In order to have a clear idea of the security status of a system, it is necessary to monitor it continually. The aim of such monitoring is to discover any violations of the applicable security provisions, identify any existing security weaknesses and detect any configuration errors which could result in security loopholes. A corresponding monitoring concept should also be viewed as part of the security concept.
It is generally not feasible today for complex systems such as eDirectory to be monitored manually by individual administrators; monitoring must be automated, using appropriate system components or products of third-party vendors. The configuration of system monitoring must be adapted regularly as the system changes.
eDirectory provides the tool iMonitor for system monitoring. This is a client/server application in which the iMonitor service runs on some (or all) eDirectory servers. The clients can access it via a browser, which has to support HTML Version 3. The client seeking access must authenticate itself to the iMonitor services and, following successful authentication, it is granted access to the iMonitor data, with the rights that have been configured for it.
The information which the iMonitor service provides via an eDirectory server could be used by unauthorised persons to search systematically for security weaknesses in an existing eDirectory installation. For this reason it is recommended that access to the iMonitor service be allowed only with SSL encryption enabled, especially if access is possible from outside of the organisation's own network. For this purpose the appropriate server certificate must be imported into the browser on the client.
There are two different operational modes for iMonitor access, the direct mode and the proxy mode. In the direct mode, the browser is directly linked to the eDirectory server, whose status data is queried. On the eDirectory server the iMonitor services must be activated. In the proxy mode, a server on which the iMonitor services are available is accessed, but the actual information is retrieved from another server.
Compared with the proxy mode, the direct mode has the advantage that it requires less bandwidth and the server-centred functionality is available in full. From the point of view of IT security, however, the proxy mode is to be preferred so as to keep down the number of eDirectory computers allowing this possibility of direct access. A fixed dial-in address should be used here; this must then be monitored and protected appropriately.
The NDS Trace Utility is used to record eDirectory-specific events in a separate log file. This enables all eDirectory events to be logged. There is also a Novell Advanced Auditing Service (NAAS) additional module, which permits automatic evaluation of eDirectory-specific events.
The following aspects of monitoring should be considered:
The Data Privacy Protection Officer and the staff council and/or works council should be included in the early stages of planning, since monitoring generally also requires the capture of person-related data so that in the event of a security violation it is possible to reliably identify who was responsible.
As well as the eDirectory-specific events, operating system events must also be watched and logged in order to obtain a more complete picture of the system processes. Recommendations and information on logging at operating system level are contained in the existing modules in Chapters 5 and 6.
Third-party products are available which allow a central collection point to be set up for log files with corresponding automated evaluation. If a network and system management tool is used (see also module 6.8 Network and System Management), then, depending on the product, it is possible to import the eDirectory logs directly into this tool.
Depending on the settings, large volumes of data may be generated as a result of monitoring. This data must not only be evaluated regularly, but for space reasons it must also be deleted or transferred to other data media at regular intervals. At the same time it should be borne in mind that intensive monitoring may have an adverse effect on performance. It is possible for a server to become so overloaded as a result that controlled operation is no longer possible. For this reason the appropriate monitoring parameters must be checked during a test run and, if necessary, modified. It should be noted that such modification can also affect the entire monitoring concept, as it may no longer be possible for certain monitoring tasks to be carried out. This applies especially where additional products are used which depend heavily on the logged events. These include, for example, programs which automatically analyse log data for behavioural anomalies that might suggest an attack.
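The paragraph above calls for log data to be transferred to other media at regular intervals without losing its evidential value. The following script is an added example and not part of the original safeguard text or of any Novell tool: it moves log files older than a retention period into an archive directory, records a SHA-256 manifest so the archived copies can be verified later, and reports whether the volume still remaining on the server exceeds a configured cap (a warning for the administrator, not an automatic deletion). The directory layout, file name pattern (`*.log`), retention period and size cap are assumptions chosen for the example; the demo data it creates is constructed.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large log files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_old_logs(log_dir, archive_dir, max_age_days, size_cap_bytes, now=None):
    """Move *.log files older than max_age_days from log_dir to archive_dir.

    Each moved file is recorded in archive_dir/manifest.sha256 (hash computed
    before the move).  Returns a report with the moved file names, the bytes
    still held in log_dir and whether that remaining volume exceeds the cap.
    """
    now = time.time() if now is None else now
    log_dir, archive_dir = Path(log_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    cutoff = now - max_age_days * 86400
    moved = []
    with (archive_dir / "manifest.sha256").open("a", encoding="ascii") as manifest:
        for path in sorted(log_dir.glob("*.log")):
            if path.stat().st_mtime < cutoff:
                digest = sha256_file(path)          # hash before the file leaves the server
                dest = archive_dir / path.name
                shutil.move(str(path), str(dest))
                manifest.write(f"{digest}  {dest.name}\n")
                moved.append(path.name)
    remaining = sum(p.stat().st_size for p in log_dir.glob("*.log"))
    return {"moved": moved, "remaining_bytes": remaining,
            "over_cap": remaining > size_cap_bytes}


def verify_archive(archive_dir):
    """Re-hash every archived file and return the names whose hash no longer matches."""
    archive_dir = Path(archive_dir)
    mismatches = []
    with (archive_dir / "manifest.sha256").open(encoding="ascii") as manifest:
        for line in manifest:
            digest, name = line.rstrip("\n").split("  ", 1)
            target = archive_dir / name
            if not target.exists() or sha256_file(target) != digest:
                mismatches.append(name)
    return mismatches


def run_demo():
    """Constructed scenario: one 40-day-old log and one fresh log, 30-day retention."""
    base = Path(tempfile.mkdtemp())
    logs = base / "logs"
    logs.mkdir()
    old = logs / "ndstrace-old.log"
    old.write_text("old\n")
    new = logs / "ndstrace-new.log"
    new.write_text("new" * 10)               # 30 bytes stay on the server
    now = time.time()
    os.utime(old, (now - 40 * 86400, now - 40 * 86400))
    report = archive_old_logs(logs, base / "archive", max_age_days=30,
                              size_cap_bytes=1000, now=now)
    mismatches = verify_archive(base / "archive")
    shutil.rmtree(base)
    return report, mismatches


if __name__ == "__main__":
    print(run_demo())
```

Run it from a scheduled job after each evaluation cycle; `verify_archive` is the check to run on the archive medium before the originals are considered safely transferred. Logs that are still within the retention period are never touched, so the `over_cap` flag is what signals that the monitoring parameters themselves need to be revisited.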
Within the framework of the monitoring of system functions it is also recommended to check the eDirectory replication process regularly, since configuration changes are propagated through it. Errors in replication usually have the result that configuration changes are not implemented everywhere, so that, for example, a given user might retain more privileges than they are supposed to have.
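One practical way to detect the replication failure described above is to export the same security-relevant objects from each replica and compare them attribute by attribute. The script below is an added example and not part of the original safeguard text or of any eDirectory tool: it takes per-replica snapshots (in practice obtained with an LDAP search against each server; here a constructed in-memory sample), reports every divergence from a chosen reference replica, and separately flags the cases where a replica still holds a privilege value the reference no longer has. The attribute names `groupMembership` and `securityEquals` are used as examples of privilege-bearing attributes; the object names and replica names are constructed.

```python
from typing import Dict, List, Set

# object DN -> attribute name -> set of values, as exported from one replica
ReplicaSnapshot = Dict[str, Dict[str, Set[str]]]

# Attributes whose values grant rights; an "extra" value here is the
# "more privileges than supposed" case.  Assumed set for this example.
PRIVILEGE_ATTRS = {"groupMembership", "securityEquals"}

# Constructed sample: srv1 is current, srv2 still has a stale admin group
# membership, srv3 has not yet received the account-disable change.
SAMPLE_SNAPSHOTS: Dict[str, ReplicaSnapshot] = {
    "srv1": {"cn=jdoe,ou=users,o=org": {
        "groupMembership": {"cn=Staff,ou=groups,o=org"},
        "loginDisabled": {"TRUE"}}},
    "srv2": {"cn=jdoe,ou=users,o=org": {
        "groupMembership": {"cn=Staff,ou=groups,o=org", "cn=Admins,ou=groups,o=org"},
        "loginDisabled": {"TRUE"}}},
    "srv3": {"cn=jdoe,ou=users,o=org": {
        "groupMembership": {"cn=Staff,ou=groups,o=org"},
        "loginDisabled": {"FALSE"}}},
}


def compare_replicas(snapshots: Dict[str, ReplicaSnapshot], reference: str) -> List[dict]:
    """Return one finding per (replica, object, attribute) that differs from the reference.

    'extra' holds values present on the replica but not on the reference,
    'missing' the reverse.  Objects absent on one side are compared as empty.
    """
    findings = []
    ref = snapshots[reference]
    for name, snap in snapshots.items():
        if name == reference:
            continue
        for dn in sorted(set(ref) | set(snap)):
            ref_attrs = ref.get(dn, {})
            rep_attrs = snap.get(dn, {})
            for attr in sorted(set(ref_attrs) | set(rep_attrs)):
                ref_vals = ref_attrs.get(attr, set())
                rep_vals = rep_attrs.get(attr, set())
                extra, missing = rep_vals - ref_vals, ref_vals - rep_vals
                if extra or missing:
                    findings.append({"replica": name, "dn": dn, "attribute": attr,
                                     "extra": extra, "missing": missing})
    return findings


def privilege_findings(findings: List[dict], privilege_attrs: Set[str] = PRIVILEGE_ATTRS) -> List[dict]:
    """Keep only findings where a replica grants a privilege the reference does not."""
    return [f for f in findings if f["attribute"] in privilege_attrs and f["extra"]]


if __name__ == "__main__":
    all_findings = compare_replicas(SAMPLE_SNAPSHOTS, "srv1")
    for f in all_findings:
        print(f"{f['replica']}: {f['dn']} {f['attribute']} "
              f"extra={sorted(f['extra'])} missing={sorted(f['missing'])}")
    print("privilege divergences:", len(privilege_findings(all_findings)))
```

Any non-empty result from `compare_replicas` means the replicas disagree and the replication process needs attention; the `privilege_findings` subset is the one worth alerting on immediately, because a stale group membership or security equivalence on a single replica is exactly the case where a user keeps rights that were already revoked elsewhere.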
Additional controls:
- Has a monitoring concept that is tailored to the requirements been drawn up and implemented?
- Are important system events logged?
- Have monitoring settings been configured for important system files?