Novell Security


Novell's NetWare has been around for many years, though it is no longer the dominant network operating system. Early versions were limited in their capability to keep track of events, but this changed with NetWare 4.x. The most useful tool on these older systems is the AUDITCON utility, which can be used to configure auditing for, and report on, a wide range of system events.

SYSCON and AUDITCON

The SYSCON utility that was used in NetWare 3.x was limited in the type of information it could provide to the administrator. It was basically limited to statistical information such as the number of blocks read/written and the services the server provided. In NetWare 4.x the AUDITCON utility provides an advanced tool that is superior to SYSCON in two ways:

  • The information is more granular. File-system events, such as access and modifications to individual files or directories, can be tracked. Events are also audited for NDS objects.

  • The auditing role has been separated from the administrator's role, enabling an employee other than the administrator to act as the network auditor.

Both of these features are significant advances. The first makes the information gathered more than just statistical. You can now track access and the type of access to individual files or objects. The second can be used to ensure that the network administrators, usually all-powerful people who can do anything on the network, are also held accountable for their actions. Network security is not compromised by the auditor, however, because this person does not have to be granted administrator-like rights to objects such as the SYS:SYSTEM directory. The administrator's and the auditor's functions are separated.

Note

The administrator does have some control over the auditor: The administrator has to set up the auditor so that she can perform her functions. After an auditor has been assigned and the account set up, the auditor can change her password, thereby keeping the administrator locked out of the auditing functions. This approach allows the administrator and the auditor to balance each other. The auditor can track the administrator's actions, and the administrator can always change the person designated to be the auditor.

After the administrator has enabled auditing on volumes or containers and designated the auditor, the auditor can use the AUDITCON utility to check the system. Using AUDITCON, the auditor can modify which events are audited on which resources, and can produce reports showing auditing information.

Auditable Events

The precise granularity of things you can audit is what makes AUDITCON a powerful tool. The person who has been set up as the auditor can perform these actions:

  • Audit by event: This includes file-related events such as opening, reading, writing, and creating files or directories. These can be audited for all users (global) or on a per-user basis. You can also audit print queue events (QMS), server events (such as when the server is brought down or restarted), and user events (such as user logins and logouts or the creation or deletion of user objects).

  • File or directory events: You can select files or directories for which all access will be audited.

  • User: You can select individual users for whom auditable events will be recorded.

Auditing Files

The auditing software uses several places to store its data:

  • NET$AUDT.DAT: This file can be found at the root of every volume that has auditing enabled. It is always flagged as an open file to prevent anyone other than the auditor from accessing it directly. It stores audit records in a binary format, and only for the volume on which it resides.

  • NDS Database: Auditing for events in the directory (NDS) is stored in the NDS database itself.

  • AUD$HIST.DAT: This file is used to keep track of actions taken by the auditor(s). After all, someone has to watch the watcher! When more than one auditor is assigned to the network, each should have a separate user account so that this file can be used to track the actions taken by each auditor, giving still more checks and balances to the system.

  • NET$AUDT.CFG: This file contains audit file configuration information and is found at the root of the volume that is being audited. Using the AUDITCON utility, you can change the configuration information stored here, such as the maximum size the audit file can grow to, whether to allow more than one auditor to access the audit file at the same time, and whether dual-level passwords are used, among other things. The dual-level password requires an additional auditor password to be entered when changing configuration information.

Note

No system, of course, is perfect. It is easy for the auditor to clear the AUD$HIST.DAT file when he has performed some action that was not allowed. However, the new file created after the old one is cleared will record that fact. Thus, although you might not be able to find out what was done, you can still find out that something suspicious is going on.

Using AUDITCON to Enable Auditing

An Admin user can enable auditing on a volume by running the AUDITCON utility. From the main menu, select the Enable Volume Auditing option and enter the password for that volume. If an old audit data file exists on the volume, it is replaced by the new file.

After this has been done, the administrator should give the volume password to the auditor, who should run AUDITCON and change it to a new value that the administrator does not know. Note that if the password is forgotten, the volume must be deleted and re-created if you want to change the password. You cannot recover the password. Also, without the correct password, you can disable auditing on the volume!

To change the audit password, the auditor should run the AUDITCON utility and select Audit Files Maintenance. From the next menu, select Auditing Configuration and then Change Audit Password. When prompted, enter the new password.

Producing Reports

Reports are produced to translate the binary auditing data into a format readable by humans. These reports can be produced by selecting Auditing Reports from the AUDITCON main menu. For security purposes, you should never leave these reports in a directory that can be easily accessed by other users. Instead, view or print the report text files and then delete them; you can always rerun the report later if you need another copy.

When producing an audit report, you can select events by date, time, and event type; you also can choose to include or exclude selected files, directories, or users. This filtering capability makes it easy to get right to the important data when you are troubleshooting a security breach. If you are performing a regular review of the system, you can select all data and spend hours poring through it, but a large volume of data makes it easy to miss an important event. In other words, when analyzing the data, it is best to have a target objective: the files, events, or possibly users you need to keep an eye on.
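The same targeted review can be scripted once a report has been exported as text. The following is an added example, not code from the book or from Novell: it applies the filter dimensions described above (date/time window, event type, and include/exclude lists for users and directories) to a few constructed report lines whose column layout is an assumption for this example, since the page does not show AUDITCON's actual report format.

```python
from datetime import datetime

# Constructed sample report lines (not real NetWare output): date, time, user, event, path.
SAMPLE_REPORT = [
    "1998-03-02 08:15:10 ADMIN  LOGIN  -",
    "1998-03-02 08:17:42 ADMIN  OPEN   SYS:SYSTEM/AUTOEXEC.NCF",
    "1998-03-02 08:18:05 ADMIN  WRITE  SYS:SYSTEM/AUTOEXEC.NCF",
    "1998-03-02 09:01:33 JSMITH OPEN   SYS:PUBLIC/README.TXT",
    "1998-03-02 22:40:12 ADMIN  DELETE SYS:SYSTEM/BACKUP.NCF",
    "1998-03-03 07:55:00 JSMITH LOGOUT -",
]

def parse_record(line):
    date, time, user, event, path = line.split(None, 4)  # path is "-" when none
    return {"when": datetime.fromisoformat(f"{date} {time}"),
            "user": user, "event": event, "path": path}

def filter_report(lines, start=None, end=None, events=None,
                  include_users=None, exclude_users=None,
                  include_dirs=None, exclude_dirs=None):
    """Keep records in [start, end) with a selected event type that pass the
    include/exclude lists for users and directories (prefix match on path)."""
    start, end = (datetime.fromisoformat(v) if isinstance(v, str) else v
                  for v in (start, end))
    kept = []
    for rec in map(parse_record, lines):
        if start is not None and rec["when"] < start:
            continue
        if end is not None and rec["when"] >= end:
            continue
        if events is not None and rec["event"] not in events:
            continue
        if include_users is not None and rec["user"] not in include_users:
            continue
        if exclude_users is not None and rec["user"] in exclude_users:
            continue
        in_dir = lambda dirs: any(rec["path"].startswith(d) for d in dirs)
        if include_dirs is not None and not in_dir(include_dirs):
            continue
        if exclude_dirs is not None and in_dir(exclude_dirs):
            continue
        kept.append(rec)
    return kept

if __name__ == "__main__":
    # Targeted review: write/delete activity under SYS:SYSTEM on 2 March 1998.
    for h in filter_report(SAMPLE_REPORT, start="1998-03-02 00:00:00",
                           end="1998-03-03 00:00:00", events={"WRITE", "DELETE"},
                           include_dirs=["SYS:SYSTEM"]):
        print(h["when"], h["user"], h["event"], h["path"])
```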



Source: Upgrading and Repairing Networks (5th Edition), ISBN 078973530X, 2003, 434 pages.
