S 4.160 Monitoring of Novell eDirectory

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Auditor, Head of IT, Administrator

In order to determine the security status of a system, the system must be monitored continuously. The goal of such monitoring is to detect violations of the applicable security regulations, existing security gaps, and misconfigurations that could open up security gaps. For this reason, a corresponding monitoring concept should be part of the security concept.

Nowadays it is generally impossible for administrators to monitor a complex system such as eDirectory manually. Instead, monitoring must be performed automatically by the corresponding system components or by third-party products. The configuration of the system monitors must also be adapted regularly to reflect changes made to the system.

eDirectory provides the iMonitor tool for system monitoring. iMonitor is a client/server application: the iMonitor service runs on some (or all) eDirectory servers, and clients access it with a browser that must support at least HTML version 3. The accessing party must authenticate to the iMonitor service and, after successful authentication, is granted access to the iMonitor data in accordance with the rights configured for that party.

The information about an eDirectory server provided by the iMonitor service may, under some circumstances, be used by unauthorised persons to search for security gaps in an existing eDirectory installation. For this reason, access to the iMonitor service should only be allowed with SSL encryption enabled, particularly if access is possible from outside the government agency's or company's network. For this, the browser on the client must trust the server certificate, i.e. the server certificate (or the certificate of the CA that issued it) must be imported into the browser.

There are two modes of operation for iMonitor access: direct mode and proxy mode. In direct mode, the browser connects directly to the eDirectory server whose status data is retrieved; the iMonitor service must be enabled on that server. In proxy mode, the browser connects to a server providing the iMonitor service, but the actual information is retrieved by that server from another eDirectory server.

Compared to proxy mode, direct mode has the advantage that it requires less bandwidth and that all server-centric functions are fully available. From an information security perspective, however, proxy mode should be preferred, so that not every eDirectory server has to allow direct access. A fixed, dedicated access address should be used for this purpose, which must then be controlled and protected accordingly.

The NDS trace utility captures eDirectory-specific events in a separate log file, so that all eDirectory events can be logged. In addition, the NAAS (Novell Advanced Auditing Service) module can be used to evaluate eDirectory-specific events automatically.

The following aspect must also be taken into account in the context of monitoring:

When monitoring the system functions, eDirectory replication, which distributes directory changes (including changes to rights) to the other servers holding a replica of a partition, should also be checked regularly. Replication errors usually mean that changes are not applied everywhere; a right revoked on one server may then remain in effect on another replica, so that some users have too many rights, for example.
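One way to turn the replication check above into an automated test is to run the same LDAP search for the ACL attribute against every server holding a replica of a partition and compare the results object by object. The following script is an added example and not part of the BSI safeguard text or of any Novell tool; it assumes the documented eDirectory LDAP representation of ACL values ("privileges#scope#subjectDN#protectedAttribute", with bit 16 on "[Entry Rights]" meaning Supervisor) and uses a constructed sample in which a Supervisor grant revoked on server "srv-a" still exists on the replica held by "srv-b". The server names, DNs and snapshot contents are illustrative; in practice the snapshots would be filled from the LDAP search results of each replica server.

```python
"""Replica consistency check for eDirectory ACLs.

Added example (not part of the safeguard text). The snapshots below are
constructed by hand; in practice they are the result of the same LDAP
search (base = partition DN, attribute = ACL) run against every server
holding a replica of that partition.
"""

from typing import Dict, List, Set, Tuple

# eDirectory exposes ACLs via LDAP as "privileges#scope#subjectDN#protectedAttr"
# (assumed format as documented for the ACL attribute). On "[Entry Rights]"
# bit 16 of the privilege mask is Supervisor, the most dangerous right to leak.
ENTRY_RIGHTS = "[Entry Rights]"
ENTRY_SUPERVISOR = 16

# object DN -> set of ACL attribute values found on one replica
Snapshot = Dict[str, Set[str]]


def parse_acl(value: str) -> Tuple[int, str, str, str]:
    """Split an ACL value into (privileges, scope, subject DN, protected attr)."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed ACL value: {value!r}")
    privileges, scope, subject, attr = parts
    return int(privileges), scope, subject.lower(), attr


def compare_replicas(snapshots: Dict[str, Snapshot]) -> List[str]:
    """Return one finding per ACL value that is not present on all replicas.

    A value present on only some replicas means a grant or a revocation has
    not synchronised everywhere. Supervisor entry rights are rated HIGH
    because a stale grant leaves a user with full control on that replica.
    """
    servers = sorted(snapshots)
    findings: List[str] = []

    all_dns: Set[str] = set()
    for snap in snapshots.values():
        all_dns |= set(snap)

    for dn in sorted(all_dns):
        union: Set[str] = set()
        for server in servers:
            union |= snapshots[server].get(dn, set())
        for acl in sorted(union):
            holders = [s for s in servers if acl in snapshots[s].get(dn, set())]
            if len(holders) == len(servers):
                continue  # consistent across all replicas
            missing = [s for s in servers if s not in holders]
            privileges, _scope, _subject, attr = parse_acl(acl)
            severity = (
                "HIGH"
                if attr == ENTRY_RIGHTS and privileges & ENTRY_SUPERVISOR
                else "MEDIUM"
            )
            findings.append(
                f"{severity} {dn}: '{acl}' present on {holders}, missing on {missing}"
            )
    return findings


# Constructed sample: Supervisor was revoked from cn=jdoe on srv-a, but the
# replica on srv-b has not received the change yet.
SAMPLE: Dict[str, Snapshot] = {
    "srv-a": {
        "ou=finance,o=example": {
            "16#subtree#cn=admin,o=example#[Entry Rights]",
            "6#subtree#cn=helpdesk,ou=it,o=example#telephoneNumber",
        },
    },
    "srv-b": {
        "ou=finance,o=example": {
            "16#subtree#cn=admin,o=example#[Entry Rights]",
            "6#subtree#cn=helpdesk,ou=it,o=example#telephoneNumber",
            "16#subtree#cn=jdoe,ou=finance,o=example#[Entry Rights]",  # stale grant
        },
    },
}


if __name__ == "__main__":
    for finding in compare_replicas(SAMPLE):
        print(finding)
```

The check deliberately reports any value that is not identical on every replica, not just extra Supervisor rights, because a grant missing from one replica is just as much a replication error as a revocation that has not propagated; only the severity differs. Running it on a schedule against the real replica ring, and alerting on any HIGH finding, gives the monitoring concept a concrete control for the "too many rights" failure mode.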

Review questions: