Detailed instructions for use are in the User's Guide.
[. . . ] novdocx (en) 16 April 2010
AUTHORIZED DOCUMENTATION
Administration Guide
Novell®
v1
October 15, 2010
XDASv2 for eDirectory, IDM, and NMAS
www.novell.com
Novell XDASv2 Administration Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
[. . . ]
Event Name | Event Identifier | Corresponding eDir Event | Description | Use
Terminate Session | 0.0.1.1 | | | This event should be reported whenever an existing session (as defined above) is terminated.
Query Session | 0.0.1.2 | | Query user session attributes | This event should be reported whenever attribute information is requested on an existing session.
Modify Session | 0.0.1.3 | DSE_CHANGE_CONN_STATE | Modify user session attributes | This event should be reported whenever attribute information is modified on an existing session.
A.3 Data Item and Resource Element Management Events
This set of events relates to the creation and management of data items and resource elements within a domain. The type of data item or resource element depends on the domain: for example, files and directories, device special files, and shared memory segments within an operating system; tables and records within a database; or messages within an email system. The term data item is used in this context to refer to any type of resource element.
Table A-3 Data Item and Resource Element Management Event Taxonomy
Event Name | Event Identifier | Corresponding eDir Event | Description | Use
Create Data Item | 0.0.2.0 | DSE_CREATE_ENTRY | Create a data item | This event is reported whenever a security-relevant data item or resource element is created.
Delete Data Item | 0.0.2.1 | DSE_DELETE_ENTRY | Delete a data item | This event is reported whenever a security-relevant data item or resource element is deleted.
Query Data Item Attribute | 0.0.2.2 | DSE_COMPARE_ATTR_VALUE | Query data item attributes | This event is reported whenever a security-relevant data item or resource element is queried, either for its value or for an attribute of the data item.
Modify Data Item Attribute | 0.0.2.3 | DSE_DEFINE_ATTR_DEF, DSE_REMOVE_ATTR_DEF, DSE_REMOVE_CLASS_DEF, DSE_DEFINE_CLASS_DEF, DSE_MODIFY_CLASS_DEF | Modify data item attributes | This event is reported whenever a security-relevant data item or resource element is modified, either its value or an attribute of the data item.
A.4 Service or Application Management Events
This set of events relates to the management of services or applications. For example, the RPM package manager might emit these events as packages are installed on or removed from a Linux system. Windows 32 Service Control Manager (SCM) events sent to the Windows 32 System Event Log may be translated into these events as they are imported into OpenXDASv2. This set of events could also be much more domain-specific, including concepts such as installing, removing, or configuring installable executable modules within a single application domain. The key idea is to ensure that reported events have security significance.
Table A-4 Service or Application Management Event Taxonomy
Event Name | Event Identifier | Corresponding eDir Event | Description | Use
Install Service | 0.0.3.0 | DSE_CHANGE_MODULE_STATE | Install a service or application | This event is reported when a service or application is installed.
Remove Service | 0.0.3.1 | DSE_CHANGE_MODULE_STATE | Remove a service or application | This event is reported when a service or application is removed.
Query Service Configuration | 0.0.3.2 | | Query the configuration of a service or application | This event is reported when service or application configuration information is requested.
Modify Service Configuration | 0.0.3.3 | | Modify configuration of a service or application | This event is reported when service or application configuration information is modified.
Disable Service | 0.0.3.4 | DSE_CLOSE_BINDERY | Disable a service or application | This event is reported when a service, operation or function is disabled.
Enable Service | 0.0.3.5 | DSE_OPEN_BINDERY | Enable a service or application | This event is reported when a service, operation or function is enabled.
A.5 Service or Application Utilization Events
This class of events relates to the use of services and applications. They typically map to the execution of a program or a procedure and manipulation of the processing environment.
Table A-5 Service or Application Utilization Events Taxonomy
Event Name | Event Identifier | Corresponding eDir Event | Description | Use
Invoke Service | 0.0.4.0 | DSE_START_UPDATE_SCHEMA | Invoke a service or application | This event is reported when a security-relevant service is invoked.
Terminate Service | 0.0.4.1 | DSE_END_UPDATE_SCHEMA | Terminate a service or application | This event is reported when a service is terminated.
Query Process Context | 0.0.4.2 | | Query a processing context | This event is reported when any attributes of a process context are queried; this event is somewhat specific to operating systems, but some use can be found in other domain-specific applications.
Modify Process Context | 0.0.4.3 | DSE_SERVER_RENAME, DSE_SYNTHETIC_TIME, DSE_SERVER_ADDRESS_CHANGE | Modify processing context | This event is reported when any attributes of a process context are modified; this event is somewhat specific to operating systems, but some use can be found in other domain-specific applications.
A.6 Peer Association Management Events
Peer association events are related to the association of a user or identity with a group, or the association of two users in some domain-specific context. For example, adding an LDAP user to a group, or associating two users for a domain-specific purpose in an application's identity association database. These events are also related to the association of identities within disparate authentication domains for purposes of federation. For example, when an identity in domain A makes a request to a service governed by domain B, a peer association is required between these domains; this is often called a trust relationship. From an implementation perspective, setting up a trust relationship is often done by establishing an identity in domain B, which is used as a proxy for any request coming from any identity in domain A. Trust relationships can be much more complex, however, as individual identities in domain A can have individual associations with specific domain B identities.
Table A-6 Peer Association Management Events Taxonomy
Event Name | Event Identifier | Corresponding eDir Event | Description | Use
Create Peer Association | 0.0.5.0 | | Create an association with a peer | This event is reported when a new peer association is created.
Terminate Peer Association | 0.0.5.1 | | Terminate an association with a peer | This event is reported when an existing peer association is destroyed.
Query Association Context | 0.0.5.2 | | Query an association context | This event is reported when the attributes of a peer association are queried.
Modify Association Context | | | |
Receive Data Via Association | | | |
[. . . ]
XDASv2 Schema
Fields listed in this part of the schema: Event Id, Name, Data, Log, Outcome, Time, Offset, Sequence, Tolerance.
XDAS Field | Description
Sequence | The sequence field contains a unique numeric value identifying this event from another event which may have been recorded within the same second. For the most part, this value should be taken as a monotonically increasing numeric value that begins at zero and continues until the next second boundary, at which point it begins again at zero.
Tolerance | The tolerance value is a value between 0 and 100, indicating the tolerance of the clock used to record the time in offset. The certainty value is a value between 0 and 100, indicating the percentage certainty of the tolerance value. Zero means there is no certainty of the tolerance, and thus it shouldn't be trusted to any degree of accuracy.
[. . . ]
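As an added example that is not part of the Novell guide, the Python below resolves an event identifier to its taxonomy class using the tables above, and checks a constructed batch of records against the Sequence and Tolerance/Certainty rules just described, so that lost, duplicated or reordered audit records and untrusted clock readings surface as findings. The flat record shape (Id, Offset, Sequence, Tolerance, Certainty) and the sample values are assumptions for illustration, not the real eDirectory XDASv2 JSON layout.

```python
# Added example: consistency checks over XDASv2 audit records. The flat record
# shape (Id, Offset, Sequence, Tolerance, Certainty) is an assumption for
# illustration, not the real eDirectory XDASv2 JSON layout.
from collections import defaultdict

# Taxonomy class keyed by the third component of the identifier (Tables A-2 to A-6).
EVENT_CLASSES = {
    1: "Session Management",
    2: "Data Item and Resource Element Management",
    3: "Service or Application Management",
    4: "Service or Application Utilization",
    5: "Peer Association Management",
}

def event_class(event_id: str) -> str:
    """Resolve an identifier such as '0.0.2.3' to its taxonomy class."""
    parts = event_id.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed XDASv2 event identifier: {event_id!r}")
    return EVENT_CLASSES.get(int(parts[2]), "Unknown")

def check_records(records):
    """Return (offset, problem, detail) tuples for records breaking the schema
    rules: within one second (Offset) the Sequence values must run 0, 1, 2, ...
    in order, so a gap, repeat or non-zero start means the trail lost, duplicated
    or reordered records; Tolerance must lie in 0..100; Certainty 0 means the
    recording clock's tolerance cannot be trusted at all."""
    by_second = defaultdict(list)
    findings = []
    for r in records:
        by_second[r["Offset"]].append(r["Sequence"])
        if not 0 <= r["Tolerance"] <= 100:
            findings.append((r["Offset"], "tolerance out of range", r["Tolerance"]))
        if r["Certainty"] == 0:
            findings.append((r["Offset"], "clock tolerance untrusted", r["Id"]))
    for offset in sorted(by_second):
        seqs = by_second[offset]
        if seqs != list(range(len(seqs))):
            findings.append((offset, "sequence gap, repeat or reorder", seqs))
    return findings

# Constructed sample batch: second 1287100801 is missing Sequence 1, and the
# last record reports Certainty 0.
SAMPLE_RECORDS = [
    {"Id": "0.0.2.0", "Offset": 1287100800, "Sequence": 0, "Tolerance": 10, "Certainty": 90},
    {"Id": "0.0.2.3", "Offset": 1287100800, "Sequence": 1, "Tolerance": 10, "Certainty": 90},
    {"Id": "0.0.3.4", "Offset": 1287100801, "Sequence": 0, "Tolerance": 10, "Certainty": 90},
    {"Id": "0.0.3.5", "Offset": 1287100801, "Sequence": 2, "Tolerance": 10, "Certainty": 90},
    {"Id": "0.0.5.0", "Offset": 1287100802, "Sequence": 0, "Tolerance": 50, "Certainty": 0},
]
```

Running `check_records(SAMPLE_RECORDS)` yields two findings: the missing Sequence 1 in second 1287100801 and the untrusted clock reading on the 0.0.5.0 record.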