User manual NOVELL XDASV2 ADMINISTRATION GUIDE V1

[. . . ] novdocx (en) 16 April 2010 AUTHORIZED DOCUMENTATION Administration Guide Novell® v1 October 15, 2010 XDASv2 for eDirectory, IDM, and NMAS www. novell. com Novell XDASv2 Administration Guide novdocx (en) 16 April 2010 Legal Notices Novell, Inc. , makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. , makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. [. . . ] This event should be reported whenever an existing session (as defined above) is terminated. Terminate Session 0. 0. 1. 1 Query Session 0. 0. 1. 2 Query user session This event should be reported attributes whenever attribute information is requested on an existing session. DSE_CHANGE Modify user session This event should be reported whenever attribute information _CONN_STAT attributes E is modified on an existing session. Modify Session 0. 0. 1. 3 A. 3 Data Item and Resource Element Management Events This set of events relate to the creation and management of data items and resource elements within a domain. The type of data item or resource element is dependent upon the domain. For example, files and directories, device special files, and shared memory segments within an operating system, tables and records within a database, messages within an email system. The term data item is used in this context to refer to any type of resource element. Table A-3 Data Item and Resource Element Management Event Taxonomy Event Name Event Identifier Corresponding eDir Event Dexription Use Create Data Item 0. 0. 2. 0 DSE_CREATE Create a data item This event is reported whenever a _ENTRY security-relevant data item or resource element is created. DSE_DELETE Delete a data item This event is reported whenever a _ENTRY security-relevant data item or resource element is deleted DSE_COMPA RE_ATTR_VA LUE Query data item attributes This event is reported whenever a security-relevant data item or resource element is queried ­ either for value, or for an attribute of the data item. Delete Data Item 0. 0. 2. 1 Query Data Item Attribute 0. 0. 2. 2 XDASv2 Events 23 novdocx (en) 16 April 2010 Event Name Event Identifier Corresponding eDir Event Dexription Use Modify Data Item Attribute 0. 0. 2. 3 DSE_DEFINE _ATTR_DEF DSE_REMOV E_ATTR_DEF DSE_REMOV E_CLASS_DE F DSE_DEFINE _CLASS_DEF DSE_MODIFY _CLASS_DEF Modify data item attributes This event is reported whenever a security-relevant data item or resource element is modified ­ either the value, or an attribute of the data item A. 4 Service or Application Management Events This set of events relates to the management of services or applications. For example, the RPM package manager might throw these events as packages are installed or removed from a Linux system. Windows 32 Service Control Manager (SCM) events sent to the Windows 32 System Event Log may be translated into these events as they are imported into OpenXDASv2. This set of events could also be much more domain-specific, including concepts such as installing, removing, or configuring installable executable-modules within a single application domain. The key idea is to ensure that reported events have security significance. Table A-4 Service or Application Management Event Taxonomy Event Name Event Identifier Corresponding eDir Event Description Use Install Service 0. 0. 3. 0 DSE_CHANG E_MODULE_ STATE DSE_CHANG E_MODULE_ STATE Install a service or application Remove a service or application Query the configuration of a service or application Modify configuration of a service or application This event is reported when a service or application is installed This event is reported when a service or application is removed. This event is reported when service or application configuration information is requested. This event is reported when service or application configuration information is modified. This event is reported when a service, operation or function is disabled. Remove Service 0. 0. 3. 1 Query Service Configuration 0. 0. 3. 2 Modify Service Configuration 0. 0. 3. 3 Disable Service 0. 0. 3. 4 DSE_CLOSE_ Disable a service BINDERY or application 24 Novell XDASv2 Administration Guide novdocx (en) 16 April 2010 Event Name Event Identifier Corresponding eDir Event Description Use Enable Service 0. 0. 3. 5 DSE_OPEN_B Enable a service INDERY or application This event ise reported when a service, operation or function is enabled. A. 5 Service or Application Utilization Events This class of events relates to the use of services and applications. They typically map to the execution of a program or a procedure and manipulation of the processing environment. Table A-5 Service or Application Utilization Events Taxonomy Event Name Event Identifier Corresponding eDir Event Description Use Invoke Service 0. 0. 4. 0 DSE_START_ Invoke a service or This event is reported when a UPDATE_SCH application security-relevant service is EMA invoked. DSE_END_UP Terminate a service This event is reported when a DATE_SCHE or application service is terminated. MA Query a processing This event is reported when any context attributes of a process context are queried ­ this event is somewhat specific to operating systems, but some use can be found in other domain-specific applications. DSE_SERVE R_RENAME DSE_SYNTHE TIC_TIME DSE_SERVE R_ADDRESS_ CHANGE Modify processing context This event is reported when any attributes of a process context are modified ­ this event is somewhat specific to operating systems, but some use can be found in other domain-specific applications. Terminate Service 0. 0. 4. 1 Query Process Context 0. 0. 4. 2 Modify Process Context 0. 0. 4. 3 A. 6 Peer Association Management Events Peer association events are related to the association of a user or identity with a group, or the association of two users in some domain-specific context. For example, adding an LDAP user to a group, or associating two users for a domain-specific purpose in an application's identity association database. These events are also related to the association of identities within disparate authentication domains for purposes of federation. For example, when an identity in domain A makes a request to a service governed by domain B, then a peer association is required between these domains ­ often this is called a trust relationship. From an implementation perspective, setting up a trust relationship is often done by establishing an XDASv2 Events 25 novdocx (en) 16 April 2010 identity in domain B, which is used as a proxy for any request coming from any identity in domain A. Trust relationships can be much more complex, however, as individual identities in domain A can have individual associations with specific domain B identities. Table A-6 Peer Association Management Events Taxonomy Event Name Event Identifier Corresponding eDir Event Description Use Create Peer Association Terminate Peer Association Query Association Context Modify Association Context Receive Data Via Association 0. 0. 5. 0 Create an association with a peer Terminate an association with a peer This event is reported when a new peer association is created. This event is reported when an existing peer association is destroyed. 0. 0. 5. 1 0. 0. 5. 2 Query an This event is reported when the association context attributes of a peer association are queried. [. . . ] The sequence field contains a unique numeric value identifying this event from another event which may have been recorded within the same second. For the most part, this value should be taken as a monotonically increasing numeric value that begins at zero and continues until the next second boundary, at which point, it begins again at zero. Event Id Name Data Log Outcome Time Offset Sequence XDASv2 Schema 37 novdocx (en) 16 April 2010 XDAS Field Description Tolerance The tolerance value is a value between 0 and 100, indicating the tolerance of the clock used to record the time in offset. The certainty value is a value between 0 and 100, indicating the percentage certainty of the tolerance value. Zero means there is no certainty of the tolerance, and thus, it shouldn't be trusted to any degree of accuracy. [. . . ]