21.4 Enabling or Disabling LAF Audit Log Messages for Trustee Events

Use the NSS audit log messages commands to enable or disable messages via Lightweight Auditing Format (LAF) for NSS trustee changes for NSS volumes on OES 2015 or later.

21.4.1 Understanding NSS Audit Log Messages

When the LAFAuditTrustee parameter is enabled, NSS reports changes for the following subset of NSS events:

  • Adding trustees (AddTrustee)

  • Removing trustees (RemoveTrustee)

  • Setting the inherited rights mask (SetInheritedRightsMask)

Comma separated name value pairs are used for the NSS audit log messages. The messages are written to the/var/log/audit/audit.log file.

The types of information reported are described below:

Message Type and ID

All NSS Audit Log messages are of the type AUDIT_KERNEL_OTHER (1316) for LAF. For example, the log messages begin

type=UNKNOWN[1316] msg=audit(message_id):                                                                   

Add Trustee Event Messages

The general format of NSS audit log messages for a single AddTrustee event is:

NSS: AddTrustee: fsuid=<user requesting the operation>,vol=<VOLNAME>,path=<FULL_PATH (relative to the volume)>,trustee=<typeful Fully Distinguished eDirectory username of the trustee being added>,rights=<RIGHTS>,attributes=<ATTRIBUTES>

For example, the following message is for a single event for adding a trustee:

type=UNKNOWN[1316] msg=audit(1164926678.066:7): NSS: AddTrustee: fsuid=0,vol=NSS1,path=/abc/a,trustee=.CN=user5.O=company.T=COMPANY_TREE.,rights=0x1fb,attributes=0xc000

In this example, the trustee user5.company.company_tree is assigned the SRWCEMFA rights, totaling 0x1fb. For a map of rights to values, see Trustee Rights.

Remove Trustee Event Messages

The general format of NSS audit log messages for a single RemoveTrustee event is:

NSS: RemoveTrustee: fsuid=<user requesting the operation>,vol=<VOLNAME>,path=<FULL_PATH (relative to the volume)>,trustee=<typeful Fully Distinguished eDirectory username of the trustee being removed>

For example, the following message is for a single event for removing a trustee:

type=UNKNOWN[1316] msg=audit(1164926734.422:8): NSS: RemoveTrustee: fsuid=0,vol=NSS1,path=/abc/a,trustee=.CN=user5.O=company.T=COMPANY_TREE.

Set Inherited Rights Mask Event Messages

The general format of NSS audit log messages for a single SetInheritedRightsMask event is:

NSS: SetInheritedRightsMask: fsuid=<user>,vol=<VOLNAME>,path=<FULL_PATH(relative to the volume)>,inheritedRightsMask=<RIGHTS>

For example, the following message is for a single event for changes to the inherited rights mask:

type=UNKNOWN[1316] msg=audit(1164926882.005:10): NSS: SetInheritedRightsMask: fsuid=0,vol=NSS1,path=/abc/a,inheritedRightsMask=0x149

In this example, the trustee rights settings can be inherited from the parent directory for the Supervisor (0x0100), Read (0x0001), Create (0x0008), and File Scan (0x0040) rights, totaling 0x0149.

Trustee Rights

The file system trustee rights setting in the message is a hexadecimal value that represents the combination of rights assigned.

The following table maps the trustee rights to hexadecimal values. The values for enabled rights are added to get the reported value for the Rights and Inherited Rights Mask.

Trustee Right

Hexadecimal Value

Supervisor (S)

0x0100

Read (R)

0x0001

Write (W)

0x0002

Create (C)

0x0008

Erase (E, Delete)

0x0010

Modify (M)

0x0080

File Scan (F, See Files)

0x0040

Access Control (A)

0x0020

For example, if the trustee has SRWCEMFA rights, the value is the sum of these or 0x1fb in hexadecimal.

Inherited Rights Mask for Trustee Rights

An inherited rights mask (IRM) specifies which trustee rights are allowed to be inherited downward through a directory. If a trustee bit is set in the IRM of a directory, that bit can be inherited downward in the tree. If a trustee bit is not set in the IRM of a directory, then that right cannot be inherited by the directory's contents, even if a higher level in the directory tree had that right.

The bit definitions for inherited rights masks are the same bits as the trustee rights themselves as described in Trustee Rights. For example, if the Read and File Scan rights can be inherited, the inherited rights mask value is 0x0041 in hexadecimal.

Special Rights

In addition to trustee rights, the following are special rights that might be reported in the Rights field. They cannot be inherited.

Special Right

Hexadecimal Value

Salvage

0x0200

Secure

0x8000

Inheritance Attributes

The attributes reported in the log are flags that tell the trustee how it gets inherited. (They are not file system attributes.) By default, the NetWare trustee model inherits downward and upward (visibility inherits upward; actual rights inherit downward).

The following table maps the inheritance attributes to hexadecimal values. The values for enabled inheritance attributes are added to get the reported value for the Attributes parameter.

Inheritance Attribute

Hexadecimal Value

Inherit Down

Make rights inherit downward.

0x8000

Inherit Up

Make directories above this file visible.

0x4000

Negative Rights (Not currently used)

All other bits are ignored if this parameter is set.

0x2000

For example, an Attribute value of 0xc000 in the audit message indicates that both the Inherit Down and Inherit Up parameters are enabled. This is the typical setting for NSS file systems.

21.4.2 Enabling or Disabling LAF Audit Messages for Trustee Events

Enable or disable the generation of audit messages via LAF for NSS trustee changes. After you enable the audit log messages, the setting persists until the server reboot. After a server reboot, the audit log is disabled again by default. To make the command persist across reboots, add it to the /etc/opt/novell/nss/nssstart.cfg file. The messages are written to the/var/log/audit/audit.log file.

  1. Open a terminal console, then log in as the root user.

  2. At the terminal console prompt, start the NSS Console by entering

    nsscon
  3. At the nsscon prompt, do one of the following:

    • Enable: To enable audit messages for an NSS volume, enter

      nss /LAFAuditTrustee
    • Disable: To disable audit messages for an NSS volume, enter

      nss /NoLAFAuditTrustee

21.4.3 Viewing LAF Audit Messages

View audit messages in the /var/log/audit/audit.log file.

For information about the format of the messages, see Section 21.4.1, Understanding NSS Audit Log Messages.

21.4.4 Additional Information

For information about configuring Linux Audit, see the Linux Audit Quick Start.