-------------------------------------------------------------------------
AUDITCON.DOC -- 19980319 -- Email thread on NetWare's Auditing Facilities
-------------------------------------------------------------------------

Feel free to add or edit this document and then email it back to
faq@jelyon.com

Date: Fri, 2 Feb 1996 10:02:28 +0100
From: "David W. Hanson"
Subject: Re: 4.1 Auditcon Question

>This 3.12 CNE-Wannabe requests a bit of help with a concept for the 3
>to 4.1 Update course/test:
>
> The Study Guide goes into some detail about AUDITING. Says the first
>step is for ADMIN to "...activate (sic) the AUDITCON utility from
>SYS:PUBLIC."
>
> (I cannot find for sure whether this is an NLM or an EXE file. I
>strongly suspect NLM, though.) Which would mean it needs to be
>activated from the console or through RCONSOLE, no? By loading?
>
> Then, in step 4, the auditor is to log in to AUDITCON. Does this mean
>using, at a workstation, the command line: login auditcon ?? If so,
>is auditcon a user object? If not, what is it?
>
> If auditcon is an NLM, does it have to be loaded on the server (like
>on a restart, via autoexec.ncf or some other way) before the auditor
>can log in? Does logging in as auditcon (if that is in fact what must
>be done) automatically put that user into the AUDITCON menu utility?
>(The pictures in the guide look like the same utility.) How is this
>done? (How is the user automatically put into AUDITCON?) Through
>scripting?

Thus sayeth the holy DynaText:

Enabling Auditing

You can enable auditing to track events in NDS and in the file system.

NOTE: When auditing is enabled for the NDS container it is enabled for
that container only; it is not enabled for subordinate containers.
Likewise, when auditing is enabled for a volume, it is enabled for that
volume only. This reduces overhead on other volumes.

At the NDS container level, events relate to the use of NDS.
For example, the NDS container level is the appropriate choice when the
goal is to monitor the creation of User objects.

At the volume level, events relate to the use of files and directories,
queues, or NetWare servers. For example, the volume level is the
appropriate choice when the goal is to track the number of times a
certain user opens a specific file.

Enabling Auditing for an NDS Container

To enable auditing for an NDS container, do the following:

1. At the DOS prompt, type the following:

       AUDITCON

   The "Available Audit Options" menu appears. The current NetWare
   server and volume appear at the top of the screen.

2. Select "Audit Directory Services".
   The "Audit Directory Services" menu appears. The session context
   appears at the top of the screen.

3. (Optional) Change the context by doing the following:

   3a. Select "Change Session Context".

   3b. At the prompt, type the context of the container for which
       auditing is being enabled and press .
       The "Audit Directory Services" menu appears.

4. Select "Audit NDS tree".
   A list of containers appears.

5. Highlight the container to be audited and press .
   The "Available Audit Options" menu appears.

6. Select "Enable Container Auditing".

7. At the prompt, type a password for the container and press .

8. At the prompt, retype the password and press .

9. Notify the auditor of the password.

Enabling Auditing for a Volume

The procedure for enabling auditing at the volume level is similar to
enabling auditing at the NDS container level. The difference is that
menu selections pertain to the volume being audited.

To enable auditing at a volume level, do the following:

1. At the DOS prompt, type the following:

       AUDITCON

   The "Available Audit Options" menu appears. The current NetWare
   server and volume appear at the top of the screen.

2. Select "Enable Volume Auditing".
   A list of volumes appears.

3. Highlight the volume to be audited and press .
   The "Available Audit Options" menu appears.

4. Select "Auditor Volume Login".
5. At the prompt, type a password for the volume and press .

6. At the prompt, retype the password and press .

7. Notify the auditor of the password.

> Final question on this (for now at least). The audit history file
>"...AUD$HIST.DAT is used to audit the auditor. ... This allows Admin
>to keep the auditor in check." So how does Admin view the contents of
>AUD$HIST.DAT?

Thus sayeth the holy DynaText:

AUDITCON creates the following audit files when auditing is enabled at
the volume or NDS container level:

    Audit Data file (NET$AUD.DAT)
    Audit History file (AUD$HIST.DAT)
    Audit Configuration file (NET$AUD.CFG)

The Audit Data file keeps records of all audited transactions at both
the NDS and Volume level. The auditing configuration that is set
(recorded in the NET$AUD.CFG file) determines the type of records
entered into the Audit Data file.

The Audit Data file operates like a system log and error file; records
are automatically entered into the file whenever an audited event
occurs.

At the NDS container level, the Audit Data file also includes the
records of the auditor's activities, such as auditor logins and logouts,
and auditing configuration changes. This information is hidden in the
root of the volume audited. This information is stored in the NDS
database files, which are replicated throughout the network.

The Audit Data file and Audit History file store auditing data for the
volume, whereas the NDS audit data is stored in the NDS database files.
The NDS auditing data is replicated everywhere the partition is
replicated.

The auditor is responsible for maintaining the audit files. As auditing
continues, the audit files include more and more records of audited
events. Like the log files on the NetWare server, these files do not
circle back on top of themselves.

------------------------------

Date: Thu, 19 Mar 1998 01:35:40 -0800
From: Randy Richardson
Subject: Re: Accounting on 4.11

>Does 4.11 have Accounting and can it be used to help with security?
>I heard that it writes a log file of login/logout times of each user.

See the following URL:

http://support.novell.com/cgi-bin/search/search.pl?database_name=tid&search_term=audit

------------------------------