IT Baseline Protection Manual S 2.150 Auditing of Novell Netware 4.x networks
S 2.150 Auditing of Novell Netware 4.x networks
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Auditors
One important technique for ensuring the security of a network is to allow independent auditors to check the events taking place in it. For this purpose, Netware 4.x allows a large number of events in the NDS and the file system to be tracked by activating an auditing function with the utility program SYS:PUBLIC\AUDITCON.EXE. Netware 4.x permits any required number of users to be assigned the role of an auditor. This program offers the following functions, among others:
Auditors can monitor all NDS and file events on the Netware server, in the containers, or on a particular volume.
Auditing of the file system can be activated on the volume and container levels.
Auditors can trace network events and activities, but except for the auditing data and auditing log files, they can only open or edit files for which they have been granted access rights by the administrator.
Note: If the logging function is activated, the log file can become very large. For this reason, a limit should be imposed on the maximum size of the file in order to prevent a shortage of storage space. However, as the maximum size depends on the number of users and the activities they perform, no fixed values can be specified here.
The data accumulated in this process usually relates to individual persons and is thus subject to the Federal Data Privacy Act. This data may only be used for the purposes of ensuring data privacy, maintaining data backups and guaranteeing correct operation (also refer to S 2.110 Data privacy guidelines for logging procedures).
To configure an independent auditor who can check the activities of an administrator, but possesses no other administrative rights in the network, the following steps must be taken:
In the case of Netware 4.10, the auditing for the file system and for the NDS must be activated and a password must be assigned. Anyone who knows this password is able to evaluate the audited data. Under Netware 4.10, therefore, great care must be taken to ensure that no unauthorised persons obtain this password. No further allocation of rights is required under Netware 4.10.
In Netware version 4.11 and higher, the information is stored in the NDS audit file objects. This considerably improves the security. In addition, there is much more scope for monitoring under Netware 4.11, as the number of auditing mechanisms and functions has been substantially increased.
Create a user object for the auditor. The authorisation should not be granted to a conventional user account, as this would undermine the separation of roles and thus the security of the auditing.
In Netware version 4.11 and higher, the auditor must receive the necessary right to the corresponding NDS audit file objects.
Activate the network auditing function. The person who creates the NDS audit file object receives the Supervisor right to the NDS audit file object and the Write right to its Access Control List property. This user also receives the Read and Write rights to the Audit Policy property and the Read right to the Audit Contents property. The creator of this NDS audit file object is therefore able to both administer and evaluate the auditing.
Allocate an auditor password in the utility SYS:PUBLIC\AUDITCON.EXE in order to make the auditor independent from the administrator (Netware 4.10, and for reasons of compatibility also in Netware 4.11).
In Netware version 4.11 and higher, the auditor should be made independent from the administrator through the allocation of NDS rights. It can also be determined whether a particular auditor is allowed to view audit files and/or manage the auditing.
If, for carefully considered reasons, it is not desirable or possible to configure the role of an independent auditor, the log files can also be evaluated by the administrator. In that case it must be noted that the administrator's own activities are then difficult to monitor. Consequently, the results of the evaluation should be presented at least to the IT security officer, the person responsible for IT, or another specially appointed staff member.
Additional controls:
Who evaluates the auditing files?
Can the activities of the administrator be monitored to a sufficient extent?
Is the IT security management notified of irregularities?
Has a limit been imposed on the maximum size of the log files in order to prevent storage shortages?