IBM Security Directory Server: Utilizing the Audit.log

Size: px

Start display at page:

Download "IBM Security Directory Server: Utilizing the Audit.log"

Maximillian Armstrong
6 years ago
Views:

Architect Chandrajit G Joshi SDS Development Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio.

1 IBM Security Directory Server Open Mic Webcast #1 November 4, 2014 IBM Security Directory Server: Utilizing the Audit.log Panelists Roy Spencer L2LDAP Technical Lead Ram Reddy L2LDAP Senior Engineer Benjamin Matteson L2LDAP Stephanie Blackwood L2LDAP Manager Brook Heimbaugh L3 Team Leader Dave Bachmann Lead Product Architect Chandrajit G Joshi SDS Development Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA Toll Free: USA Toll: Participant passcode: International dial-in numbers are at: NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call IBM Corporation

2 Goal: To understand how to use SDS Audit.log for compliance and problem solving At the end of this presentation, you should be aware of: 1. What IBM Security Directory Server Auditing and how it is used 2. How to enable SDS auditing via command line, WebAdminTool and ibmslapd.conf 3. Different levels of audit.log and when they are commonly used 4. How to use audit.log records to duplicate a condition 5. How to audit for performance 6. A review of pre and post op auditing 2

3 What is SDS Auditing and what is it used for? Every operation processed by IBM Security Directory Server can be recorded -The audit.log record for a transaction is written to log after the operation completes - The level of logging can be set from very minimal data, to essentially every operation - Generally low overhead -The primary purpose is as a security feature, showing detailed data such as the who/what/when of a transaction -Useful tool in duplicating or debugging a problem operation 3

4 The Event Correlation Service (ECS) How to enable the audit.log ibmslapd.conf 4 dn: cn=audit, cn=log Management, cn=configuration cn: Audit ibm-audit: false ibm-auditadd: false ibm-auditattributesongroupevalop: false ibm-auditbind: true ibm-auditcompare: false ibm-auditdelete: false ibm-auditextop: false ibm-auditextopevent: false ibm-auditfailedoponly: true ibm-auditgroupsongroupcontrol: false ibm-auditmodify: false ibm-auditmodifydn: false ibm-auditperformance: false ibm-auditptabindinfo: true ibm-auditsearch: false ibm-auditunbind: true ibm-auditversion: 3 ibm-slapdlog: /<instancehome>/idsslapd-<instance>/logs/audit.log some lines removed Enabling/disabling audit.log via ibmslapd.conf: 1. stop ibmslapd ibmslapd -I <inst> -k 2. manually change the ibmslapd.conf settings for Audit.log in the cn=audit,cn=log Management,cn=Configuration stanza 3. restart ibmslapd ibmslapd -I <inst>

5 Enabling the Audit.log via the WebAdminTool - 1 Login to webadmin as admin dn Server Administration Logs Modify Log Settings Server audit log Edit Settings 5

6 Enabling the Audit.log via the WebAdminTool - 2 On Edit settings page, enable audit.log and select which operations to audit click Finish 6

7 A quick overview of the Audit.log options Enable/Disable Audit.log functionality is enabled/disabled based on how this True/False attribute is set: ibm-audit: false Indicates audit.log is disabled The same is true for: ibm-auditfailedoponly: true Which means, only if the operation in question fails will an audit.log record be written. And/Or If ibm-audit: true Indicates the audit.log is enabled ibm-auditfailedoponly: false Then all operations will be written (success and failures) 7

8 Audit.log options Operations to audit Which operations the audit.log will record are based on the setting set for each of the following most commonly used settings: ibm-auditbind ibm-auditunbind ibm-auditsearch ibm-auditadd Ibm-auditModify ibm-auditcompare Ibm-auditDelete Others: ibm-auditextop ibm-auditextopevent Each time a client application attempts to run any operation in Directory Server, the application must first bind. - if audit.log is enabled, and binds are being audited for, an audit.log record will be written After binding, the operation in question will be processed, and if audit.log is enabled for that operation type, the audit.log record for that transaction will be written When completed, the client application will unbind, and if enabled in the audit.log settings will result in an 'unbind' audit.log record 8

command: http://www.ibm.com/support/docview.wss?

9 Enabling audit.log via command line This can be done via the ldapmodify command: Example: idsldapmodify -h <hostname> -p <port#> -D <admindn> -w <adminpw> -i audit_enable.ldif 9

10 Validating what audit.log levels are enabled The audit.log will contain a message each time the audit.log level is altered: -GLPSRV023I Directory server audit logging started. The audit configuration options are: ibm-slapdlog = /home/in631ec1/idsslapd-in631ec1/logs/audit.log,ibm-auditversion = 3,ibm-audit = true,ibm-auditfailedoponly = true,ibm-auditbind = true,ibmauditunbind = true,ibm-auditsearch = false,ibm-auditadd = false,ibm-auditmodify = false,ibm-auditdelete = false,ibm-auditmodifydn = false,ibm-auditextopevent = false,ibm-auditextop = false,ibm-auditattributesongroupevalop = false,ibmauditcompare = false,ibm-auditgroupsongroupcontrol = false,ibmauditperformance = false,ibm-auditptabindinfo = true. 10

Examples of common audit.log errors - Bind AuditV3--2014-09-22T11:31:48.631000-5:00--V3 unauthenticated Bind--bindDN: cn=root-- client: 127.0.0.1:63132--connectionID: 176346--received: 2014-09-22T11:31:48.

11 Examples of common audit.log errors - Bind AuditV T11:31: :00--V3 unauthenticated Bind--bindDN: cn=root-- client: : connectionID: received: T11:31: :00--Invalid credentials controltype: criticality: false name: cn=root authenticationchoice: simple Admin Acct Status: Not Locked 11

12 Examples of commonly audited operation - Search AuditV T11:44: :00--V3 Search--bindDN: cn=root--client: : connectionID: received: T11:44: :00-- Success controltype: criticality: false base: scope: baseobject derefaliases: neverderefaliases typesonly: false filter: (objectclass=*) attributes: ibmdirectoryversion Header contains: <audit type> <date op completed> - <op type> - <bind dn> - <client system> <connection ID> <date op received> - <result of op> Body contains: <base used>, <scope used>, <filter used> and <attributes requested> 12

13 Using audit.log to duplicate an operation - part 1 AuditV T11:44: :00--V3 Search--bindDN: cn=root--client: : connectionID: received: T11:44: :00-- Success controltype: criticality: false base: scope: baseobject derefaliases: neverderefaliases typesonly: false filter: (objectclass=*) attributes: ibmdirectoryversion The things we need to know before we can duplicate a record seen in an audit.log 1. what is the type of operation in this case: V3 Search 2. what bind dn was used in this case: cn=root 3. What was the base and scope of the search in this case: base: <null> and scope: baseobject 4. What was the filter used, and what attributes were requested In this case: filter: (objectclass=*) and attributes: ibmdirectoryversion 13

14 Using audit.log to duplicate an operation part 2 AuditV T11:44: :00--V3 Search--bindDN: cn=root--client: : connectionID: received: T11:44: :00-- Success controltype: criticality: false base: scope: baseobject derefaliases: neverderefaliases typesonly: false filter: (objectclass=*) attributes: ibmdirectoryversion By using the information from the audit.log, we can duplicate the operation manually by running: <op type> <bind dn> <base> <scope><filter> <attribute> #idsldapsearch -D cn=root -w? -b -s base objectclass=* ibmdirectoryversion 14

15 Enabling Audit.log for performance In 6.1 and later, there is also a new feature to enable performance audit logging. To utilize this feature create an ldif file containing: dn: cn=audit,cn=log Management,cn=Configuration changetype: modify replace: ibm-auditperformance ibm-auditperformance: true call the file 'perfaudit.ldif' and run the following modify: idsldapmodify -D <admin_dn> -w <password> -i perfaudit.ldif. 15

16 Example of an audit.log for performance AuditV T12:24: :00--V3 Search--bindDN: cn=root--client: : connectionID: 1--received: T12:24: :00--Success operationresponsetime: 0 timeonworkq: 0 rdbmlockwaittime: 0 clientiotime: 0 controltype: criticality: false base: o=sample scope: baseobject derefaliases: neverderefaliases typesonly: false filter: (objectclass=*) NumberOfEntriesReturned: 1 A description of what each of these attributes describe an be seen in the admin guide 16

17 Pre and Post Op Auditing The following technical doc describes pre and post op audit.log in detail Summary: Produces a total of two (2) audit.log records. One when the request is initially seen by the ldap server (the pre-op record) and the second when the operation in question completes (the post-op or standard audit.log record) AuditV :55: :00DST--V3 PREOP: 2 threadid: 2057 Search--bindDN: cn=root--client: : connectionID: 1--received: :55: :00DST--Success... AuditV :55: :00DST--V3 POSTOP: 2 threadid: 2057 Search-- binddn: cn=root--client: : connectionID: 1--received: :55: :00DST Success... 17

18 Review of presentation objectives You should now be aware of: 1. What is SDS Auditing and how it is used (a means of recording operations in an SDS environment) 2. How to enable SDS auditing via command line, WebAdminTool and ibmslapd.conf 3. Different levels of audit.log and when they are commonly used (add/modify/delete etc) 4. How to use audit.log records to duplicate a condition 5. How to audit for performance 6. A review of pre and post op auditing 18

Where do you get more information? Main SDS IBM Support Portal site: http://www- 947.ibm.com/support/entry/portal/product/security_systems/ibm_security_directory_server?

uid=swg21405323 Must Gather docs on Audit.log http://www.ibm.com/support/docview.wss?

19 Where do you get more information? Main SDS IBM Support Portal site: ibm.com/support/entry/portal/product/security_systems/ibm_security_directory_server?productContext= Technotes you can review: Enabling Audit.log from command line: Must Gather docs on Audit.log IBM developerworks article: Troubleshooting IBM Tivoli Directory Server performance, Part 1: Resolving slow queries using the TDS audit log - Part Part 2 KnowledgeCenter: Useful links: Collecting Data for Directory Server: Read first for all Directory Server products Follow us: 19

20 Questions for the panel? Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the SmartCloud Meetings chat 20

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to IBM Security Systems improper access from within and

No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access.

services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. www.ibm.com/security Copyright IBM Corporation 2014.

21 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to IBM Security Systems improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. 21

Security Support Open Mic Client Certificate Authentication

IBM Security Access Manager, Tuesday, December 8, 2015 Security Support Open Mic Client Certificate Authentication Panelists Jack Yarborough ISAM Level II Nick Lloyd ISAM Level II Scott Stough ISAM Level