
Novell Nsure Audit

Brent McCormick Corporate Technology Strategists bmccormi@novell.com. Novell Nsure Audit. Agenda. Section 1 – Nsure Audit Overview Section 2 – Nsure Audit Architecture Section 3 – Nsure Audit Basic Installation Section 4 – Nsure Audit Troubleshooting. Nsure Audit Overview.


Presentation Transcript


  1. Brent McCormick Corporate Technology Strategists bmccormi@novell.com Novell Nsure Audit

  2. Agenda • Section 1 – Nsure Audit Overview • Section 2 – Nsure Audit Architecture • Section 3 – Nsure Audit Basic Installation • Section 4 – Nsure Audit Troubleshooting © Novell Inc, Confidential & Proprietary

  3. Nsure Audit Overview

  4. What’s happening in my systems? Securing Organizational Resources. [Diagram labels: Linux, Students, NetWare®, Faculty/Staff, 2003/XP, Partners / Suppliers, Unix, Directories, Web Servers, Email Servers, Business Applications, Administrator, Desktop Systems, Custom Applications]

  5. Nsure Audit • Novell Nsure Audit is a secure logging and auditing product that helps you reduce your organization's liability and risk by ensuring compliance with governmental regulations and business-driven security policies. As a key part of any comprehensive Secure Identity Management solution, this product collects data about security, system and application events that occur across your organization's network. It then stores this information centrally using one of the following data formats: MySQL, Oracle, flat file or SYSLOG.

  6. Example Regulations
     • SEC Order 4-460 (June 27, 2002)
     • Section 906 of the Sarbanes-Oxley Act (July 30, 2002)
     • SEC Exchange Act Rules 13a-14 and 15d-14
     • HIPAA: Health Insurance Portability and Accountability Act
     • GLBA: Gramm-Leach-Bliley Act
     • CIPA: Children’s Internet Protection Act
     • GISRA: Government Information Security Reform Act
     Plus: FERPA, NAI, OCC, IIPPMA, Homeland Security Act 2002, Regulation S-P (SEC), EU Privacy Act, UK Data Protection Act, and local regulations...

  7. How is Nsure Audit unique?
     • Integration with Novell products: As Novell’s official audit product, Nsure Audit collects events from the broadest set of Novell products (and the list is growing…)
     • Data integrity and security: Event signing and event chaining protect the integrity of logged data, making it forensically robust (non-repudiative)
     • Policy enforcement: Unauthorized changes to eDirectory values are detected and reset to appropriate values, as specified by company policy

  8. How is Nsure Audit unique?
     • Notifications: Administrators can be notified in real-time through a variety of methods if suspicious activity occurs or if logging applications go down
     • Real-time system monitoring tools: Administrators can build easy-to-read, dynamic dashboards with monitoring applications or Web services
     • Reporting and analysis tools: Prewritten Crystal reports, SQL queries wizard, iManager plug-ins and LETrans are included

  9. Novell’s Auditing History [Timeline, 1990 to 2004. NetWare releases: 3.0, 4.0, 5.0, 5.1, 6.0, 6.5. Directory releases: NDS 6, NDS 7, NDS 8, eDirectory 8.5, eDirectory 8.6, eDirectory 8.7. Auditing products: Accounting Log (NW 3.0), AuditCon (NW 4.0), NAAS (NW 6.0), Nsure Audit]

  10. Novell Auditing prior to Nsure Audit [Diagram labels: Novell NetWare, Novell iChain, Novell BorderManager, Novell eDirectory, Novell DirXML, Novell NetMail, …; NDS Audit, AuditCon, RNS, Logging Features, Logging Features, Logging Features, NAAS, CS Audit; Partners]

  11. Novell Auditing Today [Diagram labels: Nsure, Nterprise, exteNd, Ngage; Novell NetWare, Novell iChain, Novell BorderManager, Novell eDirectory, Novell DirXML, Novell NetMail, …; Nsure Audit API; Nsure Audit; Nsure Audit Starter Pack; 3rd Parties; Partners]

  12. Nsure Audit (Ontario, full auditing product) Nsure Audit Starter Pack (Ontario Lite / Niagara) Centralized Logging Y Y Y Real-Time Notifications Email, Syslog, SNMP, Storage, JAVA, CVR Email only Email only Real-Time Monitoring Y Log Reporting Tools Nsure Audit Report, LETrans, iManager iManager Only Canned Crystal Reports Y Additional Logging Interfaces (FUTURE) (FUTURE) Y Y Signing and Chaining of Events Y Supported Log Storage Devices Flat File, MySQL, Oracle Flat File, MySQL Pervasive High-Level Feature Comparison NAAS (Novell Advanced Auditing Service) Mutual Authentication (PASLS)

  13. Nsure Audit Architecture

  14. Nsure Audit Architecture • Nsure Audit uses a client/server model to report events from the “Logging application” to the “Secure Logging Server”. The client portion is implemented in the shared library “logevent” and is referred to as the “Platform Agent”. (Depending on the platform, the library is a DLL, NLM or .SO Shared Object.) • The communication between client and server is done over TCP/IP.

  15. Universal Auditing Infrastructure [Diagram labels: Novell Products, 3rd-Party Products, Secure Logging Server, Monitors, Notifications (Email, SNMP, SYSLOG, CVR*, Storage, Java), Logs, Reports] *CVR – Critical Value Reset

  16. Nsure Audit Major Components
     • Platform agent
       • Collects events from instrumented applications
       • Sends the events to the Logging Server
       • Caches the event in case of communication failure
       • Optionally signs the events for validation
     • Secure Logging Server
       • Receives the events from the platform agent
       • Logs events to file or database
       • Sends any relevant notifications

  17. Key components of Nsure Audit
     • Logging Application: an application that has been instrumented for Nsure Audit.
     • Platform Agent: the “client” portion of Nsure Audit.
     • Secure Logging Server: the “server” portion of Nsure Audit. The Secure Logging Server has three services or functions: a) Logging b) Notification c) Monitoring

  18. Secure logging server components
     • Logging
       • Stores all events received by the Auditing Service via a Log Driver
       • Currently Flat File, MySQL, Oracle and syslog drivers are available
       • Stores all events through the designated Logging Driver. This helps to achieve the goal of having a centralized repository for auditing

  19. Secure logging server components
     • Notification
       • Sends Notifications via Notification Channels and associated drivers
       • The following Notification drivers will be supported: a) SMTP, b) SNMP, c) Java applications, d) syslog, e) Critical Value Reset, f) All drivers used for logging can also be used for notification (filtered logging)
       • Notifications are triggered when certain filtering criteria are met
       • A single Notification can be delivered to multiple channels
       • Notifications may be used to create filtered logs

  20. Secure logging server components • Monitoring • Used to provide real-time counts of event occurrences • Counts based on Event IDs • Monitoring engine remotely accessible from all supported platforms through API

  21. Logging “Court Usable” Data • “If you decide you want to prosecute, [the data] needs to be court usable..” “You have to be able to show that the data you're showing as evidence hasn't been modified.” Adam Gray, VP and CTO, Novacoast (a Santa Barbara, California-based IT services firm)

  22. Nsure Roadmap, by calendar quarters (In Market, Q1 2004, Q2 2004, Q3 2004, Q4 2004, 2005). Novell Confidential – Internal Use Only, Version 2002-4. [Roadmap chart labels: Identity Management; Identity Manager x; Identity Manager 2; DirXML 1.1a; Porpoise (Deployment Studio) EA & Quarterly Rel; Approval Flow/IdM Apps - Guides & Sample Code; Approval Flow/IdM Apps 1.0; NAM 3.0; O/S Subscription Drivers; Driver (Avaya PBX, RACF, ACF/2, Lawson HR, Remedy User, HTTP/SOAP, Banner, JMS, Oracle, Top Secret, AS/400) - Proven connectivity to over 200+ application and systems with existing connectors; iChain 2.4; iChain 2.3; iChain 2.2; Access Management; NiDP v3; NiDP v2; NiDP v1; Secure Gateway (WAM); Secure Gateway (Internet Security); NBM 3.8; Linux VPN Client; NSL 3.5; Secure Client 1.0; Secure Logging; Nsure Audit 1.0.1; Nsure Audit 1.0; Nsure Audit 1.0.2; Nsure Audit 2.0]

  23. Secure Logging & Audit: Coming in 2004
     • Nsure Audit 1.0x
       • Product clean-up from 1.0 release
       • IdM 2.0, NBM 3.8 instrumentations available
       • SuSE Linux platform supported
     • Nsure Audit 2.0
       • Centralized event system deployment, configuration and mgmt.
       • Event mgmt for over 75 web, proxy and email servers
       • Microsoft desktop and server platform event mgmt
       • Secure logging policy mgmt
       • Improved event correlation and reporting

  24. Nsure Audit v2 Supported Platforms [table columns: Secure Logging Server, Platform Agent, Monitoring App]. Windows 2000 SP3, Windows Server 2003, Windows XP, NetWare 4.2, NetWare 5.1, NetWare 6.0, NetWare 6.5, RH Linux 7.3, RH Linux 8, RH Ent. Linux (v3) WS, ES, AS, SuSE Linux 8.1, SuSE Linux 8.2, SuSE Linux 9, Solaris 8, Solaris 9; Windows 2000, SP3, Windows XP, Windows Server 2003, NetWare 5.1, NetWare 6, SP2, NetWare 6.5, Solaris 8, 9, Red Hat 7.3, Red Hat 8.0, Red Hat Enterprise Linux (v3) WS, ES, AS; Windows 2000 SP3, Windows XP

  25. Nsure Audit v2 Agent Instrumentations
     • Server OS: Novell NetWare 4.2, Novell NetWare 5.x, Novell NetWare 6.x, MS Windows Server 2003, SuSE Linux 8.1, SuSE Linux 9, Redhat Enterprise Linux v3, Solaris 8, Solaris 9
     • Desktop OS: MS Windows 2000 Professional, MS Windows XP Professional, SuSE Linux Pro 9, SuSE Linux Pro 8.2, RedHat Enterprise Linux v3 WS
     • Applications: Novell DS 6, 7, 8; Novell eDirectory 8.x; Novell iChain 2.2 SP2; Novell DirXML 2.0; Novell BorderManager 3.8; Novell SecureLogin; Novell GroupWise; Novell ZENworks; Microsoft Active Directory; Microsoft SQL Server; Microsoft Exchange Server; Microsoft IIS Server; Microsoft ISA Server; Lotus Notes/Domino Server; 75+ different web, proxy and email servers, firewall, routers and caching engines

  26. Nsure Audit Installation

  27. Nsure Audit Architecture [Diagram labels: Application (×3); Java API, C API; Platform Agent; Disconnected Mode Cache; TCP/IP (TLS); Secure Logging Server; Logging Service (SQL Driver, Flat File Driver, …); Notification Service (Filter; SMTP, SNMP, SYSLOG, Storage, Java, CVR; Alerts/Notifications); Monitoring Service; Monitoring Applications; JMS Event Adapter; Report Generator; File System, Oracle, SQL Server, MySQL; Administrator; Crystal Reports]
     Sample log lines shown on the slide:
     [11:58:18] MyApp\ IMAP\ Authentication: Valid login for account "FMSmith" from 137.65.47.144
     [11:58:18] MyApp \POP3\ Authentication: Valid login for account "pfeiffer" from 195.224.28.4

  28. Nsure Audit Supported Platforms [table columns: Platform Agent, Secure Logging Server, Monitoring App]. Windows 2000 SP3, Windows 2003 Server, Windows XP, NetWare 4.2, NetWare 5.1, NetWare 6.0, NetWare 6.5, RH Linux 7.3, RH Linux 8, RH Ent. Linux AS8, SuSE Linux 8.1, Solaris 8, Solaris 9; Windows 2000, SP3, Windows 2003, Windows XP, NetWare 5.1, NetWare 6, SP2, NetWare 6.5, Solaris 8, 9, Red Hat 7.3, Red Hat 8.0, Red Hat Enterprise Linux AS8; Windows 2000 SP3, Windows XP

  29. Nsure Audit 1.x Agent Instrumentations
     • Server OS: Novell NetWare 4.2, Novell NetWare 5.x, Novell NetWare 6.x
     • Desktop OS: None
     • Applications: Novell DS 6, 7, 8; Novell eDirectory 8.x; Novell iChain 2.2 SP2; Novell Identity Manager 2; Novell BorderManager 3.8; Novell NetMail

  30. NetWare 6.5 Install
     • Secure Logging Server Requirements
       • Server Class PC with min PIII or AMD K7 CPU
       • 15 MB over the OS
       • 4 MB avail disk on sys:
       • eDir 8.7 or higher
       • Healthy DS
       • Admin rights to root – schema update
     • Custom: Apache2, Tomcat4, MySQL, NAudit Starter Pack, iManager 2. Secure Logging Server, Autoconfig MySQL, Platform Agent.

  31. NetWare 6.5 Install • Default Logging Channel - MySQL DB • Host IP address • Port: 3306 • DB username: auditusr • User password: auditpwd • DB Name: naudit • Table Name: log

  32. Windows 2000 SP3 Install
     • Secure Logging Server Requirements
       • Server Class PC with PII 400 MHz CPU
       • 15 MB over the OS
       • 4 MB avail disk on sys:
       • eDir 8.5 or higher
       • Healthy DS
       • Admin rights to root – schema update
     • Custom:
     • Full:
     • Reporting: Nsure Audit Report
     • Server: SLS, Channel Drv, WebAdmin

  33. Linux Install
     • Secure Logging Server Requirements
       • Server Class PC with PII 400 MHz CPU
       • 15 MB over the OS
       • 4 MB avail disk on sys:
       • eDir 8.5 or higher
       • Healthy DS
       • Admin rights to root – schema update
     • Custom:
     • Full:
     • Reporting: Nsure Audit Report
     • Server: SLS, Channel Drv, WebAdmin

  34. Administration & Configuration
     • Miscellaneous Utilities & Tools
     • Platform Agent Configuration Application
     • iManager (web application) is used to:
       • Configure Secure Logging Server (SLS)
       • Run Queries
       • Create Reports
     • LReport is used to:
       • Run Queries
       • Create Reports

  35. iManager Nsure Audit Plugin

  36. Platform Agent Configuration Tool

  37. LReport

  38. Log Schema Configuration (LSC) file
     • Defines the different events, used to translate text
     • Can be used with auditext to automatically generate the Application Object
     Example LSC file:
       #^Frozen Bubble Instrumentation^FBFB^FBubbleInst^EN
       #
       #EventID,Description,Text1 Title,Text2 Title,Value1 Title,Value1 Type,Value2
       #Title,Value2 Type,Group Title,Group Type,Data Title,Data Type,Display Schema
       FBFB,Frozen Bubble,Frozen Bubble Instrumentation,,,,,,,,,,

  39. Nsure Audit Trouble Shooting

  40. Trouble Shooting Nsure Audit
     • Q: How to determine if the Logging Server is working?
     • A: Turn on the debug screen
       • Windows: Shift-click the naudit icon in the systray
       • NetWare: lengine -d
       • Linux: ps -A | grep lengine
     • Q: MySQL V4.0.17 database creation failure error on NW6?
     • A: NetWare 6 SP2 plus most current libc
       • NWLIB5A.EXE

  41. Trouble Shooting Nsure Audit
     • Q: Why do I see so many Nsure/license messages?
     • A: Usage of non-Starter Pack channels will send a message every 10 minutes on all channels.
     • Q: Does Nsure Audit work with previous versions of eDirectory & NetWare?
     • A: The full version does: NetWare 5.1 & 6.0. NDS 6.x and greater / eDir ver 8.5 and later.

  42. Trouble Shooting Nsure Audit
     • Q: How to audit failed login attempts?
     • A: Enable Intruder detection on the container (TID 10092488).
       • SELECT * FROM log WHERE eventid=720902 AND text2='Login Intruder Attempts';
     • Q: How to configure Nsure Audit Report?
     • A: 1. Configure the ODBC data source. 2. Import the event information from the SLS. 3. Configure the display format for the client & server. (TID 10088730).

  43. Trouble Shooting Nsure Audit
     • Q: How to troubleshoot the file channel?
     • A: On the SLS the ‘Log File’ attribute needs to use a correct path, i.e. c:\naudit\logfile (Windows), sys:\etc\logdir (NetWare), /var/log/naudit (Linux)
     • Q: How to troubleshoot the MySQL channel?
     • A: The channel object needs to be created in the channels container. Second, the host properties need the correct IP address. Test the user connectivity (TID 10088985).

  44. Trouble Shooting Nsure Audit
     • Q: Why aren’t login/logout events being logged?
     • A: Make sure each server in the replica ring has the PA installed.
     • Q: Why, with v1.0.1 on NetWare 5.1, are file creation events not being logged? Cluster-enabled volumes are seeing abends.
     • A: Patch NAUDITNW101P2.EXE (TID 2968353 & 10088123).

  45. Trouble Shooting Nsure Audit
     • Q: How to install only a platform agent on Linux?
     • A: Current version requires the installation of a SLS. Install full SLS then remove the SLS daemon. See TID 10087056
     • Q: Is Auditcon still supported with Nsure Audit?
     • A: Auditcon is no longer supported.
     • Q: Linux server segfaults when installing Nsure Audit 1.0.1’s eDirectory
     • A: Problem resolved in novell-AUDTedirinst-1.0.1-20040503.i586. (TID 10092835).

  46. Available Resources
     • Nsure Audit Product Information: http://www.novell.com/products/nsureaudit/
     • Novell Nsure Audit Evaluation Download: http://download.novell.com/filedist/pages/PublicSearch.jsp
     • Novell Nsure Audit SDK: http://developer.novell.com/ndk/naudit.htm
     • Nsure Audit App ID Registry: http://developer.novell.com/devres/vresource/
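
Slides 7, 12 and 16 say Nsure Audit signs and chains events so that logged data can be shown to be unmodified (the point of slide 21), but the deck does not describe the mechanism. The following is an added illustration, not Novell's code or the product's actual format: a generic HMAC-SHA256 hash chain in Python, where `seal`, `verify`, `KEY` and `GENESIS` are hypothetical names and the third sample event is constructed.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: secret shared by agent and verifier
GENESIS = "0" * 64             # assumed anchor value for the first record

# First two events are the sample log lines on slide 27; the third is constructed.
SAMPLE_EVENTS = [
    r'[11:58:18] MyApp\IMAP\Authentication: Valid login for account "FMSmith" from 137.65.47.144',
    r'[11:58:18] MyApp\POP3\Authentication: Valid login for account "pfeiffer" from 195.224.28.4',
    r'[11:59:02] MyApp\IMAP\Authentication: Logout for account "FMSmith"',
]


def _mac(key, seq, event, prev):
    """HMAC over the event, its position, and the previous record's MAC."""
    body = json.dumps({"seq": seq, "event": event, "prev": prev}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def seal(events, key):
    """Sign each event and chain it to the record before it."""
    prev, chain = GENESIS, []
    for seq, event in enumerate(events):
        mac = _mac(key, seq, event, prev)
        chain.append({"seq": seq, "event": event, "prev": prev, "mac": mac})
        prev = mac
    return chain


def verify(chain, key, expected_len=None):
    """Return (ok, reason); catches edits, deletions, reordering, truncation."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, f"chain broken at position {i}"
        if not hmac.compare_digest(_mac(key, i, rec["event"], prev), rec["mac"]):
            return False, f"bad signature at position {i}"
        prev = rec["mac"]
    if expected_len is not None and len(chain) != expected_len:
        return False, "log truncated"
    return True, "ok"


if __name__ == "__main__":
    log = seal(SAMPLE_EVENTS, KEY)
    print(verify(log, KEY))
    log[1]["event"] = log[1]["event"].replace("pfeiffer", "root")
    print(verify(log, KEY))
```

Removing records from the tail leaves a valid shorter chain, so the verifier needs the expected record count (or the last MAC) kept somewhere the log writer cannot alter.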
