Embed Size (px)
Citation preview
Nsure™ Audit: Instrumenting Custom Applications
Rick MeredithJason ArringtonNsure Audit EngineeringNovell, Inc
© March 9, 2004 Novell Inc.2
one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.
The one Net vision
Novell exteNd™
Novell Nsure™
Novell Nterprise™
Novell NgageSM
:
:
:
:
© March 9, 2004 Novell Inc.3
The one Net vision
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
Novell Nsure™
Novell exteNd™
Novell Nsure™
Novell Nterprise™
Novell NgageSM
:
:
:
:
© March 9, 2004 Novell Inc.4
Nsure Audit Overview
Two major componentsPlatform agent• Collects events from instrumented applications• Sends the events to the Logging Server• Caches the event in case of communication
failure• Optionally signs the events for validation
Secure Logging Server• Receives the events from the platform agent• Logs events to file or database• Sends any relevant notifications
© March 9, 2004 Novell Inc.5
Custom Development Options
SDK allows two areas for custom developmentInstrumenting custom applications• Uses Platform Agent• Nearly any application can be instrumented• Currently C and Java APIs are available
Creating custom log channels• Interface with the Secure Logging Server• Custom back-end notifications• Need admin tools for eDirectory
6
Secure Logging Server
Platform Agent
Notification
Service
Logging Service
Filte
r
SMTP
Flat
FileD
river
MonitoringApplications
ReportGenerator
SNMPSYSLO
GStorage
JavaCVR
…SQ
LD
river
Crystal Reports
Java APITCP/IP(TLS)
Alerts/Notifications
JMS
Even
t A
dap
ter
OracleSQL Server
MySQL
File Syste
m
[11:58:18] MyApp\ IMAP\ Authentication: Valid login for account “FMSmith" from 137.65.47.144[11:58:18] MyApp \POP3\ Authentication: Valid login for account "pfeiffer" from 195.224.28.4
C API
Ap
plic
atio
n
Ap
plic
atio
n
Ap
plic
atio
n
…
Monitoring Service
Disconnected
Mode Cache
Administrator
© March 9, 2004 Novell Inc.7
Steps to Instrument an ApplicationInclude the LogEvent header file and library in the application source code
If desired, contact Novell Developer Services to obtain a registered application ID and certificate for your product
Create a log schema configuration (LSC) file to describe the events that your application will send
Call the desired LogEvent functions from the appropriate locations in the application code
Create the necessary objects in eDirectory for the Secure Logging Server to recognize the new application
© March 9, 2004 Novell Inc.8
Log Schema Configuration (LSC) file
Defines the different events, used to translate text
Can be used with auditext to automatically generate the Application Object
#^Frozen Bubble Instrumentation^FBFB^FBubbleInst^EN##EventID,Description,Text1 Title,Text2 Title,Value1 Title,Value1 Type,Value2 #Title,Value2 Type,Group Title,Group Type,Data Title,Data Type,Display SchemaFBFB,Frozen Bubble,Frozen Bubble Instrumentation,,,,,,,,,,FBFB0001,Game Started,,,,,Start Time,,,,,,FBFB0002,Level Started,,,Level,,Timestamp,,,,,,FBFB0003,Level Completed,,,Level,,Timestamp,,,,,,FBFB0004,Level Completion Time,,,Level,,Total Time,,,,,,FBFB0005,Premature Exit,,,Level,,Timestamp,,,,,,FBFB0006,Died,,,Level,,Life Number,,,,,,FBFB0007,Game Ended,,,Level,,Timestamp,,,,,,FBFB0008,Final Score and Time,Username,,Level,,Total Time,,,,,,
© March 9, 2004 Novell Inc.9
Logevent Functions
LogOpen – create the log handle, connect to the server
LogEventDirect – send a log event with any of the available data fields
LogClose – close the log handle
LogEventText, LogEventNameValue, LogEventLong, LogEventRaw are macros that log events with only certain types of data
Unicode interface is also available
© March 9, 2004 Novell Inc.10
Demonstration
General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
![[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS keyboard buffer](https://img.pdfslide.us/doc/110x75/5577a1d8d8b42a410a8b5447/defcon-bypassing-preboot-authentication-passwords-by-instrumenting-the-bios-keyboard-buffer.jpg)
