06.01.05
Working Smarter: Nsure Audit
C/D/H has several clients who face requirements from HIPAA or Sarbanes-Oxley, or who have a more general requirement to improve their network security. As these clients work to meet those goals, C/D/H has seen a marked increase in their interest in network auditing solutions.
Auditing is a specific component of section 404 of Sarbanes-Oxley, and our healthcare clients' interpretation of HIPAA requirements often involves auditing of authentication, access to applications, and more detailed network access analysis. In addition to meeting compliance requirements, generating and reporting against event logs is a very powerful way to uncover network or data vulnerabilities. For clients running Novell resources, the choice of auditing tools is simple - Novell Nsure Audit.
Novell Nsure Audit is an event auditing package that will capture Host, eDirectory and file system events on NetWare servers and eDirectory events on OES, SUSE, Solaris and Windows servers. Future releases of the product will expand the audited events on these systems and include "instrumentation" for Windows 2003 Server events, Active Directory, IIS, Windows XP, and many other systems.
Although auditing capabilities are not a new concept, there are a few features of Nsure Audit that are notable:
- The Nsure Audit database server writes events in the data store in a "non-repudiative" fashion. That is, each data entry is digitally signed, allowing for verification that the data has not been modified since it was initially recorded in the system.
- Events are grouped and versioned. Grouping events allows a series of events to be seen as a single entry and drilling down can expose more detailed events. Versioned events store previous values of eDirectory data that can be viewed.
- After storing requested event data in a central repository, the events can be filtered into various channels, including SNMP and SMTP channels, which can provide real-time notifications.
- Syslog channels can send filtered data to an organization's central Syslog server. Though Nsure Audit is being positioned to grow into a central repository, C/D/H has a healthcare client that is currently designing their auditing system in this manner. Various server, directory, infrastructure, and workstation platforms will write to a central Syslog server.
- The Critical Value Reset channel (CVR) can be configured to write back values for certain eDirectory objects. When a value is changed, it can immediately be written back to its original value by the auditing platform agent. The root administrator's password might be a good candidate for this feature.
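The first feature in the list above, per-entry signing that makes later modification detectable, can be illustrated with a short added example; it is not Nsure Audit code and does not reflect the product's actual storage format. It assumes HMAC-SHA256 from the Python standard library as a stand-in for the digital signature, goes one step further by chaining each signature to the previous entry so that deleted or reordered entries are also flagged, and uses constructed events and a constructed key.

```python
import hashlib
import hmac
import json

# Assumption: a constructed demo key; in practice only the logging server holds it.
KEY = b"constructed-demo-key"

def _sign(key, prev_sig, event):
    # Canonical JSON so the same event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_sig.encode() + b"|" + body, hashlib.sha256).hexdigest()

def append_event(store, event, key=KEY):
    """Sign the event together with the previous entry's signature, then store it."""
    prev_sig = store[-1]["sig"] if store else ""
    store.append({"event": event, "sig": _sign(key, prev_sig, event)})

def verify_store(store, key=KEY):
    """Return the indexes of entries whose signature no longer verifies."""
    bad, prev_sig = [], ""
    for i, entry in enumerate(store):
        expected = _sign(key, prev_sig, entry["event"])
        if not hmac.compare_digest(expected, entry["sig"]):
            bad.append(i)
        prev_sig = entry["sig"]  # chain on the stored value so one edit stays localised
    return bad

def build_sample_store():
    """Constructed sample events (hypothetical field names, not real audit records)."""
    store = []
    events = [
        {"ts": "2005-01-10T09:00:00Z", "src": "eDirectory", "what": "login", "who": "cn=jdoe,o=acme"},
        {"ts": "2005-01-10T09:02:11Z", "src": "eDirectory", "what": "password change", "who": "cn=jdoe,o=acme"},
        {"ts": "2005-01-10T09:05:40Z", "src": "filesystem", "what": "file delete", "who": "cn=jdoe,o=acme"},
    ]
    for ev in events:
        append_event(store, ev)
    return store

if __name__ == "__main__":
    store = build_sample_store()
    print("untouched store, failing entries:", verify_store(store))
    store[1]["event"]["who"] = "cn=admin,o=acme"  # simulate an after-the-fact edit
    print("after editing entry 1, failing entries:", verify_store(store))
```

Entries removed from the end of the store are not detected by this scheme alone; catching that requires keeping the latest signature or an entry count somewhere the store's administrator cannot alter.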
As with any data gathering initiative (e.g., hardware and software inventory or network monitoring), the key to success lies in proper planning. In our experience, failure in implementing a system like Nsure Audit can usually be avoided by remembering two things:
- Organizations should be clear about their goals and only capture data that has a potential to provide the information that is desired.
- Systems like Nsure Audit require ongoing care and feeding. Time will need to be set aside to monitor and repair monitoring systems and to review the goals and performance of the system. Spending time to fine tune the system's filters and rules will ensure that the system remains useful.

