Where’s the auditing in Novell Nsure Audit?

A few issues ago I offered a sneak peek at the upcoming Novell Nsure Audit (NNA) technology that will ship with NetWare 6.5 (now slated to be available Aug. 15). I suggested that you should evaluate the system to see if it has value for your enterprise. Evidently, a number of people already had and, for the most part, they didn’t like what they saw.

The general feeling is that large quantities of data are logged (and shunted around the network) but the quality of that data is severely lacking. We’ll get to some examples in a few minutes, but first some new information about auditing and NetWare 6.5.

I previously mentioned that a slimmed down version of Blue Lance’s LT Auditor for NetWare would ship with NetWare 6.5. However, I’ve just learned that this (along with a demo of NetVision’s NVMonitor, another auditing tool) will actually be on a separate CD of demos and evals from multiple third-party vendors. We’ll take a look at what else is included in one of next week’s newsletters.

In the past, Novell has often included rudimentary applications with NetWare as part of what it called a “demonstration of technology,” in the hopes of encouraging third parties to develop richer, more complete offerings. An example is the “FirstMail” e-mail package that’s included with NetWare 3. FirstMail provided basic e-mail but without many of the “bells and whistles” of a full-featured package. Novell Nsure Audit could also be a “demonstration of technology,” which would be fine – even commendable. But Novell is also selling NNA for thousands and thousands of dollars as “a secure logging and auditing product”. It might be secure, it does do logging – but auditing?

NNA will log all changes to data in eDirectory. In fact, if there are multiple replicas of the partition in which the change occurs then there will be multiple log entries for that change. What it doesn’t do, though, is to tell you what the change was. That is, neither the old or new values are stored in the log.

You may know that an object’s “security equal to” value has been changed, but not that it has been change to Admin. Or from “Admin” to something else. You may not even know who made the change since only changes made on the logging server itself carry the identification of the user making the change. Other replicas on other platforms are simply identified by the server name. This, I’m assured by numerous security experts is certainly not auditing – its simply logging, and not very good logging at that. You might not even know when the change occurred. The log carries a timestamp, but it’s in compressed form – “1058719719”, rather than “2003-07-20 12:16:49”. The formula for converting it is available, but you (rather than NNA) will have to do the conversion.

As a demonstration of technology, Novell Nsure Audit isn’t bad. But to try to sell this for thousands of dollars as an auditing package “…that helps you reduce your organization’s liability and risk by ensuring compliance with governmental regulations and business-driven security policies,” is a stretch at best. It might be considered false advertising at worst. When you get your copy of NetWare 6.5, be sure to take a look at that companion CD and the real auditing packages it contains.