Guide to Auditing with NAAS
(Last modified: 27Feb2004)
This document (10067501) is provided subject to the disclaimer at the end of this document.
goal
Guide to Auditing with NAAS
fact
Novell NetWare 6.0
Novell Advanced Audit Service
NAAS v 1.0
NAAS is a discontinued product. The replacement product is Nsure Audit. For information on downloading, installing, and configuring Nsure Audit, please see TID 10091433.
fix
This document describes how to capture basic audit data after the initial installation and configuration NAAS. For instructions on the basic installation and configuration of NAAS, see NAA2S Quick Start Guide.
Basic steps for to auditing with NAAS 1.0 (each step explained below)
A. Edit and save the event policy
B. Troubleshooting step: Verify that the SQL database engine is running on the server.
C. Troubleshooting step: Verify auditor has rights to view captured data.
D. Start or Restart auditing at the server console.
E. Load the auditing shims
F. Wait for the event to happen and the Audit Agent to commit data to the Audit Server
G. Run Audit Reports
A. EDIT AND SAVE THE EVENT POLICY
1. In ConsoleOne, change the ·policy contents· in properties of the DSEventPolicy, NSSEvent Policy, FSEventPolicy, or policy you made yourself. The three default policies are all that is needed to do basic auditing of the entire tree.
B. TROUBLESHOOTING: VERIFY SQL DATABASE ENGINE IS RUNNING
1. If using Pervasive, type MGRSTART at the server console to load the Pervasive database engine.
C. TROUBLESHOOTING: VERIFY AUDITOR HAS RIGHTS TO VIEW CAPTURED DATA.
1. In ConsoleOne right click on the user that was set as Auditor
2. Click on ·Extensions of this object·
3. The naasAuditor extension should be listed
D. START OR RESTART AUDITING AT THE SERVER CONSOLE
1. Start the Audit Server with ST_SRVR.NCF
2. Start the Audit Agent with ST_AGENT.NCF
3. type JAVA-SHOW to verify that auditing is active
audit.server.SocketServer class should be displayed
audit.client.tester class should be displayed
4. Auditing must be stopped and restarted after changes are made in ConsoleOne. This is accomplished by restarting the server. By design, you must restart the server to restart auditing. This eliminates the possibility of someone simply unloading NAAS to get around system security.
Troubleshooting Note: The Audit Server or Agent may not load if the server was upgraded from a prior version of NetWare. Make sure the file SYS:\ETC\HOSTS has an entry for the server itself. Same for RESOLV.CFG and HOSTNAME.
Sample entry for hosts.cfg
this_server 123.45.67.89
E. LOAD THE AUDITING SHIMS
1. Load the desired shims at the server console:
fsshim.nlm for auditing traditional file system events
nssshim for auditing nss events
dsshim for auditing ds events
Verify that the shims loaded properly by typing
m fsshim
m nssshim
m dsshim
F. WAIT FOR THE EVENT TO HAPPEN AND THE AUDIT AGENT TO SEND DATA TO THE AUDIT SERVER
1. Audit Agents forward captured data to the Audit Server according to the "commit period" set in properties of the NAASAgent Policy. Note: Setting the commit period to less than 30-60 seconds may cause excessive network traffic.
G. RUN AUDIT REPORTS
1. In ConsoleOne, highlight the root container of the partition
2. Click on NAAS, then on Report
3. You can create filters for viewing the report, but to see everything run the report without filters.
document
| Document Title: | Guide to Auditing with NAAS |
| Document ID: | 10067501 |
| Solution ID: | NOVL68701 |
| Creation Date: | 11Jan2002 |
| Modified Date: | 27Feb2004 |
| Novell Product Class: | NetWare Novell eDirectory |
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.