SetAud and NetWare Auditing

General

NetWare has a built-in system for tracking certain types of events. It is called Auditing and is part of the core OS. Auditing was first introduced in NetWare 4.0 and remained virtually unchanged up to NetWare 6. With NetWare 6 and later, Novell introduced a new and improved system called NAAS; legacy auditing is still supported in NetWare 6, however.

This document deals with legacy auditing only and not NAAS.

Please also note that this is not meant to be a detailed description of auditing. For that, please see:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10013296.htm

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10068513.htm

http://www.novell.com/documentation/lg/nw5/docui/index.html#../usreflib/utlrfenu/data/hwrmvij9.html

How does auditing work?

The tracking of events is done by the NetWare OS itself. For certain operations, say a login or a file write, the operating system checks a set of flags to see whether the event should be audited and, if so, writes a small record into a database, the auditing file. In legacy auditing on NetWare 4.x, 5.x and 6.x, auditing is done per server, container or volume, so there is one separate database file per audited object.

The auditing databases are stored on the server in a protected location and are accessible only through the published auditing APIs, so they are hard to manipulate unless you have physical access to the server or write rights to the audit object (see "What rights do I need?" below). Note that anyone holding those write rights can reset the audit file and destroy old audit files; a reset is itself recorded as a RESET_AUDIT_FILE event, as the sample output below shows, so such records deserve attention when you review an export. The bottom line is that NetWare auditing is considerably harder to tamper with than the audit logs of some competing OSes, for which utilities exist that can manipulate the logs even from a remote PC.

In legacy auditing, there are no real-time alerts. You read the auditing file to find out who did what and from where, but you cannot have the auditing subsystem mail you when someone logs in. That feature is available in NAAS, however.

How do I get the data out?

To read the auditing data and to set auditing parameters, you need a front-end application. This is either auditcon.exe that ships with NetWare or a third-party application such as SetAud.exe.

The audit databases are rotated automatically, and once the configured number of files is used up the oldest data is overwritten. It is up to you to read the data often enough, before it is lost. One way is to extract the data periodically and store it in an offline database for safekeeping.

What rights do I need?

Access to auditing is governed by the Auditing DS object. If you enable auditing on a container called O=Acme, an object called AF0_Acme is created under that container. Anyone with read rights to that object's Audit Policy property can read auditing info, and anyone with write rights can change the auditing parameters and destroy old audit files. The administrator automatically has write rights, through inheritance, if he has rights to O=Acme. If in doubt, log in as Admin or equivalent when running SetAud.

Why use SetAud?

If you work for an educational establishment, you will probably have to create a number of OUs for new students every year, or worse, have other admins do it. For each OU someone then has to fire up AuditCon, enable auditing and get all the settings right.

SetAud.exe helps here: you create a template file with the events to audit once, and then simply invoke setaud.exe, either directly or from the automated procedure that creates the users. As an added bonus, SetAud can also disable auditing and clear out the log files before you delete an OU, and it can export the auditing logs in a format suitable for importing into Excel.

Query Audit Status

Use this function when you want to check the auditing status of a container or volume.

Syntax

setaud s container (options)

Queries the auditing status of a selected container. For example setaud s .ema

You can send the results to a file with the redirection operator ">".

setaud s .ema > results

Examples

setaud s .ema -r

Print out the auditing status of all containers starting with .ema

Read Audit Records

Use this to export the auditing info into a text file suitable for importing into Excel or Access.

Syntax

setaud r container/volume outfile


Examples

SETAUD R .EMA OUTFILE.SKV

This will read all auditing records from the container EMA and produce a file like this:

Date;Time;Replica;Event;EventName;UserID;UserName

2000-12-03;01:00:00;Rep: 1;98 ;Start Audit File;16777397 ;(null);Organization

2000-12-03;01:00:00;Rep: 1;67 ;RESET_AUDIT_FILE;16777397 ;(null);

2000-12-03;01:00:04;Rep: 2;98 ;Start Audit File;32834 ;(null);O;.;

2000-12-03;01:00:40;Rep: 1;58 ;ACTIVE_CONNECTION_RCD;117441168 ;CN=Kurs11.O=EMA.EMA_TREE.;1:00-00-01-01:00-80-5F-C3-A4-68;

2000-12-03;01:00:40;Rep: 1;174 ;MODIFY_ENTRY;117441168 ;CN=Kurs11.O=EMA.EMA_TREE.;CN=Kurs11ù;NRD:Registry Data;


The first 7 columns are fixed. Columns 8 and on depend on the event type. Note that date/time is reported as YYYY-MM-DD;HH:MM:SS in 24-hour format.

SETAUD R .EMA OUTFILE.SKV -o

Will include data from the old auditing archive files in the output as well. Any audited object can have up to 16 auditing files of a fixed size: the current file plus up to 15 archived ones. The number of files is set when you enable auditing, and the files are rotated automatically.

Please note that the combined output of the files (up to 15 archived plus the current one) is not sorted. Sort the resulting file on the date and time columns in the program you use for viewing.

SETAUD R SERVER1_VOL1.EMA OUTFILE.SKV

This will read all auditing records for the volume VOL1 on SERVER1. The output will look something like this:

Date;Time;Event;EventName;UserID;UserName;Handle;File

2002-02-06;14:26:58;58 ;ACTIVE_CONNECTION_RCD;25 ;Admin.EMA;1:00-80-5F-C9:8D-DB-49-A0-09-41;0;

2002-02-06;14:26:58;75 ;CREATE_DIRECTORY;25 ;Admin.EMA;0;/Ny mapp;511;4;0;

2002-02-06;14:26:58;12 ;CREATE_FILE;25 ;Admin.EMA;1198;/Ny mapp/TESTDIR.TMP;3;4;0;

2002-02-06;14:26:58;10 ;CLOSE_FILE;25 ;Admin.EMA;1198;/Ny mapp/TESTDIR.TMP;0;0;

2002-02-06;14:26:58;14 ;DELETE_FILE;25 ;Admin.EMA;0:/NYMAPP/TESTDIR.TMP;0;

2002-02-06;14:27:02;44 ;RENAME_MOVE_FILE;25 ;Admin.EMA; ;Ny mapp;Testmapp;0;

2002-02-06;14:27:10;82 ;QUERY_AUDIT_STATUS ;25 ;Admin.EMA;


The first 8 columns are fixed. Columns 9 and on depend on the event type (see below). Note that the per-event layouts below are given from the Handle column (column 7) onward, i.e. they include the Handle and File columns that the header already names, as the CREATE_DIRECTORY record above shows.

Note that date/time is reported as YYYY-MM-DD;HH:MM:SS in 24-hour format.


Some common file events:

Create file, Create directory, Open file:

Handle;Name;Rights;Namespace;Status;

Delete file:

Blank;Name;Namespace;Status

Close file

Handle;Name;Modified;Status;

Read file, Write file

Handle;Name;Bytecount;Offset;Status;

Modify name:

Blank;Name;Oldname;Status
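As an added example, not part of SetAud or of the original documentation, the Python below parses the .SKV files described here and under "Read Audit Records": it recognises the container and volume header layouts, decodes the event-specific columns for the common file events listed above, puts the unsorted combined -o output into time order, and picks out records that act on the audit trail itself. The column layouts and event names are taken from this page; the sample records are constructed for the example, modelled on those shown above, and the helper names and the set of "audit-control" events are the example's own choices.

```python
# Added example, not part of SetAud or its documentation: parser for the
# semicolon-separated .SKV exports written by "setaud r". Recognises the two
# header layouts shown on the page (container export with a Replica column,
# volume export with Handle/File), sorts the unsorted -o output by timestamp,
# decodes the event-specific trailing columns for the common file events and
# flags records that touch the audit trail itself.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

CONTAINER_HEADER = "Date;Time;Replica;Event;EventName;UserID;UserName"
VOLUME_HEADER = "Date;Time;Event;EventName;UserID;UserName;Handle;File"

# Trailing columns of the common file events (volume export), as listed on
# the page. They start at the Handle column, so they overlap the Handle/File
# pair already named in the header.
FILE_EVENT_LAYOUTS: Dict[str, List[str]] = {
    "CREATE_FILE":      ["Handle", "Name", "Rights", "Namespace", "Status"],
    "CREATE_DIRECTORY": ["Handle", "Name", "Rights", "Namespace", "Status"],
    "OPEN_FILE":        ["Handle", "Name", "Rights", "Namespace", "Status"],
    "DELETE_FILE":      ["Blank", "Name", "Namespace", "Status"],
    "CLOSE_FILE":       ["Handle", "Name", "Modified", "Status"],
    "READ_FILE":        ["Handle", "Name", "Bytecount", "Offset", "Status"],
    "WRITE_FILE":       ["Handle", "Name", "Bytecount", "Offset", "Status"],
    "RENAME_MOVE_FILE": ["Blank", "Name", "Oldname", "Status"],
}
FIXED_COLUMNS = 6  # Date, Time, Event, EventName, UserID, UserName precede Handle

# Events that act on the audit trail rather than on data (example's own choice):
# whoever can produce RESET_AUDIT_FILE can also destroy old audit files.
AUDIT_CONTROL_EVENTS = {"Start Audit File", "RESET_AUDIT_FILE", "QUERY_AUDIT_STATUS"}


@dataclass
class AuditRecord:
    when: datetime
    event_name: str
    user_name: str
    fields: Dict[str, str]   # fixed columns plus decoded event-specific ones
    extra: List[str]         # trailing columns with no known layout


def split_record(line: str) -> List[str]:
    """Split one record. SetAud pads numbers with a trailing space and ends
    every record with ';', so strip each cell and drop the empty last cell."""
    cells = [c.strip() for c in line.rstrip("\r\n").split(";")]
    while cells and cells[-1] == "":
        cells.pop()
    return cells


def parse_record(line: str, header: str) -> AuditRecord:
    names = header.split(";")
    cells = split_record(line)
    fields = dict(zip(names, cells))   # short records (QUERY_AUDIT_STATUS) just lack keys
    event_name = fields.get("EventName", "")
    consumed = len(names)
    if header == VOLUME_HEADER and event_name in FILE_EVENT_LAYOUTS:
        layout = FILE_EVENT_LAYOUTS[event_name]
        fields.update(zip(layout, cells[FIXED_COLUMNS:FIXED_COLUMNS + len(layout)]))
        consumed = FIXED_COLUMNS + len(layout)
    when = datetime.strptime(fields["Date"] + " " + fields["Time"], "%Y-%m-%d %H:%M:%S")
    return AuditRecord(when, event_name, fields.get("UserName", ""), fields, cells[consumed:])


def parse_export(text: str) -> List[AuditRecord]:
    """Parse a whole .SKV export. The header line selects the layout; the
    combined -o output is not sorted, so records are returned in time order."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].strip()
    if header not in (CONTAINER_HEADER, VOLUME_HEADER):
        raise ValueError("unrecognised SetAud header: " + header)
    records = [parse_record(ln, header) for ln in lines[1:] if ln.strip() != header]
    return sorted(records, key=lambda r: r.when)   # stable: ties keep file order


def audit_control_events(records: List[AuditRecord]) -> List[AuditRecord]:
    """Records that act on the audit trail itself; review these first."""
    return [r for r in records if r.event_name in AUDIT_CONTROL_EVENTS]


def events_per_user(records: List[AuditRecord]) -> Dict[Tuple[str, str], int]:
    """(user, event) -> count, a quick way to see who deleted or renamed what."""
    return Counter((r.user_name, r.event_name) for r in records)


# Constructed samples modelled on the records on the page. The volume sample
# is deliberately out of order, as combined -o output can be.
VOLUME_SAMPLE = "\n".join([
    VOLUME_HEADER,
    "2002-02-06;14:27:02;44 ;RENAME_MOVE_FILE;25 ;Admin.EMA; ;Ny mapp;Testmapp;0;",
    "2002-02-06;14:26:58;75 ;CREATE_DIRECTORY;25 ;Admin.EMA;0;/Ny mapp;511;4;0;",
    "2002-02-06;14:26:58;12 ;CREATE_FILE;25 ;Admin.EMA;1198;/Ny mapp/TESTDIR.TMP;3;4;0;",
    "2002-02-06;14:27:10;82 ;QUERY_AUDIT_STATUS ;25 ;Admin.EMA;",
])
CONTAINER_SAMPLE = "\n".join([
    CONTAINER_HEADER,
    "2000-12-03;01:00:00;Rep: 1;98 ;Start Audit File;16777397 ;(null);Organization",
    "2000-12-03;01:00:00;Rep: 1;67 ;RESET_AUDIT_FILE;16777397 ;(null);",
    "2000-12-03;01:00:40;Rep: 1;174 ;MODIFY_ENTRY;117441168 ;CN=Kurs11.O=EMA.EMA_TREE.;CN=Kurs11;NRD:Registry Data;",
])

if __name__ == "__main__":
    for rec in parse_export(VOLUME_SAMPLE):
        print(rec.when, rec.user_name, rec.event_name, rec.fields.get("Name"), rec.extra)
    for rec in audit_control_events(parse_export(CONTAINER_SAMPLE)):
        print(rec.when, rec.event_name)
```

The decoded layouts deliberately overlap the header's Handle/File pair, since that is where the per-event columns begin in the real records; any event without a known layout keeps its trailing cells in extra so nothing is silently dropped. Run it against a real export by reading the file into parse_export instead of the constructed sample.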

Enable auditing

Use this command to enable auditing on a container. You do this once; after that, auditing information is stored automatically for the events you have selected. If you want to change which events are audited, edit the control file and re-run the command.

setaud e container controlfile

The control-file is a simple text file that defines what events to audit and various other parameters:

; List of audited events

;

EVENTS:

ADS_ADD_ENTRY ,101

;ADS_REMOVE_ENTRY ,102

;ADS_RENAME_OBJECT ,103

;ADS_MOVE_ENTRY ,104

;ADS_CHANGE_SECURITY_EQUIV ,105

Please see the enclosed file events.txt for the full list. To track an event, simply uncomment it by removing the semicolon, then run SetAud again to update the auditing settings in NetWare.

Examples

Enable auditing on container SALES.ACME:

setaud e .sales.acme events.txt

Enable auditing on all containers below ACME:

setaud e .acme events.txt -r

Disable auditing and remove audit objects

This command disables auditing on the selected container and deletes its log files. Export anything you still need with "setaud r ... -o" first, since the records are gone once the files are deleted.

setaud d container


Disable auditing on container SALES.ACME:

setaud d .sales.acme

Program options

Options modify the way the program works and are always preceded by a hyphen:

-l = Log diagnostic output to file setaud.log

-o = Report old audit files in addition to the current

-v = Verbose mode; the level is given as a digit, i.e. -v0 to -v9

-r = Recurse from given container and down. BE CAREFUL!

-t = Act on the specified tree, i.e. -tTREENAME

More examples

Example 1

Read the latest auditing records from container sales.acme into a file called report.skv

setaud r .sales.acme report.skv


Example 2

Read all auditing records from container sales.acme into a file called report.skv

setaud r .sales.acme report.skv -o


Example 3

Read all auditing records from all containers below acme into a file called report.skv

setaud r .acme report.skv -o -r


Example 4

Read the latest auditing records from SERVER1_VOL1 into a file called report.skv

setaud r .server1_vol1.acme report.skv


Common NetWare error codes seen in auditing

-601, ERR_NO_SUCH_ENTRY

That object does not exist, most likely because you mistyped the container or volume name, or because it is in a different tree and you forgot the -tTREENAME switch.

-168, ERR_AUDITING_NO_RIGHTS 0x89A8

You have no rights to the audit object (see "What rights do I need?"). Try logging in as Admin.

-151, NWE_AUDITING_NOT_ENABLED 0x8997

This is normal when you enable auditing: SetAud first checks whether auditing is already enabled on the object and, if not, tries to enable it.