AUTHORIZED DOCUMENTATION
Guide
Novell® Identity Audit 1.0
October 27, 2008
www.novell.com
Identity Audit Guide


Summary of Contents for Novell IDENTITY AUDIT 1.0 - GUIDE

  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Comparison to Novell Audit 2.0.2
  • Page 6 5.1.2 Viewing Audit Server Health; 5.1.3 Viewing Event Source Health
  • Page 7 Creating a Keystore; C Novell Identity Audit Database Views for PostgreSQL Server; Views
  • Page 8 C.1.50 EVENTS_ALL_RPT_V1 (legacy view); C.1.51 EVENTS_ALL_V (legacy view)
  • Page 9 C.1.109 VENDOR_RPT_V; C.1.110 VULN_CALC_SEVERITY_RPT_V
  • Page 11: About This Guide

    For more information about building your own plug-ins (for example, Jasper Reports*), go to the Sentinel SDK Web page (http://developer.novell.com/wiki/index.php/Develop_to_Sentinel). The build environment for Identity Audit report plug-ins is identical to what is documented for Novell Sentinel.
  • Page 12 Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
  • Page 13: Introduction

    Novell Identity Audit 1.0 is a drop-in replacement for the Novell Audit 2.0.2 Secure Logging Server for products in the Novell Identity and Security product line. Because Novell Identity Audit uses a new embedded database, customers should keep existing Novell Audit events in the archived Novell Audit database rather than attempting to migrate legacy data.
  • Page 14: Comparison To Novell Sentinel

    1.1.2 Comparison to Novell Sentinel Novell Identity Audit is built on a robust technological foundation, because much of the underlying code is shared with Novell Sentinel. However, Sentinel collects data from a broader range of devices, supports a higher event rate, and provides more tools than Novell Identity Audit. Sentinel...
  • Page 15: Architecture

    Identity Audit does not process double-byte event data. 1.3 Architecture Identity Audit collects data from multiple Novell identity and security applications. These application servers are configured to generate event records, and each hosts a Platform Agent. Event data is forwarded by the Platform Agent to an Audit Connector that resides on the Identity Audit Server.
  • Page 16 The Configuration component retrieves, adds, and modifies configuration information such as data collection and storage settings, rule definitions, and report definitions. It also manages user authentication. The Search component performs fast, indexed searches and retrieves events from the database to present search result sets to the user.
  • Page 17: System Requirements

    Section 2.5, “Supported Event Sources,” on page 18 2.1 Hardware Requirements Novell Identity Audit is supported on 64-bit Intel Xeon* and AMD Opteron* hardware. It is not supported on Itanium* hardware. Novell recommends the following hardware for a production system that holds 90 days of online data:...
  • Page 18: Supported Operating Systems

    2.4 Supported Platform Agent Version Identity Audit 1.0 supports collecting log events from many applications that were supported by Novell Audit and its Platform Agent. Platform Agent version 2.0.2 SP6 or above is required for Identity Audit. NOTE: Some Novell applications are bundled with a previous version of the Platform Agent. The recommended version includes important bug fixes, so you should upgrade the Platform Agent if you have a previous version.
  • Page 19: Installation

    Requirements,” on page 17. In particular, you need to have the supported patch levels for some Novell applications in order to receive high-quality events from those event sources. 3.2 Installing Novell Identity Audit The Identity Audit installation package installs everything you need to run Identity Audit: the Identity Audit application and communications bus, the database to store events and configuration information, the Web-based user interface, and the reporting server.
  • Page 20 The novell user and novell group are created, if they do not already exist. The novell user is created without a password. If you want to be able to log in as the novell user later (for example, to install patches), you can create a password for this user after the installation is completed.
  • Page 21: Non-Root Installation

    /tmp 3 (Conditional) If the novell user and novell group do not exist on the server: 3a Extract the script to create the novell user and novell group from the Identity Audit tar file. For example: tar xfz identity_audit_1.0_x86-64.tar.gz identity_audit_1.0_x86-64/setup/root_create_novell_user.sh...
  • Page 22 12 Confirm the password for database administrator (dbauser). 13 Enter the password for the admin user. 14 Confirm the password for the admin user. 15 Log out and log back in as novell. This loads the PATH environment variable changes made by the install.sh script...
  • Page 23: Configuring Event Sources

    Identity Audit 1.0 supports collecting log events from applications that were supported by the old Novell Audit product and its Platform Agent. Before completing the steps in this section, ensure that your Novell products are supported. For more information, see Section 2.4, “Supported Platform...
  • Page 24: Configuring The Platform Agent

    11 To verify that the Platform Agent version is correct, enter the following command: rpm -qa | grep AUDT The version of novell-AUDTplatformagent should be at least the supported version listed in Section 2.4, “Supported Platform Agent Version,” on page 3.3.2 Configuring the Platform Agent...
  • Page 25: Configuring The Auditing Level

    1 Open a supported Web browser. For more information, see Section 2.3, “Supported Browsers,” on page 2 Go to the Novell Identity Audit page (for example: https://10.10.10.10:8443/novellidentityaudit). 3 If this is the first time you have logged into Identity Audit, you are presented with a certificate.
  • Page 26 -r novell && groupdel novell 6 (Conditional) If you do want to retain the novell user and its home directory but want to remove all Identity-Audit-related settings: 6a Remove the following environment variable entries for Identity Audit from the novell user’s profile (in...
  • Page 27: Reporting

    Novell® Identity Audit is installed with a core set of report templates related to Novell applications. Any Identity Audit user can run a report by using the desired parameters (such as start and end date), and the report results are saved with a name of the user’s choosing. After the report runs, the results can be retrieved by any Identity Audit user and viewed as a PDF file. Reports are organized by category.
  • Page 28 If desired, click a report definition to expand it. If you see a Sample Report link, you can click View to find out how the completed report looks with a set of sample data. 2 Select the report you want to run and click Run. 3 Set the schedule for running the report.
  • Page 29: Scheduling A Report

    5 Choose the language in which the report labels and descriptions should be displayed (English, French, German, Italian, Japanese, Traditional Chinese, Simplified Chinese, Spanish, or Portuguese). The data in the report will be displayed in whatever language it was originally produced by the event source.
  • Page 30: Viewing Reports

    NOTE: All time settings are based on the browser’s local time. Scheduled Reports Figure 4-1 Report schedules can be removed or modified by using the Delete and Edit links. 4.2 Viewing Reports Identity Audit users can view reports in the Identity Audit application. Other users might receive report .
  • Page 31: Managing Reports

    For Date Range, D=Current Day, PD=Previous Day, W=Week To Date, PW=Previous Week, M=Month To Date, PM=Previous Month, and DR=Custom Date Range. For Language, en=English, fr=French, de=German, it=Italian, ja=Japanese, pt=Brazilian Portuguese, es=Spanish, zh=Simplified Chinese, and zh_TW=Traditional Chinese. 3 Click View for the report results you want to see. The report results are displayed in a new window in .
  • Page 32: Adding Reports

    “Downloading New or Updated Reports” on page 32 “Adding New Reports to Identity Audit” on page 32 Downloading New or Updated Reports New or updated reports by Novell can be downloaded from the Identity Audit 1.0 Plugins Web site (http://support.novell.com/products/sentinel/identityaudit.html).
  • Page 33: Creating New Reports

    Audit Web interface. They must adhere to the file and format requirements of the report plug-ins. For more information about database fields and file and format requirements for report plug-ins, see the Sentinel SDK Web site (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel). 4.3.3 Renaming Report Results Report results (but not report definitions) can be renamed in the Identity Audit interface.
  • Page 34: Deleting Reports

    Users can upload updated reports to Identity Audit to replace an existing report. For more information, see Section 4.3.1, “Adding Reports,” on page 4.4 Default Reports This section lists the pre-installed reports of Novell Identity Audit: Novell Access Manager Event Count Trend Novell Access Manager Top 10 Dashboard Novell eDirectory Account Trust Assignments...
  • Page 35 Novell Identity Manager Authentication by User Novell Identity Manager Configuration Changes Novell Identity Manager Event Count Trend Novell Identity Manager Management Approval Overview 6.1r1.rpz Novell Identity Manager Password Management Novell Identity Manager Password Resets Novell Identity Manager Periodic Password Change Violations...
  • Page 37: Data Collection

    Administrators can configure and monitor data collection for Novell Identity Audit. Identity Audit is installed with the ability to collect data from a variety of Novell applications by using the Novell Audit Platform Agent. For information on the supported versions of the Platform Agent, see Section 2.4, “Supported Platform Agent...
  • Page 38: Viewing Audit Server Health

    Changes on this page take effect immediately. 5.1.2 Viewing Audit Server Health The Audit Server is a server that listens for connections from Novell applications. 1 Log into Identity Audit as an administrator. 2 Click Collection in the upper right corner of the page.
  • Page 39: Viewing Event Source Health

    5.1.3 Viewing Event Source Health The health status for each Novell application is indicated by a colored icon. For each online data source, Identity Audit also shows the calculated event rate for incoming events. The event rate is recalculated every 60 seconds.
  • Page 40: Managing Event Sources

    5.2.1 Adding Event Sources After new event sources start sending data to Identity Audit, the IP addresses for those event sources are automatically added to the list of IPs that shows when you click show details for a Novell application.
  • Page 41 5 Specify the port on which the Identity Audit server will listen for messages from the event sources. For more information, see Section 5.3.1, “Port Configuration and Port Forwarding,” on page 6 Set the appropriate client authentication and server key pairs settings. For more information, see Section 5.3.2, “Client Authentication,”...
  • Page 42: Port Configuration And Port Forwarding

    Binding to ports less than 1024 requires root privileges. Instead, Novell recommends that you use a port greater than 1024. You can change the source devices to send to a higher port or use port forwarding on the Identity Audit server.
  • Page 43 Certificate Authority (CA) that signed the event source’s certificate. After you have a DER or PEM certificate, you can create the truststore by using the CreateTruststore utility that comes with Identity Audit. 1 Log in to the Identity Audit server as novell. 2 Go to /opt/novell/identity_audit_1.0_x86/data/updates/done 3 Unzip the file audit_connector.zip...
  • Page 44 4 Make sure that the Audit Server tab is selected. 5 Select the Strict option under Client authentication. 6 Click Browse and browse to the truststore file (for example, my.keystore). 7 Enter the password for the truststore file. 8 Click Import. 9 If desired, click Details to see more information about the truststore.
  • Page 45: Event Sources

    If there is more than one public-private key pair in the file, select the desired key pair and click 9 Click Details to see more information about the server key pair. 10 Click Save. 5.4 Event Sources The Event Sources page allows administrators to configure how time is determined for events from each event source.
  • Page 46 5 Select all applications for which Identity Audit should use the event time stamp from the original application. For all others, the Identity Audit server time stamp replaces the time stamp from the original application. The changes take effect immediately for all new incoming events. It might take some time for events already in the queue to be processed.
  • Page 47: Searching

    Searching Novell Identity Audit provides the ability to perform a search on events. The search includes all online data currently in the database, but internal events generated by the Identity Audit system are excluded unless the user selects Include System Events. By default, events are sorted based on the search engine’s relevancy algorithm.
  • Page 48: Advanced Search

    Identity Audit is configured to run a default search for non-system events with severity 3 to 5 the first time a user clicks the Search link. Otherwise, it defaults to the last search term the user entered. 2 For a different search, type a search term in the search field (for example, ).
  • Page 49: Viewing Search Results

    To search for a value in a specific field, use the short name of the field, a colon, and the value. For example, to search for an authentication attempt to Identity Audit by user2, use the following text in the search field: evt:authentication AND sun:user2 Other advanced searches might include: pn:NMAS AND sev:5...
  • Page 50: Basic Event View

    Section 6.2.2, “Event View with Details,” on page 50 Section 6.2.3, “Refining Search Results,” on page 51 6.2.1 Basic Event View The information in each event is grouped into Initiator information and Target information. If data isn’t available for a particular event field, the fields are labeled Unknown. Basic Event View Figure 6-3 Occasionally, the search engine might index events faster than they are inserted into the database.
  • Page 51: Refining Search Results

    Event View with Details Figure 6-5 The event above shows the same event as in Figure 6-3 on page 50 but with an expanded view that shows additional data fields that might have been populated. 6.2.3 Refining Search Results After viewing the results of a search, it might be necessary to refine the search results and add additional search criteria.
  • Page 52: Event Fields

    3 Click Search. Some fields cannot be selected to refine a search this way: EventTime; Message; any field related to the Reporter; any field related to the Observer; any field related to TargetTrust; any field with a value Unknown. 6.3 Event Fields Each event has fields that might or might not be populated, depending on the specific event.
  • Page 53 Columns: Field, Short Name, Description, Visible in Basic View, Visible in Detailed View. Message Detailed event message ProductName Product that generated the event; the event source Displayed after the event name. InitUserName Username of the user who initiated the event InitUserID iuid User ID of the user who initiated the event, based on the raw data reported by the...
  • Page 54 Columns: Field, Short Name, Description, Visible in Basic View, Visible in Detailed View. TargetServicePortName dp Type of port that was the target of event (for example, HTTP) TargetTrustName Role of the user that was a target of the event (for example, FinanceAdmin) Searchable but not displayed in either event view TargetTrustID...
  • Page 55 Columns: Field, Short Name, Description, Visible in Basic View, Visible in Detailed View. ReporterHostName Hostname of the machine that reported the event to an observer Searchable but not displayed in either event view ReporterHostDomain repd Domain of the machine that reported the event to an observer Searchable but not displayed in either event view...
  • Page 56 Some fields are tokenized. Tokenizing the fields makes it possible to search for an individual word in the field without a wildcard. The fields are tokenized based on spaces and other special characters. For these fields, articles such as “a” or “the” are removed from the search index. EventName Message ProductName...
  • Page 57: Data Storage

    Data Storage Novell® Identity Audit installation installs a PostgreSQL database with all the necessary tables and users to run Identity Audit. The database also includes stored procedures designed to manage database partitions and archive old data. Administrators can manage the database storage and archiving settings via the Web interface.
  • Page 58: Data Storage Configuration

    This page shows whether several database functions are in a healthy state (green), a warning state (yellow), or an error state (red). Online Database: This indicator shows whether the expected number of partitions exists in the database for each of the partitioned tables. The expected number of partitions is based on the number of days configured to be online (or the number of days since installation, if the installation is recent).
  • Page 59: Database Setup

    Archive to this database directory: If the Archive data option is chosen, data is archived to a specified location before it is deleted. This directory must already exist and the novell user must have write access to it. By default, this location is set to...
  • Page 60: Database Structure

    Section 7.3.2, “Database Users,” on page 60 Section 7.3.3, “Database Stored Procedures,” on page 60 7.3.1 Database Structure The database for this security and information event management system created by the installer is named SIEM, and the default tablespace is named SENDATA1. The eight largest tables in the database, which store events, events on which actions have taken place, and aggregated events, are partitioned by day to enable easy management and querying.
  • Page 61: Rules

    Event output is in JavaScript* Object Notation (JSON), which is a lightweight data exchange format. Events consist of field names (such as “evt” for Event Name) followed by a colon and a value (such as “Start”), separated by commas.
    {"st":"I","evt":"Start","sev":"1","sres":"Collector","res":"CollectorManager","rv99":"0","rv1":"0","repassetid":"0","rv77":"0","agent":"Novell SecureLogin","obsassetid":"0","vul":"0","port":"Novell SecureLogin","msg":"Processing started for Collector Novell SecureLogin (ID D892E9F0-3CA7-102B-B5A1-005056C00005).","dt":"1224204655689","id":"751D97B0-7E13-112B-B933-000C29E8CEDE","src":"D892E9F0-3CA7-102B-B5A2-005056C00004"}
  • Page 62: Configuring Rules

    8.2 Configuring Rules Identity Audit rules can be configured to filter events based on one or more of the searchable fields. For a list of the Identity Audit searchable event fields, see Table 6-1 on page 52. Each rule can be associated with one or more of the configured actions.
  • Page 63: Ordering Rules

    8 Configure additional actions, as desired. 9 Click Save. 8.2.3 Ordering Rules Because events are evaluated by rules in order until a match is made, you should order rules accordingly. More narrowly defined rules and more important rules should be placed at the beginning of the list.
  • Page 64: Configuring Actions

    8.3 Configuring Actions An event is delivered to one or more channels when it meets the criteria specified by one of the rules. Before the events can be output to a channel, the action to send to that channel must be configured with the appropriate connection information (and authentication credentials, if needed for the SMTP relay).
  • Page 65: Send To Syslog

    To configure the Write to File action, you need the name and path of the file to which the events will be written. The directory must already exist and the novell user must have permissions to write to it. If the file does not already exist, Identity Audit creates it.
  • Page 67: User Administration

    User Administration Administrators can add, edit, and delete users in Novell® Identity Audit and grant administrative rights. Users can edit the details of their own user profile. Section 9.1, “Adding a User,” on page 67 Section 9.2, “Editing User Details,” on page 68 Section 9.3, “Deleting a User,”...
  • Page 68: Editing User Details

    5 (Optional) Select Grant administrative rights. 6 Click Save. 9.2 Editing User Details Administrators can edit user information for any user in the system. Users can edit their own profiles except for the username and administrative privileges. Section 9.2.1, “Editing Your Own Profile,” on page 68 Section 9.2.2, “Changing Your Own Password,”...
  • Page 69: Changing Your Own Password

    2 Edit any available field. 3 Click Save. 9.2.2 Changing Your Own Password You can change your own password if you know the current password. Otherwise, an administrator must reset the password. 1 Click profile in the upper right corner. 2 Enter your current password.
  • Page 70: Editing Another User's Profile (Admin Only)

    4 Confirm your new password. 5 Click Save. 9.2.3 Editing Another User’s Profile (admin only) 1 Log into Identity Audit as an administrator. 2 Click User Admin in the upper right corner of the page. 3 Click Edit under the user you want to edit. 4 Edit any fields (except the username).
  • Page 71: A Troubleshooting

    Logs for the Web server. Located in the ./tomcat directory. The following logging settings can be changed in the config/server_log.prop file:
      (reporting) esecurity.ccs.comp.reporting.jasper=ALL
      (reporting) com.novell.reports.jasper=ALL
      (report scheduling) esecurity.ccs.comp.scheduler.level=ALL
      (searching) esecurity.ccs.comp.textsearch.level=ALL
    The following logging settings can be changed in the 3rdparty/tomcat/conf/logging.properties file:
      com.novell.sentinel.scout.server.ReportUploadServlet.level=ALL...
  • Page 72 com.novell.sentinel.scout.server.level=ALL (this is equivalent to the previous two settings)
  • Page 73: B Truststore

    Truststore Using strict authentication for the connection between Identity Audit and the Novell applications it collects data from can improve data security. B.1 Creating a Keystore A keystore can be created using the Java* “keytool” executable, which comes with any JRE* installation.
  • Page 75: C Novell Identity Audit Database Views For Postgresql Server

    Novell Identity Audit Database Views for PostgreSQL Server This section lists the Novell Identity Audit Schema Views for PostgreSQL Server. C.1 Views Listed below are the views available with Identity Audit. C.1.1 ACTVY_PARM_RPT_V Column Name Datatype Comment ACTVY_PARM_ID uuid Activity parameter identifier...
  • Page 76: Actvy_Ref_Rpt_V

    Column Name Datatype Comment DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.3 ACTVY_REF_RPT_V Column Name Datatype Comment ACTVY_ID...
  • Page 77: Adv_Attack_Map_Rpt_V

    Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.7 ADV_ATTACK_RPT_V View references ADV_ATTACK table that stores Advisor attack information.
  • Page 78: Adv_Attack_Signatures

    Column Name Datatype Comment ATTACK_ID integer ID to identify the attack TRUSECURE_ATTACK_NAME character varying(512) Name of the attack FEED_DATE_CREATED timestamp with time zone Date when the feed first had the information on this attack FEED_DATE_UPDATED timestamp with time zone Last date when the information on this attack has been updated ATTACK_CATEGORY character varying(256)
  • Page 79: Adv_Feed_Rpt_V

    Date from which the entry is valid END_EFFECTIVE_DATE timestamp with time zone Date until which the entry is valid DATE_CREATED timestamp with time zone Date the entry was created
  • Page 80: Adv_Product_Rpt_V

    Column Name Datatype Comment DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.11 ADV_PRODUCT_RPT_V View references ADV_PRODUCT table that stores Advisor product information such as vendor and product ID.
  • Page 81: Adv_Product_Version_Rpt_V

    CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.14 ADV_VENDOR_RPT_V Column Name Datatype Comment VENDOR_ID bigint ID of the vendor VENDOR_NAME character varying(128) Name of the vendor
  • Page 82: Adv_Vuln_Kb_Rpt_V

    Column Name Datatype Comment CONTACT_PERSON character varying(128) Contains the contact person name for the vendor ADDRESS_LINE_1 character varying(128) Address of the vendor ADDRESS_LINE_2 character varying(128) Address of the vendor ADDRESS_LINE_3 character varying(128) Address of the vendor ADDRESS_LINE_4 character varying(128) Address of the vendor CITY character varying(128) City of the vendor...
  • Page 83: Adv_Vuln_Product_Rpt_V

    Sentinel system such as cases and incidents. Column Name Datatype Comment ANN_ID integer Annotation identifier - sequence number. TEXT character varying(4000) Documentation or notes. ACTION character varying(255) Action
  • Page 84: Asset_Category_Rpt_V

    Column Name Datatype Comment DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified MODIFIED_BY integer User who last modified object CREATED_BY integer User who created object C.1.19 ASSET_CATEGORY_RPT_V View references ASSET_CTGRY table that stores information about asset categories. Column Name Datatype Comment...
  • Page 85: Asset_Location_Rpt_V

    Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.23 ASSET_RPT_V View references ASSET table that stores information about the physical and soft assets.
  • Page 86: Asset_Value_Rpt_V

    Column Name Datatype Comment ASSET_ID uuid Asset identifier CUST_ID bigint Customer identifier ASSET_NAME character varying(255) Asset name PHYSICAL_ASSET_ID uuid Physical asset identifier PRODUCT_ID bigint Product identifier ASSET_CATEGORY_ID bigint Asset category identifier ENVIRONMENT_IDENTITY_CD bigint Environment identity code PHYSICAL_ASSET_IND boolean Physical asset indicator ASSET_VALUE_CODE bigint Asset value code...
  • Page 87: Associations_Rpt_V

    Column Name Datatype Comment ATTACHMENT_ID integer Attachment identifier NAME character varying(255) Attachment name SOURCE_REFERENCE character varying(64) Source reference TYPE character varying(32) Attachment type SUB_TYPE character varying(32) Attachment subtype FILE_EXTENSION character varying(32) File extension
  • Page 88: Audit_Record_Rpt_V

    Column Name Datatype Comment ATTACHMENT_DESCRIPTION character varying(255) Attachment description DATA text Attachment data DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.28 AUDIT_RECORD_RPT_V...
  • Page 89: Contacts_Rpt_V

    CORRELATED_EVENTS_RPT_V1 because this view does not include archived correlated events that have been imported back into the database. C.1.32 CORRELATED_EVENTS_RPT_V1 View contains current and historical correlated events (correlated events imported from archives).
  • Page 90: Criticality_Rpt_V

    Column Name Datatype Comment PARENT_EVT_ID uuid Event Universal Unique Identifier (UUID) of parent event CHILD_EVT_ID uuid Event Universal Unique Identifier (UUID) of child event PARENT_EVT_TIME timestamp with time zone Parent event time CHILD_EVT_TIME timestamp with time zone Child event time DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED...
  • Page 91: Cust_Rpt_V

    User who last modified object C.1.37 ENV_IDENTITY_RPT_V View references ENV_IDENTITY_LKUP table that stores information about asset environment identity. Column Name Datatype Comment ENVIRONMENT_IDENTITY_ID bigint Environment identity code ENV_IDENTITY_NAME character varying(255) Environment identity name
  • Page 92: Esec_Content_Grp_Content_Rpt_V

    Column Name Datatype Comment DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.38 ESEC_CONTENT_GRP_CONTENT_RPT_V Column Name Datatype Comment CONTENT_GRP_ID...
  • Page 93: Esec_Content_Pack_Rpt_V

    User who created object C.1.42 ESEC_CTRL_CTGRY_RPT_V Column Name Datatype Comment CTRL_CTGRY_ID uuid Control category identifier CTRL_CTGRY_DESC text Control category description CTRL_CTGRY_NAME character varying(255) Control category name CONTENT_PACK_ID uuid Content pack identifier
  • Page 94: Esec_Ctrl_Rpt_V

    Column Name Datatype Comment CONTENT_EXTERNAL_ID character varying(255) Content external identifier DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.43 ESEC_CTRL_RPT_V Column Name Datatype...
  • Page 95: Esec_Port_Reference_Rpt_V

    PORT_DESCRIPTION character varying(512) Port description. DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified
  • Page 96: Esec_Protocol_Reference_Rpt_V

    Column Name Datatype Comment CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.46 ESEC_PROTOCOL_REFERENCE_RPT_V View references ESEC_PROTOCOL_REFERENCE table that stores industry standard assigned protocol numbers. Column Name Datatype Comment PROTOCOL_NUMBER integer http://www.iana.org/assignments/protocol-numbers (http://www.iana.org/assignments/protocol-numbers), the numerical identifiers used to represent protocols that are encapsulated in an IP packet.
  • Page 97: Esec_Uuid_Uuid_Assoc_Rpt_V

    This view is provided for backward compatibility. New reports should use EVENTS_RPT_V2. View contains current events. C.1.54 EVENTS_RPT_V2 This is the primary reporting view. View contains current and historical events. Column Name Datatype Comment EVENT_ID uuid Event identifier...
  • Page 98 Column Name Datatype Comment RESOURCE_NAME character varying(255) Resource name SUB_RESOURCE character varying(255) Subresource name SEVERITY integer Event severity EVENT_PARSE_TIME timestamp with time zone Event time EVENT_DATETIME timestamp with time zone Event time EVENT_DEVICE_TIME timestamp with time zone Event device time SENTINEL_PROCESS_TIME timestamp with time zone Sentinel process time BEGIN_TIME...
  • Page 99 Reserved Value 21 - 25 Reserved for future use by Sentinel to store UUIDs. Use of this field for any other purpose might result in data being overwritten by future functionality...
  • Page 100 Column Name Datatype Comment RV26 - 31 character varying(255) Reserved Value 26 - 31 Reserved for future use by Sentinel. Use of this field for any other purpose might result in data being overwritten by future functionality. RV33 character varying(255) Reserved Value 33 Reserved for EventContex Use of this field for any other purpose...
  • Page 101 CV01 - 10 integer Custom Value 1 - 10 Reserved for use by Customer, typically for association of Business relevant data...
  • Page 102: Events_Rpt_V3

    Column Name Datatype Comment CV11 - 20 timestamp with time zone Custom Value 11 - 20 Reserved for use by Customer, typically for association of Business relevant data CV21 - 29 character varying(255) Custom Value 21 – 29 Reserved for use by Customer, typically for association of Business relevant data CV30 - 34 character varying(4000)
  • Page 103 Reserved_Tag_2 character varying(255) Reserved_Tag_3 integer Vulnarability_Rating integer Criticality_Rating integer Date_Created timestamp with time zone Date the entry was created Date_Modified timestamp with time zone Date the entry was modified...
  • Page 104 Column Name Datatype Comment Created_By integer User who created object Modified_By integer User who last modified object RV01 integer Event_Metric integer Event metric Data_Tag_Id integer Data tag ID RV04-RV10 integer RV11-RV20 timestamp with time zone RV21-RV28 character varying(255) Init_IP_Country character varying(255) Initiator country Target_IP_Country character varying(255)
  • Page 105: Evt_Agent_Rpt_V

    Device category Source_UUID uuid Source component Universal Unique Identifier (UUID) DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified...
  • Page 106: Evt_Agent_Rpt_V3

    Column Name Datatype Comment CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.57 EVT_AGENT_RPT_V3 Column Name Datatype Comment Agent_ID bigint Collector identifier Cust_ID bigint Customer identifier Agent character varying(64) Collector Port character varying(64) Port Reporter_Host_Name character varying(255) Reporter host name Sensor_Type...
  • Page 107: Evt_Asset_Rpt_V3

    Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.59 EVT_ASSET_RPT_V3 Asset_Department character varying(100) Asset department DATE_CREATED timestamp with time zone Date the entry was created...
  • Page 108: Evt_Dest_Evt_Name_Smry_1_Rpt_V

    Asset_Department character varying(100) Asset department DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.60 EVT_DEST_EVT_NAME_SMRY_1_RPT_V View summarizes event count by destination, taxonomy, event name, severity and event time. Column Name Datatype Comment...
  • Page 109: Evt_Dest_Txnmy_Smry_1_Rpt_V

    Date the entry was created Date_Modified timestamp with time zone Date the entry was modified Created_By integer User who created object Modified_By integer User who last modified object Destination_Host_Name character varying(255) Destination host name...
  • Page 110: Evt_Name_Rpt_V

    C.1.63 EVT_NAME_RPT_V View references EVT_NAME table that stores event name information. Column Name Datatype Comment Event_Name_ID bigint Event name identifier Event_Name character varying(255) Event name DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer...
  • Page 111: Evt_Prtcl_Rpt_V

    User who created object MODIFIED_BY integer User who last modified object C.1.68 EVT_SEV_SMRY_1_RPT_V View summarizes event count by severity and event time. Column Name Datatype Comment Severity integer Event severity CUST_ID bigint Customer identifier...
  • Page 112: Evt_Src_Collector_Rpt_V

    Column Name Datatype Comment Event_Time timestamp with time zone Event time Event_Count integer Event count Date_Created timestamp with time zone Date the entry was created Date_Modified timestamp with time zone Date the entry was modified Created_By integer User who created object Modified_By integer User who last modified object...
  • Page 113: Evt_Src_Mgr_Rpt_V

    Offset value OFFSET_TIMESTAMP timestamp with time zone Offset timestamp CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object DATE_CREATED timestamp with time zone Date the entry was created...
  • Page 114: Evt_Src_Rpt_V

    Column Name Datatype Comment DATE_MODIFIED timestamp with time zone Date the entry was modified C.1.73 EVT_SRC_RPT_V Column Name Datatype Comment EVT_SRC_ID uuid Event source identifier EVT_SRC_NAME character varying(255) Event source name EVT_SRC_GRP_ID uuid Event source group identifier STATE_IND boolean State indicator MAP_FILTER text Map filter...
  • Page 115: Evt_Src_Srvr_Rpt_V

    Taxonomy level 1 Taxonomy_Level_2 character varying(100) Taxonomy level 2 Taxonomy_Level_3 character varying(100) Taxonomy level 3 Taxonomy_Level_4 character varying(100) Taxonomy level 4 Device_Category character varying(255)...
  • Page 116: Evt_Usr_Rpt_V

    Column Name Datatype Comment DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.77 EVT_USR_RPT_V View references EVT_USR table that stores event user information. Column Name Datatype Comment...
  • Page 117: External_Data_Rpt_V

    zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object...
  • Page 118: Hist_Correlated_Events_Rpt_V (Legacy View)

    C.1.81 HIST_CORRELATED_EVENTS_RPT_V (legacy view) This view is provided for backward compatibility. New reports should use CORRELATED_EVENTS_RPT_V1. C.1.82 HIST_EVENTS Column Name Datatype Comment EVT_ID uuid Event Universal Unique Identifier (UUID) EVT_TIME timestamp with time zone Event time CUST_ID bigint Customer identifier SRC_ASSET_ID bigint Source Asset ID...
  • Page 119 TRGT_TRUST_SYS_ID character varying(255) TRGT_TRUST_DOMAIN character varying(255) OBSRVR_IP integer RPTR_IP integer OBSRVR_HOST_DOMAIN character varying(255) RPTR_HOST_DOMAIN character varying(255) OBSRVR_ASSET_ID character varying(255) RPTR_ASSET_ID character varying(255) INIT_SRVC_COMP character varying(255) TARGET_SRVC_COMP character varying(255) EVT_GRP_ID character varying(255)...
  • Page 120: Hist_Events_Rpt_V (Legacy View)

    Column Name Datatype Comment DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object RV01-RV10 integer RV11-RV20 timestamp with time zone RV21-RV25 uuid...
  • Page 121: Incidents_Assets_Rpt_V

    zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object...
  • Page 122: Incidents_Rpt_V

    C.1.87 INCIDENTS_RPT_V View references INCIDENTS table that stores information describing the details of incidents created in the Sentinel Console. Column Name Datatype Comment INC_ID integer Incident identifier – sequence number NAME character varying(255) Incident name INC_CAT character varying(255) Incident category INC_DESC character varying(4000) Incident description...
  • Page 123: L_Stat_Rpt_V

    Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object...
  • Page 124: Network_Identity_Rpt_V

    C.1.92 NETWORK_IDENTITY_RPT_V View references NETWORK_IDENTITY_LKUP table that stores asset network identity information. Column Name Datatype Comment NETWORK_IDENTITY_ID bigint Network identity code NETWORK_IDENTITY_NAME character varying(255) Network identity name DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer...
  • Page 125: Physical_Asset_Rpt_V

    VENDOR_ID bigint Vendor identifier DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object...
  • Page 126: Role_Rpt_V

    Column Name Datatype Comment MODIFIED_BY integer User who last modified object C.1.97 ROLE_RPT_V View references ROLE_LKUP table that stores user role (asset) information. Column Name Datatype Comment ROLE_CODE character varying(5) Role code ROLE_NAME character varying(255) Role name DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone...
  • Page 127: Sentinel_Host_Rpt_V

    User who last modified object DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified C.1.102 SENTINEL_RPT_V Column Name Datatype Comment SENTINEL_ID uuid Sentinel identifier...
  • Page 128: States_Rpt_V

    Column Name Datatype Comment SENTINEL_NAME character varying(255) Sentinel name ONLINE_IND boolean Online indicator STATE_IND boolean State indicator SENTINEL_CONFIG text Sentinel configuration CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time...
  • Page 129: Users_Rpt_V

    Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object...
  • Page 130: Usr_Account_Rpt_V

    C.1.106 USR_ACCOUNT_RPT_V Column Name Datatype Comment ACCOUNT_ID bigint Account identifier USER_DOMAIN character varying(255) User domain CUST_ID bigint Customer identifier BEGIN_EFFECTIVE_DATE timestamp with time zone Begin effective date END_EFFECTIVE_DATE timestamp with time zone End effective date CURRENT_F boolean Current flag USER_STATUS character varying(50) User status IDENTITY_GUID...
  • Page 131: Vendor_Rpt_V

    View references VULN_RSRC and VULN to calculate eSecurity vulnerability severity rating based on current vulnerabilities. Column Name Datatype Comment RSRC_ID uuid character varying(32) HOST_NAME character varying(255) Host name CRITICALITY integer Asset criticality code...
  • Page 132: Vuln_Code_Rpt_V

    Column Name Datatype Comment ASSIGNED_VULN_SEVERITY integer VULN_COUNT integer Vulnerability Count CALC_SEVERITY numeric(14,2) C.1.111 VULN_CODE_RPT_V View references VULN_CODE table that stores industry assigned vulnerability codes such as Mitre's CVEs and CANs. Column Name Datatype Comment VULN_CODE_ID uuid VULN_ID uuid Vulnerability identifier VULN_CODE_TYPE character varying(64) Vulnerability code type...
  • Page 133: Vuln_Rpt_V

    Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object...
  • Page 134: Vuln_Rsrc_Rpt_V

    C.1.114 VULN_RSRC_RPT_V View references VULN_RSRC table that stores each resource scanned for a particular scan. Column Name Datatype Comment RSRC_ID uuid SCANNER_ID uuid Scanner identifier character varying(32) IP Address HOST_NAME character varying(255) Host name LOCATION character varying(128) Location DEPARTMENT character varying(128) Department BUSINESS_SYSTEM character varying(128)
  • Page 135: Vuln_Scan_Vuln_Rpt_V

    Product Name PRODUCT_VERSION character varying(64) Product Version SCANNER_TYPE character varying(64) Vulnerability Scanner Type VENDOR character varying(100) Vendor SCANNER_INSTANCE character varying(64) Scanner Instance DATE_CREATED timestamp with time zone Date the entry was created...
  • Page 136: Workflow_Def_Rpt_V

    Column Name Datatype Comment DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object C.1.119 WORKFLOW_DEF_RPT_V Column Name Datatype Comment PKG_NAME character varying(255) Package name PKG_DATA text Package data DATE_CREATED timestamp with time zone...
  • Page 137 ADV_SEVERITY_RPT_V ADV_SUBALERT_RPT_V ADV_URGENCY_RPT_V HIST_INCIDENTS_RPT_V...
  • Page 139: D Documentation Updates

    Documentation Updates This section contains information about documentation content changes made to the Novell Identity Audit Guide 1.0. If you are an existing user, review the change entries to identify modified content. If you are a new user, simply read the guide in its current state.