Novell's NetWare has been around for many years, though it is not the dominant network operating system anymore. Early versions were limited in their capability to keep track of events, but this changed with NetWare 4.x. The most useful tool for older systems is the AUDITCON tool, which can be used to configure and audit a wide range of system events.

SYSCON and AUDITCON

The SYSCON utility that was used in NetWare 3.x was limited in the type of information it could provide to the administrator. It was basically limited to statistical information such as the number of blocks read/written and the services the server provided. In NetWare 4.x the AUDITCON utility provides an advanced tool that is superior to SYSCON in two ways:
Both of these features are significant advances. The first makes the information gathered more than just statistical. You can now track access and the type of access to individual files or objects. The second can be used to ensure that the network administrators, usually all-powerful people who can do anything on the network, are also held accountable for their actions. Network security is not compromised by the auditor, however, because this person does not have to be granted administrator-like rights to objects such as the SYS:SYSTEM directory. The administrator's and the auditor's functions are separated.
After the administrator has enabled auditing on volumes or containers and designated the auditor, the auditor can use the AUDITCON utility to check the system. Using AUDITCON, the auditor can modify which events are audited on which resources, and can produce reports showing auditing information.

Auditable Events

The precise granularity of things you can audit is what makes AUDITCON a powerful tool. The person who has been set up as the auditor can perform these actions:

Auditing Files

The auditing software uses several places to store its data:
Using AUDITCON to Enable Auditing

An Admin user can enable auditing on a volume by running the AUDITCON utility. From the main menu, select the Enable Volume Auditing option and enter the password for that volume. If an old audit data file exists on the volume, it is replaced by the new file. After this has been done, the administrator should give the volume password to the auditor, who should run AUDITCON and change it to a new value that the administrator does not know. Note that if the password is forgotten, the volume must be deleted and re-created if you want to change the password. You cannot recover the password. Also, without the correct password, you cannot disable auditing on the volume!

To change the audit password, the auditor should run the AUDITCON utility and select Audit Files Maintenance. From the next menu, select Auditing Configuration and then Change Audit Password. When prompted, enter the new password.

Producing Reports

Reports are produced to translate the binary auditing data into a format readable by humans. These reports can be produced by selecting Auditing Reports from the AUDITCON main menu. For security purposes, you should never leave these reports in a directory that can be easily accessed by other users. Instead, view or print the report text files and then delete them. You can always rerun the report later if you need to obtain another copy.

When producing an audit report, you can select events by date, time, and event; you also can choose to include or exclude selected files, directories, or users. This filtering capability makes it easy to get right to the important data when you are troubleshooting a security breach. If you are performing a regular review of the system, you can select all data and spend hours poring through it, but a large volume of data will most likely make it easy to miss an important event. In other words, when performing an analysis of the data, it's best to have a target objective of files or events, or possibly users, you need to keep an eye on.
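The targeted review described above, as an added example that is not part of the original text and not Novell's code: it applies AUDITCON's report filters (date/time window, users, event types, files or directories) to a constructed, made-up columnar report layout, since the real AUDITCON report format is not shown here, and then carries out two target objectives the text suggests, watching the administrator's own actions and changes under SYS:SYSTEM. The sample lines, user names, and paths are all constructed.

```python
from datetime import datetime

# Constructed sample in a made-up layout (date time user event path).
# This is NOT the real AUDITCON report format, which this page does not show.
SAMPLE_REPORT = r"""
1998-03-02 09:14:05 ADMIN  WRITE  SYS:SYSTEM\STARTUP.CFG
1998-03-02 09:15:30 JSMITH READ   SYS:PUBLIC\LOGIN.EXE
1998-03-02 23:41:12 ADMIN  DELETE SYS:SYSTEM\OLDAUDIT.TXT
1998-03-03 08:02:44 JSMITH WRITE  SYS:DATA\REPORT.TXT
1998-03-03 08:05:01 MWONG  WRITE  SYS:SYSTEM\STARTUP.CFG
"""

def parse_report(text):
    """Turn report lines into dicts, one record per audited event."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, event, path = line.split(maxsplit=4)
        records.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "user": user, "event": event, "path": path})
    return records

def select_events(records, start=None, end=None, users=None,
                  events=None, path_prefix=None):
    """The filters AUDITCON offers: date/time window, users, events, files/dirs."""
    def wanted(r):
        return ((start is None or r["when"] >= start)
                and (end is None or r["when"] <= end)
                and (users is None or r["user"] in users)
                and (events is None or r["event"] in events)
                and (path_prefix is None
                     or r["path"].upper().startswith(path_prefix.upper())))
    return [r for r in records if wanted(r)]

def targeted_review(records):
    """Two target objectives from the text: the administrator's own activity,
    and modifications under SYS:SYSTEM, flagging those outside 08:00-18:00."""
    admin = select_events(records, users={"ADMIN"})
    sys_changes = select_events(records, events={"WRITE", "DELETE"},
                                path_prefix="SYS:SYSTEM")
    after_hours = [r for r in sys_changes if not 8 <= r["when"].hour < 18]
    return {"admin_events": len(admin),
            "sys_system_changes": len(sys_changes),
            "after_hours_sys_changes": [(r["user"], r["path"]) for r in after_hours]}
```

Narrowing the review this way keeps the reviewer looking at a handful of records that match the objective instead of the whole volume's history.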