Auditing the Network is for administrative staff (auditors, supervisors, administrators, and operators) of NetWare® Enhanced Security servers. It is not intended for nonadministrative network users.

The purpose of this manual is to

• Show individual auditors, acting independently of network supervisors and others, how to audit network event transactions.
• Show auditors how to audit Novell Directory Services™ (NDS™) events and events specific to a volume's file system or server.

Auditing the Network, when combined with the NetWare Enhanced Security Manual, addresses the recommended content of the Guidelines for Writing Trusted Facility Manuals [NCSC-TG-016] but, as described in Paragraph 1.3 of that manual, presents the information in a different order and format than the recommended outline.

In Novell documentation, an asterisk denotes a trademarked name belonging to a third-party company. Novell trademarks are denoted with specific trademark symbols, such as ™.
Manual Overview

This manual contains NetWare Enhanced Security information that describes the effective use and administration of the NetWare server's audit mechanisms and the NetWare Enhanced Security AUDITCON (AUDIT CONsole) utility.

Auditing the Network replaces Chapter 8, "Auditing NetWork Events," of the NetWare 4.1 Supervising the Network manual. It describes

• Audit history records, which record such management actions as examining or configuring the audit trail
• Audit event records, which record user actions that were audited by the NetWare server or an external client

Audit history and audit event records are physically stored together in audit data files. However, AUDITCON provides separate facilities to examine the two types of records.

Audit history records are always recorded if auditing is enabled; you cannot use preselection (advance specification of the events, users, and files to be audited) to avoid recording audit history records.

The NetWare Enhanced Security server manages the types of audit trails shown in Table 1-1.
Table 1-1
NetWare Enhanced Security Audit Trails

Volume audit trails
A volume audit trail is associated with a single volume on a single server. The audit data is stored in the volume on that server. The volume audit trail contains audit history events for the volume audit trail, plus security-relevant events recorded by the server's operating system (mount volume, for example) and file server software (file open and file deletion, for example). The audit configuration (rules for generating audit events and other items) is specified by volume, so that auditing can be enabled for one volume and disabled for another volume.
Volume audit events can be preselected based on event type, user identity, and (for certain file system events) on filename.
In addition to the events that can be recorded in each volume audit trail, the SYS: volume audit trail can also record events detected by the server's operating system. These include console events, such as loading NLM™ programs and defining SET parameters. Because the server does not provide a mechanism for logging in administrators at the server console, console auditing must be supported by a manual log that identifies which administrator

Container audit trails
Container audit trails record security-relevant Novell Directory Services (NDS) events performed in the associated NDS container object, as well as audit history records for the audit trail. Because NDS is a distributed database, container audit trails are associated with the distributed NDS container object and not with any specific server (as with volume audit trails). Container audit trails (but not necessarily all events in the audit trail) are replicated to each partition holding the audited container object. The audit configuration is specified separately for each audited NDS container object.
Preselection of container audit events can be configured in one of two ways: by event only (this is the default) or by user as well as by event.
Auditing of a particular container object (an Organization object, for example) does not imply auditing of subcontainers within the audited container (its Organizational Unit objects, for example).

External audit trails
The server provides external audit trails that can be used by trusted clients to store audit data on the server. External audit trails also contain audit history records. Preselection of client-generated audit records is performed by the client before submission of audit records to the server. The NetWare server sees the external audit information as a stream of un-interpreted data; interpretation of the audit events is performed solely by the client Trusted

Figure 1-2 shows an example of these audit trails on a two-server network. Each of the audit trails is maintained, configured, and controlled separately. Each server can have its own volume audit trail and each NDS container can have its own container audit trail.

Server 1 has eight audit trails: volumes SYS:, BETA:, and GAMMA:; containers ACME, SALES.ACME, and LAB1.ENGR.ACME; and external client audit trails EXT1 and EXT2.

Server 2 has six audit trails: volumes SYS:, ALPHA:, and ZETA:, and containers ACME, SALES.ACME, and LAB1.ENGR.ACME.

NDS is a global network database. The description of a particular server having a container audit trail assumes that the container exists in an NDS partition that is replicated on that server. If a container is in a partition that is found only on Server One, then Server Two would not have a copy of that container audit trail. See

Volumes are always represented by NDS Volume objects, and containers by NDS container objects such as an Organization object or an Organizational Unit object. The type of NDS object used for representing workstation objects depends on the client software.
Table 1-2 defines the context in which your audit trails are configured and accessed. Normally, except for setting access controls, you will not need to directly manipulate the Audit File object or its properties.

Table 1-2
Audit File Object Properties

Audit Policy
The Audit Policy property stores audit configuration data for the audit trail. It includes the maximum size of the file, the number of old online audit files to be maintained by the server, a map of events to be audited, and other information. Users with the Read right to this property can read the auditing configuration. Users with the Write right to this property can modify the audit configuration and destroy old audit files.

Audit Contents
The Audit Contents property has no specific values. However, users with the Read right to this property can read the contents of any of the underlying audit data files. Subjects with the Write right to this property can append audit events to the current audit data file.

Access Control List (ACL)
Defines the rights held by other NDS objects to the Audit File object and its properties.

Audit Link List
Defines the links to the NDS Volume, container, and workstation objects that

Audit Path
For external audit trails, this property points to the volume (and, implicitly, to the server) that stores the audit data files associated with the external audit trail. The Audit Path property is not necessary for volume and container audit trails; the pathnames are implicitly known for these audit trails.

Audit Type
Defines whether this Audit File object represents a volume, container, or external audit trail. This property is used by AUDITCON when locating other audit trails.

Your audit utility (AUDITCON, for example) creates the Audit File object when you enable auditing, and the Audit File object is transparently checked by the server for access rights each time a user attempts to access the audit trail.

Auditing in a Client-Server Network

Within the NetWare client-server environment, client and server components provide cooperating audit mechanisms to support your organization's auditing policy.

The audit architecture described in this section addresses

• Information flows from user and administrator actions to protected audit trails within the server
• Means for specifying and reviewing audit configuration data
• Flows of audit information from the audit trails to a client for post-processing

Figure 1-4 shows the architecture of the client and server software used by an auditor to configure the server's auditing mechanisms. There are no server-based utilities for this task; instead, auditors use client-based utilities (AUDITCON, for example) to enable auditing and to specify audit preselection parameters (which events, users, and files to audit).

This manual describes how to use AUDITCON. You are not required to use AUDITCON for NetWare audit administration. You can use any third-party tool in its place, as long as that tool has been included in your client workstation's Trusted Computing Base (TCB). See the

For example, if you are the auditor of the SYS: volume audit trail, but do not have access to other container and volume audit trails, you cannot track a user's activities throughout NDS and other volumes. To audit the overall network system, as required for a NetWare Enhanced Security system, at least one auditor must have rights to all audit trails.

The existing AUDITCON utility described in this section does not provide a means for correlating multiple volume and container audit trails, or for correlating the servers' audit trails with clients' external audit trails. Correlation of multiple audit trails must be performed manually. One way is to generate individual printed audit reports for each desired volume or container, and then merge or sort the various
Trusted NetWare provides two general methods of performing surveillance of users' accesses to protected resources.

• Post-processing is a method of filtering an existing audit trail to present only the events that are of interest. AUDITCON provides menus to define post-processing filters for volume, container, and external auditing.
• Preselection is a method of causing the server to record selected event types (such as file opens), specific users, or specific resources (such as files or directories) to the current volume trail. For volume auditing, you can preselect by event types, users, and files. For container auditing, you can preselect by users and event types. The server does not provide any preselection for external auditing. For preselection of external auditing, see your client documentation.

You cannot generate audit reports for events that are not preselected for auditing when the event occurs. For example, if you want to review which files were opened by a user two weeks ago, but you did not have file opens preselected at that time, you will not be able to generate an audit report that lists the files. Consequently, you must balance your need for certain audit information with the resources required to audit those events.
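The following Python model is an added example, not Novell code, and not the server's actual record format; it illustrates both the preselection rules just described and the manual correlation of several audit trails mentioned earlier. The record layout, trail names, user names and event names are constructed here, and the preselection semantics are this example's reading of the text: a volume trail keeps a record when its event type, its user, or its file is preselected; a container trail keeps a record when its event type is preselected and, if auditing "by user as well as by event" is configured, when its user is preselected too. Audit history records are always kept. The demo shows the failure mode from the paragraph above: a file open that occurred before file opens were preselected never reaches the trail, so no later post-processing filter can report it.

```python
"""Audit preselection (server side) and post-processing (auditor side) across
several audit trails. Added example; record format and names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    time: int           # constructed timestamp (seconds); trails are merged on it
    trail: str          # audit trail the record was written to
    event: str          # e.g. "FILE_OPEN", "CREATE_OBJECT", "AUDIT_HISTORY"
    user: str
    target: str = ""    # file name or NDS object name, when applicable


@dataclass
class Preselection:
    events: frozenset = frozenset()
    users: frozenset = frozenset()
    files: frozenset = frozenset()      # volume trails only
    by_user: bool = False               # container trails: user as well as event


class AuditTrail:
    """One volume or container audit trail with its own preselection."""

    def __init__(self, name, kind, presel):
        if kind not in ("volume", "container"):
            raise ValueError("kind must be 'volume' or 'container'")
        self.name, self.kind, self.presel = name, kind, presel
        self.records = []

    def is_preselected(self, rec):
        p = self.presel
        if rec.event == "AUDIT_HISTORY":        # history records are always recorded
            return True
        if self.kind == "volume":               # any matching criterion selects
            return (rec.event in p.events or rec.user in p.users
                    or rec.target in p.files)
        # container: event type must match; with by_user, the user must match too
        return rec.event in p.events and (not p.by_user or rec.user in p.users)

    def submit(self, rec):
        """Server side: the event is recorded only if it is preselected right now."""
        if self.is_preselected(rec):
            self.records.append(rec)
            return True
        return False


def merge_trails(trails):
    """Post-processing: AUDITCON reports one trail at a time, so correlating
    trails is a manual merge on the timestamp (which assumes synchronized clocks)."""
    return sorted((r for t in trails for r in t.records),
                  key=lambda r: (r.time, r.trail))


def report(records, user=None, event=None):
    """Post-processing filter over records that already exist in the trails."""
    return [r for r in records
            if (user is None or r.user == user) and (event is None or r.event == event)]


def demo():
    sys_vol = AuditTrail("SRV1/SYS:", "volume",
                         Preselection(events=frozenset({"FILE_DELETE"})))
    sales = AuditTrail("SALES.ACME", "container",
                       Preselection(events=frozenset({"CREATE_OBJECT"}),
                                    users=frozenset({"JDOE"}), by_user=True))
    # Week one: file opens are NOT preselected on SYS:, so this open is never recorded.
    sys_vol.submit(AuditRecord(100, "SRV1/SYS:", "FILE_OPEN", "JDOE", "SYS:ETC/PASSWD"))
    sales.submit(AuditRecord(110, "SALES.ACME", "CREATE_OBJECT", "JDOE", "CN=TMP"))
    sales.submit(AuditRecord(120, "SALES.ACME", "CREATE_OBJECT", "ASMITH", "CN=X"))  # wrong user: dropped
    # The auditor later adds file opens to the preselection; only later opens are kept.
    sys_vol.presel = Preselection(events=frozenset({"FILE_DELETE", "FILE_OPEN"}))
    sys_vol.submit(AuditRecord(200, "SRV1/SYS:", "AUDIT_HISTORY", "AUDITOR", "config change"))
    sys_vol.submit(AuditRecord(300, "SRV1/SYS:", "FILE_OPEN", "JDOE", "SYS:ETC/PASSWD"))
    merged = merge_trails([sys_vol, sales])
    return merged, report(merged, user="JDOE", event="FILE_OPEN")


if __name__ == "__main__":
    merged, hits = demo()
    for r in merged:
        print(r)
    print("JDOE file opens found:", [r.time for r in hits])   # only the open at t=300
```

Call `demo()` to see the merged trail; the open at time 100 is absent from every report because the server never wrote it, which is exactly why the text says you must decide what to preselect before the events happen.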
2. For compatibility with previous NetWare® releases, the NetWare Enhanced Security server also supports an optional password-based access control method. This option is enabled on individual servers by setting the ALLOW AUDIT PASSWORDS console parameter. If audit passwords are enabled at the server console, the single-level audit password controls access to all aspects of the audit trail.

You can also configure the audit file to use dual-level passwords, where the first level password is required to view the audit data and the audit configuration, and the second level password is required to change the audit configuration.

The default value for ALLOW AUDIT PASSWORDS is OFF, meaning that access to the audit data is controlled solely by the Audit File object's object property rights.

However, in systems that do not comply with the NetWare Enhanced Security configuration, administrators can configure servers to permit the use of audit passwords. Such configuration is done on a server-by-server basis, so that mixed configurations are possible: some servers using the Audit File object rights-based access controls and other servers using audit passwords.

The server's NetWare Enhanced Security configuration requires use of the Audit File object rights-based access control mechanism to protect audit data. Do not enable the password-based access control method (by setting ALLOW AUDIT PASSWORDS=ON), because this violates the assumptions under which the server was evaluated.
When an audit utility (AUDITCON, for example) creates an Audit File object, the server gives the creator the following rights:

• The Supervisor right [Entry Rights] to the Audit File object
• The Write right to the Access Control List property

AUDITCON also assigns additional rights. The following rights are assigned to the creator of the Audit File object:

• Read and Write rights to the Audit Policy property
• The Read right to the Audit Contents property

have those rights. If you revoke access rights to an auditor who is already accessing an audit file, these changes do not take effect until the auditor tries to reestablish access to the volume or container audit trail.

AUDITCON doesn't modify rights to the Access Control List property. You can use other utilities (NETADMIN or NetWare Administrator) to assign other users rights to the Access Control List property. See your client documentation for information on the availability of NetWare Administrator or NETADMIN in your client evaluated configuration.

Do not give untrusted users (individuals who are not auditors or administrators) any rights to the Audit File object (or its properties) except the Browse right.

There is more than one way to establish these rights. You could create several Organizational Role objects for each grouping of related audit trails.

For example, you might have an object called "Engineering Partition Audit Viewer" that would be a trustee with the Read right to the Audit Policy and Audit Contents properties of the Audit File object associated with each container in the "Engineering" partition. Another object called "Engineering Partition Audit Administrator" could be a trustee with the Read and Write rights to the Audit Policy and Audit Contents properties of the Audit File object for each of the same containers.

Individual administrators could then be made security equivalent to whichever Organizational Role object is appropriate for their responsibilities. Alternately, individual users could be made trustees of those Audit File objects that they are responsible for managing.

There is no requirement to divide up the rights to audit files. In some organizations, a group of administrators has the authority to manage all aspects of the organization, including audit management. In this case, all individuals in that group might have the Supervisor right to the root of the Directory tree, with no Inherited Rights Filters to block rights. In this scenario, there is no need to directly assign rights to properties of an Audit File object, since the administrators will gain those rights through inheritance.

The server does not provide any locking mechanism to prevent multiple auditors from simultaneously attempting to change volume, container, or external audit configuration data. If this occurs, the last auditor to write the audit configuration might overwrite changes made by other auditors. If you have more than one auditor who has rights to modify the audit configuration, you must institute procedural methods to control access to the Audit File object, such as selecting a single replica of the Audit File object and making all changes to that replica.
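To make the two delegation styles concrete, the Python model below is an added example (not Novell code, and not the actual NDS effective-rights algorithm). It keeps only the rules the text describes: explicit trustee rights on the Audit Policy and Audit Contents properties, security equivalence of a user to an Organizational Role object, and the Supervisor right at the root of the tree flowing down to the Audit File object unless an Inherited Rights Filter on that object blocks it. The object, role and user names are constructed. ALICE is equivalent to the "Viewer" role, BOB to the "Administrator" role, CAROL holds Supervisor at [Root] but is kept out by the IRF (the independent-auditor case), and DAVE is an untrusted user with Browse only.

```python
"""Who can view or change an audit configuration, and read audit data, given
property trustee rights, Organizational Role equivalence and inheritance.
Added example; names are constructed and the rights model is simplified."""
from dataclasses import dataclass, field

READ, WRITE = "Read", "Write"


@dataclass
class AuditFileObject:
    name: str
    trustees: dict = field(default_factory=dict)    # property -> trustee -> rights
    supervisors: set = field(default_factory=set)   # Supervisor [Entry Rights] on the object
    irf_blocks_supervisor: bool = False             # Inherited Rights Filter on the object

    def grant(self, trustee, prop, *rights):
        self.trustees.setdefault(prop, {}).setdefault(trustee, set()).update(rights)


class Tree:
    """Just enough of the Directory to resolve effective property rights."""

    def __init__(self):
        self.root_supervisors = set()   # Supervisor at [Root], inherited downward
        self.equivalences = {}          # user -> Organizational Roles it is equivalent to

    def make_equivalent(self, user, role):
        self.equivalences.setdefault(user, set()).add(role)

    def effective_rights(self, user, afo, prop):
        identities = {user} | self.equivalences.get(user, set())
        # Supervisor on the object, or inherited from [Root] through a clear IRF,
        # implies every property right.
        if identities & afo.supervisors:
            return {READ, WRITE}
        if identities & self.root_supervisors and not afo.irf_blocks_supervisor:
            return {READ, WRITE}
        rights = set()
        for ident in identities:        # explicit trustee assignments are unioned
            rights |= afo.trustees.get(prop, {}).get(ident, set())
        return rights

    def permitted(self, user, afo):
        policy = self.effective_rights(user, afo, "Audit Policy")
        contents = self.effective_rights(user, afo, "Audit Contents")
        return {"view config": READ in policy,
                "change config": WRITE in policy,
                "read audit data": READ in contents}


def demo():
    tree = Tree()
    viewer = "Engineering Partition Audit Viewer"           # Organizational Role
    admin = "Engineering Partition Audit Administrator"     # Organizational Role
    afo = AuditFileObject("AFO_LAB1 (constructed name)")
    afo.grant(viewer, "Audit Policy", READ)
    afo.grant(viewer, "Audit Contents", READ)
    afo.grant(admin, "Audit Policy", READ, WRITE)
    afo.grant(admin, "Audit Contents", READ, WRITE)
    tree.make_equivalent("ALICE", viewer)
    tree.make_equivalent("BOB", admin)
    tree.root_supervisors.add("CAROL")      # network supervisor who is not an auditor
    afo.irf_blocks_supervisor = True        # independent auditor: keep CAROL out
    # DAVE is untrusted: Browse only, so he has no trustee entry at all.
    return {u: tree.permitted(u, afo) for u in ("ALICE", "BOB", "CAROL", "DAVE")}


if __name__ == "__main__":
    for user, perms in demo().items():
        print(user, perms)
```

Clearing `irf_blocks_supervisor` reproduces the other organisation described above, where administrators with Supervisor at the root gain every right on the Audit File object through inheritance without any direct property assignment.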
Protecting Audit Utilities

AUDITCON is stored in SYS:PUBLIC of the server file system, from where it is normally executed by the client workstation. Because AUDITCON runs with your identity and has your rights to the audit trails you manage, it is essential that AUDITCON be write-protected to prevent modification by untrusted users.

Permanently loading AUDITCON on your local trusted workstation is not recommended. Loading it locally has no advantages, and it complicates maintenance of the server Trusted Computing Base.

The audit utilities that configure and access their server's external audit trails must also be protected from modification by untrusted users. See your client documentation for information on the client-specific utilities and how they are protected.

Protecting Audit Data on Removable Media

AUDITCON provides a mechanism for backing up old volume and container audit files to removable media (diskette, tape, and so forth) and then deleting those files from the server to free up audit space. Procedures for backing up audit files are given in Chapter 4, "Using AUDITCON for Volume Auditing," Chapter 5, "Using AUDITCON for Container Auditing," and Chapter 6, "Using AUDITCON to Audit External Audit Trails." However, once the file is copied from the server's protected file system to removable media, you must use other means to ensure that the Trusted Computing Base audit data is not compromised. Table 2-2 shows the two methods available:

In addition, you can run SBACKUP to back up the Audit File object and its properties. Refer to "Backing Up and Restoring Data" in Supervising the Network for more information about backing up NDS. NDS backups are intended only for recovery from catastrophic losses of NDS; the primary backup mechanism is the replication of the NDS database onto multiple servers.

SBACKUP and its Target Service Agents (TSAs) do not back up volume and container audit files. If you want to recover audit files after a server crash, you must manually back up audit files using AUDITCON or another utility.

SBACKUP and its TSAs do not back up audit preselection flags for files, directories, or users. If you audit specific files/directories or users, you must manually log that audit configuration. Otherwise, you won't be able to restore the desired audit configuration after recovering from a backup.
Preventing Loss of Audit Data

The server protects audit files to prevent unauthorized users from accessing or deleting the files. However, hardware problems, software problems, or power failures can cause the loss of audit data records or entire audit data files.

1. Individual audit records are maintained in the server's file system cache until the server writes the cache to disk. The server does not expedite the handling of audit data. The amount of audit data that can potentially be lost after a power failure is limited only by the size of the cache. To reduce the amount of audit data that can be lost, you can set the Dirty Disk Cache Delay Time to its minimum value (0.1 seconds). See "SET" in Utilities Reference for more information.

2. Container auditing uses the Transaction Tracking System™ (TTS™) to ensure that each audit record is separately tracked. If the server crashes, your container audit files will be on a clean audit record boundary after the crash. Volume auditing does not use TTS, so a server crash could cause part of the audit file to be corrupted. Records added after the crash will still be accessible; however, there might be partial records in the middle of the file. In such a case, AUDITCON is generally able to find lost audit

Improper shutdown of the server is a potential cause of file corruption (including audit file corruption). Be sure to properly down the server, then exit from the server, before turning off the server's power.

In addition to audit loss that can be caused by hardware or software problems or loss of power to the machine, you can lose audit events if the configured number of audit files are filled or disk space fills up and the audit trail is improperly configured. The server provides the following three configuration options for handling audit overflow.

• Archive the current audit file. When an audit file reaches its maximum size or the server is unable to write an audit record (for example, the disk is full), the server archives the current audit file. This consists of saving the current audit file as an old audit file and creating a new current audit file. The server can maintain online storage for up to 15 old audit files, where the maximum number of old audit files is a configuration setting of the Audit File object's Audit Policy. If the server already has the maximum number of old online audit files, it deletes the oldest of the old audit files. Use of this option is not recommended in the Enhanced Security configuration, as it can lead to data loss.
• Continue without auditing. Actions which would otherwise be audited are not audited by the server. Use of this option is not recommended in the Enhanced Security configuration, except in emergency situations, as it results in the loss of audit coverage.
• Disallow audited/auditable events. If the audit trail is a volume audit trail, then any facility which is potentially auditable (such as NCP service) is disallowed, even if that particular event wouldn't cause an audit record to be generated. If the audit trail is a container audit trail, then any event which requires auditing is disallowed, but only if that particular event would cause an audit record to be generated. If the audit trail is an external audit trail, then submission of audit records is disallowed (that is, external audit records are rejected). This is the only option recommended for the Enhanced Security configuration.

"Audit Trail Overflow" on page 133, "Audit Trail Overflow" on page 215, and "Audit Trail Overflow" on page 261 provide more
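The simulation below is an added example, not the server's code; it runs the same stream of audited actions through each of the three overflow options as the text describes them and counts what happens to the records. The file size (in records), the number of old files kept online, and the event stream are constructed values. It makes the trade-off visible: archiving silently deletes the oldest old file once the configured limit (at most 15) is reached, continuing without auditing lets the actions proceed unrecorded, and disallowing refuses the action so the record count is never lost.

```python
"""Audit-overflow options compared on one constructed event stream.
Added example; sizes and names are constructed, not server values."""
from collections import deque

ARCHIVE, CONTINUE, DISALLOW = "archive", "continue", "disallow"
MAX_OLD_FILES_LIMIT = 15        # the server keeps at most 15 old audit files online


class AuditFile:
    """Current audit file plus the online set of old (archived) audit files."""

    def __init__(self, max_records, max_old_files, policy):
        if not 0 <= max_old_files <= MAX_OLD_FILES_LIMIT:
            raise ValueError("max_old_files must be between 0 and 15")
        if policy not in (ARCHIVE, CONTINUE, DISALLOW):
            raise ValueError("unknown overflow policy")
        self.max_records, self.max_old_files, self.policy = max_records, max_old_files, policy
        self.current = []
        self.old_files = deque()        # oldest first
        self.deleted_records = 0        # lost when the oldest old file is deleted
        self.dropped_records = 0        # never written (continue without auditing)
        self.rejected_actions = 0       # action refused (disallow)

    def write(self, record):
        """Returns True if the audited action may proceed."""
        if len(self.current) < self.max_records:
            self.current.append(record)
            return True
        # Overflow: the current audit file is full.
        if self.policy == ARCHIVE:
            self.old_files.append(self.current)
            if len(self.old_files) > self.max_old_files:
                self.deleted_records += len(self.old_files.popleft())
            self.current = [record]
            return True
        if self.policy == CONTINUE:
            self.dropped_records += 1   # the action proceeds, unaudited
            return True
        self.rejected_actions += 1      # DISALLOW: the action does not proceed
        return False

    def retained(self):
        return len(self.current) + sum(len(f) for f in self.old_files)


def run(policy, events, max_records=10, max_old_files=2):
    """Feed `events` audited actions through one policy and summarise the outcome."""
    af = AuditFile(max_records, max_old_files, policy)
    allowed = sum(af.write(f"event-{i}") for i in range(events))
    return {"allowed": allowed, "retained": af.retained(),
            "deleted": af.deleted_records, "dropped": af.dropped_records,
            "rejected": af.rejected_actions}


if __name__ == "__main__":
    for policy in (ARCHIVE, CONTINUE, DISALLOW):
        print(policy, run(policy, 50))
```

With 50 actions, files of 10 records and 2 old files online, archiving ends with 30 records retained and 20 deleted, continuing retains 10 and drops 40, and disallowing retains 10 and rejects 40 actions; only the last option loses no record that was ever written.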
AUDITCON is a client utility for DOS and OS/2* workstations that allows an auditor to configure and review the server's volume and container audit trails. This chapter presents the prerequisites and procedures for running AUDITCON.

General Prerequisites

• A trusted workstation running DOS 3.30 or later.
• Sufficient memory on the workstation to run the AUDITCON utility.
• Read file rights on the AUDITCON utility and help files in the server's file system's public directory.
• NDS™ access rights or the correct audit password. Anyone can run the AUDITCON utility. However, to see audit data or to configure the auditing system, you must pass the access controls on the audit trails, either by having NDS access rights or by having the correct audit password. See "Controlling Access to Online Audit Data" on page 17.

See your client documentation for information on the availability of AUDITCON in your client evaluated configuration. Because auditors have access to the trusted computing base's audit data, you must run AUDITCON only on a trusted (C2 evaluated) workstation.

When generating reports to the screen or formatting reports in files, AUDITCON creates temporary files in your current directory. For this reason, you should run AUDITCON only from a directory that is protected from access by unauthorized users.

The term current directory is used in this chapter to indicate the drive and directory you were using when you started AUDITCON, whether that directory is on a client or server.
Auditing," on page 139. For external auditing, the current server and volume information is replaced with the current NDS container context. For more information, see Chapter 6, "Using AUDITCON to Audit External Audit Trails," on page 221.

The date and time displayed in the top line of the header area are the workstation's local date and time. To make reasonable decisions about the server's audit configuration, you must ensure that your workstation Network Trusted Computing Base (NTCB) partition is synchronized with the network time maintained by NDS.

The menu area contains menus, with the most recent menu layered on top of previous menus. Menus have a header (in this example, "Available audit options"), a list of available options, and a scroll bar. Use the Up- and Down-arrow keys to highlight the desired selection. If the menu has more entries than can be displayed in the menu box, the menu will show an up arrow or down arrow to indicate that there are additional choices at the top or bottom of the menu.

The footer line describes the actions associated with various keys for the current menu. For the previous example, pressing Esc exits AUDITCON, while pressing Enter selects the highlighted entry and moves to the corresponding screen in the menu tree.

3. Move down the menu tree by highlighting an entry in the current menu, choosing that entry, and finding the desired entry in the succeeding menu.

AUDITCON provides separate menu trees for volume, container, and external auditing. See Chapter 4, "Using AUDITCON for Volume Auditing", Chapter 5, "Using AUDITCON for Container Auditing", and Chapter 6, "Using AUDITCON to Audit External Audit Trails."

You can perform volume, container, and external auditing in a single session (without restarting AUDITCON), but AUDITCON does not provide any way of merging audit data or reports from multiple volumes, containers, or external audit trails.

In general, you can move back up the menu tree by pressing until you reach the top of the tree. At any time, you can press F1 for
The following topics are explained in this chapter.

• "Accessing a Volume Audit Trail" on page 34
• "Displaying Volume Audit Status" on page 43
• "Enabling Volume Auditing" on page 44
• "Changing a Volume Audit Configuration" on page 47
• "Generating Volume Audit Reports" on page 86
• "Generating Reports from Offline Audit Files" on page 122
• "Volume Audit File Maintenance" on page 127
• "Resolving Volume Audit Problems" on page 133
Accessing a Volume Audit Trail

This section describes AUDITCON's top-level menus, how to select a different current server and volume, and how to log in to a volume audit trail (if audit passwords are enabled). If you are an auditor for multiple volumes, you perform activities on one audit trail, then return to the top-level menu and select a different volume for auditing.

AUDITCON selects a current server and current volume when it starts, based on where it was run. Consequently, you might need to change the server or the volume before you can begin auditing the volume you are interested in.

Top-Level Menus

When you run AUDITCON, it displays a screen with an "Available audit options" menu as shown in Figure 3-1 on page 30. There are five such top-level menus. The one AUDITCON displays depends on four variables:

• Whether the "Allow Audit Passwords" console parameter is set to OFF or ON. It must be set to OFF in the NetWare Enhanced

Depending on the volume chosen on the new server, AUDITCON will display menu 101, 101A, 102, 103, or 104 (using the same rules that were used to select an initial menu).

3. If you are using password-based access, you can press Insert to display a list of other NetWare servers or press Delete to log out from any server except the default server. Press F3 to change your user identity.

AUDITCON displays menu 111, which provides a list of additional servers.

Logging in or out of servers using this mechanism will not work in the NetWare Enhanced Security configuration. If the server you want to audit does not appear in the list in menu 110, exit AUDITCON, map a drive to a volume on the server (using the MAP command), and restart AUDITCON.

4. Choose a server and press Enter to add the server to the list in menu 110.
Figure 4-7
Menu 111: Other NetWare Servers

This list shows those servers that you are neither logged in nor background authenticated to.

5. (Optional) If you pressed F3 in Step 3, AUDITCON permits you to change your user identity on the server.

If more than one server is listed in menu 110, AUDITCON does a bindery login (NetWare 3.x) for the name that you specify in this menu. (This is different from logging in to an audit trail; in this case, the auditor is actually changing your identity on the specified server. This identity persists after you exit from AUDITCON.)

6. Enter the password necessary to change your identity on the

Logging in to an audit trail is different from logging in to a Trusted NetWare server. When you log in to a Trusted NetWare server, your login password is used to authenticate your identity to NDS during your login session. "Logging in" to a volume audit trail is a means of controlling access to the audit file, and is not permitted in the evaluated NetWare Enhanced Security configuration.

If you decide to use audit passwords to control access to the audit trail, do not reuse your NetWare login password.

Prerequisites

• See "General Prerequisites" on page 29.
• The ALLOW AUDIT PASSWORDS console parameter must be ON for you to log in to a volume audit trail on that server.

The server's NetWare Enhanced Security configuration requires using NDS rights-based access control to protect audit data. Do not enable the password-based access control method (by setting ALLOW AUDIT PASSWORDS=ON at the server console), because this violates the assumptions under which the server was evaluated.

Procedure

1. Choose "Auditor volume login" in the "Available audit options" menu and press Enter.

AUDITCON prompts you to enter the volume audit password.

2. Enter the volume audit password and press Enter to log in to the current volume's audit trail.

AUDITCON does not echo your password to the screen.

• In order to display the volume audit status, you must have Read or Write rights to the Audit Policy property of the Audit File object, or have Read or Write rights to the Audit Contents property of the Audit File object, or have logged in with a level 1 password.
Procedure
1. You can invoke this display from various places in the volumeaudit menu tree. For example, choose “Display audit status”
in menu 101. AUDITCON then displays menu 200.
This is a read-only display that p resents the aud it status for your
current volume au dit trail.
2. Press Esc to return to the calling menu.
Figure 4-9
Menu 200: Audit Status
The “Au dit status” m enu displays the following status information forthe current volume au dit trail:
t You must have the Read right for the Volume object's Audit File
Link property. This is necessary for AUDITCON to determine the
existence of an Audit File object for the volume.
t If an Audit File object does not already exist for the volume, youmust have the Write right to the Volume object's Audit File Link
property to modify the volume's Audit File Link to point to the AuditFile object.
t If an Audit File object does not already exist for the volume, youmust have the Create object right to the container object where theVolume object is located.
Procedure
1. Run AUDITCON at a trusted workstation.
AUDITCON displays the current server and volume in the head er
area at the top of the screen.
2. Choose the server and volume to be audited, as described in
“Selecting an Alternate Server” on page 38 and in “Choosingan Alternate Volume” on page 40.
3. To enable auditing of a volume, choose “Enable volume auditing” in the “Available audit options” menu.
This option is available only in menu 102 (when auditing is not already enabled for the volume). AUDITCON checks the volume’s Audit File Link to determine whether the current volume already has an Audit File object; if so, then AUDITCON continues with Step 5.
4. If the volume does not have an Audit File object (for example, auditing was not previously enabled for this volume), AUDITCON creates an Audit File object in the NDS container where the volume is stored.
The name of the Audit File object is “AFOid_volname”, where id is a counter used if there is already an object with the desired name. For example, if the volume name is ALPHA_SYS.ACME, then the Audit File object is named AFO0_ALPHA_SYS.ACME, or if that object already exists, then AFO1_ALPHA_SYS.ACME.
If the concept of an independent auditor (“Independent Control of Different Audit Trails” on page 13) is important to you, you might want to set the Access Control List and Inherited Rights Filter for the Audit File object to prevent access by administrators who are not auditors, as described in “Creating the Auditor Account” on page 10.
AUDITCON then builds links from the Audit File object and Volume object to each other.
As described in “Controlling Access to Online Audit Data” on page 17, the server gives you the Supervisor object right to the Audit File object, and the Write right to the ACL property. In addition, AUDITCON gives you Read and Write rights to the Audit File object Audit Policy property, and the Read right to the Audit Contents property. See “Controlling Access to Online Audit Data” on page 17 for information on giving other auditors rights to the Audit File object.
5. AUDITCON enables auditing for the volume and returns to menu 101.
When auditing is enabled for the first time on a volume, there are no events, files, or users selected. You should continue by using menu 497, 498, or 499 to select the desired audit events, files, and users.
When the server creates the audit file, it defines a password hash that cannot be matched by a hashed password submitted by AUDITCON. If you want to permit password-based access to the volume audit files, you must (1) set the console parameter ALLOW AUDIT PASSWORDS=ON and (2) use AUDITCON (“Auditing configuration” menu, “Change audit password” or “Set audit password” submenu) to set an audit password for the audit files. (You cannot configure the server to use audit passwords if you are using the server in a NetWare Enhanced Security configuration.)
As auditor, it is your responsibility to review your organization’s auditing requirements and identify an auditing strategy for your network. This can range from auditing nothing to auditing all events for all users. It all depends on what you want to accomplish with auditing.
One advantage of auditing, even if you audit only a few events (for example, logins), is that it can help deter browsing and probing by logged-in users.
This section describes how you can use AUDITCON’s audit configuration menu to
• Define what information is audited by the server (events, files/directories, and users)
• Define how audit files are handled (size, threshold, and rollover handling)
• Set audit passwords
• Disable auditing
• Recover from full volume audit trails
Prerequisites
• See “General Prerequisites” on page 29.
• To examine the auditing configuration in a NetWare Enhanced Security configuration, you must have the Read right to the Audit Policy property of the Audit File object associated with the volume you want to audit.
• To change the auditing configuration in a NetWare Enhanced Security configuration, you must have the Write right to the Audit Policy property of the Audit File object associated with the volume you want to audit.
• To examine or change the audit configuration in a network that is not in the NetWare Enhanced Security configuration (that is, audit passwords are enabled at the server), you must have supplied the correct password.
If the audit file is configured for level 2 passwords, and you don’t have access through NDS rights, then you must have the level 2 password to modify the auditing configuration. If you’ve logged in with a level 1 password, AUDITCON prompts for the level 2 password after each operation. These screens are not shown in the following section because they don’t pertain to the NetWare Enhanced Security Configuration. See “Controlling Access to Online Audit Data” on page 17 for more information.
• Determine what actions you want to perform (for example, which users to audit, how large you want the audit file to be) before you run AUDITCON.
Procedure
1. Choose “Auditing Configuration” from the “Available audit options” menu (101).
AUDITCON displays menu 497, 498, or 499, which list more configuration options, depending on the setting of the ALLOW AUDIT PASSWORDS option and whether you have sufficient rights to the Audit File object. See “Top-Level Menus” on page 34 for the definition of sufficient rights.
Table 4-2 summarizes the algorithm AUDITCON uses to determine which menu it will display, based on the above two variables. Entries in italics will not occur in the NetWare
2. Choose the desired configuration option, and press Enter.
The first three entries (audit by event, file/directory, and user) allow you to preselect the events that the server will record in the audit file.
Other entries allow you to define how the server manages audit files, to set passwords, to disable auditing, and to display the current audit status. These submenus are addressed in the following sections.
When you make changes to the volume audit configuration, you may receive a message that AUDITCON was unable to update the Audit File object. If this occurs, your configuration changes could be lost.
Audit by Event
This section describes how you preselect file, queue management, server, and user audit events.
Preselection is the operation of telling the server, in advance, which types of audit events you want the server to record in an audit file. The server records the events you have preselected and ignores other events.
By preselecting the events that are important in your organization, you conserve the disk space and processor cycles required to record the other potential audit events.
Ten of the file system events described in this section permit options for user and/or file preselection as part of event selection. For example, “file open–user and file” will cause the server to record file opens only for selected users and only for selected files. For the remaining volume events, the default is that events you select will be recorded for all users of the volume. If you want to audit only certain specific users, you should
• Preselect the users whose actions you want to record as described in “Audit by User” on page 67.
• Choose the “user or file” option for the desired event if the event permits a choice among “user and file,” “user or file,” or “global”
4. Choose “Yes” to save the changes and return to menu 497, 498, or 499, or choose “No” to leave the audit events unchanged.
Audit by File Events
After you select file events, you must also go to the “Audit by File/Directory” menu shown in Figure 4-21 and/or the “Audit by User” menu shown in Figure 4-22 and in Figure 5-13 if you chose any “file and user” or “file or user” events. Selecting “file and user” or “file or user” events without selecting any files or users will not cause the recording of any audit events.
Procedure
1. Choose “Audit by file events” from the “Audit by event” menu (401) and press Enter to edit the list of preselected file events.
AUDITCON displays menu 405, which lists basic file events, basic directory events, and assorted other events. Because of the screen size, only 16 events are shown at one time, with the remainder of the events available using the Page Up, Page Down, and arrow keys.
For example, Table 4-4 shows examples of the audit events that will be recorded if the “File open - user or file” event, users ANN and BOB, and files FOO.EXE and BAR.DAT are selected for auditing.
To configure “user or file” auditing, (1) preselect the user or file event, (2) preselect the list of files and directories to be audited (“Audit by File/Directory” on page 64), and (3) preselect the list of users to be audited (“Audit by User” in this chapter or “Audit by User” in Chapter 5).
When using “user and file” or “user or file” events, see the cautions in “Audit by User” on page 67 or “Audit by User” on page 161. The set of users you identify is global; that is, they will be audited on all volumes, containers, and servers in your Directory tree, not just on a particular volume.
Global auditing, particularly of common events such as file opens, can result in a high volume of audit events. Unless you closely monitor the status of the audit files that are collected by the server, this can cause the server to automatically take the volume offline when the audit files or volume are filled.
2. Move the cursor to each event and press F10 to toggle it to the desired state (for example, OFF to ON).
Enabling one event (for example, “File open - user or file”) will cause related events (for example, “File open - global”) to
AUDITCON then displays menu 403 (shown previously) to confirm that you want to make the changes.
4. Choose “Yes” to save the changes and return to menu 497, 498, or 499, or choose “No” to leave the audit events unchanged.
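The following Python model is an added illustration of the preselection rules above (it is not Novell code and not AUDITCON output). It applies the “global”, “user and file” and “user or file” forms of an event to a set of preselected users and files, reproduces the Table 4-4 scenario (“File open - user or file”, users ANN and BOB, files FOO.EXE and BAR.DAT), and shows that a “user and file” event with no users preselected records nothing. The class, function and constant names are assumptions made for this example, and the handling of NOT_LOGGED_IN users follows the note in “User Restriction” as read here (it is only consulted once the “User restriction” flag is set).

```python
"""Model of NetWare volume audit event preselection.

Added illustration, not Novell code: the names below (VolumeAuditConfig,
should_record, NOT_LOGGED_IN) are assumptions made for this example.
"""
from dataclasses import dataclass, field

NOT_LOGGED_IN = "NOT_LOGGED_IN"   # unauthenticated client; cannot itself be preselected


@dataclass
class VolumeAuditConfig:
    events: dict = field(default_factory=dict)   # event -> "global" | "user and file" | "user or file"
    users: set = field(default_factory=set)      # preselected users (one global set for the whole tree)
    files: set = field(default_factory=set)      # preselected files/directories on this volume
    user_restriction: bool = False               # "User restriction" flag, set per volume
    audit_not_logged_in: bool = False            # "Audit NOT_LOGGED_IN users" flag, set per volume


def should_record(cfg, event, user, path=None):
    """True if the server would write a record for `user` performing `event` on `path`."""
    mode = cfg.events.get(event)
    if mode is None:
        return False                  # event not preselected: the server ignores it
    user_hit = user in cfg.users
    file_hit = path is not None and path in cfg.files
    if mode == "user and file":
        return user_hit and file_hit  # nothing recorded if either list is empty
    if mode == "user or file":
        return user_hit or file_hit   # a preselected file is recorded for any user
    # "global" form (and events without user/file preselection): every user of the
    # volume, unless the User restriction flag narrows it to preselected users.
    if not cfg.user_restriction:
        return True
    if user == NOT_LOGGED_IN:
        return cfg.audit_not_logged_in   # assumption: flag consulted only under User restriction
    return user_hit


def table_4_4_example():
    """The Table 4-4 scenario: 'File open - user or file', users ANN/BOB, files FOO.EXE/BAR.DAT."""
    cfg = VolumeAuditConfig(events={"File open": "user or file"},
                            users={"ANN", "BOB"}, files={"FOO.EXE", "BAR.DAT"})
    # constructed sample accesses
    attempts = [("ANN", "FOO.EXE"), ("ANN", "BAZ.TXT"), ("CAROL", "BAR.DAT"), ("CAROL", "BAZ.TXT")]
    return {f"{u} opens {f}": should_record(cfg, "File open", u, f) for u, f in attempts}


if __name__ == "__main__":
    for action, recorded in table_4_4_example().items():
        print(f"{action}: {'recorded' if recorded else 'ignored'}")
```

Because the user set is shared across the tree, the same `users` value would be handed to the configuration of every volume and container; selecting BOB here selects him everywhere, which is the caution the text gives.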
Audit by File/Directory
This section describes how to preselect files and directories in the volume for auditing.
After you preselect a file or directory for auditing, you must also go to the “Audit by event” and “Audit by file events” menus (shown in “Changing a Volume Audit Configuration” on page 47), then choose the “user and file” or “user or file” events you want to audit. Selecting a file or directory without the associated events will not cause the file to be audited.
The server keeps file and directory audit flags in the file system, but does not save that information when you back up the volume. If you ever restore files or directories from backup, the audit flags will be lost. Consequently, you must keep a manual record of all files and directories you've preselected for auditing in order to be able to restore that information.
Table 4-5 shows a sample form that you can use when recording which files and directories have been marked for auditing. You must keep a record of all such files and directories for recovery purposes. If the system is ever restored from a full backup, you will use this list to reconstruct your audit settings. In addition, if the administrator restores files or directories from a backup, you will want to use this record to reestablish your audit settings. Failure to keep and use such a record can result in loss of audit data.
Table 4-5
Sample Format for Recording File/Directory Settings

Date       Time    Set/Cleared?  Server   Volume  Path Name
23 Mar 95  2:50pm  Set           SERVER1  SYS:    \PUBLIC\NETADMIN.EXE
23 Mar 95  2:55pm  Set           SERVER1  ALPHA:  \USERS\SMITH
23 Mar 95  3:17pm  Set           SERVER2  ZETA:   \USERS\JONES
24 Mar 95  9:42am  Cleared       SERVER1  SYS:    \PUBLIC\NETADMIN.EXE
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on page 47.
• You don’t need file system rights to a file or directory to select it for auditing. If you have rights to the volume audit trail, the server will list files and directories that you can select for auditing. (This does not permit you to access those files or directories, but only to enable them for auditing.)
• Determine the list of files and directories you want to audit before you run AUDITCON.
Procedure
1. Choose “Audit by file/directory” from the “Auditing configuration” menu (497, 498, or 499).
AUDITCON displays menu 410, which lists the contents of the current directory of the current volume. The following menu shows an example of a display for the PUBLIC directory.
Figure 4-21
Menu 410: Audit by File/Directory
Table 4-5 (continued)
Sample Format for Recording File/Directory Settings

Date       Time    Set/Cleared?  Server   Volume  Path Name
24 Mar 95  9:50am  Cleared       SERVER2  ZETA:   \USERS\JONES
24 Mar 95  1:35pm  Set           SERVER1  SYS:    \PUBLIC
24 Mar 95  1:50pm  Set           SERVER1  SYS:    \SYSTEM
Accesses to a file are subject to auditing if either (a) the file itself is preselected for auditing or (b) the containing directory is preselected.
For example, accesses to the file AUDITCON.EXE are subject to auditing because the file itself is preselected. Accesses to files in BACKUP, for example, BACKUP\FILE1 and BACKUP\FILE2, are subject to auditing because the BACKUP subdirectory is preselected for auditing.
However, accesses to BACKUP\DIR1\FILE1 are not subject to auditing unless the BACKUP\DIR1 subdirectory is preselected. Thus, setting the audit preselection flag for a directory only affects the audit status of files that are immediately contained in that directory.
Auditing is also subject to the “File and user” and “File or user” criteria that were selected.
When you create a subdirectory, the new subdirectory inherits the value of the audit preselection flag from its parent directory. Thus, if you create the BACKUP\DIR2 and BACKUP\DIR2\DIR3 subdirectories, they inherit the audit flag from the BACKUP directory. Any files in these subdirectories are subject to auditing.
The inheritance of audit preselection flags applies only when a subdirectory is created. If you preselect the BACKUP directory for auditing, the audit flag does not flow down to existing subdirectories, such as BACKUP\DIR1.
Because audit preselection flags are not saved when you back up a volume, and because audit flags are inherited when you create a subdirectory within an audited directory, you can end up auditing more directories than shown in your manual audit log.
For example, if you flag the directory \A\B for auditing and then create the \A\B\C subdirectory, \A\B\C will inherit the audit flag from \A\B. If the volume is then backed up and restored, your audit flag log only shows \A\B as being audited.
To prevent problems with this feature, log any important subdirectories that inherit audit flags. If you log enough information to manually restore the audit flags for all directories you want to audit, you don’t need to be concerned about the loss of audit flags for other directories.
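The flag semantics just described (a directory flag covers only the files immediately in it, a subdirectory inherits the flag only at creation time, a later flag on the parent does not flow down, and a backup/restore drops every flag) are easy to get wrong when rebuilding a volume from the manual log. The following Python model is an added example, not Novell code or any NetWare file system API; the class and method names are assumptions. It walks through the BACKUP/DIR1/DIR2 case from the text and then replays a Table 4-5 style log after a simulated restore to show which inherited flags are silently lost.

```python
"""Model of NetWare file/directory audit preselection flags.

Added illustration, not Novell code: AuditFlagVolume and its methods are
assumptions made for this example. Paths use NetWare-style backslashes.
"""


def parent_of(path):
    """'\\BACKUP\\DIR1\\FILE1' -> '\\BACKUP\\DIR1'; top-level entries map to the root ''."""
    head, _, _ = path.rpartition("\\")
    return head


class AuditFlagVolume:
    def __init__(self):
        self.dir_flags = {"": False}    # directory path -> audit preselection flag (root unflagged)
        self.file_flags = {}            # file path -> audit preselection flag

    def mkdir(self, path):
        # a new subdirectory inherits its parent's flag, at creation time only
        self.dir_flags[path] = self.dir_flags[parent_of(path)]

    def create_file(self, path):
        self.file_flags[path] = False

    def set_flag(self, path, value=True):
        # AUDITCON marks the entry itself; nothing flows down to existing subdirectories
        if path in self.dir_flags:
            self.dir_flags[path] = value
        else:
            self.file_flags[path] = value

    def is_audited(self, file_path):
        # subject to auditing if the file or its immediately containing directory is flagged
        return self.file_flags[file_path] or self.dir_flags[parent_of(file_path)]

    def backup_and_restore(self):
        # the backup keeps files and directories but not their audit flags
        for flags in (self.dir_flags, self.file_flags):
            for path in flags:
                flags[path] = False

    def replay_log(self, log):
        """Rebuild flags from Table 4-5 style entries (path, 'Set' | 'Cleared'), oldest first."""
        for path, action in log:
            self.set_flag(path, action == "Set")


def walkthrough():
    """The BACKUP example from the text, followed by a restore rebuilt from the manual log."""
    v = AuditFlagVolume()
    for d in ("\\PUBLIC", "\\BACKUP", "\\BACKUP\\DIR1"):
        v.mkdir(d)
    for f in ("\\PUBLIC\\AUDITCON.EXE", "\\BACKUP\\FILE1", "\\BACKUP\\DIR1\\FILE1"):
        v.create_file(f)
    # constructed manual log: only what the auditor marked explicitly
    log = [("\\PUBLIC\\AUDITCON.EXE", "Set"), ("\\BACKUP", "Set")]
    v.replay_log(log)
    v.mkdir("\\BACKUP\\DIR2")               # created after BACKUP was flagged: inherits
    v.mkdir("\\BACKUP\\DIR2\\DIR3")
    v.create_file("\\BACKUP\\DIR2\\DIR3\\FILE3")
    before = {p: v.is_audited(p) for p in v.file_flags}
    v.backup_and_restore()
    v.replay_log(log)                       # inherited flags are not in the log and stay lost
    after = {p: v.is_audited(p) for p in v.file_flags}
    return before, after


if __name__ == "__main__":
    before, after = walkthrough()
    for path in before:
        print(f"{path}: before restore {before[path]}, after restore {after[path]}")
```

Running `walkthrough()` shows `\BACKUP\DIR2\DIR3\FILE3` audited before the restore and not after it, which is exactly the discrepancy the caution above warns about; logging `\BACKUP\DIR2` and `\BACKUP\DIR2\DIR3` as well would close the gap.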
2. Move through the Directory tree by pressing Enter to browse a subdirectory in the current menu, choosing “..” to browse
• For any of the ten file system events that permit user and/or file preselection, you must also go to the “Audit by event” and “Audit by file events” menus to select the “user and file” or “user or file” events you wish to audit. For these events, selecting a user without the associated events and files will not cause the user’s file access to be audited.
• For all other volume events, you must set the “User restriction flag” to “Yes,” as described in “User Restriction” on page 84.
When you select a user for volume auditing, the selection applies to all volumes and containers in the network where preselection is in effect. For example, selecting BOB for certain “user or file” events on volume SYS: also selects BOB for all “user or file” and “user and file” events selected for all other volumes on all other servers in the network. Similarly, selecting JANE for volume auditing will cause JANE to be audited on all containers where the “User restriction” flag is set to “Yes.”
A side effect of this is that you can select a user for auditing using either the “Audit by user” menu or the corresponding “Audit by DS users” menu under NDS auditing. Both have the same effect.
The server keeps user audit flags in the associated User objects in NDS but does not save that information when you back up NDS. If you ever restore NDS from a backup, the audit flags will be lost. You must keep a manual record of all users you’ve preselected for auditing in order to restore that information.
If an auditor has rights to audit any volume or container in the network, that auditor can enable or disable auditing for any user in the NDS tree.
Table 4-6 shows a sample format for recording which users have been marked for auditing. You must keep a record of all such users for recovery purposes. If NDS is ever restored from a full backup, you will use this list to reconstruct your audit settings. Failure to keep such a record and use it can result in loss of audit data.
Because NDS is a distributed system and some servers might be offline at any given time, selecting a user for auditing might involve a long delay before NDS can synchronize this information throughout the network. See “Security Supplement to Managing the Novell Directory Tree” in NetWare Enhanced Security Administration for information on how to determine that a change has been synchronized to all replicas of the partition.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on page 47.
• Determine which users you want to audit.
Procedures
1. Choose “Audit by user” from the “Auditing configuration” menu (497, 498, or 499).
AUDITCON displays menu 420, which lists the users on the server. The list of users displayed is those users in the default bindery context for the server where the volume is located.
The AUDITCON window shows only 16 entries at a time, so you might need to use the arrow keys to scroll through the list of users.
The list of users shown is not the complete list of potential users of the volume. To see (and mark) users other than those listed here, see “Audit by User” on page 161. You will be working in the NDS auditing menu tree.
2. Move the cursor to a desired entry and press F10 to toggle it to the desired state (for example, OFF to ON).
3. When you have set and reviewed the list of audited users, press Esc to save the configuration.
AUDITCON asks you to confirm the changes.
4. Choose “Yes” to save the changes and return to menu 420, or choose “No” to leave the audit events unchanged.
In addition to this method of preselecting users for auditing, you can also use an alternate method within the container auditing menu. See “Audit by User” on page 67.
Setting the audit flag on the USER_TEMPLATE user will not cause automatic auditing of newly created users. When a new user is created, you must preselect the User object if you want that user’s actions audited.
Audit Options Configuration
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on page 47.
Procedure
1. Choose “Audit options configuration” from the “Auditing configuration” menu (497, 498, or 499).
AUDITCON displays menu 430, which defines the current audit
blank out the entries for “Days between audit archives” and “Hour of day to archive.”
3. If you enable “Force dual-level audit passwords” and the ALLOW AUDIT PASSWORDS option is set to ON, AUDITCON will immediately prompt you (twice) to enter the new level 2 password.
These menus are not shown here, because audit passwords are not permitted in NetWare Enhanced Security networks.
4. Review the settings on the current screen, and change any settings as required.
5. Press Esc to exit the menu.
AUDITCON asks you to confirm the changes.
6. Choose “Yes” to save the changes and return to menu 497, 498, or 499, or choose “No” to leave the audit configuration unchanged.
If you intend to back up audit files to high-density (1.44 MB) diskettes, set the maximum size of the audit file to approximately 1.3 MB to ensure that the audit file will fit on the disk.
Audit files consume disk resources that might be needed by other users. Before you define the number and size of audit files, discuss your projected disk space requirements with an administrator for the server. If you set the audit file size too small, you risk shutting down the server volume or losing audit data, depending on the overflow option you’ve configured.
The server’s NetWare Enhanced Security configuration requires use of the NDS rights-based access control mechanism to protect audit data. Do not enable the password-based access control method (by setting ALLOW AUDIT PASSWORDS=ON), because this violates the assumptions under which the server was evaluated.
The server does not provide any locking mechanism to prevent multiple auditors from simultaneously attempting to change volume, container, or external audit configuration data. If this occurs, the last auditor to write the audit configuration might overwrite changes made by other auditors. If more than one auditor has rights to modify the audit configuration, you must institute procedural methods to control access to the Audit File object, such as selecting a single replica of the Audit File object and making all changes to that replica.
If you specify the “Disable auditable events” option, the server will stop processing auditable volume NCP™ requests when the current audit file fills up, even if there is sufficient disk space to roll over the audit file and start a new audit file. For example, you could have room for 15 online audit files, but the server will disable auditable NCP events when the current audit file fills up.
To prevent this disruption, configure automatic audit file archiving so that the current audit file will not overflow during routine operation. For example, if it normally takes two days to fill an audit file, set “Automatic audit file archiving” to ON, “Days between audit archives” to one day, and “Number of old audit files” to at least 7. To prevent audit loss, you should monitor the audit status on a regular basis, and you must clean out the old audit files before the last audit file is used.
If you configure both “Automatic audit file archiving” and the “Archive audit file” overflow option, the server will roll over the current audit file at both the appointed time and the specified file size. For example, if you're archiving audit files every Friday and the file becomes full on Thursday, the server will roll over the audit file on Thursday (overflow processing) and then again on Friday (automatic archival processing). Consequently, you might use up the configured number of old audit files (for example, 15) faster than anticipated. To prevent loss of audit data, you should monitor the audit status on a regular schedule and you must clean out the old audit files before the last file is used.
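The interaction between the overflow option, automatic archiving and the “Number of old audit files” limit is worth working through before choosing values. The following day-granularity simulation is an added example (not Novell code; the parameter names and the exact day-level behaviour are assumptions of this model). It shows that with a file that fills every day and a half, weekly archiving plus the “Archive audit file” overflow option burns through 15 old-file slots in 23 days rather than 15 weeks; that the “Disable auditable events” option stops auditable NCP processing on day 2 under the same load; and that the daily-archive configuration recommended above never overflows and stays within 7 slots as long as the auditor cleans out the old files weekly.

```python
"""Simulation of NetWare volume audit file rollover, archiving and overflow handling.

Added illustration, not Novell code: simulate_audit_files and its parameters are
assumptions of this model, which advances one day at a time.
"""
from fractions import Fraction


def simulate_audit_files(days, fill_days, archive_every, old_file_slots,
                         overflow="archive", cleanup_every=None):
    """
    days            simulated days of routine operation
    fill_days       days of normal load needed to fill one audit file (int, Fraction or '3/2')
    archive_every   'Days between audit archives', or None if automatic archiving is OFF
    old_file_slots  'Number of old audit files' the server keeps online
    overflow        'archive' (roll over when the file fills) or 'disable' (stop auditable NCP requests)
    cleanup_every   every N days the auditor deletes all old audit files (None: never)
    """
    per_day = 1 / Fraction(fill_days)     # exact arithmetic, so 1/3 + 2/3 really is 1
    result = {"overflow_rollovers": 0, "scheduled_rollovers": 0,
              "ncp_disabled_day": None, "slots_exhausted_day": None}
    fill = Fraction(0)    # fraction of the current audit file already used
    old = 0               # old audit files currently occupying slots

    for day in range(1, days + 1):
        fill += per_day
        if fill >= 1:                                   # the current file filled up today
            if overflow == "disable":
                result["ncp_disabled_day"] = day        # server stops auditable NCP processing
                break
            fill -= 1                                   # the rest of the day goes to the new file
            old += 1
            result["overflow_rollovers"] += 1
            if old > old_file_slots:
                result["slots_exhausted_day"] = day     # no slot left: audit loss / volume offline
                break
        if archive_every and day % archive_every == 0:  # the appointed archive time
            fill = Fraction(0)
            old += 1
            result["scheduled_rollovers"] += 1
            if old > old_file_slots:
                result["slots_exhausted_day"] = day
                break
        if cleanup_every and day % cleanup_every == 0:
            old = 0                                     # auditor cleaned out the old files
    return result


if __name__ == "__main__":
    print("weekly archive + overflow archive:", simulate_audit_files(60, "3/2", 7, 15))
    print("weekly archive + disable events:  ", simulate_audit_files(60, "3/2", 7, 15, overflow="disable"))
    print("daily archive, weekly cleanup:    ", simulate_audit_files(60, "3/2", 1, 7, "disable", 7))
```

The third configuration is only safe because of the weekly cleanup: with the same daily archiving and no cleanup, the seven slots are exhausted on day 8, which is why the text pairs the archiving schedule with regular monitoring.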
Change Audit Passwords
This section describes how the auditor can change level 1 audit passwords and level 2 audit passwords (if level 2 passwords are enabled). For information on using the password-based mechanism for accessing audit files, see “Controlling Access to Online Audit Data” on page 17.
The server’s NetWare Enhanced Security configuration requires use of the NDS rights-based access control mechanism to protect audit data. For NetWare Enhanced Security networks, do not enable the password-based access control method (by setting ALLOW AUDIT PASSWORDS=ON at the server console) because this violates the assumptions under which the server was evaluated.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on page 47.
Procedure
1. To change the level 1 password, choose “Change audit password” from the “Auditing configuration” menu (498).
2. Enter the current (level 1) audit password.
AUDITCON does not echo any password information to the screen.
If dual-level passwords are enabled, AUDITCON prompts you to enter the level 2 password before you can change the level 1 password. AUDITCON allows you to change the level 2 password using the same procedure used to change the level 1 password.
3. Enter the new (level 1) audit password when prompted by AUDITCON.
AUDITCON prompts you twice for the new password. This ensures that the auditor did not make an error when entering the password.
AUDITCON doesn’t check the password for length, alphanumeric characters, or other characteristics of strong passwords, nor does it ensure that it is different from the previous password. Uppercase and lowercase characters are treated identically.
Set Audit Passwords
This section describes how to set level 1 audit passwords and level 2 audit passwords (if level 2 passwords are enabled). This section is applicable only if the ALLOW AUDIT PASSWORDS option is set to ON. For more information on using the password-based mechanism for accessing audit files, see “Controlling Access to Online Audit Data” on page 17.
The server’s NetWare Enhanced Security configuration requires use of the NDS rights-based access control mechanism to protect audit data. For NetWare Enhanced Security networks, do not enable the password-based access control method (by setting ALLOW AUDIT PASSWORDS=ON at the server console) because this violates the assumptions under which the server was evaluated.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on page 47.
Procedures
1. To set the level 1 password, choose “Set audit password” from the “Auditing configuration” menu (497).
AUDITCON prompts you to enter the new (level 1) audit password.
2. Enter the new password.
AUDITCON does not echo any password information to the screen.
If dual-level passwords are enabled, AUDITCON prompts you to set the level 2 password before you can set the level 1 password. AUDITCON allows you to set the level 2 password using the same procedure used to change the level 1 password.
3. Reenter the new password.
The dual prompt ensures that the auditor did not make an error when entering the new password.
AUDITCON does not check the password for length, alphanumeric characters, or other characteristics of strong passwords, nor does it ensure that it is different from the previous password. Passwords are not case-sensitive.
If you use audit passwords to control access to the audit file, do not use your server password as the audit password.
If you use a password to control access to an audit file, and forget the audit password, then you must use the rights-based access, as described in “Access Controls for Online Audit Data” in Chapter 2. When you have access to the audit trail, you can reset the password as described in this procedure.
Disable Volume Auditing
When you disable volume auditing, you stop the server from recording audit events to the volume audit file, but you do not delete the Audit File object for the volume audit trail. The Audit File object remains and
NOT_LOGGED_IN users” flag, the server records these events in the current volume audit file.
These flags pertain only to the currently selected volume and do not affect other volume or container audit files. Unlike the per-user audit flag (which is global across the network), the “User restriction” and “Audit NOT_LOGGED_IN users” flags must be set individually for each volume and container. The two flags are independent of each other, so you can set either flag without affecting the other.
If you set the “User restrictions” flag to “Yes”, you must also preselect those users you want audited, using the procedures shown in “Audit by User” on page 67 or “Audit by User” on page 161. Setting the “User restrictions” flag to “Yes” without preselecting any users will mean that only “User or File” events (where the file is preselected) will be recorded in the audit trail.
If you set the “User restrictions” flag to “Yes” but leave the “Audit NOT_LOGGED_IN users” flag set as “No”, then actions of unauthenticated users will not be audited, unless they would otherwise be audited by selection of “User or File” events where the file is preselected.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on page 47.
Procedures
1. Choose “User restriction” from the “Auditing configuration” menu (497, 498, or 499).
AUDITCON displays menu 480, which allows you to select the desired user restriction parameters for the volume.
Figure 4-24
Menu 480: User Restriction
2. Review the settings on the current screen, and change any settings as required. Press “Y” to set a value to “Yes” or press “N” to set the value to “No.”
3. When you are finished, press Esc to exit the menu.
4. Choose “Yes” to save the changes and return to menu 497, 498, or 499, or choose “No” to leave the user restrictions configuration unchanged.
Generating Volume Audit Reports
AUDITCON allows you to process online and offline audit files to extract and review the information the server has collected for you. Processing consists of displaying audit information on the AUDITCON screen (viewing) and generating printable reports (printing).
This section describes how to process online audit files, either the current audit file or the old audit files that have been archived (that is, rolled over) by the server but are still maintained as audit files by the server. See “Generating Reports from Offline Audit Files” on page 122 for information on how to process offline audit files.
Prerequisites
• See “General Prerequisites” on page 29.
• To process online audit files, you must either have the Read right to the Audit File object Audit Contents property or have logged in to the audit trail. (To log in to an audit trail, you must enable audit passwords at the server console. This configuration is not permitted in NetWare Enhanced Security facilities.)
• You must be able to create new (temporary) files in the directory you were in when you started AUDITCON, and have sufficient disk space on that volume. These temporary files hold the audit data as it is extracted from the audit trail.
• You must have preselected events for auditing. You can view or report only those audit events that have been recorded by the server; for example, if you don’t configure the server to record file open events, then you can’t display any file open events. (See “Changing a Volume Audit Configuration” on page 47 for more information on preselection.)
Because AUDITCON places temporary files in the directory you were in when you started AUDITCON, and these temporary files contain audit
2. Highlight an entry and press Enter to edit an existing date/time range, or press Insert to define a new range, or highlight an entry and press Delete to remove a time range from the filter.
If you press Insert or Enter, AUDITCON displays menu 504, which allows you to do more editing of the date/time profile selected in menu 503.
Figure 4-29
Menu 504: Report by Date/Time
3. To edit the date/time profile, use the arrow keys to move the cursor to the desired field and type in the new value.
AUDITCON makes reasonable attempts to convert alternate forms (for example, “3/15/95”, “mar 15”, “15 Mar 95”, “8am”, or
4. When you have reviewed the date/time range, press Esc to return to menu 503.
5. Choose “Yes” to save your changes or “No” to cancel the changes.
If AUDITCON finds an error (for example, the start date/time later than the end date/time), it displays an error message and goes back to menu 504.
6. Press Esc to return to the “Edit Report Filter” menu (502).
Report by Event
Procedure
1. From the “Edit report filter” menu, choose “Report by event.”
AUDITCON displays menu 505, which provides a high-level selection of the types of audit events (file system events, queue events, server events, and user events) defined in the current filter.
Figure 4-30
Menu 505: Report by Event
QMS events occur only in the volume SYS: audit trail. If you are examining another volume’s audit trail, the menu item identified as 510 will not be present.
2. Choose one of the types of audit events.
See “Audit by Event” on page 50 for descriptions of these events.
When you choose a type of event, one of the following seven
1. From the “Edit report filter” menu, choose “Report exclude users.”
AUDITCON displays menu 515, which lists the audit filter’s users to be excluded from audit reports.
2. Press Insert to define a new username. When prompted for the username, press Enter to edit an existing entry or press Delete to remove an existing entry. Press Insert twice to browse the list of usernames to select usernames to be excluded from audit reporting.
The list of users displayed is those users in the default bindery context for the server where the volume is located.
The list of users shown is not the complete list of users who might have audit records in the audit file. If you want to exclude users other than those in the default bindery context, you must type their names, rather than selecting them using the browser. Enter the full context without a preceding period (.), such as JOE.SALES.NOVELL.
The status shown in menu 517 for each user is the current status, which is not necessarily the same status of the user when the audit data was recorded.
AUDITCON does not verify that the user names entered are valid. If they are not valid, they are ignored.
This section describes how to generate a formatted text version of the
user events in the current audit file. You cannot directly print the
server’s audit files, because the server’s audit files are not directly
accessible to network clients and the server’s audit files are stored in a
compressed format.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on
page 86.
• You must have rights to the directory where you intend to create
the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and
[RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the
workstation's access control mechanisms to protect your files.
Procedure
1. Choose “Report audit file” from the “Auditing reports” menu
(500).
AUDITCON prompts you for the name of the output file.
2. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error
screen if it cannot.
If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
3. AUDITCON displays menu 526, which shows the available filters. These include the files with .ARF extensions in your
current directory and a null filter (“_no_filter_”) that will pass all records in the audit file. To use one of these filters, select
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must
have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are
creating the report file on your local workstation, see your
workstation documentation for information on using the workstation’s access control mechanisms to protect your files.
Procedures
1. Choose “Report audit history” from the “Auditing reports” menu (500).
AUDITCON prompts you for the name of the output file.
2. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error
screen if it cannot.
If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
3. AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file.
AUDITCON displays a “Reading file” message in the header area
of your screen and a “Please wait ...” notification in the menu area.
When it is finished, AUDITCON returns to menu 500.
4. To review the contents of your report, exit to DOS and either print or use an editor.
This section describes how to generate a formatted text version of the
user events in an old online audit file.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on page 86.
• You must have rights to the directory where you intend to create
the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are
creating the report file on your local workstation, see your workstation documentation for information on using the
workstation's access control mechanisms to protect your files.
Procedures
Choose “Report old audit file” from the “Auditing reports” menu (500).
AUDITCON displays menu 540, which lists up to 15 old audit
files that are still maintained online by the server. The old audit
files are sorted by date and time (oldest first). The dates and times
displayed show when the audit file was created (that is, when it
started accumulating audit events).
Figure 4-42: Menu 540: Select Old Audit File
5. Move the cursor to choose the desired audit file, then press Enter.
AUDITCON prompts you for the name of the output file.
6. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error
screen if it cannot.
If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
7. AUDITCON displays menu 542, which shows the available filters. Choose the desired filter and press Enter, or press F10
to edit a filter.
Figure 4-43: Menu 542: Select Filter
AUDITCON retrieves records from the current audit file, applies
the specified filter to those records, formats the filtered records,
and writes formatted records to your output file.
Depending on the size of the audit file and the complexity of your
filter, this can be a time consuming process. AUDITCON displays
a “Reading file” message in the header area of your screen and a
“Please wait ...” notification in the menu area. When it is finished,
AUDITCON returns to menu 500.
8. To review the contents of your report, exit to DOS and either
This section describes how to generate a formatted text version of the
auditor events in an old online audit file.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on page 86.
• You must have rights to the directory where you intend to create
the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are
creating the report file on your local workstation, see your workstation documentation for information on using the
workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Report old audit history” from the “Auditing reports” menu (500).
AUDITCON displays menu 550, which lists up to 15 old audit
files that are still maintained online by the server. The old audit
files are sorted by date and time (oldest first). The dates and times
displayed show when the audit file was created (that is, when it
started accumulating audit events).
Figure 4-44: Menu 550: Select Old Audit File
2. Move the cursor to choose the desired audit file, then press Enter.
AUDITCON prompts you for the name of the output file.
3. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error
screen if it cannot.
If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
4. AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file.
AUDITCON displays a “Reading file” message in the header area
of your screen and a “Please wait ...” notification in the menu area.
When it is finished, AUDITCON returns to menu 500.
5. To review the contents of your report, exit to DOS and either
print or use an editor.
View Audit File
This section describes how to display a listing of the user events in the
current audit file on the screen of your workstation.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on
page 86.
Procedures
1. Choose “View audit file” from the “Auditing reports” menu
(500).
AUDITCON displays menu 560 to display the available filters.
These include the files with .ARF extensions in your current
directory and a null filter (“_no_filter_”) that will pass all records
in the audit file.
If AUDITCON does not display the desired filter, return to DOS,
change to the directory where the filter is located, and try again.
AUDITCON reads the current audit file and displays menu 570,
which contains the first screen of audit history events.
Figure 4-47: Menu 570: View Audit History
2. Press the Home, End, Page Up, Page Down, and arrow keys to move through the display. When you are finished, press Esc
and answer “Yes” to return to menu 500.
The “Auditor login” event means that an auditor began accessing the audit file, while the “Auditor logout” event means that an auditor ceased accessing the audit file. These events do not indicate user logins or logouts.
View Old Audit File
This section describes how to display a listing of the user events from
an old online audit file to the screen of your workstation.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on page 86.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must
have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the database file on your local workstation, see your
workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Database report audit file” from the “Auditing
reports” menu (500).
AUDITCON prompts you for the name of the output file.
2. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error
screen if it cannot.
If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON displays menu 801 to display the available filters. These include the files with .ARF
extensions in your current directory and a null filter (“_no_filter_”) that will pass all records in
the audit file.
Figure 4-51: Menu 801: Select Filter
3. To use one of these filters, choose that filter and press Enter.
AUDITCON also allows you to create a temporary filter, or modify an existing filter, for use in
this report. Choose the desired filter (or “_no_filter_”) and press F10. Edit the filter as described
in “Generating Reports from Offline Audit Files” on page 122, then press Esc to bring up the
“Save Filter” menu. From there you can discard the changes, save the changes to a filter file, or
This section describes how to generate a formatted text version of the
auditor events in the current audit file in a format suitable for loading
into a database.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on
page 86.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and
[RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your
workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Database report audit history” from the “Auditing
reports” menu (500).
AUDITCON prompts you for the name of the output file. Enter
the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error screen if it cannot.
If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON retrieves records from the current audit file, formats
the records, and writes them to your output file.
AUDITCON displays a “Reading file” message in the header area
of your screen and a “Please wait ...” notification in the menu area.
When it is finished, AUDITCON returns to menu 500.
2. Exit to DOS and use an appropriate database loading program to insert the audit history records into a database for review.
See “Format of the Database Output File” on page 121 for a
This section describes how to generate a file containing the user events
in an old online audit file in a form suitable for loading into a database.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on
page 86.
• You must have rights to the directory where you intend to create
the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are
creating the report file on your local workstation, see your
workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Database report old audit file” from the “Auditing
reports” menu (500).
AUDITCON displays menu 820, which lists up to 15 old audit
files that are still maintained online by the server. The old audit
files are sorted by date and time (oldest first). The dates and times
displayed show when the audit file was created (that is, when it started accumulating audit events).
Figure 4-52: Menu 820: Select Old Audit File
2. Move the cursor to choose the desired audit file, then press
Enter.
AUDITCON prompts you for the name of the output file.
3. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error
screen if it cannot.
If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON displays menu 822 to display the available filters.
Figure 4-53: Menu 822: Select Filter
4. Choose the desired filter and press Enter, or press F10 to edit
a filter.
AUDITCON retrieves records from the current audit file, applies
the specified filter to those records, formats the filtered records,
and writes formatted records to your output file.
Depending on the size of the audit file and the complexity of your
filter, this can be a time consuming process. AUDITCON displays
a “Reading file” message in the header area of your screen and a
“Please wait ...” notification in the menu area. When it is finished,
AUDITCON returns to menu 500.
5. Exit to DOS and use an appropriate database loading
program to insert the audit records into a database for review.
See “Format of the Database Output File” on page 121 for a
This section describes how to generate a file containing the auditor
events in an old online audit file in a form suitable for loading into a
database.
Prerequisites
• See “General Prerequisites” on page 29 and “Prerequisites” on
page 86.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and
[RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your
workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Database report old audit history” from the
“Auditing reports” menu (500).
AUDITCON displays menu 830, which lists up to 15 old audit
files that are still maintained online by the server. The old audit
files are sorted by date and time (oldest first). The dates and times
displayed show when the audit file was created (that is, when it started accumulating audit events).
Figure 4-54: Menu 830: Select Old Audit File
2. Move the cursor to choose the desired audit file, then press
Enter.
AUDITCON prompts you for the name of the output file.
3. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error
screen if it cannot.
If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON retrieves records from the current audit file, formats
the records, and writes them to your output file.
AUDITCON displays a “Reading file” message in the header area
of your screen and a “Please wait ...” notification in the menu area.
When it is finished, AUDITCON returns to menu 500.
4. Exit to DOS and use an appropriate database loading program to insert the audit history records into a database for
review.
See “Format of the Database Output File” on page 121 for a
description of the format of the database file.
Format of the Database Output File
Each line in the output file represents a single audit record. Each line
consists of a series of comma-separated fields in the following order:
• Time, as hh:mm:ss
• Date, as mm-dd-yyyy
• A “V” to indicate the record came from a volume audit trail
• The name of the volume where the audit record was generated
• A textual description of the event (for example, “File search”)
• The word “event” followed by the numerical event number
• The word “status” followed by the status from the event
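The field order above is enough to write a loader for the database output file that checks each record before it is inserted, so that a damaged or truncated line is reported rather than silently loaded. The following is an added example (my code, not part of the Novell manual or the AUDITCON utility) that parses lines in the listed order. Two things are assumptions, not stated in the manual: the textual description contains no commas, and a non-zero status marks an audited operation that did not succeed. The manual's field list ends at the status field, so any fields that follow it are kept verbatim rather than interpreted. The sample lines and event numbers are constructed for illustration.

```python
# Added example (not code from the Novell manual): parser for AUDITCON's
# comma-separated database output file, in the field order the manual lists:
# time (hh:mm:ss), date (mm-dd-yyyy), "V", volume, description,
# "event <n>", "status <n>". Fields after "status" are kept in `extra`
# because the manual's list ends there. Assumptions, not from the manual:
# the description has no embedded commas, and status != 0 means failure.
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Tuple


@dataclass
class AuditRecord:
    timestamp: datetime
    volume: str
    description: str
    event: int
    status: int
    extra: List[str] = field(default_factory=list)


def _keyword_int(text: str, keyword: str) -> int:
    """Turn 'event 21' into 21, insisting that the expected keyword is present."""
    word, _, number = text.partition(" ")
    number = number.strip()
    if word.lower() != keyword or not number.lstrip("-").isdigit():
        raise ValueError(f"malformed {keyword} field: {text!r}")
    return int(number)


def parse_record(line: str) -> AuditRecord:
    """Parse one output line; raise ValueError on a malformed record."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(",")]
    if len(fields) < 7:
        raise ValueError(f"expected at least 7 fields, got {len(fields)}")
    time_s, date_s, kind, volume, description, event_f, status_f = fields[:7]
    if kind != "V":
        raise ValueError(f"not a volume audit record (marker {kind!r})")
    # Time is hh:mm:ss and date is mm-dd-yyyy, as the manual specifies.
    timestamp = datetime.strptime(f"{date_s} {time_s}", "%m-%d-%Y %H:%M:%S")
    return AuditRecord(
        timestamp=timestamp,
        volume=volume,
        description=description,
        event=_keyword_int(event_f, "event"),
        status=_keyword_int(status_f, "status"),
        extra=fields[7:],
    )


def parse_report(lines) -> Tuple[List[AuditRecord], List[Tuple[int, str]]]:
    """Parse every non-blank line. Rejected lines are collected as
    (line number, reason) so one damaged line does not hide the rest."""
    records, rejected = [], []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            records.append(parse_record(line))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return records, rejected


def summarize(records: List[AuditRecord]) -> Tuple[Counter, int]:
    """Count records per (volume, description) and count non-zero statuses
    (assumed here to mean the audited operation failed)."""
    per_event = Counter((r.volume, r.description) for r in records)
    nonzero_status = sum(1 for r in records if r.status != 0)
    return per_event, nonzero_status


# Constructed sample output. The event numbers are illustrative only,
# not the real AUDITCON event codes.
SAMPLE_REPORT = """\
09:15:02,03-15-1995,V,SYS,File search,event 21,status 0
09:15:07,03-15-1995,V,SYS,Open file,event 27,status 0
09:16:40,03-15-1995,V,DATA,Delete file,event 17,status 255
this line is damaged and should be rejected
"""

if __name__ == "__main__":
    recs, bad = parse_report(SAMPLE_REPORT.splitlines())
    counts, failures = summarize(recs)
    for (vol, desc), n in sorted(counts.items()):
        print(f"{vol:<8} {desc:<12} {n}")
    print(f"records with non-zero status: {failures}")
    for lineno, reason in bad:
        print(f"line {lineno} rejected: {reason}")
```

Running the block on a real report file is a matter of passing `open(path)` to `parse_report`; the rejected-line list is the part worth keeping, since a report that loads with silent gaps is of little use when the audit history is later reviewed.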
1. Choose “Audit files maintenance” from the “Available audit
options” menu (101).
2. Press Enter.
AUDITCON displays menu 700, which lists more maintenance
options.
Figure 4-56: Menu 700: Audit Files Maintenance
Copy Old Audit File
This section describes how to copy old online audit files to removable
media (for example, diskettes or magnetic tapes), workstation
directories, or network drives. The primary reason for copying an audit
file is to save the contents of the file before you delete it from the server
(see “Delete Old Audit File” on page 131). You might also want to copy
an old audit file to removable media in order to save it for evidence or
to keep it for long-term storage.
Prerequisites
• See “General Prerequisites” on page 29.
• To copy an online audit file, you must either have Read rights to the
Audit File object Audit Contents property or have logged in to the audit trail. (To log in to an audit trail, you must enable audit passwords at the server console; this configuration is not
If you do not specify a drive letter and directory, AUDITCON
leaves the audit file in your current directory. The default
filename is “AUDITOLD.DAT” on your local drive.
AUDITCON displays a “Please wait” message while it copies the
audit file from the server to your offline destination file. When it
has copied the file, AUDITCON returns to menu 700.
4. If you copy audit files from the server onto your local workstation’s file system, you must ensure that the audit data is properly protected by your workstation.
5. If you copy the audit file onto removable media (for example,
a diskette or tape cartridge), attach a diskette or tape label that shows the server name, volume name, your name, the date, time, and size of the audit file, along with any other
specific comments that you feel are important. Finally, you must ensure that the media is physically protected.
The purpose of this information is to ensure that you can load the
medium in the future, and generate meaningful audit reports
from it.
One strategy that is commonly used is to set the maximum audit file size so that one audit file will fit on a 1.44 MB diskette. See “Changing a Volume Audit Configuration” in this chapter for information on setting the audit file size.
If you have a high volume of audit data, you will probably want to archive your audit files onto magnetic tape, for example, tape cartridges. AUDITCON does not provide a means for copying audit files directly to magnetic tape. If you want to use magnetic tape for long-term storage, you must first copy those files onto your file system, then use a backup program to copy the files to magnetic tape.
The frequency at which you should copy the server's audit files to offline storage depends on how fast your server fills up audit files. If your server archives audit files on a periodic basis (as opposed to filling up the audit file), then you can set the number of audit files to 10 or 15, and copy or remove online audit files once per week without expecting to overflow the
This section describes how to delete an old audit file from the server’s
online storage after you’ve copied the file to offline storage or decided
that you do not need to save the file.
Prerequisites
• See “General Prerequisites” on page 29.
• To delete an online audit file, you must either have the Write right
to the Audit File object Audit Policy property or have logged in to the audit trail. If dual-level passwords are enabled, you must have the level 2 password.
Procedure
1. Choose “Delete old audit file” from the “Audit files maintenance” menu (700).
AUDITCON displays menu 720, which lists up to 15 old audit
files that are maintained online by the server. The old audit files
are sorted by date and time (oldest first). The dates and times
displayed show when the audit file was created (that is, when it
started accumulating audit events).
Figure 4-58: Menu 720: Select Old Audit File
There is no mechanism for deleting the current audit file. If you want to delete the data in the current audit file, you must first reset the audit data file (see “Reset Audit Data File” on page 132).
You can only delete one file at a time. If you want to delete multiple audit files, perform the steps in this section once for each file.
2. Move the cursor to choose the desired audit file, then press Enter.
AUDITCON asks you to confirm that you want to delete the audit
After you delete an online audit file, there is no way to recover the contents of the file. Do not delete the file unless you are absolutely certain that you will not require the data in the audit file. If there is any doubt, copy the audit file (see “Copy Old Audit File” on page 128) to offline storage before you delete the file.
3. If you are certain that you want to delete the old audit file,
press Enter.
Reset Audit Data File
This section describes how to reset the current audit file. Resetting a file
is a manual means of causing the current audit file to “roll over,” that is,
to cause the current audit file to become an old audit file and to establish
a new current audit file.
Manual reset might be necessary, for example, if the server stops
processing volume requests because the volume is in an overflow state.
See “Resolving Volume Audit Problems” on page 133 for information
on recovering from volume overflow.
Prerequisites
• See “General Prerequisites” on page 29.
• To reset the current audit file, you must either have the Write right to the Audit File object Audit Policy property or have logged in to
the audit trail. If dual-level passwords are enabled, you must have the level 2 password.
Procedures
1. Choose “Reset audit data file” from the “Audit files maintenance” menu (700).
AUDITCON requests confirmation that you want to perform the
reset.
If you perform the reset, the current audit file will become an old
audit file and a new current audit file will be created.
2. Choose “Yes” and press Enter to reset the current volume
This section describes solutions to potential volume audit problems.
These include audit trail overflow and catastrophic failure.
Audit Trail Overflow
“Preventing Loss of Audit Data” on page 23 describes the potential for
audit loss if the configured number of audit files are filled or disk space
fills up and the audit trail is improperly configured.
“Audit Options Configuration” on page 70 describes the three overflow
configuration options for volume audit trails:
• Archive audit file
• Disable auditable events
• Disable event recording
The only option that prevents the loss of audit events (from audit
overflow situations) is to disable auditable events. With this setting, the
server goes into an overflow state when the current audit file reaches its
maximum size or the server cannot write the current audit event.
To recover from this overflow state, an auditor (with the Write right to the volume Audit File object Audit Policy property) must reset the
current audit trail.
1. If volume SYS: overflows, the server will allow an auditor to
perform a read-only login to reset the audit file.
To perform a read-only login when volume SYS: has overflowed, you must have sufficient software in your workstation to perform the login without downloading anything from the \LOGIN directory. The specific software this requires depends on your workstation.
In general, having a copy of the contents of \LOGIN will be sufficient. To do this, create a \LOGIN directory on your workstation, and copy everything from SYS:\LOGIN to your workstation \LOGIN directory. The required contents include not only the \LOGIN directory itself, but also subdirectories of \LOGIN (that is, \LOGIN\NLS and
If you don’t keep a copy of \LOGIN on a workstation, you will be unable to recover from an audit overflow on the SYS: volume.
When in the overflow state, you can log in using your local copy of \LOGIN by changing to that directory and running LOGIN.EXE (or any other appropriate programs).
2. If you want to save the oldest audit file, and you haven’t already
backed it up, copy the oldest old audit file to offline storage (for
example, a file in the server or workstation or removable media).
3. Reset the current volume audit file, as described in “Reset Audit
Data File” on page 132. This rolls over the current audit file (to an
old audit file), deleting the oldest old audit file, and initializes a
new audit file.
4. If you want to save any audit files that you haven’t already saved
(including the newest of the old audit files), copy those audit files
to offline storage.
Perform the following suggestions to help prevent volume overflow:
1. Review the status and size of the audit file frequently.
2. Manually reset the audit file before it overflows, if necessary.
3. Enable “Automatic audit file archiving” as described in
“Changing a Volume Audit Configuration” on page 47. Set the “Audit file maximum size” large enough and the “Days between
audit archives” low enough that the audit file will not overflow.
Use caution in setting these parameters to prevent destruction of
audit data.
4. Don’t over audit.
If the audit trail for a volume is full, the auditor’s actions (for example, deleting data files, resetting the audit file) cannot be audited for that volume. In this case, you must keep a manual log of your actions for use when generating a complete
history of actions performed on the server. You will be informed via a message from the server to your workstation when this occurs.
When the audit trail reaches its configured threshold, you will receive the following notification on your workstation screen:
The audit overflow file for volume volname is almost
When the audit trail is completely full, you will receive the following notification on your workstation screen:
The audit overflow file for volume volname is full.
To avoid missing this message, you must not issue the SEND /A=N or SEND /A=P commands, or if using Windows and the NetWare User Tools, do not disable network warnings.
Catastrophic Failure Recovery
This section describes what to do if you have a catastrophic failure, for
example, the volume being audited is destroyed (perhaps because of a
hard disk failure) and you need to recover the audit state to what it was
before the failure. In addition, it explains how to handle planned
upgrades, such as when a volume is moved from a small disk drive to
a larger disk drive.
There are several potential losses not addressed here:
• Loss of offline audit data. Your offline audit data (whether stored
in server or workstation file systems, or on removable media)
should be backed up frequently enough that its loss would not be
catastrophic.
• Loss of some, but not all copies of the Audit File object describing
the volume audit trail due to failure of one or more servers holding an NDS partition. In this case, NDS automatically uses
whatever copies are available. If a server configured for the
partition is brought back online, then it will automatically be
updated with the Audit File object information.
There are two major catastrophic failures possible for volume audit:
• Loss of all copies of the Audit File object describing the volume
audit trail. If all copies of the Audit File object are lost (for
example, because there only was one copy, and the server it was
on suffered a disk failure), then you might be able to recover the
Audit File object from a backup of your Directory tree (presuming
you have backed up your Directory tree). If so, then you will be
able to regain access to the existing online audit data. If not, then
no access is possible to the online audit data. You must recreate
the volume audit trail using the procedures in “Enabling Volume
Auditing” on page 44 (including selecting events, audit full
actions, and so on).
• Loss of a volume (for example, because of a disk failure). Because
volume audit files are stored in an inaccessible directory which
cannot be backed up, loss of a volume means that the online audit files (both the current audit file and any old audit files) are lost.
Use AUDITCON to perform regular backups of audit data to
avoid loss of online audit data.
If you restore a volume from a backup, it will come back without auditing enabled. To avoid unaudited actions while you are configuring the audit system, you should take the server offline for the restoration process until the volume audit has been reconfigured. To do this, disconnect the server from any networks it is connected to, and attach it to a protected LAN containing only a trusted workstation located in a secure location. Then restore the volume from the backup. Use the trusted workstation to run AUDITCON to re-enable volume
auditing. Restore the previous configuration, using your manual logs of which files are audited (as described in “Changing a Volume Audit Configuration” on page 47). Finally, reconnect the server to the standard networks.
You might need to take more than one server offline to perform this
restoration, for example, if the server being restored does not have
replicas of any NDS containers with administrative users, or if the
Audit File object for the volume audit trail will not be stored in a
container found on the server.
In addition to the above scenarios, if you restore an NDS User object
from an NDS backup, it will come back without its per-user audit flag.
To prevent a user from performing unaudited actions, you should take
the server offline before restoring the User object, and use AUDITCON
to set the per-user audit flag using the manual logs of audited users (as
described in “Audit by User” on page 67 or “Audit by User” on
page 161).
If you upgrade a volume (for example, replacing it with a larger disk),
that is equivalent to recovery from a catastrophic disk failure. To do an
upgrade, you must first back up the old volume, and then restore it on
the new disk. This loses all audit data. Therefore, before performing a volume upgrade, you should also back up all volume audit data stored
on that server. Because the backup does not include the per-file audit
flags, you should use the procedure described above to take the server
offline for the recovery process, and use the manual logs of which files
are audited to configure the audit system correctly before bringing the
Chapter 5: Using AUDITCON for Container Auditing 141
Accessing the Container Audit Trail
This section describes how to
x Access the container auditing menu tree
x Select a container for auditing
x Log in to a container audit trail (if audit passwords are enabled)
You should have read Chapter 3, which describes how to run AUDITCON and navigate the menu tree.
Getting Started
When you run AUDITCON, it displays a screen with one of the five “Available audit options” menus. The particular entry menu you see depends on your current volume and the state of that volume audit trail.
The container auditing state is independent of the state of volume auditing. You do not have to enable auditing of a volume or have access to a volume audit trail to perform container auditing.
Prerequisites
t See “General Prerequisites” on page 29.
t If you are unfamiliar with NDS concepts, review the Guide to NetWare 4 Networks. If you are unfamiliar with the implementation of your Directory tree, run a graphical utility such as NetWare Administrator to browse the tree.
See your client documentation for information on the availability of NetWare Administrator or NETADMIN in your client evaluated configuration.
Audit the Directory Tree
This option allows you to browse the Directory tree to select a container for auditing. AUDITCON displays a menu that allows you to begin auditing that container. If you have already selected the container, as described in “Change Session Context” on page 143, you do not need to browse the tree.
Prerequisites
t See “General Prerequisites” on page 29.
t To browse the Directory tree for containers, you must have the Browse right to the container. Otherwise, AUDITCON will not be able to find the container.
Procedures
1. Choose “Audit Directory tree” in the “Audit Directory services” menu (1000) and press Enter.
AUDITCON displays menu 1010, which allows you to browse the Directory tree to select a container for auditing.
If auditing is enabled, your first selection from the top level menu should be “Change replica” (see “Change Replica” on page 148), to determine which replica of the partition will be used for auditing. Failure to use the primary copy (as described in “Configuring Auditing” on page 155 and “Container Audit File Maintenance” on page 210) for configuration changes can cause the audit configuration changes to be lost. When doing audit reporting, you should examine each replica of the partition in turn, as described in “Generating Container Audit Reports” on page 172.
Audit data is stored on master, read/write, and read-only replicas of the container.
Auditor Container Login
Logging in to an audit trail is fundamentally different from logging in to a NetWare Enhanced Security server. When you log in to a NetWare Enhanced Security server, your login password is used to authenticate your individual identity to NDS for the life of your login session. “Logging in” to a container audit trail is a means of controlling access to an audit file, and is not permitted in the NetWare Enhanced Security configuration. However, if you use audit passwords to control access to the audit trail, do not reuse your NetWare login password.
Prerequisites
t See “General Prerequisites” on page 29.
t The ALLOW AUDIT PASSWORDS console parameter must be ON at the particular server you are accessing for you to log in to a container audit trail anywhere on that server.
The server’s NetWare Enhanced Security configuration requires use of the NDS rights-based access control mechanism to protect audit data. Do not enable the password-based access control method (by setting ALLOW AUDIT PASSWORDS=ON at the server console) because this violates the assumptions under which the server was evaluated. See preceding note under “Change Replica” for additional information.
Procedures
1. Choose “Auditor container login” in the “Available audit options” menu and press Enter.
2. Enter the container audit password (after the colon prompt) and press Enter to log in to the current container's audit trail.
AUDITCON does not echo your password to the screen. If your login is successful, AUDITCON goes to menu 1101.
If you use the wrong password or audit passwords are disabled for your current server, AUDITCON displays an error report as shown in menu 131. Because password-based access to audit trails
or
(2) the server you are logged in to must have a replica of the partition that contains the container you want to audit.
Under the second condition, choose “Change Replica” from the “Available Audit Options” menu, then choose the server containing the read/write replica and set “Allow Audit Passwords” to ON for the server containing the replica.
When the auditor logs in to audit the container, the auditor will be prompted for a password for the container. This password is the one specified by the administrator. Once the auditor is logged in to the container, he or she must change the password to protect the data.
Prerequisites
t See “General Prerequisites” on page 29.
t You must have the Read right to the container object's Audit File Link property. This is necessary for AUDITCON to determine the existence of an Audit File object for the container.
t If an Audit File object does not already exist for the container, you must have the Write right to the container object's Audit File Link property to modify the container's Audit File Link to point to the Audit File object.
t If an Audit File object does not already exist for the container, you must have the Create object right to the container object.
Procedures
1. From menu 1010, choose the desired container to be audited and press F10.
2. To enable auditing of the container, choose “Enable container auditing” from the “Available audit options” menu.
This option is available only in menu 1102 (when auditing is not already enabled for the container). AUDITCON then checks the container object’s Audit File Link to determine whether the container already has an Audit File object; if so, AUDITCON
If the container does not have an Audit File object (for example, auditing was not previously enabled for this container), AUDITCON creates an Audit File object in the container.
The name of the Audit File object is “AFOid_contname,” where id is a counter used if there is already an object with the desired name, and contname is the name of the container. For example, if the container name is FINANCE.ACME, then the Audit File object would be named AFO0_FINANCE.ACME, or if that object already exists, then AFO1_FINANCE.ACME.
If having an independent auditor is important to you, you might want to set the Access Control List and Inherited Rights Filter for the Audit File object to prevent access by administrators who are not auditors.
AUDITCON builds links from the Audit File object and Container object to each other. The server gives you the Supervisor object right to the Audit File object, and the Write right to the Object Trustees (ACL) property. In addition, AUDITCON gives you Read and Write rights to the Audit File object audit Policy property, and Read rights to the Audit Contents property. See “Controlling Access to Online Audit Data” on page 17 for information on giving other auditors rights to the Audit File object.
AUDITCON enables auditing for the container and returns to menu 1101.
When auditing is enabled for the first time on a container, there are no events selected. You should continue by using menu 1497, 1498, or 1499 (depicted on the following pages) to select the desired audit events.
When the server creates the audit file, it defines a password hash that can never be matched by a hashed password submitted by AUDITCON. If you intend to permit password-based access to the audit files, you must set the console parameter ALLOW AUDIT PASSWORDS=ON and use AUDITCON (“Auditing configuration” menu, “Change audit password” or “Set audit password” menu) to set an audit password for the audit files. (Do not configure the server to use audit passwords if you are using the server in a NetWare Enhanced Security configuration.)
See note under “Change Replica” in this chapter for additional information.
Configuring Auditing
This section describes how you can use AUDITCON’s container audit configuration menu to define
x Which NDS events are audited
x How audit files are handled (size, threshold, rollover handling)
x How to set audit passwords
x How to disable auditing
x How to recover from audit file overflow
Auditing Configuration Prerequisites
t See “General Prerequisites” on page 29.
t To change the auditing configuration in a NetWare Enhanced Security configuration, you must have the Write right to the Audit Policy property of the Audit File object associated with the container you want to audit. If audit passwords are enabled at the server and you have logged in with the correct password, AUDITCON will also permit you to change the audit configuration. If the audit file is configured for level 2 passwords, and you don't have NDS access, then you must have the level 2 password to modify the auditing configuration. If you've logged in with a level 1 password, AUDITCON prompts for the level 2 password after each operation. These screens are not shown in the following sections because they don’t pertain to the NetWare Enhanced Security configuration. See “Controlling Access to Online Audit Data” on page 17 for information on password levels.
t Determine what actions you want to perform (for example, which events to audit, how large you want the audit file to be) before you run AUDITCON.
Procedure
1. Choose “Auditing Configuration” from the “Available audit
Figure 5-10
Menu 1498: Auditing Configuration
Figure 5-11
Menu 1499: Auditing Configuration
2. Choose the desired configuration option, and press Enter.
These configuration submenus are addressed in the following sections.
When you make changes to the container audit configuration, you might receive a message that AUDITCON was unable to update the Audit File object. If this occurs, it is possible that your configuration changes could be lost.
Configuration of each container audit trail must be performed on a single server which holds a replica of the audit trail. It doesn’t matter which one you pick, but all auditors of the container must use that one copy. Failure to use a single copy for configuration can cause unexpected results and/or loss of configuration changes.
Audit by DS Events
This section describes how you preselect the NDS events to be audited in the container audit file. Preselection is the operation of telling the server, in advance, which types of audit events you want the server to record in an audit file. By preselecting the events that are important in your organization, you conserve disk space for recording other audit
By default, the events you select will be recorded for all users of the container. If you only want to audit actions of certain users, you should set the “User restrictions” flag in the “User restriction” menu, and then preselect the specific users whose actions you want to record using the “Audit by user” menu.
You cannot generate audit reports for events or users that were not preselected for auditing when the event occurred. For example, if you need to review logins by a user two weeks ago, but you did not have logins preselected at that time, you will not be able to generate an audit report for these events. You must balance your need for certain audit information with the resources required to audit those events.
Prerequisites
t See “General Prerequisites” on page 29 and the “Auditing Configuration Prerequisites” on page 155.
Procedures
1. Choose “Audit by DS events” from the “Auditing configuration” menu (1497, 1498, or 1499).
AUDITCON displays menu 1401 which lists the NDS events that you can preselect for auditing. These events are usually associated with user actions performed at client workstations, and the audit record includes the identity of the user that requested the service.
Verify console operator
Verify password
In addition to the events that are preselected for auditing, container audit trails also include pseudo-events that establish the context for reviewing audit events. For example, the server records logins and logouts for users in other containers, even if logins and logouts are not selected for the current container.
2. Determine the list of events that you want to audit. Move the cursor to each event and press F10 to toggle it to OFF or ON. You can press F8 to toggle all events to ON or OFF.
3. When you have set and reviewed the audit event configuration, press Esc.
4. Choose “Yes” to save the changes and return to menu 1497, 1498, or 1499, or “No” to leave the audit events unchanged.
If level 2 passwords are enabled, AUDITCON will prompt for the level 2 password before making the change.
Audit by User
By default, selected container events are recorded for all users. If you want to preselect by user for container events, then you must use the “User restriction” menu to set the “User restrictions” flag for the container to “Yes”. The “User restriction” menu is reached from the “Auditing Configuration Menu.”
If an auditor has rights to audit any volume or container in the network, that auditor is able to enable or disable auditing for any user in the Directory tree.
When you select a user for container auditing, the selection applies to all volumes and containers on all servers in the network. You cannot select user BOB for auditing of events on container LAB1.ENGR.ACME without also having BOB audited for events on all other volumes and all other containers in the network.
The server keeps user audit flags in the associated User objects in NDS, but does not save that information when you back up NDS. If you ever restore NDS from a backup, the audit flags will be lost. You must keep a manual record of all users you’ve preselected for auditing to restore that information.
Table 5-3 shows a sample form for recording which users have been marked for auditing. You must keep a record of all such users for recovery purposes. If NDS is ever restored from a full backup, you will use this list to reconstruct your audit settings. Failure to keep such a record and use it can result in loss of audit data.
Because NDS is a distributed system and some servers might be offline at any given time, selecting a user for auditing might involve a long delay before NDS can synchronize this information throughout the network. See Chapter 9, “Security Supplement to Maintaining the NetWare Server” of NetWare Enhanced Security Administration for information on how to determine that a change has been synchronized to all replicas of the partition on which it resides.
Prerequisites
t See “General Prerequisites” on page 29 and “Auditing Configuration Prerequisites” on page 155.
t You do not need specific rights to a User object in the NDS database to set the audit flag for that user.
Procedures
1. Choose “Audit by user” from the “Auditing configuration” menu (1497, 1498, or 1499).
AUDITCON displays menu 1420, which lists containers that can
Figure 5-13
Menu 1420: Audit Directory Tree Users
2. Choose the container that holds the User objects and press Enter.
AUDITCON expands the menu to list the objects in that container.
3. To preselect a user for volume and container auditing, use the up and down arrow keys to scroll within the window. Choose a user and press F10 to toggle the user audit flag to ON or OFF.
You can preselect users in other containers by selecting the container, which will then show the users in that container. Non-User objects (for example, Organizational Unit objects) are displayed, but you cannot toggle the audit flag for those objects.
4. When you have set and reviewed the audit event configuration, press Esc.
5. Choose “Yes” to save the changes and return to menu 1420, or choose “No” to leave the audit events unchanged.
Setting the audit flag on the USER_TEMPLATE user will not cause automatic auditing of newly created users. When a new user is created, you must preselect his or her NDS User object if you want the user’s actions to be audited.
When computing the overflow audit file size for a container audit trail, you must use the maximum value for the number of service processes on all servers where the container is stored. That is, if the container is stored on servers A, B, and C, you must use the highest value for the number of service processes in your calculation. Otherwise, your value might not be large enough and you could lose some audit data.
The server provides three options for handling container audit file overflow. The options, as shown in Table 5-4, “Overflow Options”, are “Archive audit file,” “Disable audited events,” and “Disable event recording.”
Table 5-4 Overflow Options

Archive audit file
With this setting, the server archives the current audit file and creates a new audit file. If necessary (because the maximum number of old online audit files already exists), the server deletes the oldest of the old online audit files. This option is not recommended for use in NetWare Enhanced Security networks because it can result in audit data being lost.

Disable audited events
With this setting, the server disables all audited NDS events when the current audit file has reached the “Audit file maximum size” or the server cannot write to the current audit file (for example, it is out of disk space). The server doesn’t attempt to roll over to a new audit file, even if audit files and disk space are available. In this overflow state, any event that is preselected for auditing is disabled; however, events that are not preselected are still permitted. For example, if logins are preselected for auditing, any attempt to log in to an object in the container (except by an auditor) will fail. This is the only overflow option that guarantees that you will not lose audit data. Consequently, if collection of audit data is of the utmost importance (such as, in a NetWare Enhanced Security network), then you should use this setting, even though it might inconvenience users when they are unable to log

Disable event recording
With this setting, the server turns off auditing and stops entering new audit records into the current audit file when it reaches the maximum size limit or when an unrecoverable write error occurs for the audit file. The server doesn’t attempt to roll over to a new audit file, even if there is disk space for archiving the current audit file. You must reset the current audit file to re-enable event recording. Until you re-enable event recording, users can access the NDS container without any audit coverage. Consequently, this setting is not recommended for use in NetWare Enhanced Security networks because it can result in audit data not being recorded.

Minutes between warning messages
The server sends warnings to the console at this frequency if the audit file is full and the overflow option is configured to either “Disable audited events” or “Disable event recording”. If you have the “Archive audit file” option configured, then a warning message is sent when the audit file is almost full, but there is no additional message when the archive occurs.

2. Move the cursor to the field you want to change and enter the new configuration value.
For numeric fields (for example, “Audit file maximum size”), type the new value into the field over the previous value, then press Enter. For “Yes/No” settings, type “Y” or “N” to change the value.
Depending upon your change, the server might modify other values on the configuration screen. For example, if you set “Automatic audit file archiving” to “No”, the server will blank out the entries for “Days between audit archives” and “Hour of day to archive.”
If you enable “Force dual-level audit passwords,” AUDITCON will immediately prompt you (twice) to enter the new level 2 password. These menus are not shown here, because audit passwords are not permitted in NetWare Enhanced Security networks.
3. Review the settings on the current screen, and change any settings as needed.
4. When you are finished, press Esc to exit the menu.
5. Choose “Yes” to save the changes and return to menu 1497, 1498, or 1499, or choose “No” to leave the audit configuration unchanged.
Audit files consume disk resources that might be needed by other users. Before you define the number and size of audit files, discuss your projected disk space requirements with an administrator for each server that holds a replica of the container.
The server’s NetWare Enhanced Security configuration requires use of the NDS rights-based access control mechanism to protect audit data. Do not enable the password-based access control method (by setting ALLOW AUDIT PASSWORDS=ON) because this violates the assumptions under which the server was evaluated.
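The three overflow options in Table 5-4 differ in what happens to audited activity once the current audit file is full. The following model is an added example, not NetWare or AUDITCON code; file size is counted in records, and the event stream and limits are constructed values chosen to make the difference visible.

```python
"""Model of the three container audit file overflow options (Table 5-4).

Added example; not NetWare or AUDITCON code. File size is counted in
records, and the event stream and limits are constructed, so the numbers
are illustrative only. The model shows which options let audited activity
proceed without a record, or discard already recorded data, once the
current audit file is full.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ARCHIVE = "Archive audit file"
DISABLE_EVENTS = "Disable audited events"
DISABLE_RECORDING = "Disable event recording"


@dataclass
class ContainerAuditTrail:
    option: str
    max_size: int                  # "Audit file maximum size", in records here
    max_old_files: int             # old online audit files retained (ARCHIVE only)
    current: List[str] = field(default_factory=list)
    old_files: List[List[str]] = field(default_factory=list)
    recording: bool = True         # False once DISABLE_RECORDING has tripped
    discarded: int = 0             # recorded data deleted by archive rollover
    unaudited: int = 0             # preselected events performed with no record
    refused: int = 0               # preselected events the server did not perform
    console_warnings: int = 0

    def _archive(self) -> None:
        """Roll over: the current file becomes an old file, a new one starts."""
        self.old_files.append(self.current)
        self.current = []
        if len(self.old_files) > self.max_old_files:
            # The oldest old online audit file is deleted: audit data is lost.
            self.discarded += len(self.old_files.pop(0))

    def request(self, event: str, preselected: bool) -> bool:
        """Process one request; return True if the server performs it."""
        if not preselected:
            return True                    # not audited, never affected by overflow
        if not self.recording:
            self.unaudited += 1            # auditing stays off until the file is reset
            return True
        if len(self.current) >= self.max_size:
            if self.option == ARCHIVE:
                self._archive()            # roll over, possibly deleting old data
            elif self.option == DISABLE_EVENTS:
                self.console_warnings += 1
                self.refused += 1
                return False               # fail closed: the audited event is disabled
            else:                          # DISABLE_RECORDING
                self.console_warnings += 1
                self.recording = False
                self.unaudited += 1
                return True                # fail open: no audit coverage from here on
        self.current.append(event)
        return True

    def lost_coverage(self) -> int:
        """Audited activity for which no record survives, by either route."""
        return self.discarded + self.unaudited


def simulate(option: str, stream: List[Tuple[str, bool]],
             max_size: int = 3, max_old_files: int = 1) -> ContainerAuditTrail:
    """Run a constructed request stream against one overflow option."""
    trail = ContainerAuditTrail(option, max_size, max_old_files)
    for event, preselected in stream:
        trail.request(event, preselected)
    return trail


# Constructed stream: eight preselected logins interleaved with unaudited reads.
STREAM: List[Tuple[str, bool]] = [("Login", True), ("Read object", False)] * 8

if __name__ == "__main__":
    for opt in (ARCHIVE, DISABLE_EVENTS, DISABLE_RECORDING):
        t = simulate(opt, STREAM)
        print(f"{opt:24} refused={t.refused} unaudited={t.unaudited} "
              f"discarded={t.discarded} lost_coverage={t.lost_coverage()}")
```

Only “Disable audited events” ends the run with no lost coverage; the cost is the refused requests, which is the user inconvenience the table describes.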
Change Audit Passwords
“Controlling Access to Online Audit Data” on page 17 describes the use of the password-based mechanism for accessing audit files. This section describes how to change both level 1 and level 2 passwords. This section is applicable only if the ALLOW AUDIT PASSWORDS option is set to ON.
This procedure assumes that the auditor (not the system administrator) is the one performing these procedures and that the administrator has previously established the passwords and has shared them with the auditor. The auditor can change the level 1 password after logging in to the container.
The server’s NetWare Enhanced Security configuration requires use of the NDS rights-based access control mechanism to protect audit data. For NetWare Enhanced Security networks, do not enable the password-based access control method (by setting ALLOW AUDIT PASSWORDS=ON at the server console) because this violates the assumptions under which the server was evaluated.
Prerequisites
t See “General Prerequisites” on page 29 and “Auditing Configuration Prerequisites” on page 155.
Procedures
1. To change the level 1 password, choose “Change audit password” from the “Auditing configuration” menu (1497,
Enter the current (level 1) audit password as prompted by AUDITCON.
AUDITCON does not echo any password information to the screen.
If dual-level passwords are enabled, AUDITCON prompts you to enter the level 2 password before you can change the level 1 password. AUDITCON allows you to change the level 2 password using the same procedure used to change the level 1 password.
2. Enter the new (level 1) audit password when prompted by AUDITCON.
AUDITCON prompts you twice for the new password. This ensures that the auditor did not make an error when entering the password.
AUDITCON does not check the password for length, alphanumeric characters, or other characteristics of strong passwords, nor does it ensure that it is different from the previous password. Uppercase and lowercase characters are treated identically.
If you use audit passwords to control access to the audit file, be sure not to reuse your server password as the audit password.
Set Audit Passwords
“Controlling Access to Online Audit Data” on page 17 describes the use of the password-based mechanism for accessing audit files. This section describes how to set level 1 passwords and level 2 passwords (if level two passwords are enabled).
The server’s NetWare Enhanced Security configuration requires use of the NDS rights-based access control mechanism to protect audit data. For NetWare Enhanced Security networks, do not enable the password-based access control method (by setting ALLOW AUDIT PASSWORDS=ON at the server console) because this violates the assumptions under which the server was evaluated for C2 status.
Prerequisites
t See “General Prerequisites” on page 29 and “Auditing Configuration Prerequisites” on page 155.
Procedures
1. To set the level 1 password, choose “Set audit password” from the “Auditing configuration” menu (1497, 1498, or 1499).
AUDITCON prompts you to enter the new (level 1) container password.
2. Enter the new password as prompted by AUDITCON.
AUDITCON does not echo any password information to the screen.
If dual-level passwords are enabled, AUDITCON prompts you to set the level 2 password before you can set the level 1 password. AUDITCON allows you to set the level 2 password using the same procedure used to change the level 1 password.
AUDITCON then prompts you to reenter the new password.
3. Reenter the new password when prompted by AUDITCON.
This ensures that the auditor did not make an error when entering the new password.
AUDITCON does not check the password for length, alphanumeric characters, or other characteristics of strong passwords, nor does it ensure that it is different from the previous password. Uppercase and lowercase characters are treated identically.
If dual-level passwords are enabled, AUDITCON prompts you to enter the level 2 password before it will change the level 1 password.
If you use audit passwords to control access to the audit file, be sure not to reuse your server password as the audit password.
If you use a password to control access to an audit file, and forget the audit password, then you must use the rights-based mechanism as described in “Controlling Access to Online Audit Data” on page 17. Once you have access to the audit trail, you can reset the password as described in this section.
NOT_LOGGED_IN users” flag, the server will record these events in the current container audit file.
These flags pertain only to the currently selected container and do not affect other container or volume audit files. Unlike the per-user audit flag (which is global across the network), the “User restriction” and “Audit NOT_LOGGED_IN users” flags must be set individually for each volume and container. The two flags are independent of each other, so you can set either flag without affecting the other.
If you set the “User restrictions” flag to “Yes”, you must also preselect those users you want audited, using the procedures shown in “Audit by User” in Chapter 4 or “Audit by User” on page 161 in Chapter 5. Setting the “User restrictions” flag to “Yes” without preselecting any users will mean that no container events will be recorded in the audit trail.
If you set the “User restrictions” flag to “Yes” but leave the “Audit NOT_LOGGED_IN users” flag set as “No”, then actions of unauthenticated users will not be audited.
Unlike the per-user audit flag (which is global across the network), the “User restrictions” and “Audit NOT_LOGGED_IN users” flags must be set individually for each volume and container and apply only to that volume or container.
Prerequisites
t See “General Prerequisites” on page 29 and “Auditing Configuration Prerequisites” on page 155.
Procedures
1. Choose “User restriction” from the “Auditing configuration” menu (1497, 1498, or 1499).
AUDITCON displays menu 1480, which allows you to select the user restriction parameters for the container.
Figure 5-15
Menu 1480: User Restriction
2. Review the settings on the current screen, and change any
The following figure shows that each of the three servers (A, B, and C) record a high percentage (for example, 99%) of all of the audit records; however, each of the servers might have audit records that were not successfully replicated to the other two servers.
In particular, any data that isn’t replicated when a server archives (rolls over) a container audit file will never be replicated. For example, assume server C audits the access attempt to BART.SALES to its local SALES audit file, attempts to replicate the audit event to servers A and B, and then, subsequently, rolls over the audit file. If servers A and B are offline, disconnected, or do not have sufficient disk space when server C tries to replicate the audit record, then the audit record will not be copied to the audit files on those servers.
Because all container audit events are not necessarily replicated to all servers, some records might be missing from each copy. You must look at all of the audit trails to see the full history for the container. Thus, you should examine the audit trail on server A, then select a different replica (menu 1150) and review the audit trail for the container on server B, and repeat the process for server C.
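The reason for reading every replica can be made concrete by merging the copies and listing what each one lacks. This is an added example, not AUDITCON code: the record layout (origin server, per-origin sequence number, timestamp, event, user) is an assumed model, and the three replica copies are constructed to reproduce the BART.SALES scenario above.

```python
"""Reconstruct a container's full audit history from its replica copies.

Added example; not AUDITCON's own code. The record layout (origin server,
per-origin sequence number, timestamp, event, user) is a model assumed for
illustration. The three replica copies below are constructed: server C
audited access to BART.SALES, replication to A and B partly failed, and one
record was lost on C itself when its file rolled over before replication.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AuditRecord:
    origin: str      # server that recorded the event
    seq: int         # per-origin sequence number (assumed unique per origin)
    timestamp: str   # ISO-8601 text; constructed values sort chronologically
    event: str
    user: str

    @property
    def key(self) -> Tuple[str, int]:
        return (self.origin, self.seq)


def merge_replicas(replicas: Dict[str, Iterable[AuditRecord]]) -> List[AuditRecord]:
    """Union of every copy, de-duplicated by (origin, seq), in time order."""
    seen: Dict[Tuple[str, int], AuditRecord] = {}
    for copy in replicas.values():
        for rec in copy:
            seen.setdefault(rec.key, rec)
    return sorted(seen.values(), key=lambda r: (r.timestamp, r.origin, r.seq))


def missing_by_replica(replicas: Dict[str, Iterable[AuditRecord]],
                       merged: List[AuditRecord]) -> Dict[str, List[Tuple[str, int]]]:
    """Record keys each replica lacks relative to the merged history."""
    full = {r.key for r in merged}
    return {server: sorted(full - {r.key for r in copy})
            for server, copy in replicas.items()}


def sequence_gaps(merged: List[AuditRecord]) -> Dict[str, List[int]]:
    """Per-origin sequence numbers present in no copy at all.

    Such records cannot be recovered by reading the other replicas; this is
    the rollover-before-replication loss described in the text.
    """
    seqs_by_origin: Dict[str, Set[int]] = {}
    for r in merged:
        seqs_by_origin.setdefault(r.origin, set()).add(r.seq)
    return {origin: sorted(set(range(min(s), max(s) + 1)) - s)
            for origin, s in seqs_by_origin.items()}


# Constructed sample records (not real audit data).
A1 = AuditRecord("A", 1, "1996-03-04T08:55", "Login", "BOB.SALES.ACME")
B1 = AuditRecord("B", 1, "1996-03-04T09:00", "Login", "ALICE.SALES.ACME")
C1 = AuditRecord("C", 1, "1996-03-04T09:05", "Read object BART.SALES", "ALICE.SALES.ACME")
C2 = AuditRecord("C", 2, "1996-03-04T09:06", "Modify object BART.SALES", "ALICE.SALES.ACME")
C3 = AuditRecord("C", 3, "1996-03-04T09:07", "Logout", "ALICE.SALES.ACME")
C5 = AuditRecord("C", 5, "1996-03-04T09:20", "Logout", "BOB.SALES.ACME")

# C2 reached only A; C3 and C5 reached neither A nor B; C4 was lost when
# server C rolled its file over before it could be replicated anywhere.
REPLICAS: Dict[str, List[AuditRecord]] = {
    "A": [A1, B1, C1, C2],
    "B": [A1, B1, C1],
    "C": [A1, B1, C1, C2, C3, C5],
}


def full_history():
    """Merged history, per-replica omissions, and unrecoverable gaps."""
    merged = merge_replicas(REPLICAS)
    return merged, missing_by_replica(REPLICAS, merged), sequence_gaps(merged)


if __name__ == "__main__":
    merged, missing, gaps = full_history()
    for r in merged:
        print(r.timestamp, r.origin, r.seq, r.event, r.user)
    print("missing per replica:", missing)
    print("unrecoverable gaps:", gaps)
```

Reading server A alone would hide the logout records, and no replica can supply C's sequence number 4; the gap list is what tells the auditor that a record existed but is unrecoverable.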
Audit Report Prerequisites
t See “General Prerequisites” on page 29.
t To process online audit files, you must either have the Read right to the Audit File object Audit Contents property or have logged in to the audit trail. (To log in to an audit trail, you must enable audit passwords at the server console. This configuration is not permitted in NetWare Enhanced Security facilities.)
The procedures described in this section allow you to generate filter files and report files on your local workstation. See your client documentation for details on how to use your workstation’s security mechanisms to protect these files.
AUDITCON lets you create filters so you can extract the specific information that you want from an audit file. If you view a report without applying a filter, AUDITCON displays the entire contents of the file.
You can create as many filters as you want to screen information in the audit file. Then, any time you want to generate a report, you can select and apply the filter.
An audit filter is a DOS file that contains the filter information. By default, AUDITCON saves the filter file in your current working directory, which can be on a local drive on your workstation or on a network drive. The name of the file is typically the filter name, with a file extension of “.ARF” (for Audit Report Filter). While this allows you to create audit filters in a variety of different directories, AUDITCON does not provide a means for you to access filters in a different directory. Consequently, if you want to use a filter that you have previously defined, you must run AUDITCON from the directory where the filter is located, or copy the filter to your current directory before you run AUDITCON. Audit report filters must be protected from modification by storing them only in locations where they will be protected by NetWare or by client workstation access controls.
Prerequisites
t See “General Prerequisites” on page 29 and “Audit Report Prerequisites” on page 173.
Procedure
1. Choose “Edit report filters” from the “Auditing reports” menu (1500).
AUDITCON displays menu 1501, which lists the filters you have previously defined. If you have not defined any filters in the current directory, AUDITCON displays a null entry “_no_filter_”.
default is an asterisk (*), which indicates that all users can be reported.
When you create an audit report, AUDITCON applies these filters to records that it reads from the audit file. AUDITCON reports only those events that match all the filter criteria. That is, the audit record time stamp must match the date/time filter and the audit record event type must match the event type filter, and so on. If a filter contains conflicts between “include” and “exclude” options, the “exclude” option takes priority.
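The matching rules just described (every criterion must match, “*” means all users, and “exclude” wins over a conflicting “include”) can be expressed as a small filter evaluator. This is an added example and does not read AUDITCON's .ARF files; the records and filters are constructed, and the assumption that an empty date/time list imposes no date restriction is the example's own.

```python
"""Apply an AUDITCON-style report filter to container audit records.

Added example; not AUDITCON's own code or its .ARF file format. It models
the filter semantics described in the text: a record is reported only if it
matches every criterion (date/time range, event type, user), "*" means all,
and an "exclude" entry wins over any conflicting "include". The records and
filters below are constructed sample data.
"""
from datetime import datetime
from typing import Dict, Iterable, List, Sequence, Set, Tuple

ALL = "*"   # default user entry: every user can be reported


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


class ReportFilter:
    """Date/time ranges plus include/exclude lists for events and users."""

    def __init__(self, ranges: Sequence[Tuple[str, str]] = (),
                 include_events: Iterable[str] = (ALL,),
                 exclude_events: Iterable[str] = (),
                 include_users: Iterable[str] = (ALL,),
                 exclude_users: Iterable[str] = ()):
        # Assumption for this example: an empty range list (a fresh filter's
        # empty menu 1503) places no date/time restriction on the report.
        self.ranges = [(_ts(start), _ts(end)) for start, end in ranges]
        self.include_events, self.exclude_events = set(include_events), set(exclude_events)
        self.include_users, self.exclude_users = set(include_users), set(exclude_users)

    def _in_range(self, when: datetime) -> bool:
        return not self.ranges or any(s <= when <= e for s, e in self.ranges)

    @staticmethod
    def _selected(value: str, include: Set[str], exclude: Set[str]) -> bool:
        # "exclude" takes priority over a conflicting "include"; "*" includes all.
        if value in exclude:
            return False
        return ALL in include or value in include

    def matches(self, rec: Dict[str, str]) -> bool:
        # Every criterion must match for the record to be reported.
        return (self._in_range(_ts(rec["time"]))
                and self._selected(rec["event"], self.include_events, self.exclude_events)
                and self._selected(rec["user"], self.include_users, self.exclude_users))


def generate_report(records: Iterable[Dict[str, str]],
                    flt: ReportFilter) -> List[Dict[str, str]]:
    """Return the records that pass the filter, in audit file order."""
    return [r for r in records if flt.matches(r)]


# Constructed audit records in a simplified layout (not the real report format).
RECORDS: List[Dict[str, str]] = [
    {"time": "1996-03-04 08:55", "event": "Login",       "user": "BOB.SALES.ACME"},
    {"time": "1996-03-04 09:10", "event": "Read object", "user": "ALICE.SALES.ACME"},
    {"time": "1996-03-04 09:12", "event": "Logout",      "user": "BOB.SALES.ACME"},
    {"time": "1996-03-04 17:40", "event": "Login",       "user": "ALICE.SALES.ACME"},
    {"time": "1996-03-05 08:05", "event": "Login",       "user": "ALICE.SALES.ACME"},
]

if __name__ == "__main__":
    # Logins and logouts on 4 March by everyone except BOB.
    flt = ReportFilter(ranges=[("1996-03-04 00:00", "1996-03-04 23:59")],
                       include_events=("Login", "Logout"),
                       exclude_users=("BOB.SALES.ACME",))
    for rec in generate_report(RECORDS, flt):
        print(rec["time"], rec["event"], rec["user"])
```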
Report by Date/Time
Procedure
1. Choose “Report by date/time” from the “Edit report filter”
menu.
AUDITCON displays menu 1503, which lists the existing date/time ranges defined for the filter. If you are inserting a new filter, this menu will initially be empty.
Figure 5-19
Menu 1503: Report by Date/Time
2. Highlight an entry and press Enter to edit an existing date/time range, or press Insert to define a new range, or highlight an entry and press Delete to remove a time range from the
Chapter 5: Using AUDITCON for Container Auditing 185
Prerequisites
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on page 172.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Report audit file” from the “Auditing reports” menu (1500).
AUDITCON prompts you for the name of the output file.
2. Enter the pathname for the file and press Enter.
AUDITCON tries to create the file and displays an error screen if it cannot.
If you don’t specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON displays menu 1521 to display the available filters. These include the files with .ARF extensions in your current directory and a null filter (“_no_filter_”) that will pass all records in the audit file.
Figure 5-24
Menu 1521: Select Filter
3. To use one of the available filters, choose that filter and press Enter.
AUDITCON also allows you to create a temporary filter, or modify an existing filter, for use in this report. Choose the desired filter (or “_no_filter_”) and press F10. Edit the filter as described in “Generating Container Audit Reports” on page 172, then press Esc.
You are given the options of discarding the changes, saving the changes to a filter file, or applying the filter to the current report without saving the changes.
AUDITCON retrieves records from the current audit file, applies the specified filter to those records, formats the filtered records, and writes formatted records to your output file.
Depending on the size of the audit file and the complexity of your filter, this can be a time consuming process.
AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait” notification in the menu area.
When it is finished, AUDITCON returns to menu 1500.
4. To review the contents of your report, exit to DOS and either
print or use an editor.
Report Audit History
This section describes how to generate a formatted text version of the auditor events in the current audit file.
Prerequisites
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on page 172.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Report audit history:” from the “Auditing reports”
menu (1500).
AUDITCON prompts you for the name of the output file.
2. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error screen if it cannot.
If you don’t specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 1500.
3. To review the contents of your report, exit to DOS and either
print or use an editor.
Report Old Audit File
This section describes how to generate a formatted text version of the user events in an old online audit file.
Prerequisites
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on page 172.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.
1. Choose “Report old audit file” from the “Auditing reports”
menu (1500).
AUDITCON displays menu 1540, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).
Figure 5-25
Menu 1540: Select Old Audit File
2. Move the cursor to choose the desired audit file, then press
Enter.
AUDITCON prompts you for the name of the output file.
3. Enter the pathname for the output file and press Enter.
AUDITCON attempts to create the file and displays an error screen if it cannot.
If you don’t specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON displays menu 1542 to display the available filters.
Figure 5-26
Menu 1542: Select Filter
4. Choose the desired filter and press Enter, or press F10 to edit
AUDITCON retrieves records from the current audit file, applies the specified filter to those records, formats the filtered records, and writes formatted records to your output file. Depending on the size of the audit file and the complexity of your filter, this can be a time consuming process. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait” notification in the menu area. When it is finished, AUDITCON returns to menu 1500.
5. To review the contents of your report, exit to DOS and either
print or use an editor.
Report Old Audit History
This section describes how to generate a formatted text version of the auditor events in an old online audit file.
Prerequisites
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on page 172.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Report old audit history” from the “Auditing reports” menu (1500).
AUDITCON displays menu 1550, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it
2. Move the cursor to choose the desired audit file, then press
Enter.
AUDITCON prompts you for the name of the output file.
3. Enter the pathname for the output file and press Enter.
AUDITCON attempts to create the file and displays an error screen if it cannot.
If you don’t specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 1500.
4. To review the contents of your report, exit to DOS and either print or use an editor.
View Audit File
This section describes how to display a listing of the user events in the current audit file on the screen of your workstation.
Prerequisites
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on
2. Use the Home, End, Page Up, Page Down, and arrow keys to move through the display. When you are finished, press Esc and answer “Yes” to return to menu 1500.
The “Auditor login” event means that an auditor began accessing the audit file, while the “Auditor logout” event means that an auditor ceased accessing the audit file. These events do not indicate user logins or logouts.
View Old Audit File
This section describes how to display a listing of the user events from an old online audit file to the screen of your workstation.
Prerequisites
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on page 172.
Procedures
1. Choose “View old audit file” from the “Auditing reports”
Prerequisites
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on page 172.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the database file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedure
1. Choose “Database report audit file” from the “Auditing reports” menu (1500).
AUDITCON prompts you for the name of the output file.
2. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error screen if it cannot.
If you don’t specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON displays menu 1801 to display the available filters. This includes the files with .ARF extensions in your current directory and a null filter (“_no_filter_”) that will pass all records in the audit file.
Figure 5-34
Menu 1801: Select Filter
3. To use one of the available filters, choose that filter and press
Database Report Audit History
This section describes how to generate a formatted text version of the auditor events in the current audit file in a format suitable for loading into a database.
Prerequisites
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on page 172.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Database report audit history” from the “Auditing reports” menu (1500).
AUDITCON prompts you for the name of the output file.
2. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error screen if it cannot.
If you don’t specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 1500.
3. Exit to DOS and use an appropriate database loading program to insert the audit history records into a database for review.
See “Format of the Database Output File” on page 203 for a description of the format of the database file.
Database Report Old Audit File
This section describes how to generate a file containing the user events in an old online audit file in a form suitable for loading into a database.
Prerequisites
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on page 172.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Database report old audit file” from the “Auditing reports” menu (1500).
AUDITCON displays menu 1820, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).
Figure 5-35
Menu 1820: Select Old Audit File
2. Move the cursor to choose the desired audit file, then press Enter.
AUDITCON prompts you for the name of the output file.
3. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error screen if it cannot.
If you don’t specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON displays menu 1822 to display the available filters.
Figure 5-36
Menu 1822: Select Filter
4. Choose the desired filter and press Enter, or press F10 to edit a filter.
AUDITCON retrieves records from the current audit file, applies the specified filter to those records, formats the filtered records, and writes formatted records to your output file.
Depending on the size of the audit file and the complexity of your filter, this can be a time consuming process. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 1500.
5. Exit to DOS and use an appropriate database loading program to insert the audit records into a database for review.
See “Format of the Database Output File” on page 203 for a description of the format of the database file.
Database Report Old Audit History
This section describes how to generate a file containing the auditor events in an old online audit file in a form suitable for loading into a
• See “General Prerequisites” on page 29 and the Audit Report Prerequisites in “Generating Container Audit Reports” on page 172.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedures
1. Choose “Database report old audit history” from the “Auditing reports” menu (1500).
AUDITCON displays menu 1830, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).
Figure 5-37
Menu 1830: Select Old Audit File
2. Move the cursor to choose the desired audit file, then press Enter.
AUDITCON prompts you for the name of the output file.
3. Enter the pathname for the output file and press Enter.
AUDITCON attempts to create the file and displays an error
If you don’t specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 1500.
4. Exit to DOS and use an appropriate database loading program to insert the audit history records into a database for review.
See “Format of the Database Output File” on page 203 for a description of the format of the database file.
Format of the Database Output File
Each line in the output file represents a single audit record. Each line consists of a series of comma-separated fields in the following order:
• Time, as hh:mm:ss
• Date, as mm-dd-yyyy
• A “C” to indicate the record came from a container audit trail
• Container object class
• The name of the container where the audit record was generated
• A textual description of the event (for example, “File search”)
• The word “event” followed by the numerical event number
• The word “status” followed by the status from the event
• The name of the user for whom the event was generated
• The replica number
• Zero or more pieces of event specific information
This format is suitable to be imported into most databases by specifying that the input is a comma-separated text file.
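As an added example (not AUDITCON or Novell code), the Python below reads lines in the comma-separated database output format just described and then applies a report filter with the semantics given under “Edit report filters”: a record must match every criterion, a user entry of “*” means all users, and an “exclude” entry takes priority over a conflicting “include”. The sample lines, user names, event numbers and status values are constructed for illustration.

```python
# Added example (not AUDITCON or Novell code): parse the database output
# format described above and apply report-filter rules to the records.
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed sample lines in the documented field order: time, date, "C",
# container object class, container name, event description, "event N",
# "status N", user, replica number, then event-specific fields. Names, event
# numbers and status values are made up; the last two lines are deliberately
# malformed to exercise the reject path.
SAMPLE_DB_OUTPUT = """\
09:15:02,02-24-1995,C,Organizational Unit,LAB1.ENGR.ACME,File search,event 12,status 0,JSMITH.LAB1.ENGR.ACME,1
09:16:40,02-24-1995,C,Organizational Unit,LAB1.ENGR.ACME,Object delete,event 27,status 0,ADMIN.ACME,1,PRINTER1.LAB1.ENGR.ACME
23:59:59,02-23-1995,C,Organizational Unit,LAB1.ENGR.ACME,Object delete,event 27,status -1,JSMITH.LAB1.ENGR.ACME,2,SERVER2.LAB1.ENGR.ACME
09:17:00,02-24-1995,X,Organizational Unit,LAB1.ENGR.ACME,File search,event 12,status 0,JSMITH.LAB1.ENGR.ACME,1
this line is constructed garbage with too few fields
"""


@dataclass
class AuditRecord:
    timestamp: datetime
    container_class: str
    container: str
    description: str
    event: int
    status: int
    user: str
    replica: int
    extra: List[str] = field(default_factory=list)  # event-specific fields


def parse_timestamp(date_s: str, time_s: str) -> datetime:
    """Combine the mm-dd-yyyy date field and the hh:mm:ss time field."""
    return datetime.strptime(f"{date_s} {time_s}", "%m-%d-%Y %H:%M:%S")


def _numbered(token: str, word: str) -> int:
    """Parse a field of the form '<word> <n>', e.g. 'event 12' or 'status 0'."""
    prefix, _, number = token.strip().partition(" ")
    if prefix != word:
        raise ValueError(f"expected '{word} <n>', got {token!r}")
    return int(number)


def parse_db_report(text: str) -> Tuple[List[AuditRecord], List[Tuple[int, str]]]:
    """Return (records, rejects); rejects are (line number, reason) pairs so a
    reviewer can tell whether the whole report was loaded."""
    records: List[AuditRecord] = []
    rejects: List[Tuple[int, str]] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        try:
            if len(row) < 10:
                raise ValueError(f"{len(row)} fields, need at least 10")
            if row[2] != "C":
                raise ValueError(f"marker {row[2]!r} is not a container audit record")
            records.append(AuditRecord(
                timestamp=parse_timestamp(row[1], row[0]),
                container_class=row[3], container=row[4], description=row[5],
                event=_numbered(row[6], "event"), status=_numbered(row[7], "status"),
                user=row[8], replica=int(row[9]), extra=row[10:]))
        except ValueError as exc:
            rejects.append((lineno, str(exc)))
    return records, rejects


@dataclass
class ReportFilter:
    """Filter semantics described for AUDITCON: every criterion must match,
    a user list of "*" means all users, and "exclude" wins over "include"."""
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    include_users: Set[str] = field(default_factory=lambda: {"*"})
    exclude_users: Set[str] = field(default_factory=set)
    include_events: Optional[Set[int]] = None  # None means every event type
    exclude_events: Set[int] = field(default_factory=set)

    def matches(self, rec: AuditRecord) -> bool:
        if self.start is not None and rec.timestamp < self.start:
            return False
        if self.end is not None and rec.timestamp > self.end:
            return False
        # Exclusions are tested first so a conflicting include cannot override them.
        if rec.user in self.exclude_users or rec.event in self.exclude_events:
            return False
        if "*" not in self.include_users and rec.user not in self.include_users:
            return False
        if self.include_events is not None and rec.event not in self.include_events:
            return False
        return True


def apply_filter(records: List[AuditRecord], flt: ReportFilter) -> List[AuditRecord]:
    """Keep only the records that pass the filter, in file order."""
    return [r for r in records if flt.matches(r)]
```

Rejected lines are returned with their line numbers rather than dropped, so a report that did not load completely is visible to the auditor rather than silently shortened.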
Generating Reports from Offline Audit Files
In addition to processing online audit files (see “Generating Container Audit Reports” on page 172), AUDITCON also allows you to process offline audit files. These offline files can be stored on the auditor’s workstation, removable media, or even in the auditor’s directory on the server file system.
Files stored in the server file system are considered offline, even if they contain audit data, because the server does not directly manage these files as audit files. Offline audit files are in the same null-compressed, binary format as the server’s audit files described in Appendix A, “Audit File Formats,” on page 267.
This section describes how to process and protect these offline audit files.
Offline Report Prerequisites
• See “General Prerequisites” on page 29.
• To process offline audit files, you must either have the Read right to the Audit File object Audit Contents property or have logged in to the audit trail.
AUDITCON controls access to the offline audit file based on the current contents of the Audit File object for that file. Your rights to the Audit File object might be different from your rights when the offline audit file was recorded, so, for example, you might not be able to read an offline audit file that you recorded. This is a constraint imposed by AUDITCON, and not a server access control mechanism. Offline audit files must be protected by the client Trusted Computing Base or (for removable media) by physical protection.
• You must have previously copied an online audit file from the server to a diskette, your local workstation hard drive, or a network drive. (See “Copy Old Audit File” in this chapter for more information on copying a server's audit files.)
1. Choose “Database report audit history” from the “Reports
from old offline files” menu (1602).
AUDITCON d isplays menu 1810.
2. Follow the procedures in “Database Report Audit History” on page 199 to generate a text audit history report for an offline audit file.
References in that section to the “current audit file” should be interpreted as references to an offline audit file.
Container Audit File Maintenance
This section describes how you can use AUDITCON to close, copy, delete, and display the server’s old audit files. These mechanisms work only for old audit files (the files maintained online by the server). You cannot perform these operations on offline audit data files. The only operation you can perform on the server’s current audit file is to reset the file, which causes the server to create a new current audit file.
Maintenance of each container audit trail must be performed on a single server which holds a replica of the audit trail. It doesn’t matter which one you choose, but all auditors of the container must use that copy. Failure to use a single copy for maintenance can cause unexpected results and/or loss of configuration changes.
Audit File Maintenance Prerequisites
• See “General Prerequisites” on page 29.
Procedure
1. Choose “Audit files maintenance” from the “Available audit options” menu (1101).
2. Press Enter.
AUDITCON displays menu 1700, which lists more maintenance
Figure 5-39
Menu 1700: Audit Files Maintenance
Copy Old Audit File
This section describes how to copy old online audit files to removable media (for example, diskettes or magnetic tapes), workstation directories, or network drives. The primary reason for copying an audit file is to save the contents of the file before you delete it from the server (see “Delete Old Audit File” on page 213). You might also want to copy an old audit file to removable media to save it for evidence or to keep it for long-term storage.
Prerequisites
• See “General Prerequisites” on page 29.
• To copy an online audit file, you must either have the Read right to the Audit File object Audit Contents property or have logged in to the audit trail. (To log in to an audit trail, you must enable audit passwords at the server console; this configuration is not permitted in NetWare Enhanced Security facilities.)
• You must have sufficient rights to copy the audit file to a directory. For network directories, you must have at least the Create right. See your client documentation for more information on rights required to create a file on a hard drive or diskette.
Procedure
1. Choose “Copy old audit file” from the “Audit files
maintenance” menu (1700).
AUDITCON displays menu 1710, which lists up to 15 old audit files that are maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it
There is no mechanism for copying the contents of the current audit file. If you want to copy this data, you must first reset the audit data file (see “Reset Audit Data File” on page 214).
You can copy only one file at a time. If you want to copy multiple audit files, perform the steps in this section once for each file.
2. Move the cursor to select the desired audit file, then press
Enter.
AUDITCON prompts you for the name of the offline audit file.
3. Enter the filename of the destination audit file and press Enter.
The pathname must be a DOS pathname on your local workstation, for example, “A:\AUDIT301.DAT”, “C:\AUDIT\FILE1.DAT”, or “F:\AUDITOR\VOL1\A950224.DAT”. If you do not specify a drive letter and directory, AUDITCON will leave the audit file in your current directory. The default pathname is “AUDITOLD.DAT” on your local drive.
AUDITCON displays a “Please wait” message while it copies the audit file from the server to your offline destination file. When it has copied the file, AUDITCON returns to menu 1700.
4. If you copy audit files from the server onto your local workstation’s file system, you must ensure that the audit data is properly protected by your workstation.
5. If you copied the audit file onto removable media (for example, a diskette or tape cartridge), attach a diskette or tape label that shows the server name, volume name, your name, the date, time, and size of the audit file, along with any other specific comments that you feel are important. You must also ensure that the media is physically protected.
The purpose of this information is to ensure that in the future you can load the medium and generate meaningful audit reports from it.
When backing up old audit files, you must remember to back up the file from each server that holds a replica of the audited container. Otherwise, you can lose some audit records that are stored on some (but not all) copies of the audit file.
One strategy that is commonly used is to set the maximum audit file size so that one audit file will fit on a 1.44 MB diskette. See “Audit Options Configuration” on page 164 for information on setting the audit file size.
The frequency at which you should copy the server's audit files to offline storage depends on how fast your server fills up audit files. If your server archives audit files on a periodic basis (as opposed to filling up the audit file), then you can set the number of audit files to 10 or 15, and copy/remove online audit files once per week without expecting to overflow the number of audit files.
Delete Old Audit File
This section describes how to delete an old audit file from the server’s online storage after you’ve copied the file to offline storage or decided that you do not need to save the file.
When you delete an old container audit file, you must delete the file on each server that holds a replica of the audited container.
Prerequisites
• See “General Prerequisites” on page 29.
• To delete an online audit file, you must either have the Write right to the Audit File object Audit Policy property or have logged in to the audit trail. If dual-level passwords are enabled, you must have the level 2 password.
Procedure
1. Choose “Delete old audit file” from the “Audit files maintenance” menu (1700).
AUDITCON displays menu 1720, which lists up to 15 old audit files that are maintained online by the server. The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events). The old audit files are sorted by date and time (oldest first).
Figure 5-41
Menu 1720: Select Old Audit File
There is no mechanism for deleting the current audit file. If you want to delete the data in the current audit file, you must first reset the audit data file (“Reset Audit Data File” on page 214).
You can only delete one file at a time. If you want to delete multiple audit files, perform the steps in this section once for each file.
2. Move the cursor to select the desired audit file, then press Enter.
AUDITCON confirms that you want to delete the audit file.
After you delete an online audit file, there is no way to recover the contents of the file. Do not delete the file unless you are absolutely certain that you will not require the data in the audit file. If there is any doubt, copy the audit file (“Copy Old Audit File” on page 211) to offline storage before you delete the file.
Reset Audit Data File
This section describes how to reset the current audit file. Reset is a manual means of causing the current audit file to be archived, that is, to cause the current audit file to become an old audit file and to establish a new current audit file.
Manual reset might be necessary, for example, if the server stops processing container requests because the volume is in an overflow state. See “Audit Trail Overflow” on page 215 for information on recovering from container overflow.
To recover from the overflow state, an auditor (with the Write right to the container Audit File object Audit Policy property) must reset the current audit trail.
1. Log in to the network as an auditor of the offending container.
2. If you want to save the oldest audit file and you haven’t already backed it up, then copy the oldest old audit file to offline storage (for example, a file in the server or workstation or removable media).
3. Reset the current container audit file, as described in “Reset Audit Data File” on page 214. This rolls over the current audit file (to an old audit file), deleting the oldest old audit file, and initializes a new audit file.
4. If you want to save any audit files that you haven’t already saved (including the newest of the old audit files), then copy those audit files to offline storage.
Consider the following suggestions to help prevent container overflow:
1. Perform frequent reviews of the status and size of the audit file.
2. If necessary, manually reset the audit file before it overflows.
3. Enable “Automatic audit file archiving” as described in “Audit Options Configuration” on page 164. Set the “Audit file maximum size” large enough and the “Days between audit archives” low enough that the audit file will not overflow. Use caution in setting these parameters to prevent destruction of audit data.
4. Don’t over audit.
If the audit trail for a container is full, the auditor’s actions (for example, deleting data files, resetting the audit file) might not be audited for that container. In this case, you must keep a manual log of your actions for use when generating a complete history of actions performed on the server. You will be informed via a message from the server to your workstation when this occurs.
When the audit trail reaches its configured threshold, you will receive the following notification on your workstation screen:
The audit overflow file for container contname is
almost full. Auditors must begin manual auditing
now!
When the audit trail is completely full, you will receive the following notification on your workstation screen:
The audit overflow file for container contname is
full.
To avoid missing this message, you must not issue the SEND /A=N or SEND /A=P commands (or if using Windows* and the NetWare User Tools, do not disable network warnings), as they would cause these messages to be suppressed.
Container Audit File Replication
Container audit files are replicated by NDS to the servers that hold replicas of the container object. That is, if container LAB1.ENGR.ACME is replicated by NDS onto three different servers, then the audit file for that container will also be replicated onto the same three servers. Replication of container audit files is automatic, and there is no way that you can tell the server to not replicate the audit file, other than to not replicate the audited container.
Replication of container audit files requires disk space on multiple servers. For example, if your container audit trail is configured for 16 audit files (1 current, 15 old) of 1 MB and the container is replicated on three servers, then the audit storage could require as much as 16 MB on each server, for a total of 48 MB of disk space.
Records in replicated container audit trails are not necessarily stored in the same order; however, each replica of the audit file will eventually include nearly all of the audited events. In some rare cases (as described in “Generating Container Audit Reports” on page 172) records might be in some instances of the audit trail but not others.
Chapter 6: Using AUDITCON to Audit External Audit Trails 221
Chapter 6: Using AUDITCON to Audit External Audit Trails
Chapters 4 and 5 of this manual dealt with the use of the AUDITCON utility to audit server events. NetWare® servers also maintain and protect “external audit trails” that contain client audit records and client audit history.

For an explanation of these external audit trails, see Chapter 1, “Concepts of NetWare Auditing,” on page 1 in this manual.

Figure 1-4, Figure 1-5, and Figure 1-6 show the client-server interactions for configuring external audit trails, appending audit records, and reviewing collected audit data. Each client workstation that uses the server's external audit trail must have its own workstation-based audit management tool to configure and manipulate the external audit trail.

AUDITCON can manage external audit trails, but it cannot generate reports or view the events stored in those audit trails (except for audit history events). There is no standard for the events that are audited by the workstations or for the formats of those audit records.

See the vendor's documentation provided with your client workstation for information on the specific utilities for viewing external audit data.

As shown in Figure 1-4 and Figure 1-6, AUDITCON interacts with the server's external audit trail by sending NCP™ messages to the server. AUDITCON enables auditing by creating an Audit File object for the external audit file and assigning rights to various workstation objects to append audit data to the corresponding audit file.

The workstation object can be linked to the Audit File object by setting the workstation object's Audit File Link property, and the Audit File object can be linked to audited workstations by setting the Audit File object's Audit Link List property. (AUDITCON does not set up either the Audit File Link or the Audit Link List for external audit trails.)

Note that multiple workstations can share a single audit trail and that a workstation can simultaneously support multiple such audit trails.
Accessing the External Audit Trail

This section describes how to access the external auditing menu tree and how to select an external audit trail for auditing. Password-based access is not supported for external audit trails. You should have read Chapter 3, “Using the AUDITCON Utility,” on page 29, which describes how to run AUDITCON and navigate the menu tree.

Getting Started

When you run AUDITCON, it displays a screen with one of the five “Available audit options” menus. The particular entry menu you see depends only on your current volume and the state of that volume's audit trail.

The external auditing state is independent of the state of volume and container auditing. You do not have to enable auditing of a volume or container, or have access to a volume or container audit trail, to perform external auditing.

Prerequisites

• See the “General Prerequisites” on page 29.
• To examine, configure, or modify an external audit trail, you must have the Read right to the Audit File object's Audit Path property.
• If you are unfamiliar with NDS concepts, review Guide to NetWare 4 Networks. If you are unfamiliar with the implementation of your Directory tree, run a graphical utility such as the NetWare Administrator to browse the tree.

See your client documentation for information on the availability of NETADMIN and NWADMIN in your client evaluated configuration.

Procedure

1. Choose “External auditing” from the initial “Available audit options” menu (101, 102, or 103).
2. Press Enter.

AUDITCON displays menu 2000, which shows the full screen for external audit trail management. The second line of the header

The top line of the screen only shows the session (container name), and does not show the name of the external audit trail being manipulated. You must remember which external audit trail is in use to ensure that your actions are as intended.
Change Session Context

To perform external audit management, your session context (shown in the second line of the header area) must point to the external audit trail. AUDITCON provides two methods of changing your NDS session context.

• The first method, “Change session context”, described in this section, allows you to type in the explicit context for the external audit trail's Audit File object that you want to audit. This might be the preferred method if your network has many external Audit File objects and you know exactly which Audit File object you want to audit.
• The second method, described in “External Auditing” on page 225, permits you to browse through the NDS tree and select an Audit File object for auditing. This is generally the preferred method because you can select an Audit File object and begin auditing that external audit trail in a single operation.
Prerequisites

• See the “General Prerequisites” on page 29.
• You do not have to have any rights to the NDS Audit File object to set the session context.

Procedure

1. To define a different external audit trail for auditing, choose “Change session context” in the “External auditing” menu (2000) and press Enter.

AUDITCON displays menu 2001, which allows you to edit the current session context.

Figure 6-2. Menu 2001: Edit Session Context

2. Edit the current session context by backspacing and typing over the existing container name, or by pressing Home and inserting text at the beginning of the line.
3. When you are done, press Enter to change context to the specified external audit trail object.

If the Audit File object does not exist, AUDITCON displays an error report.

4. Return to menu 2000, then choose “External auditing” to begin auditing the Audit File object.

AUDITCON does not display the name of the currently selected external audit trail on the screen. It is your responsibility to remember which audit trail you are working on at all times.
External Auditing

This section describes the second method of changing your NDS session context that was referred to in “Change Session Context” on page 224. This option allows you to browse the Directory tree to select an Audit File object for auditing, then displays a menu that allows you to begin auditing that external audit trail. If you have already selected the container, then you do not need to browse the Directory tree.

Prerequisites

• See the “General Prerequisites” on page 29.
• To browse the Directory tree for external audit trails, you must have the Browse right to the container that holds the Audit File object corresponding to the external audit trail. Otherwise, AUDITCON will not be able to find the Audit File object.

Procedure

1. Choose “External auditing” in the “External auditing” menu (2000) and press Enter.

AUDITCON displays menu 2010, which allows you to iteratively browse the Directory tree to select an external Audit File object for auditing.

Figure 6-3. Menu 2010: Audit Directory Tree

AUDITCON displays the parent of the current container (in this case, “[Root]”, indicated by “..”), the current container (in this case, “ACME”, indicated by “.”), any containers within the current container (in this case, “SALES.ACME” and “ENGR.ACME”), and any external Audit File objects within the current container (in this case, “EXT1.ACME” and “EXT2.ACME”).
AUDITCON displays as “external audit trails” those Audit File objects that have the Audit Type property set to “External”. If your Audit File object was created with a utility that did not set the Audit Type property to “External”, then AUDITCON will be unable to locate it, and you will be unable to manage it.
2. If the menu does not show the external audit trail you want to audit, keep choosing the nearest ancestor and pressing Enter until AUDITCON shows the desired external Audit File object.

For example, if you want to audit “EXT3.ENGR.ACME”, which is not shown in menu 2010, you would first select “ENGR.ACME”. AUDITCON changes the session context and displays menu 2010-Updated.

Figure 6-4. Menu 2010-Updated: Audit Directory Tree

3. Move the cursor to the desired external Audit File object, and press F10 to review the external audit trail, or press Enter to display menu 2010 with the new session context. From 2010 you can select the current object for auditing.

AUDITCON now changes your NDS context to the selected external audit trail, and updates the context field in the display header area to show the name of the container where that Audit File object is found.

AUDITCON does not display the name of the currently selected external audit trail on the screen. It is your responsibility to remember which audit trail you are working on at all times.

If, instead of using an existing external audit trail, you want to create a new external audit trail, you should select the container as shown above. Instead of pressing F10 to select an existing Audit File object,

Unlike volume or container audit trails, external audit trails are not created automatically by enabling auditing. Rather, you must use AUDITCON to create a new Audit File object.

AUDITCON will establish a default configuration for the new Audit File object, including setting up the Audit Path property of the Audit File object to point to a volume where the external audit data will be stored. However, AUDITCON won't set up the Audit Link List property of the Audit File object to point to other objects (for example, workstations) that might generate audit data, nor will it set up the Audit File Link property of the other objects to point to the Audit File object.

If your client vendor supplies a tool to set up the Audit Link List and Audit File Link properties, it is a good idea to use it to assist in the maintenance of your audit trail. However, it is not necessary to set these properties, and if you do not set them it will not have any negative impact on performance or security. NETADMIN and NetWare Administrator will not delete an Audit File object if it has a non-empty Audit Link List property.

NetWare does not impose any limits on the number of external audit trails you can have. Consult your client documentation for guidance on how to determine how many external audit trails you need, and how they should be managed. Note that AUDITCON does not provide any means for merging records from multiple external audit trails, so it is best not to create too many different trails, which would require manual correlation.

If you have more than one type of client that uses external audit trails (that is, from two different workstation vendors), you should not allow them to insert their audit records into the same audit trail. Although audit records are identified as to the vendor that created them, post-processing software might not include facilities to sort out the different vendor record types.
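The replica-divergence caveat in “Container Audit File Replication” (records may be stored in a different order on each replica, and in rare cases a record may be present in some replicas but not others) and the note above that AUDITCON cannot merge records from multiple trails or separate different vendors' record types both leave the auditor with a manual correlation task. The following Python script is an added example of how to do that correlation offline; it is not part of this manual, of AUDITCON, or of any client vendor's tool. Because AUDITCON's binary dump layout is given in Appendix A, which is not reproduced here, the script assumes a hypothetical one-record-per-line text form (timestamp|vendor|event|detail) such as a client-specific post-processing tool might produce; the server names, event names and records in it are constructed for the example.

```python
"""Reconcile audit-trail dumps taken from several replicas or trails.

Added example; not part of the Novell manual or of AUDITCON.  AUDITCON's
binary dump layout (manual Appendix A) is not reproduced here, so this
script assumes a hypothetical one-record-per-line text form such as a
client-specific post-processing tool might emit:

    <ISO-8601 timestamp>|<vendor>|<event>|<detail>

Every server name, event name and record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True, order=True)
class AuditRecord:
    timestamp: str   # ISO 8601, so lexical order is chronological order
    vendor: str      # vendor that wrote the record (records carry this tag)
    event: str
    detail: str


def parse_dump(text: str) -> List[AuditRecord]:
    """Parse one dump in the assumed text form.

    Malformed lines are dropped, never repaired: a reconciliation tool
    must not manufacture audit records.
    """
    records: List[AuditRecord] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) != 4 or not all(parts):
            continue
        records.append(AuditRecord(*parts))
    return records


def reconcile(sources: Dict[str, str]) -> Tuple[List[AuditRecord], Dict[AuditRecord, List[str]]]:
    """Merge dumps of the same audit trail taken from several replicas.

    Returns the de-duplicated, chronologically sorted union of all records
    (identical records collapse to one), plus a map from each record that
    is absent from at least one replica to the sorted names of the replicas
    that lack it.  Order differences between replicas are harmless; missing
    records are what the auditor must explain.
    """
    seen_in: Dict[AuditRecord, Set[str]] = defaultdict(set)
    for name, text in sources.items():
        for rec in parse_dump(text):
            seen_in[rec].add(name)
    everyone = set(sources)
    merged = sorted(seen_in)
    partial = {rec: sorted(everyone - where)
               for rec, where in seen_in.items() if where != everyone}
    return merged, partial


def split_by_vendor(records: List[AuditRecord]) -> Dict[str, List[AuditRecord]]:
    """Separate records by writing vendor, for a trail that (against the
    manual's advice) was shared by clients from several vendors."""
    groups: Dict[str, List[AuditRecord]] = defaultdict(list)
    for rec in records:
        groups[rec.vendor].append(rec)
    return dict(groups)


# Constructed sample: the container trail for LAB1.ENGR.ACME dumped from
# the three servers holding replicas.  SRV2 stored the records in a
# different order; SRV3 never received the 10:00:05 record.
SAMPLE_REPLICAS = {
    "SRV1": """\
1997-03-04T10:00:01|NOVELL|AUDITOR_LOGIN|auditor=.JSMITH.ENGR.ACME
1997-03-04T10:00:05|NOVELL|RESET_AUDIT_FILE|container=LAB1.ENGR.ACME
1997-03-04T10:00:09|NOVELL|AUDITOR_LOGOUT|auditor=.JSMITH.ENGR.ACME
""",
    "SRV2": """\
1997-03-04T10:00:05|NOVELL|RESET_AUDIT_FILE|container=LAB1.ENGR.ACME
1997-03-04T10:00:01|NOVELL|AUDITOR_LOGIN|auditor=.JSMITH.ENGR.ACME
1997-03-04T10:00:09|NOVELL|AUDITOR_LOGOUT|auditor=.JSMITH.ENGR.ACME
""",
    "SRV3": """\
1997-03-04T10:00:01|NOVELL|AUDITOR_LOGIN|auditor=.JSMITH.ENGR.ACME
1997-03-04T10:00:09|NOVELL|AUDITOR_LOGOUT|auditor=.JSMITH.ENGR.ACME
""",
}

# Constructed sample: an external trail that two workstation vendors wrote to.
SAMPLE_MIXED_EXTERNAL = """\
1997-03-04T11:00:00|ACMEWS|FILE_OPEN|path=C:\\PAYROLL\\Q1.DAT
1997-03-04T11:00:02|OTHERWS|LOGON|user=.MJONES.SALES.ACME
1997-03-04T11:00:07|ACMEWS|FILE_CLOSE|path=C:\\PAYROLL\\Q1.DAT
"""


def main() -> None:
    merged, partial = reconcile(SAMPLE_REPLICAS)
    for rec in merged:
        flag = f"   <-- missing from {', '.join(partial[rec])}" if rec in partial else ""
        print(f"{rec.timestamp}  {rec.vendor:7} {rec.event:18} {rec.detail}{flag}")
    for vendor, recs in split_by_vendor(parse_dump(SAMPLE_MIXED_EXTERNAL)).items():
        print(f"{vendor}: {len(recs)} record(s)")


if __name__ == "__main__":
    main()
```

Run as-is, it prints the merged view of the constructed replicas with the record missing from SRV3 flagged, then the per-vendor split of the mixed external trail. To use it on real data, replace the sample strings with the output of your client's conversion tool, one string per replica or per trail, and treat every flagged record as something to explain: a record present on only some replicas is exactly the case the manual warns about, and a merged view built from one replica alone would silently omit it.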
Depending on your client architecture, it might be important what container the Audit File objects are stored in, and what volume holds the actual audit data. See your client documentation for any such restrictions.

Creating the external audit trail consists of selecting the name of the Audit File object and selecting the volume and server where the Audit
Once the Audit File object is created, you can use a tool such as NETADMIN or NetWare Administrator to set NDS rights to allow auditors access to the Audit File object (and the corresponding audit data) for management purposes and to allow clients to append to the audit trail. See “Controlling Access to Online Audit Data” on page 17 for a description of the rights needed for each of these purposes.

Prerequisites

• See the “General Prerequisites” on page 29.
• To browse the Directory tree for containers in which to place the new external audit trail, you must have the Browse right to the container that the Audit File object corresponding to the external audit trail will be placed in. You also need the Browse right for the containers (NetWare Server object and Volume object) where the external audit data will be stored.
• You must also have the Create (or Supervisor) right to the container where the new Audit File object will be placed.

Procedure

1. Follow the instructions in “External Auditing” on page 225 to choose a container, and then press Insert.
2. Type the common name of the external Audit File object you want to create (for example, EXT3) in the “Name” field, and press Enter.

Do not enter the distinguished object name. (For an explanation of “common” and “distinguished” names, see the section “Understanding How Network Resources Are Accessed” in Guide to NetWare 4 Networks.)

AUDITCON now displays a list of available Volume objects on which the files that collect auditing data can be placed.

3. Move the cursor to the desired volume, and press F10 to select it.
When you make changes to the external audit configuration, you might receive a message that AUDITCON was unable to update the Audit File object. If this occurs, it is possible that your configuration changes could be lost.

Audit Options Configuration

Prerequisites

• See the “General Prerequisites” on page 29 and “Changing an External Audit Trail Configuration” on page 234.

Procedure

1. Choose “Audit options configuration” from the “Auditing configuration” menu (2400).

AUDITCON displays menu 2430, which defines the current audit configuration for the external audit trail.

Figure 6-9. Menu 2430: Select Audit Configuration

The following list describes the available configuration parameters for external audit trails. The first nine parameters (“Audit file maximum size” through “Broadcast errors to all users”) have the same meaning as for volume auditing.

For more information on these parameters, refer to the description of the corresponding volume configuration parameters in “Audit
the entries for “Days between audit archives” and “Hour of day to archive.”

3. Review the settings on the current screen and change as required.
4. Press Esc to exit the menu.

Audit files consume disk resources that might be needed by other users. Before you define the number and size of audit files, discuss your projected disk space requirements with an administrator for the server.

Disable an External Audit Trail

When you disable an external audit trail, you stop the server from accepting or recording audit events to the external audit file, but you do not delete the Audit File object or the audit files. The Audit File object remains in effect and is reused (to provide an initial configuration) if you re-enable auditing for the external audit trail.

After external auditing has been disabled, it can be re-enabled using the Enable External Auditing menu (see “Enabling External Auditing” on page 233).

Prerequisites

• See the “General Prerequisites” on page 29 and “Changing an External Audit Trail Configuration” on page 234.

Procedure

1. Choose “Disable external audit trail” from the “Auditing configuration” menu (2400).

AUDITCON asks you to confirm that you want to disable auditing for the external audit trail.

2. Choose “Yes” and press Enter to disable auditing, or “No” to continue auditing.
AUDITCON allows you to process online and offline audit files to extract and review the information the server has collected for you. Processing consists of displaying audit information on the AUDITCON screen (viewing) and generating printable reports (printing).

This section describes how to process online audit files, that is, the current audit file or old audit files that have been archived (rolled over) by the server but are still maintained as audit files by the server. See “Generating Reports from Offline Audit Files” on page 252 for information on how to process offline audit files.

For external audit trails, textual audit reports are provided only for audit history (management) records. For this reason, there is no post-selection filtering capability provided. To see the externally generated audit records, you must store them into a file (using the “Report audit file” or “Report old audit file” options) and then post-process them with a client-specific audit utility.

Audit Report Prerequisites

• See the “General Prerequisites” on page 29.
• To process online audit files, you must have the Read right to the Audit File object's Audit Contents property.
• You must have the ability to create new (temporary) files in the directory you were in when you started AUDITCON, and there must be sufficient disk space on that volume. These temporary files hold the audit data as it is extracted from the audit trail.

Because AUDITCON places temporary files in the directory you were in when you started AUDITCON, and these temporary files contain audit data, you must not generate any reports unless your current directory is protected from access by users who are not authorized to see audit data.
Procedure

1. Choose “Auditing reports” from the “Available audit options”

Report Audit History

This section describes how to generate a formatted text version of the auditor events in the current audit file.

The procedures described in this section allow you to generate audit history report files on your local workstation. See your client documentation for details on how to use your workstation's security mechanisms to protect these files.

Prerequisites

• See the “General Prerequisites” on page 29 and the “Audit Report Prerequisites” on page 238.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose “Report audit history” from the “Auditing reports” menu (2500).

AUDITCON prompts you for the name of the output file.

2. Enter the pathname for the file and press Enter.

AUDITCON attempts to create the file and displays an error screen if it cannot.

If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

3. To review the contents of your report, exit to DOS and either print it or use an editor.
Dump External Binary to File

This section describes how to generate a binary version of the externally generated events in the current audit file. You cannot directly print the server's audit files because

• The server's audit files are not directly accessible to network clients
• The server's audit files are stored in a compressed format

Once you have the stored binary version of the audit data, you should use a client-specific tool to generate textual versions of the audit data. In addition, post-selection of the audit records is done with the client-specific tool. See your client documentation for instructions on how to manipulate the binary data.

The audit file report contains audit records that must be protected. You must use appropriate workstation or server protections to protect against access to the file by unauthorized individuals.

The current audit file is a “work in progress.” As such, a report that is generated on the current audit file might not be the same as a subsequent report generated on the same file.

Note that storing external audit data (described here) is not the same as making a complete copy of an audit file (as described in “Copy Old Audit File” on page 257). They differ in two ways:

• Copies of audit files have null compression, but stored external audit files have nulls expanded.
• Copies of audit files include both audit history records and externally generated audit records, but stored external audit files only contain externally generated audit records.

Each record in the stored external audit file consists of an external audit record header and client-specific audit data (as described in Appendix A, “Audit File Formats,” on page 267).

Prerequisites

• See the “General Prerequisites” on page 29 and the “Audit Report Prerequisites” on page 238.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose “Dump External Binary to File” from the “Auditing reports” menu (2500).

AUDITCON prompts you for the name of the output file.

2. Enter the pathname for the file and press Enter.

AUDITCON attempts to create the file and displays an error screen if it cannot.

If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

AUDITCON retrieves records from the current audit file and writes unformatted records to your output file. Depending on the size of the audit file, this can be a time-consuming process. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

3. To review the contents of your report, exit to DOS and use a client-specific tool to examine the audit data.
Report Old Audit History

This section describes how to generate a formatted text version of the auditor events in an old online audit file.

Prerequisites

• See the “General Prerequisites” on page 29 and “Audit Report Prerequisites” on page 238.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose “Report old audit history” from the “Auditing reports” menu (2500).

AUDITCON displays menu 2550, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

Figure 6-11. Menu 2550: Select Old Audit File

2. Move the cursor to choose the desired audit file, then press Enter.

AUDITCON prompts you for the name of the output file.

3. Enter the pathname for the file and press Enter.

AUDITCON attempts to create the file and displays an error screen if it cannot.

If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

AUDITCON retrieves records from the selected old audit file, formats the records, and writes them to your output file. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

4. To review the contents of your report, exit to DOS and either print it or use an editor.
Dump Old External Binary to File

This section describes how to generate a binary version of the externally generated events in an old audit file. You cannot directly print the server's audit files, because the server's audit files are not directly accessible to network clients and the server's audit files are stored in a compressed format.

Once you have the stored binary version of the audit data, you should use a client-specific tool to generate textual versions of the audit data. In addition, post-selection of the audit records is done with the client-specific tool. See your client documentation for instructions on how to manipulate the binary data.

The audit file report contains audit records that must be protected. You must use appropriate workstation or server protections to protect against access to the file by unauthorized individuals.
Note that storing external audit data (described here) is not the same as making a complete copy of an audit file (as described in “Copy Old Audit File” on page 257). The two differ in two ways:

• Copies of audit files include both audit history records and externally generated audit records, but stored external audit files only contain externally generated audit records.
• Copies of audit files have null compression, but stored external audit files have nulls expanded.

Each record in the stored external audit file consists of an external audit record header and client-specific audit data (as described in Appendix A, “Audit File Formats,” on page 267).
Prerequisites

• See the “General Prerequisites” on page 29 and “Audit Report Prerequisites” on page 238.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose “Dump Old External Binary to File” from the “Auditing reports” menu (2500).

AUDITCON displays menu 2560, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

Figure 6-12. Menu 2560: Select Old Audit File

2. Move the cursor to choose the desired audit file and press Enter.

AUDITCON prompts you for the name of the output file.

3. Enter the pathname for the file and press Enter.

AUDITCON attempts to create the file and displays an error screen if it cannot.

If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

AUDITCON retrieves records from the selected old audit file and writes unformatted records to your output file. Depending on the size of the audit file, this can be a time-consuming process. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

4. To review the contents of your report, exit to DOS and use a client-specific tool to examine the audit data.
View Audit History

This section describes how to display a listing of the auditor events on the screen of your workstation.

Prerequisites

• See the “General Prerequisites” on page 29 and “Audit Report Prerequisites” on page 238.

Procedure

1. Choose “View audit history” from the “Auditing reports” menu (2500).

AUDITCON reads the current audit file and displays screen 2570,
Figure 6-13. Menu 2570: Audit History Events

2. Press the Home, End, Page Up, Page Down, and arrow keys to move through the display. When you are finished, press Esc and answer “Yes” to return to menu 2500.

The “Auditor login” event means that an auditor began accessing the audit file, while the “Auditor logout” event means that an auditor ceased accessing the audit file. These events do not indicate user logins or logouts.
View Old Audit History

This section describes how to display a listing of the auditor events from an old online audit file on the screen of your workstation.

Prerequisites

• See the “General Prerequisites” on page 29 and “Auditing Configuration Prerequisites” on page 234.

Procedure

1. Choose “View old audit history” from the “Auditing reports” menu (2500).

AUDITCON displays menu 2590, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

Figure 6-14. Menu 2590: Select Old Audit File

2. Move the cursor to choose the desired audit file, then press Enter.

AUDITCON retrieves records from the selected old audit file, formats the records, and displays them on your screen (menu 2570).

3. Press the Home, End, Page Up, Page Down, and arrow keys to move through the display. When you are finished, press Esc and answer “Yes” to return to menu 2500.
Database Report Audit History

This section describes how to generate a formatted text version of the auditor events in the current audit file in a format suitable for loading into a database.

Prerequisites

• See the “General Prerequisites” on page 29 and “Audit Report Prerequisites” on page 238.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.
Procedure

1. Choose “Database report audit history” from the “Auditing reports” menu (2500).

AUDITCON prompts you for the name of the output file.

2. Enter the pathname for the file and press Enter.

AUDITCON attempts to create the file and displays an error screen if it cannot.

If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a “Reading file” message in the header area of your screen and a “Please wait ...” notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

3. Exit to DOS and use an appropriate database loading program to insert the audit history records into a database for review.

See “Format of the Database Output File” on page 251 in this chapter for a description of the format of the database file.
Database Report Old Audit History
This section describes how to generate a file containing the auditor
events in an old online audit file in a form suitable for loading into a
database.
Prerequisites
t See the “General Prerequisites” on page 29 and “Auditing
t You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must
have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are
creating the report file on your local workstation, see your
workstation documentation for information on using the workstation’s access control mechanisms to protect your files.
Procedure
1. Choose “Database report old audit history” from the “Auditing reports” menu (2500).
AUDITCON displays menu 2830, which lists up to 15 old audit
files that are still maintained online by the server. The old audit
files are sorted by date and time (oldest first). The dates and times
displayed show when the audit file was created (that is, when it started accumulating audit events).
Figure 6-15: Menu 2830: Select Old Audit File
2. Move the cursor to choose the desired audit file, then press Enter.
AUDITCON prompts you for the name of the output file.
3. Enter the pathname for the file and press Enter.
AUDITCON attempts to create the file and displays an error
screen if it cannot.
If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.
AUDITCON retrieves records from the current audit file, formats
the records, and writes them to your output file. AUDITCON
displays a “Reading file” message in the header area of your
In addition to processing online audit files, AUDITCON also allows
you to process offline audit files. These offline files can be stored on the
auditor’s workstation, removable media, or even in the auditor’s
directory on the server file system.
Files stored in the server file system are considered offline, even if they
contain audit data, because the server does not directly manage these
files as audit files.
Offline audit files are in the same null-compressed, binary format as the
server’s audit files described in Appendix A, “Audit File Formats,” on
page 267.
This section describes how to process and protect these offline audit files.
Offline Report Prerequisites
t See the “General Prerequisites” on page 29.
t To process offline audit files, you must have the Read right to the
Audit File object Audit Contents property.
AUDITCON controls access to the offline audit file based on the current
contents of the Audit File object for that file. Note that your rights to the Audit File object might be different from your rights when the offline audit file was recorded, so, for example, you might not be able to read an offline audit file that you recorded. Note also that this is a constraint imposed by AUDITCON, and not a server access control mechanism. Offline audit files must be protected by the client TCB or (for removable media) by physical protection.
t You must have previously copied an online audit file from the server to a diskette, your local workstation hard drive, or a network drive. See “Copy Old Audit File” on page 257.
t You must have access to an offline audit file. You must have at
least Read and File Scan rights to access offline audit files on network drives. See your workstation documentation for information on the use of file system rights on your workstation.
Copy Old Audit File
This section describes how to copy old online audit files to removable
media (for example, diskettes or magnetic tapes), workstation
directories, or network drives. The primary reason for copying an audit
file is to save the contents of the file before you delete it from the server (see “Delete Old Audit File” on page 259). You might also want to copy
an old audit file to removable media to save it for evidence or to keep it
for long-term storage.
Prerequisites
t See the “General Prerequisites” on page 29.
t To copy an online audit file, you must have the Read right to the
Audit File object Audit Contents property.
t You must have sufficient rights on your workstation or network drive to copy the audit file to that directory. For network drives, you
must have at least the Create right. See your client documentation for more information on rights required to create a file on a hard
drive or diskette.
Procedure
1. Choose “Copy old audit file” from the “Audit files
maintenance” menu (2700).
AUDITCON displays menu 2710, which lists up to 15 old audit
files that are maintained online by the server. The old audit files
are sorted by date and time (oldest first). The dates and times
displayed show when the audit file was created (that is, when it
2. Move the cursor to choose the desired audit file and press Enter.
AUDITCON then prompts you for the name of the offline audit
file.
There is no mechanism for copying the contents of the current audit file. If you want to copy this data, you must first reset the audit data file (see “Reset Audit Data File” on page 260).
You can only copy one file at a time. If you want to copy multiple audit files, perform the steps in this section once for each file.
3. Enter the filename of the destination audit file and press Enter.
The pathname must be a DOS pathname on your local
workstation, for example, “A:\AUDIT301.DAT”,
“C:\AUDIT\FILE1.DAT”, or
“F:\AUDITOR\VOL1\A950224.DAT.” If you do not specify a
drive letter and directory, AUDITCON will leave the audit file in
your current directory. The default pathname is
“AUDITOLD.DAT” on your local drive.
AUDITCON displays a “Please wait” message while it copies the
audit file from the server to your offline destination file. When it
has copied the file, AUDITCON returns to menu 2700.
4. If you copy audit files from the server onto your local workstation’s file system, you must ensure that the audit data is properly protected by your workstation.
5. If you copy the audit file onto removable media (for example, a diskette or tape cartridge), attach a diskette or tape label
that shows the server name, volume name, your name, the date, time, and size of the audit file, along with any other
specific comments that you feel are important. Finally, you must ensure that the media is physically protected.
The purpose of this information is to ensure that you can load the medium in the future and generate meaningful audit reports from
it.
One strategy that is commonly used is to set the maximum audit file size so that one audit file will fit on a 1.44 MB diskette. See “Audit Options Configuration” on page 70 for information on setting the audit file size.
If you have a high volume of audit data, you will probably want to archive your audit files onto magnetic tape, for example, tape cartridges. AUDITCON does not provide a means for copying audit files directly to magnetic tape. If you want to use magnetic tape for long-term storage, you must first copy those files onto your file system, then use a backup program to copy the files to magnetic tape.
The frequency at which you copy the server’s audit files to offline storage depends on how fast your server fills up audit files. If your server rolls over audit files on a periodic basis (as opposed to filling up the audit file), then you can set the number of audit files to 10 or 15, and copy/remove online audit files once per week without expecting to overflow the number of audit files.
Delete Old Audit File
This section describes how to delete an old audit file from the server
after you’ve copied the file to offline storage or decided that you do not need to save the file.
Prerequisites
t See the “General Prerequisites” on page 29.
t To delete an online audit file, you must have the Write right to the Audit File object Audit Policy property.
Procedure
1. Choose “Delete old audit file” from the “Audit files maintenance” menu (2700).
AUDITCON displays menu 2720, which lists up to 15 old audit
files that are maintained online by the server. The old audit files
are sorted by date and time (oldest first). The dates and times
displayed show when the audit file was created (that is, when it
There is no mechanism for deleting the current audit file. If you want to delete the data in the current audit file, you must first reset the audit data file (“Reset Audit Data File” in this chapter).
You can only delete one file at a time. If you want to delete multiple audit files, perform the steps in this section once for each file.
2. Move the cursor to choose the desired audit file, then press
Enter.
AUDITCON asks you to confirm that you want to delete the audit
file.
After you delete an online audit file, there is no way to recover the contents of the file. Do not delete the file unless you are absolutely certain that you will not require the data in the audit file. If there is any doubt, copy the audit file to offline storage before you delete the file.
Reset Audit Data File
This section describes how to reset the current audit file. Reset is a
manual means of causing the current audit file to “roll over,” that is, to
cause the current audit file to become an old audit file and to establish
a new current audit file.
Manual reset might be necessary, for example, if the server stops
processing external audit requests because the external audit trail is in
an overflow state. See “Trail Problems” on page 261 for information on recovering from external audit trail overflow.
Prerequisites
t See the “General Prerequisites” on page 29.
t To reset the current audit file, you must have the Write right to the Audit File object Audit Policy property.
Procedure
1. Choose “Reset audit data file” from the “Audit files maintenance” menu (2700).
AUDITCON requests confirmation that you want to perform the
2. If you want to save the oldest audit file, and you haven’t already backed it up, copy the oldest old audit file to offline
storage (for example, a file in the server or workstation or removable media).
3. Reset the current external audit file, as described in “Reset Audit Data File” on page 260 in this chapter.
This archives the current audit file (to an old audit file), deleting
the oldest old audit file, and creates a new audit file.
4. If you want to save any audit files that you haven’t already saved (including the newest of the old audit files), copy those
audit files to offline storage.
The following pointers help prevent external audit trail overflow:
1. Review the status and size of the audit file frequently.
2. Manually reset the audit file before it overflows, if necessary.
3. Enable “Automatic audit file archiving” as described in “Audit
Options Configuration” on page 235. Set the “Audit file
maximum size” large enough and the “Days between audit
archives” low enough that the audit file will not overflow.
4. Don’t over-audit.
If the external audit trail is full, the auditor’s actions (for example, deleting data files, resetting the audit file) might not be audited. In this case, you must keep a manual log of your actions for use when generating a complete history of actions performed on the server. You will be informed via a message from the server to your workstation when this occurs.
When the audit trail reaches its configured threshold, you will receive the following notification on your workstation screen:
The audit overflow file for external auditing Audit
File objectname is almost full. Auditors must begin manual auditing now!
When the audit trail is completely full, you will receive the following notification on your workstation screen:
The audit overflow file for external auditing Audit
To avoid missing this message, you must not issue the SEND /A=N or SEND /A=P commands (or if using Windows and the NetWare User Tools, do not disable network warnings), as they would cause these messages to be suppressed.
Catastrophic Failure Recovery
This section describes what to do if a catastrophic failure destroys the
volume containing the external audit data. One such
catastrophic failure would be hard disk failure. You will need to return
the audit data to the state it was in before the failure.
This section also explains how to handle planned upgrades, such as
moving a volume from a small disk to a larger disk.
There are several potential losses not addressed here:
x Loss of offline audit data. Your offline audit data (whether it’s
stored in server or workstation file systems or on removable
media) should be backed up frequently enough that its loss would
not be catastrophic.
x Loss of some, but not all copies of the Audit File object describing
the external audit trail due to failure of one or more servers
holding an NDS partition. In this case, NDS will automatically
use whatever copies are available. If a server configured for the
partition is brought back online, then it will automatically be updated with the Audit File object information.
There are two major catastrophic failures possible for external audit.
x Loss of all copies of the Audit File object describing the external
audit trail. If all copies of the Audit File object are lost (for
example, because there only was one copy, and the server it was
on suffered a disk failure), then you might be able to recover the
Audit File object from a backup of your Directory tree (presuming
you have backed up your Directory tree). If so, then you can regain access to the existing online audit data. If not, then no
access is possible to the online audit data. You must re-create the
external audit trail using the procedures in “Create External Audit
Trail” on page 228.
x Loss of the volume containing the external audit data (for
example, because of a disk failure). Because external audit files are
Records are stored in the audit file in a "null-compressed" format (0xE0
= 1 null byte, 0xE1 = 2 null bytes, ..., 0xEE = 15 null bytes, 0xEF = next
byte actual). After encoding all natural nulls in the audit record, the
server then uses a null character (0x00) as a record separator.
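As an added example (not code from the Novell manual or from AUDITCON), the following Python encodes and decodes records in this null-compressed format and splits a record stream on the 0x00 separator, which is what an auditor's own tooling would need to read an offline audit file. It assumes, because the page does not say, that a data byte falling in the 0xE0..0xEF code range is escaped with the 0xEF "next byte actual" code; the sample records are constructed.

```python
RUN_BASE = 0xE0    # 0xE0 = one null byte ... 0xEE = fifteen null bytes
RUN_MAX = 15
ESCAPE = 0xEF      # "next byte actual": the following byte is literal data
SEPARATOR = 0x00   # record separator; never occurs inside an encoded record

def encode_record(raw: bytes) -> bytes:
    """Null-compress one record; the caller appends the 0x00 separator."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0x00:
            j = i
            while j < len(raw) and raw[j] == 0x00:
                j += 1
            run = j - i
            while run > 0:                      # runs over 15 need several codes
                chunk = min(run, RUN_MAX)
                out.append(RUN_BASE + chunk - 1)
                run -= chunk
            i = j
        else:
            if RUN_BASE <= raw[i] <= ESCAPE:    # assumed: data bytes in the
                out.append(ESCAPE)              # code range are escaped
            out.append(raw[i])
            i += 1
    return bytes(out)

def decode_record(enc: bytes) -> bytes:
    """Expand one null-compressed record to its original bytes."""
    out = bytearray()
    i = 0
    while i < len(enc):
        b = enc[i]
        if b == SEPARATOR:
            raise ValueError("separator inside record at offset %d" % i)
        if b == ESCAPE:
            if i + 1 >= len(enc):
                raise ValueError("dangling escape at end of record")
            out.append(enc[i + 1])
            i += 2
        elif RUN_BASE <= b < ESCAPE:
            out.extend(b"\x00" * (b - RUN_BASE + 1))
            i += 1
        else:
            out.append(b)
            i += 1
    return bytes(out)

def split_records(data: bytes) -> list:
    """Split a stream on the 0x00 separator and decode each record."""
    pieces = data.split(bytes([SEPARATOR]))
    if pieces and pieces[-1] == b"":            # trailing separator ends the stream
        pieces.pop()
    return [decode_record(p) for p in pieces]

# Constructed sample: two records, the second with a 20-null run and a literal 0xE3.
SAMPLE_RECORDS = [b"\x01\x00\x00AB", b"\x7f" + b"\x00" * 20 + b"\xe3\x10"]
SAMPLE_STREAM = b"".join(encode_record(r) + b"\x00" for r in SAMPLE_RECORDS)
```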
Each audit file is self-contained; that is, you don’t have to read previous audit files to establish the context for the current file. For example, if a
user is logged in when the audit file rolls over, the server writes a
pseudo-login event for that user. If a file is open when the audit file rolls
over, the new audit file contains a pseudo-open event.
The following sections describe the format of volume audit files
internally, within the server, and as displayed by AUDITCON.
Volume Audit File Header
Each volume audit file contains an audit file header that defines the
audit status and configuration data for the audit file. Table A-1 defines
the format of the volume audit file header. The data types "BYTE",
"WORD", and "LONG" refer to 8-, 16-, and 32-bit integers, respectively.
The "BYTE" data type is also used for character strings.
Table A-1
Volume Audit File Header
Type    Identifier                     Description
WORD    fileVersionDate                Current version of the audit file.
BYTE    auditFlags                     Bit map, including concurrent auditor access, dual-level passwords, broadcast warnings to all users.
BYTE    errMsgDelayMinutes             Number of minutes to delay between error messages.
BYTE    encryptPassword[16]            Encrypted level 1 password hash value (not used in evaluated configuration).
LONG    volumeAuditFileMaxSize         Nominal audit file maximum size.
LONG    volumeAuditFileSizeThreshold   Nominal audit file size threshold.
LONG    auditRecordCount               Number of user audit records in file.
LONG    historyRecordCount             Number of auditor event records in file.
respectively. The "BYTE" data type is also used for character strings. The
complete name of each event in Table A-3 starts with "A_EVENT_"; that
prefix is omitted to save room.
Events 29 through 41, 228 through 235, and 261 are queue management events. Queue management events are always recorded in the audit trail of volume SYS:, and therefore will not appear in the audit trails of any other volumes.
As shown in Figure A-1, external audit files consist of an audit file
header and a sequence of audit records. Audit records can be either
generated by the server (audit history records) or inserted by external
entities (external audit records).
Figure A-1: Structure of External Audit Record
The external audit record data (shaded) consists of an external audit
record header generated by NetWare, followed by a sequence of bytes.
The workstation-provided data can be interpreted by the workstation in
any way that is desired.
For example, a workstation product can treat this data as a workstation
event header (for example, that lists the time the event occurred on the
workstation and the workstation’s audit record type) and additional
data. See your vendor’s workstation documentation for information on
the workstation data in your external audit file.
The external audit record header contains information written by the server at the time the audit event record is written to the audit file, for example, the date and time the event was recorded. Depending upon the workstation’s audit architecture, this information might or might not be meaningful.
For example, the workstation might queue audit records for a period of time before uploading the records to the server to be written to the audit file. If the information in the external audit record header is not sufficient for an auditor to audit the actions of an individual user, then the workstation NTCB partition must record additional data in the workstation data.
External Audit File Header
The external audit file header is the same as the container audit file
header defined in the section “Container Audit File Header” on