server; SMTP; SNMP; SYSLOG; Storage; Java; CVR; Alerts/Notifications; Monitoring Applications; Report Generator; Crystal Reports; Administrator.

Sample log entries shown in the figure:

[11:58:18] MyApp\IMAP\Authentication: Valid login for account "FMSmith" from 137.65.47.144
[11:58:18] MyApp\POP3\Authentication: Valid login for account "pfeiffer" from 195.224.28.4]


Nsure Audit Supported Platforms

Platform Agent: Windows 2000 SP3; Windows 2003 Server; Windows XP; NetWare 4.2; NetWare 5.1; NetWare 6.0; NetWare 6.5; RH Linux 7.3; RH Linux 8; RH Ent. Linux AS8; SuSE Linux 8.1; Solaris 8; Solaris 9

Secure Logging Server: Windows 2000, SP3; Windows 2003; Windows XP; NetWare 5.1; NetWare 6, SP2; NetWare 6.5; Solaris 8, 9; Red Hat 7.3; Red Hat 8.0; Red Hat Enterprise Linux AS8

Monitoring App: Windows 2000 SP3; Windows XP














Nsure Audit 1.x Agent Instrumentations

Server OS: Novell NetWare 4.2; Novell NetWare 5.x; Novell NetWare 6.x

Desktop OS: None

Applications: Novell DS 6, 7, 8; Novell eDirectory 8.x; Novell iChain 2.2 SP2; Novell Identity Manager 2; Novell BorderManager 3.8; Novell NetMail







NetWare 6.5 Install

Secure Logging Server Requirements

- Server Class PC with min PIII or AMD K7 CPU
- 15 MB over the OS
- 4 MB avail disk on sys:
- eDir 8.7 or higher
- Healthy DS
- Admin rights to root
  - schema update
- Custom: Apache2, Tomcat4, MySQL, NAudit Starter Pack, iManager 2. Secure Logging Server, Autoconfig MySQL, Platform Agent.


NetWare 6.5 Install

Default Logging Channel - MySQL DB

- Host IP address
- Port: 3306
- DB username: auditusr
- User password: auditpwd
- DB Name: naudit
- Table Name: log


Windows 2000 SP3 Install

Secure Logging Server Requirements

- Server Class PC with PII 400 MHz CPU
- 15 MB over the OS
- 4 MB avail disk on sys:
- eDir 8.5 or higher
- Healthy DS
- Admin rights to root
  - schema update

Custom:

Full:

Reporting: Nsure Audit Report

Server: SLS, Channel Drv, WebAdmin


Linux Install

Secure Logging Server Requirements

- Server Class PC with PII 400 MHz CPU
- 15 MB over the OS
- 4 MB avail disk on sys:
- eDir 8.5 or higher
- Healthy DS
- Admin rights to root
  - schema update

Custom:

Full:

Reporting: Nsure Audit Report

Server: SLS, Channel Drv, WebAdmin


Administration & Configuration

Miscellaneous Utilities & Tools

- Platform Agent Configuration Application

iManager (web application) is used to:

- Configure Secure Logging Server (SLS)
- Run Queries
- Create Reports

LReport is used to:

- Run Queries
- Create Report


iManager Nsure Audit Plugin


Platform Agent Configuration Tool


LReport


Log Schema Configuration (LSC) file

Defines the different events, used to translate text

Can be used with auditext to automatically generate the Application Object

#^Frozen Bubble Instrumentation^FBFB^FBubbleInst^EN
#
#EventID,Description,Text1 Title,Text2 Title,Value1 Title,Value1 Type,Value2
#Title,Value2 Type,Group Title,Group Type,Data Title,Data Type,Display Schema
FBFB,Frozen Bubble,Frozen Bubble Instrumentation,,,,,,,,,,




Nsure Audit Trouble Shooting


Trouble Shooting Nsure Audit

Q: How to determine if the Logging Server is working?

A: Turn on the debug screen

- Windows: Shift-click naudit icon in systray
- NetWare: lengine d
- Linux: ps -A|grep lengine

Q: MYSQL V4.0.17 database creation failure error on nw6?

A: NetWare 6 SP2 plus most current libc

- NWLIB5A.EXE


Q: Why do I see so many Nsure/license messages?

A: Usage of non-Starter Pack channels will send a message every 10 minutes on all channels.

Q: Does Nsure Audit work with previous versions of eDirectory & NetWare?

A: The full version does: NetWare 5.1 & 6.0. NDS 6.x and greater/ eDir ver 8.5 and later.



Q: How to audit failed login attempts?

A: Enable Intruder detection on the container (TID 10092488).

Select * from log WHERE eventid=720902 and text2='Login Intruder Attempts';

Q: How to configure Nsure Audit Report

A: 1. Configure the ODBC data source. 2. Import the event information from the SLS. 3. Configure the display format for the client & server. (TID 10088730).


Q: How to troubleshoot the file channel?

A: On the SLS, the ‘Log File’ attribute needs to use a correct path, for example:

- c:\naudit\logfile (Windows)
- sys:\etc\logdir (NetWare)
- /var/log/naudit (Linux)

Q: How to troubleshoot the MYSQL channel?

A: The channel object needs to be created in the channels container. Second, the host properties need the correct IP address. Test the user connectivity (TID 10088985).


Q: Why aren’t login/logout events being logged?

A: Make sure each server in the replica ring has the PA installed.

Q: Why, with v1.0.1 on NetWare 5.1, are file creation events not being logged? Cluster-enabled volumes seeing abend.

A: Patch NAUDITNW101P2.EXE (TID 2968353 & 10088123).


Q: How to install only a platform agent on Linux?

A: Current version requires the installation of a SLS. Install full SLS then remove the SLS daemon. See TID 10087056

Q: Is Auditcon still supported with Nsure Audit?

A: Auditcon is no longer supported.

Q: Linux server segfaults when installing Nsure Audit 1.0.1’s eDirectory

A: Problem resolved in novell-AUDTedirinst-1.0.1-20040503.i586. (TID 10092835).




Available Resources

Nsure Audit Product Information:

http://www.novell.com/products/nsureaudit/


Novell Nsure Audit Evaluation Download:

http://download.novell.com/filedist/pages/PublicSearch.jsp


Novell Nsure Audit SDK:

http://developer.novell.com/ndk/naudit.htm


Nsure Audit App ID Registry:

http://developer.novell.com/devres/vresource/

