Novell Identity Audit 1.0 User Manual
Novell®
www.novell.com
Identity Audit 1.0 Guide
AUTHORIZED DOCUMENTATION
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 11
1 Introduction 13
1.1 Product Overview 13
1.1.1 Comparison to Novell Audit 2.0.2 13
1.1.2 Comparison to Novell Sentinel 14
1.2 Interface 14
1.3 Architecture 15
2 System Requirements 17
2.1 Hardware Requirements 17
2.2 Supported Operating Systems 18
2.3 Supported Browsers 18
2.4 Supported Platform Agent Version 18
2.5 Supported Event Sources 18
3 Installation 19
3.1 Prerequisites 19
3.2 Installing Novell Identity Audit 19
3.2.1 Quick Installation (as root) 19
3.2.2 Non-root Installation 21
3.3 Configuring Event Sources 23
3.3.1 Installing the Platform Agent 23
3.3.2 Configuring the Platform Agent 24
3.3.3 Configuring the Auditing Level 25
3.4 Logging In to Identity Audit 25
3.5 Uninstalling 25
4 Reporting 27
4.1 Running Reports 27
4.1.1 Manually Running a Report 27
4.1.2 Scheduling a Report 29
4.2 Viewing Reports 30
4.3 Managing Reports 31
4.3.1 Adding Reports 32
4.3.2 Creating New Reports 33
4.3.3 Renaming Report Results 33
4.3.4 Deleting Reports 34
4.3.5 Updating Report Definitions 34
4.4 Default Reports 34
5 Data Collection 37
5.1 Data Collection Status 37
5.1.1 Enabling and Disabling Data Collection 37
5.1.2 Viewing Audit Server Health 38
5.1.3 Viewing Event Source Health 39
5.2 Managing Event Sources 40
5.2.1 Adding Event Sources 40
5.2.2 Deleting Event Sources 40
5.3 Audit Server Options 40
5.3.1 Port Configuration and Port Forwarding 42
5.3.2 Client Authentication 42
5.4 Event Sources 45
6 Searching 47
6.1 Running an Event Search 47
6.1.1 Basic Search 47
6.1.2 Advanced Search 48
6.2 Viewing Search Results 49
6.2.1 Basic Event View 50
6.2.2 Event View with Details 50
6.2.3 Refining Search Results 51
6.3 Event Fields 52
7 Data Storage 57
7.1 Database Health 57
7.2 Data Storage Configuration 58
7.3 Database Setup 59
7.3.1 Database Structure 60
7.3.2 Database Users 60
7.3.3 Database Stored Procedures 60
8 Rules 61
8.1 Rules Overview 61
8.2 Configuring Rules 62
8.2.1 Filter Criteria 62
8.2.2 Adding a Rule 62
8.2.3 Ordering Rules 63
8.2.4 Editing a Rule 63
8.2.5 Deleting a Rule 63
8.2.6 Activating or Deactivating a Rule 63
8.3 Configuring Actions 64
8.3.1 Send to E-Mail 64
8.3.2 Send to Syslog 65
8.3.3 Write to File 65
9 User Administration 67
9.1 Adding a User 67
9.2 Editing User Details 68
9.2.1 Editing Your Own Profile 68
9.2.2 Changing Your Own Password 69
9.2.3 Editing Another User’s Profile (admin only) 70
9.2.4 Resetting Another User’s Password (admin only) 70
9.3 Deleting a User 70
A Troubleshooting 71
B Truststore 73
B.1 Creating a Keystore 73
C Novell Identity Audit Database Views for PostgreSQL Server 75
C.1 Views 75
C.1.1 ACTVY_PARM_RPT_V 75
C.1.2 ACTVY_REF_PARM_VAL_RPT_V 75
C.1.3 ACTVY_REF_RPT_V 76
C.1.4 ACTVY_RPT_V 76
C.1.5 ADV_ATTACK_MAP_RPT_V 77
C.1.6 ADV_ATTACK_PLUGIN_RPT_V 77
C.1.7 ADV_ATTACK_RPT_V 77
C.1.8 ADV_ATTACK_SIGNATURES 78
C.1.9 ADV_FEED_RPT_V 79
C.1.10 ADV_MASTER_RPT_V 79
C.1.11 ADV_PRODUCT_RPT_V 80
C.1.12 ADV_PRODUCT_SERVICE_PACK_RPT_V 80
C.1.13 ADV_PRODUCT_VERSION_RPT_V 81
C.1.14 ADV_VENDOR_RPT_V 81
C.1.15 ADV_VULN_KB_RPT_V 82
C.1.16 ADV_VULN_PRODUCT_RPT_V 83
C.1.17 ADV_VULN_SIGNATURES 83
C.1.18 ANNOTATIONS_RPT_V 83
C.1.19 ASSET_CATEGORY_RPT_V 84
C.1.20 ASSET_HOSTNAME_RPT_V 84
C.1.21 ASSET_IP_RPT_V 84
C.1.22 ASSET_LOCATION_RPT_V 85
C.1.23 ASSET_RPT_V 85
C.1.24 ASSET_VALUE_RPT_V 86
C.1.25 ASSET_X_ENTITY_X_ROLE_RPT_V 86
C.1.26 ASSOCIATIONS_RPT_V 87
C.1.27 ATTACHMENTS_RPT_V 87
C.1.28 AUDIT_RECORD_RPT_V 88
C.1.29 CONFIGS_RPT_V 88
C.1.30 CONTACTS_RPT_V 89
C.1.31 CORRELATED_EVENTS_RPT_V (legacy view) 89
C.1.32 CORRELATED_EVENTS_RPT_V1 89
C.1.33 CRITICALITY_RPT_V 90
C.1.34 CUST_HIERARCHY_V 90
C.1.35 CUST_RPT_V 91
C.1.36 ENTITY_TYPE_RPT_V 91
C.1.37 ENV_IDENTITY_RPT_V 91
C.1.38 ESEC_CONTENT_GRP_CONTENT_RPT_V 92
C.1.39 ESEC_CONTENT_GRP_RPT_V 92
C.1.40 ESEC_CONTENT_PACK_RPT_V 93
C.1.41 ESEC_CONTENT_RPT_V 93
C.1.42 ESEC_CTRL_CTGRY_RPT_V 93
C.1.43 ESEC_CTRL_RPT_V 94
C.1.44 ESEC_DISPLAY_RPT_V 94
C.1.45 ESEC_PORT_REFERENCE_RPT_V 95
C.1.46 ESEC_PROTOCOL_REFERENCE_RPT_V 96
C.1.47 ESEC_SEQUENCE_RPT_V 96
C.1.48 ESEC_UUID_UUID_ASSOC_RPT_V 97
C.1.49 EVENTS_ALL_RPT_V (legacy view) 97
C.1.50 EVENTS_ALL_RPT_V1 (legacy view) 97
C.1.51 EVENTS_ALL_V (legacy view) 97
C.1.52 EVENTS_RPT_V (legacy view) 97
C.1.53 EVENTS_RPT_V1 (legacy view) 97
C.1.54 EVENTS_RPT_V2 97
C.1.55 EVENTS_RPT_V3 102
C.1.56 EVT_AGENT_RPT_V 105
C.1.57 EVT_AGENT_RPT_V3 106
C.1.58 EVT_ASSET_RPT_V 106
C.1.59 EVT_ASSET_RPT_V3 107
C.1.60 EVT_DEST_EVT_NAME_SMRY_1_RPT_V 108
C.1.61 EVT_DEST_SMRY_1_RPT_V 108
C.1.62 EVT_DEST_TXNMY_SMRY_1_RPT_V 109
C.1.63 EVT_NAME_RPT_V 110
C.1.64 EVT_PORT_SMRY_1 110
C.1.65 EVT_PORT_SMRY_1_RPT_V 110
C.1.66 EVT_PRTCL_RPT_V 111
C.1.67 EVT_RSRC_RPT_V 111
C.1.68 EVT_SEV_SMRY_1_RPT_V 111
C.1.69 EVT_SRC_COLLECTOR_RPT_V 112
C.1.70 EVT_SRC_GRP_RPT_V 112
C.1.71 EVT_SRC_MGR_RPT_V 113
C.1.72 EVT_SRC_OFFSET_RPT_V 113
C.1.73 EVT_SRC_RPT_V 114
C.1.74 EVT_SRC_SMRY_1_RPT_V 114
C.1.75 EVT_SRC_SRVR_RPT_V 115
C.1.76 EVT_TXNMY_RPT_V 115
C.1.77 EVT_USR_RPT_V 116
C.1.78 EVT_XDAS_TXNMY_RPT_V 116
C.1.79 EXTERNAL_DATA_RPT_V 117
C.1.80 HIST_CORRELATED_EVENTS 117
C.1.81 HIST_CORRELATED_EVENTS_RPT_V (legacy view) 118
C.1.82 HIST_EVENTS 118
C.1.83 HIST_EVENTS_RPT_V (legacy view) 120
C.1.84 IMAGES_RPT_V 120
C.1.85 INCIDENTS_ASSETS_RPT_V 121
C.1.86 INCIDENTS_EVENTS_RPT_V 121
C.1.87 INCIDENTS_RPT_V 122
C.1.88 INCIDENTS_VULN_RPT_V 122
C.1.89 L_STAT_RPT_V 123
C.1.90 LOGS_RPT_V 123
C.1.91 MSSP_ASSOCIATIONS_V 123
C.1.92 NETWORK_IDENTITY_RPT_V 124
C.1.93 ORGANIZATION_RPT_V 124
C.1.94 PERSON_RPT_V 124
C.1.95 PHYSICAL_ASSET_RPT_V 125
C.1.96 PRODUCT_RPT_V 125
C.1.97 ROLE_RPT_V 126
C.1.98 RPT_LABELS_RPT_V 126
C.1.99 SENSITIVITY_RPT_V 126
C.1.100 SENTINEL_HOST_RPT_V 127
C.1.101 SENTINEL_PLUGIN_RPT_V 127
C.1.102 SENTINEL_RPT_V 127
C.1.103 STATES_RPT_V 128
C.1.104 UNASSIGNED_INCIDENTS_RPT_V 128
C.1.105 USERS_RPT_V 129
C.1.106 USR_ACCOUNT_RPT_V 130
C.1.107 USR_IDENTITY_EXT_ATTR_RPT_V 130
C.1.108 USR_IDENTITY_RPT_V 130
C.1.109 VENDOR_RPT_V 131
C.1.110 VULN_CALC_SEVERITY_RPT_V 131
C.1.111 VULN_CODE_RPT_V 132
C.1.112 VULN_INFO_RPT_V 132
C.1.113 VULN_RPT_V 133
C.1.114 VULN_RSRC_RPT_V 134
C.1.115 VULN_RSRC_SCAN_RPT_V 134
C.1.116 VULN_SCAN_RPT_V 134
C.1.117 VULN_SCAN_VULN_RPT_V 135
C.1.118 VULN_SCANNER_RPT_V 135
C.1.119 WORKFLOW_DEF_RPT_V 136
C.1.120 WORKFLOW_INFO_RPT_V 136
C.2 Deprecated Views 136
D Documentation Updates 139
D.1 October 2009 139
About This Guide
This guide covers the installation and configuration of Novell® Identity Audit.
Chapter 1, “Introduction,” on page 13
Chapter 2, “System Requirements,” on page 17
Chapter 3, “Installation,” on page 19
Chapter 4, “Reporting,” on page 27
Chapter 5, “Data Collection,” on page 37
Chapter 6, “Searching,” on page 47
Chapter 7, “Data Storage,” on page 57
Chapter 8, “Rules,” on page 61
Chapter 9, “User Administration,” on page 67
Appendix A, “Troubleshooting,” on page 71
Appendix B, “Truststore,” on page 73
Appendix C, “Novell Identity Audit Database Views for PostgreSQL Server,” on page 75
Appendix D, “Documentation Updates,” on page 139
Audience
This guide is intended for Novell Identity Audit administrators and end users.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Novell Identity Audit 1.0 Guide, visit the Identity Audit documentation Web site (http://www.novell.com/documentation/identityaudit).
Additional Documentation and Support
To download additional plug-ins (for example, reports), go to the Identity Audit Content Web page (http://support.novell.com/products/sentinel/secure/identityaudit.html).
For more information about building your own plug-ins (for example, Jasper Reports*), go to the Sentinel™ SDK Web page (http://developer.novell.com/wiki/index.php/Develop_to_Sentinel). The build environment for Identity Audit report plug-ins is identical to what is documented for Novell Sentinel.
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
1 Introduction
Novell® Identity Audit provides event reporting and monitoring for the Novell Identity and Security Management environment, including Novell eDirectory™, Novell Identity Manager, Novell Access Manager, Novell Modular Authentication Services (NMAS™), Novell SecureLogin, and Novell SecretStore®.
Section 1.1, “Product Overview,” on page 13
Section 1.2, “Interface,” on page 14
Section 1.3, “Architecture,” on page 15
1.1 Product Overview
Novell Identity Audit 1.0 is an easy to use, lightweight tool for collecting, aggregating, and storing events from Novell Identity Manager, Novell Access Manager, Novell eDirectory, and other Novell identity and security products and technologies. Key features include:
Web-based administration and reporting interfaces
Full-event search tool that allows searches across multiple event fields
Output of selected events to several channels
Embedded JasperReports engine that allows the use of open source tools for customizing included reports or creating new reports
Built-in database that eliminates the need for external database licenses or administration
Simple, intuitive data management tools
Novell Identity Audit is a replacement for Novell Audit and is related to Novell Sentinel™, but there are significant differences.
Section 1.1.1, “Comparison to Novell Audit 2.0.2,” on page 13
Section 1.1.2, “Comparison to Novell Sentinel,” on page 14
1.1.1 Comparison to Novell Audit 2.0.2
Novell Identity Audit 1.0 is designed as a replacement product for the Novell Audit product line, which leaves general support in February 2009. Identity Audit is comparable in functionality, but with major improvements in architecture, reporting, and data management. Novell Identity Audit
1.0 is a drop-in replacement for the Novell Audit 2.0.2 Secure Logging Server for products in the Novell Identity and Security product line. Because Novell Identity Audit uses a new embedded database, customers should keep existing Novell Audit events in the archived Novell Audit database rather than attempting to migrate legacy data.
The Novell Audit client component, also known as the Platform Agent, is still used as the data transport mechanism for Novell Identity Audit. This will continue to be supported according to the life cycles of Novell Identity and Access Management products that still use the Platform Agent.
1.1.2 Comparison to Novell Sentinel
Novell Identity Audit is built on a robust technological foundation, because much of the underlying code is shared with Novell Sentinel. However, Sentinel collects data from a broader range of devices, supports a higher event rate, and provides more tools than Novell Identity Audit. Sentinel provides additional Security Information and Event Management (SIEM) features, such as real-time dashboards, multi-event correlation, incident tracking and automated remediation, and data collection from non-Novell products. Identity Audit is designed to integrate into a future Sentinel deployment.
Novell Identity Audit 1.0 is not part of the Novell Compliance Management Platform (CMP) and does not include the advanced identity and security integration features delivered in that platform. Sentinel 6.1 is presently the identity audit and monitoring component of the CMP.
1.2 Interface
The Novell Identity Audit Web interface provides the ability to perform the following tasks:
Upload, run, view, and delete reports
Search for events
Edit user profile details
Create, edit, and delete users and assign administrative rights (administrators only)
Configure data collection and view the health of event sources (administrators only)
Configure data storage and view the health of the database (administrators only)
Create filtering rules and configure associated actions to send matching event data to output channels (administrators only)
Figure 1-1 Novell Identity Audit interface (Administrator View)
The Identity Audit pages automatically refresh every 30 seconds to show updates by other users, if applicable.
The interface is available in multiple languages (English, French, German, Italian, Japanese, Portuguese, Spanish, Simplified Chinese, and Traditional Chinese). It defaults to the browser’s default language, but users can select another language at login.
NOTE: Although the interface is localized into double-byte languages, the current release of Identity Audit does not process double-byte event data.
1.3 Architecture
Identity Audit collects data from multiple Novell identity and security applications. These application servers are configured to generate event records, and each hosts a Platform Agent. Event data is forwarded by the Platform Agent to an Audit Connector that resides on the Identity Audit Server.
The Audit Connector passes events to the Data Collection component, which parses the events and puts them on the Communication Bus, which is the backbone of the system and brokers most communication between components. As part of Data Collection, incoming events are evaluated by a set of filtering rules. These rules filter events and send them to output channels such as a file, a syslog relay, or an SMTP relay.
In addition, all events are stored in the Identity Audit database (powered by PostgreSQL*), in partitioned tables.
The Configuration component retrieves, adds, and modifies configuration information such as data collection and storage settings, rule definitions, and report definitions. It also manages user authentication.
The Search component performs fast, indexed searches and retrieves events from the database to present search result sets to the user.
The Reporting component runs reports and formats report results.
Figure 1-2 Architecture for Identity Audit
Users interact with the Identity Audit server and all of its functionality via a Web browser, which connects to an Apache* Tomcat Web server. The Web server makes calls to the various Identity Audit components via the Communications Bus.
2 System Requirements
In addition to the hardware, operating system, browser, and event source compatibility requirements described below, the user must also have root access for some installation steps.
Section 2.1, “Hardware Requirements,” on page 17
Section 2.2, “Supported Operating Systems,” on page 18
Section 2.3, “Supported Browsers,” on page 18
Section 2.4, “Supported Platform Agent Version,” on page 18
Section 2.5, “Supported Event Sources,” on page 18
2.1 Hardware Requirements
Novell Identity Audit is supported on 64-bit Intel* Xeon* and AMD Opteron* hardware. It is not supported on Itanium* hardware. Novell recommends the following hardware for a production system that holds 90 days of online data:
1x Quad Core (x86-64)
16 GB RAM
1.5 TB usable disk space - 3x 500GB (3 usable), 10K RPM drives in a hardware RAID configuration
Approximately 2/3 of the usable disk space is used for database files
Approximately 1/3 of the usable disk space is used for the search index and temp files
A small amount of storage is available for archived data that has been removed from the database, but Novell recommends that you move archived data files from the Identity Audit server to a long-term storage location.
Table 2-1 Performance
Metric | Value | Description
Events per second (eps) - steady state | 100 | Average event rate during normal operations. Event rates are typically low (less than 15 eps) for Identity Manager, SecureLogin, SecretStore®, and NMAS™. Event rates can be very high from eDirectory and Access Manager. Event filtering should be implemented to ensure a manageable rate.
Events per second (eps) - peak | 500 | Peak event rate during a spike (up to 10 minutes)
Events per second (eps) - peak per application | 300 | Peak event rate from each type of Novell application. Even during an event spike, no one application can send more than this many events per second.
Online data | 90 days or 750 million events | Amount of data Identity Audit can store at a steady state rate of approximately 100 eps, with the recommended storage
2.2 Supported Operating Systems
Identity Audit is certified to run on 64-bit SUSE Linux Enterprise Server 10 SP1 and SP2.
NOTE: Identity Audit is not supported on Novell Open Enterprise Server 2.
2.3 Supported Browsers
The following browsers are supported by Identity Audit. Other browsers may not display information as expected.
Mozilla* Firefox* 2
Mozilla Firefox 3
Microsoft* Internet Explorer* 7
The performance of searches and report viewing seems to vary by browser. Novell has observed particularly good performance from Mozilla Firefox 3.
2.4 Supported Platform Agent Version
Identity Audit 1.0 supports collecting log events from many applications that were supported by Novell Audit and its Platform Agent. Platform Agent version 2.0.2 SP6 or above is required for Identity Audit.
NOTE: Some Novell applications are bundled with a previous version of the Platform Agent. The recommended version includes important bug fixes, so you should upgrade the Platform Agent if you have a previous version.
2.5 Supported Event Sources
Identity Audit supports collecting data from the Novell identity and security applications. Some applications require a specific patch level in order to collect data correctly.
Novell Access Manager 3.0
Novell eDirectory 8.8.3 with the eDirectory instrumentation patch found on the Novell Support
Web Site (http://download.novell.com/Download?buildid=RH_B5b3M6EQ~)
Novell Identity Manager 3.6
Novell NMAS 3.1
Novell SecretStore 3.4
Novell SecureLogin 6.0
3 Installation
This section describes how to install Novell® Identity Audit and configure the event sources to send data to it. These instructions assume that the minimum requirements for each system component have been met. For more information, see Chapter 2, “System Requirements,” on page 17.
Section 3.1, “Prerequisites,” on page 19
Section 3.2, “Installing Novell Identity Audit,” on page 19
Section 3.3, “Configuring Event Sources,” on page 23
Section 3.4, “Logging In to Identity Audit,” on page 25
Section 3.5, “Uninstalling,” on page 25
3.1 Prerequisites
Before installing Identity Audit, be sure you meet the system requirements in Chapter 2, “System Requirements,” on page 17. In particular, you need to have the supported patch levels for some Novell applications in order to receive high-quality events from those event sources.
3.2 Installing Novell Identity Audit
The Identity Audit installation package installs everything you need to run Identity Audit: the Identity Audit application and communications bus, the database to store events and configuration information, the Web-based user interface, and the reporting server. There are two installation options, a simple installation that can be run as root, or a multi-step installation that uses root as little as possible.
3.2.1 Quick Installation (as root)
This simple installation must be run as root.
1 Log in as root to the server where you want to install Identity Audit.
2 Download or copy identity_audit_1.0_x86-64.tar.gz to a temporary directory.
3 Change to the temporary directory (if necessary).
4 Extract the install script from the file by using the following command:
tar xfz identity_audit_1.0_x86-64.tar.gz identity_audit_1.0_x86-64/setup
5 Run the root_install_all.sh script with the following command:
identity_audit_1.0_x86-64/setup/root_install_all.sh identity_audit_1.0_x86-64.tar.gz
NOTE: You can log in as root and run the command above, or use the sudo command to run root_install_all.sh with root privileges.
6 Choose a language by entering a number.
The end user license agreement displays in the selected language.
7 Read the end user license and enter 1 or y if you agree to the terms and want to continue
installation.
The installation begins. If the previously selected language is not available for the installer (for example, Polish), the installer continues in English.
The novell user and novell group are created, if they do not already exist.
The novell user is created without a password. If you want to be able to log in as the novell user later (for example, to install patches), you can create a password for this user after the installation is completed.
8 Enter the password for database administrator (dbauser).
9 Confirm the password for database administrator (dbauser).
10 Enter the password for the admin user.
11 Confirm the password for the admin user.
The dbauser credentials are used to create tables and partitions in the PostgreSQL database. Identity Audit is configured to start up with runlevels 3 and 5 (Multi-User Mode with boot-up in console or X-Windows mode).
After the Identity Audit service starts, you can log in to the URL (for example: https://10.10.10.10:8443/novellidentityaudit) specified in the installation output. The system starts processing internal audit events immediately, and it is fully functional after you configure event sources to send data to Identity Audit.
3.2.2 Non-root Installation
If organizational policy prohibits running the full installation process as root, the installation can be run in two steps. The first part of the installation procedure must be performed with root-level access, and the second part is performed as the Identity Audit administrative user (created during the first part).
1 Log in as root to the server where you want to install Identity Audit.
2 Download or copy identity_audit_1.0_x86-64.tar.gz to the /tmp directory.
3 (Conditional) If the novell user and novell group do not exist on the server:
3a Extract the script to create the novell user and novell group from the Identity Audit tar file. For example:
tar xfz identity_audit_1.0_x86-64.tar.gz identity_audit_1.0_x86-64/setup/root_create_novell_user.sh
3b As root, execute the script by using this command:
identity_audit_1.0_x86-64/setup/root_create_novell_user.sh
The novell user and novell group will own the installation and the running processes of Identity Audit.
4 Create a directory for Identity Audit. For example:
mkdir -p /opt/novell
5 Set the directory to be owned by the novell user and novell group. For example:
chown -R novell:novell /opt/novell
6 Log in as the novell user:
su novell
7 Extract the Identity Audit tar file to the directory you just created. For example:
cd /opt/novell
tar xfz /tmp/identity_audit_1.0_x86-64.tar.gz
8 Execute the installation script. For example:
/opt/novell/identity_audit_1.0_x86-64/setup/install.sh
9 Choose a language by entering a number.
The end user license agreement displays in the selected language.
10 Read the end user license and enter 1 or y if you agree to the terms and want to continue installation.
The installation begins. If the previously selected language is not available for the installer (for example, Polish), the installer continues in English.
11 Enter the password for database administrator (dbauser).
12 Confirm the password for database administrator (dbauser).
13 Enter the password for the admin user.
14 Confirm the password for the admin user.
15 Log out and log back in as novell. This loads the PATH environment variable changes made by the install.sh script.
16 Execute the root_install_service.sh script to enable Identity Audit to start up as a service. This step requires root-level access. For example:
sudo /opt/novell/identity_audit_1.0_x86-64/setup/root_install_service.sh
17 Enter the root password.
Identity Audit is configured to start up with runlevels 3 and 5 (Multi-User Mode with boot-up in console or X-Windows mode).
After the Identity Audit service starts, you can log in to the URL (for example: https://10.10.10.10:8443/novellidentityaudit) specified in the installation output. The system starts processing internal audit events immediately, and it is fully functional after you configure event sources to send data to Identity Audit.
3.3 Configuring Event Sources
Identity Audit 1.0 supports collecting log events from applications that were supported by the old Novell Audit product and its Platform Agent. Before completing the steps in this section, ensure that your Novell products are supported. For more information, see Section 2.4, “Supported Platform Agent Version,” on page 18.
The 32-bit Platform Agent (http://download.novell.com/Download?buildid=1O9cbsOIO8Y~) can be downloaded as part of the Novell Audit product. This URL is current for Audit 2.0.2 SP6.
The 64-bit Platform Agent (http://download.novell.com/Download?buildid=8hsF_lYQZJM~) can be downloaded as a standalone client. This URL is current for Audit 2.0.2 SP6.
Section 3.3.1, “Installing the Platform Agent,” on page 23
Section 3.3.2, “Configuring the Platform Agent,” on page 24
Section 3.3.3, “Configuring the Auditing Level,” on page 25
3.3.1 Installing the Platform Agent
The Platform Agent must be at least the minimum version recommended for Identity Audit. For more information, see Section 2.4, “Supported Platform Agent Version,” on page 18. The appropriate Platform Agent (32-bit or 64-bit) must be installed or updated on all event source machines.
The instructions for installing or upgrading the Platform Agent vary slightly by operating system. The sample instructions below are for a 32-bit Linux* Platform Agent.
1 Download the .iso file for the supported version of Novell Audit to the /tmp directory on the event source machine.
2 Create a directory for Audit. For example, mkdir -p audit202
3 Log in as root.
4 Mount the Audit .iso file.
mount -o loop ./NAudit202.iso ./audit202
5 Go to the audit202 directory.
6 Go to the appropriate directory for the operating system on your event source. For example:
cd Linux
7 Run pinstall.lin.
./pinstall.lin
8 Read the license agreement and enter y if you are willing to accept the terms.
9 Enter P to install the Platform Agent.
10 Enter Y to keep any previous configurations to the logevent.conf file.
The Platform Agent is installed.
11 To verify that the Platform Agent version is correct, enter the following command:
rpm -qa | grep AUDT
The version of novell-AUDTplatformagent should be at least the supported version listed in
Section 2.4, “Supported Platform Agent Version,” on page 18.
3.3.2 Configuring the Platform Agent
After installation, the Platform Agent must be configured to send data to the Identity Audit server and, if desired, to send event signatures from the event sources.
IMPORTANT: Configuring the Platform Agent to generate signatures can negatively impact the performance of the event source machines.
To configure the Platform Agent:
1 Log into the event source machine.
2 Open the logevent file for editing. The file is in a different location depending on the operating system:
Linux: /etc/logevent.conf
Windows*: C:\WINDOWS\logevent.cfg
NetWare®: SYS:\etc\logevent.cfg
Solaris*: /etc/logevent.conf
3 Set LogHost to the IP address of the Identity Audit server.
4 Set LogEnginePort=1289, if this entry does not already exist.
5 If you want the event source to send event signatures, enter LogSigned=always.
6 Save the file.
7 Restart the Platform Agent. The method varies by operating system and application. Reboot the
machine or refer to the application-specific documentation on the Novell Documentation Web
Site (http://www.novell.com/documentation) for more instructions.
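The following POSIX shell functions are an added example, not part of the Novell guide: they apply steps 3 to 5 above to a logevent.conf file idempotently (replacing an existing LogHost line rather than duplicating it, and leaving an existing LogEnginePort entry alone as step 4 says) and let you verify the result before restarting the agent. The function names, the sample file contents and the server address 10.10.10.10 (taken from the guide's own examples) are assumptions.

```shell
#!/bin/sh
# Added example (not from the Novell guide): manage the Platform Agent keys from
# Section 3.3.2 in a logevent.conf-style file (one KEY=VALUE per line).
set -u

# set_logevent_key FILE KEY VALUE
# Replaces an existing KEY= line (leading whitespace tolerated) or appends one.
# Values are expected to be plain hostnames, IP addresses or numbers (no '|' or '&').
set_logevent_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*${key}=" "$file"; then
        # Write to a temp file first so an interrupted write never truncates the live config.
        tmp="${file}.tmp.$$"
        sed "s|^[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_logevent_key FILE KEY
# Prints the value of KEY (last occurrence wins), or nothing if it is not set.
get_logevent_key() {
    sed -n "s|^[[:space:]]*$2=||p" "$1" | tail -n 1
}

# configure_platform_agent FILE SERVER_IP [yes|no]
# Step 3: LogHost; step 4: LogEnginePort=1289 only if absent; step 5: LogSigned=always
# only when the third argument is "yes" (signing costs event-source performance).
configure_platform_agent() {
    file=$1; host=$2; signed=${3:-no}
    set_logevent_key "$file" LogHost "$host"
    if ! grep -q '^[[:space:]]*LogEnginePort=' "$file"; then
        set_logevent_key "$file" LogEnginePort 1289
    fi
    if [ "$signed" = "yes" ]; then
        set_logevent_key "$file" LogSigned always
    fi
    return 0
}

# check_platform_agent FILE SERVER_IP
# Returns 0 when LogHost points at SERVER_IP and LogEnginePort is 1289, 1 otherwise.
# Useful after an upgrade that answered "Y" to keeping a previous logevent.conf.
check_platform_agent() {
    [ "$(get_logevent_key "$1" LogHost)" = "$2" ] &&
    [ "$(get_logevent_key "$1" LogEnginePort)" = "1289" ]
}

# Demonstration on a constructed file (a real agent uses /etc/logevent.conf on Linux).
demo_logevent() {
    f=$(mktemp)
    printf 'LogHost=192.0.2.1\nLogEnginePort=289\n' > "$f"   # constructed stale config
    configure_platform_agent "$f" 10.10.10.10 yes
    if check_platform_agent "$f" 10.10.10.10; then
        echo "agent config OK"
    else
        echo "agent config still wrong: LogEnginePort=$(get_logevent_key "$f" LogEnginePort)"
    fi
    rm -f "$f"
}
```

Run demo_logevent to see the stale-port case: LogHost is corrected, but the pre-existing LogEnginePort=289 is kept per step 4 and the check reports it.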
3.3.3 Configuring the Auditing Level
The events for which each application generates records are configured differently for each application monitored by Identity Audit. The URLs below have more information about each application.
Access Manager (http://www.novell.com/documentation/novellaccessmanager/adminguide/index.html?page=/documentation/novellaccessmanager/adminguide/data/b8cvd2l.html#b8cvd2l)
eDirectory (http://www.novell.com/documentation/novellaudit20/index.html?page=/documentation/novellaudit20/novellaudit20/data/b296n3h.html)
Identity Manager (http://www.novell.com/documentation/idm36/idm_sentinel/data/bookinfo.html)
NMAS (http://www.novell.com/documentation/nmas32/admin/index.html?page=/documentation/nmas32/admin/data/ahefojr.html)
SecretStore (http://www.novell.com/documentation/secretstore33/index.html?page=/documentation/secretstore33/nssadm/data/bsqdjxv.htm)
SecureLogin (http://www.novell.com/documentation/securelogin60/index.html) (see the Auditing link)
3.4 Logging In to Identity Audit
The administrative user created during the install can log into the Identity Audit application and create more users, run preloaded reports, upload new reports, perform event searches, and more.
To log into Identity Audit:
1 Open a supported Web browser. For more information, see Section 2.3, “Supported Browsers,” on page 18.
2 Go to the Novell Identity Audit page (for example: https://10.10.10.10:8443/novellidentityaudit).
3 If this is the first time you have logged into Identity Audit, you are presented with a certificate. You must accept it to proceed.
4 Enter admin.
5 Enter the admin password you configured during installation.
6 Select the language for the Identity Audit interface (English, Portuguese, French, Italian, German, Spanish, Japanese, Traditional Chinese, or Simplified Chinese).
7 Click Login.
3.5 Uninstalling
To fully uninstall an Identity Audit installation, you must run the uninstall script and then perform some manual cleanup steps.
1 Log into the Identity Audit server as root.
2 Stop the Identity Audit service:
/etc/init.d/identity_audit stop
3 Run the uninstallation script:
/opt/novell/identity_audit_1.0_x86-64/setup/root_uninstall_service.sh
4 Delete the Identity Audit home directory and its contents.
rm -rf /opt/novell/identity_audit_1.0_x86-64
The final steps depend on whether you want to retain any information related to the novell user and group.
5 (Conditional) If you do not want to retain any information related to the novell user, run the following command to remove the user, its home directory, and the group:
userdel -r novell && groupdel novell
6 (Conditional) If you do want to retain the novell user and its home directory but want to remove all Identity-Audit-related settings:
6a Remove the following environment variable entries for Identity Audit from the novell user’s profile (in ~novell/.bashrc):
APP_HOME=/opt/novell/identity_audit_1.0_x86-64
export PATH=$APP_HOME/bin:$PATH
6b Remove the dbauser entry from the PostgreSQL file ~novell/.pgpass:
*:*:*:dbauser:password
Although the dbauser password is shown in clear text, the contents of this file are only visible to the novell and root users, which already have full access to all functions on the Identity Audit server.
4 Reporting
Novell® Identity Audit is installed with a core set of report templates related to Novell applications. Any Identity Audit user can run a report by using the desired parameters (such as start and end date), and the report results are saved with a name of the user’s choosing. After the report runs, the results can be retrieved by any Identity Audit user and viewed as a PDF file.
Reports are organized by category. Identity Audit is installed with reports for each supported event source.
Section 4.1, “Running Reports,” on page 27
Section 4.2, “Viewing Reports,” on page 30
Section 4.3, “Managing Reports,” on page 31
Section 4.4, “Default Reports,” on page 34
4.1 Running Reports
Identity Audit is installed with a set of reports organized into several product categories. Reports run asynchronously, so users can continue to do other things in the application while the report is running. The PDF report results can be viewed by any user after the report finishes running.
Many report definitions include parameters. The user is prompted to set these before running the report. Depending on how the report developer designed the report, the report parameters can be text, numbers, bit values, or dates. A parameter might have a default value or a list based on values in the Identity Audit database.
Section 4.1.1, “Manually Running a Report,” on page 27
Section 4.1.2, “Scheduling a Report,” on page 29
4.1.1 Manually Running a Report
1 In Identity Audit, click Reports to display the available reports.
If desired, click a report definition to expand it. If you see a Sample Report link, you can click View to find out how the completed report looks with a set of sample data.
2 Select the report you want to run and click Run.
3 Set the schedule for running the report. If you want the report to run later, you must also enter a start time.
Now: This is the default. It runs the report immediately.
Once: Runs the report once at the specified date and time.
Daily: Runs the report once a day at the specified time.
Weekly: Runs the report once a week on the same day at the specified time.
Monthly: Runs the report on the same day of the month every month, starting at the specified date and time. For example, if the start date and time is October 28 at 2 P.M., the report will run on the 28th day of the month at 2 P.M. every month.
All time settings are based on the browser’s local time.
4 Specify a name to identify the report results.
Because the username and time are also used to identify the report results, the report name need not be unique.
5 Choose the language in which the report labels and descriptions should be displayed (English, French, German, Italian, Japanese, Traditional Chinese, Simplified Chinese, Spanish, or Portuguese).
The data in the report will be displayed in whatever language it was originally produced by the event source.
6 If the report includes time period parameters, choose the date range. All time periods are based on the local time for the browser.
Current Day: Shows events from midnight of the current day until 11:59 PM of the current day. If the current time is 8 AM, the report will show 8 hours of data.
Previous Day: Shows events from midnight yesterday until 11:59 PM yesterday.
Week To Date: Shows events from midnight Sunday of the current week until the end of the current day.
Previous Week: Shows the last seven days of events.
Month to Date: Shows events from midnight the first day of the current month until the end of the current day.
Previous Month: Shows a month of events, from midnight of the first day of the previous month until 11:59 PM of the last day of the previous month.
Custom Date Range: For this setting only, you also need to set a start date and end date below.
7 If you selected Custom Date Range, set the start date (From Date) and the end date (To Date) for the report.
If any of the other settings is selected for the report type, these time settings are ignored.
8 Set the Minimum Severity events to be included in the report.
9 Set the Maximum Severity events to be included in the report.
10 If the report should be mailed to a user or users, enter their e-mail addresses, separated by commas.
To enable mailing reports, the administrator must configure the mail relay under Rules > Configuration.
11 Click Run.
A report results entry is created and mailed to the designated recipients.
4.1.2 Scheduling a Report
When you run a report, you can run the report immediately or schedule it to be run later, either once or on a recurring basis. For scheduled reports, you must choose a frequency and enter a time at which the report should run.
Now: This is the default. It runs the report immediately.
Once: Runs the report once at the specified date and time.
Daily: Runs the report once a day at the specified time.
Weekly: Runs the report once a week on the same day at the specified time.
Monthly: Runs the report on the same day of the month every month, starting at the specified date and time. For example, if the start date and time is October 28 at 2 PM, the report will run on the 28th day of the month at 2 PM every month.
NOTE: All time settings are based on the browser’s local time.
Figure 4-1 Scheduled Reports
Report schedules can be removed or modified by using the Delete and Edit links.
4.2 Viewing Reports
Identity Audit users can view reports in the Identity Audit application. Other users might receive .pdf report files in e-mail.
1 To view the list of report results, click View.
All previously run reports are shown with the user-defined report name, the user who ran them, and what time the report was run.
If the server was restarted while a report was processing, you will see buttons to cancel or restart the report. If you restart the report, it uses the same parameters as the first time it was run. In cases where the report was run using a relative time setting (such as Current Day), the time period for the rerun report is based on the current date and time, not the date and time at which the report was originally run.
2 Click show parameters to see the exact values used to run the report.