Use the NSS audit log messages commands to enable or disable messages via Lightweight Auditing Format (LAF) for NSS trustee changes for NSS volumes on OES 2015 or later.
When the LAFAuditTrustee parameter is enabled, NSS reports changes for the following subset of NSS events:
Adding trustees (AddTrustee)
Removing trustees (RemoveTrustee)
Setting the inherited rights mask (SetInheritedRightsMask)
Comma separated name value pairs are used for the NSS audit log messages. The messages are written to the/var/log/audit/audit.log file.
The types of information reported are described below:
All NSS Audit Log messages are of the type AUDIT_KERNEL_OTHER (1316) for LAF. For example, the log messages begin
type=UNKNOWN[1316] msg=audit(message_id):
The general format of NSS audit log messages for a single AddTrustee event is:
NSS: AddTrustee: fsuid=<user requesting the operation>,vol=<VOLNAME>,path=<FULL_PATH (relative to the volume)>,trustee=<typeful Fully Distinguished eDirectory username of the trustee being added>,rights=<RIGHTS>,attributes=<ATTRIBUTES>
For example, the following message is for a single event for adding a trustee:
type=UNKNOWN[1316] msg=audit(1164926678.066:7): NSS: AddTrustee: fsuid=0,vol=NSS1,path=/abc/a,trustee=.CN=user5.O=company.T=COMPANY_TREE.,rights=0x1fb,attributes=0xc000
In this example, the trustee user5.company.company_tree is assigned the SRWCEMFA rights, totaling 0x1fb. For a map of rights to values, see Trustee Rights.
The general format of NSS audit log messages for a single RemoveTrustee event is:
NSS: RemoveTrustee: fsuid=<user requesting the operation>,vol=<VOLNAME>,path=<FULL_PATH (relative to the volume)>,trustee=<typeful Fully Distinguished eDirectory username of the trustee being removed>
For example, the following message is for a single event for removing a trustee:
type=UNKNOWN[1316] msg=audit(1164926734.422:8): NSS: RemoveTrustee: fsuid=0,vol=NSS1,path=/abc/a,trustee=.CN=user5.O=company.T=COMPANY_TREE.
The general format of NSS audit log messages for a single SetInheritedRightsMask event is:
NSS: SetInheritedRightsMask: fsuid=<user>,vol=<VOLNAME>,path=<FULL_PATH(relative to the volume)>,inheritedRightsMask=<RIGHTS>
For example, the following message is for a single event for changes to the inherited rights mask:
type=UNKNOWN[1316] msg=audit(1164926882.005:10): NSS: SetInheritedRightsMask: fsuid=0,vol=NSS1,path=/abc/a,inheritedRightsMask=0x149
In this example, the trustee rights settings can be inherited from the parent directory for the Supervisor (0x0100), Read (0x0001), Create (0x0008), and File Scan (0x0040) rights, totaling 0x0149.
The file system trustee rights setting in the message is a hexadecimal value that represents the combination of rights assigned.
The following table maps the trustee rights to hexadecimal values. The values for enabled rights are added to get the reported value for the Rights and Inherited Rights Mask.
Trustee Right |
Hexadecimal Value |
---|---|
Supervisor (S) |
0x0100 |
Read (R) |
0x0001 |
Write (W) |
0x0002 |
Create (C) |
0x0008 |
Erase (E, Delete) |
0x0010 |
Modify (M) |
0x0080 |
File Scan (F, See Files) |
0x0040 |
Access Control (A) |
0x0020 |
For example, if the trustee has SRWCEMFA rights, the value is the sum of these or 0x1fb in hexadecimal.
An inherited rights mask (IRM) specifies which trustee rights are allowed to be inherited downward through a directory. If a trustee bit is set in the IRM of a directory, that bit can be inherited downward in the tree. If a trustee bit is not set in the IRM of a directory, then that right cannot be inherited by the directory's contents, even if a higher level in the directory tree had that right.
The bit definitions for inherited rights masks are the same bits as the trustee rights themselves as described in Trustee Rights. For example, if the Read and File Scan rights can be inherited, the inherited rights mask value is 0x0041 in hexadecimal.
In addition to trustee rights, the following are special rights that might be reported in the Rights field. They cannot be inherited.
Special Right |
Hexadecimal Value |
---|---|
Salvage |
0x0200 |
Secure |
0x8000 |
The attributes reported in the log are flags that tell the trustee how it gets inherited. (They are not file system attributes.) By default, the NetWare trustee model inherits downward and upward (visibility inherits upward; actual rights inherit downward).
The following table maps the inheritance attributes to hexadecimal values. The values for enabled inheritance attributes are added to get the reported value for the Attributes parameter.
Inheritance Attribute |
Hexadecimal Value |
---|---|
Inherit Down Make rights inherit downward. |
0x8000 |
Inherit Up Make directories above this file visible. |
0x4000 |
Negative Rights (Not currently used) All other bits are ignored if this parameter is set. |
0x2000 |
For example, an Attribute value of 0xc000 in the audit message indicates that both the Inherit Down and Inherit Up parameters are enabled. This is the typical setting for NSS file systems.
Enable or disable the generation of audit messages via LAF for NSS trustee changes. After you enable the audit log messages, the setting persists until the server reboot. After a server reboot, the audit log is disabled again by default. To make the command persist across reboots, add it to the /etc/opt/novell/nss/nssstart.cfg file. The messages are written to the/var/log/audit/audit.log file.
Open a terminal console, then log in as the root user.
At the terminal console prompt, start the NSS Console by entering
nsscon
At the nsscon prompt, do one of the following:
Enable: To enable audit messages for an NSS volume, enter
nss /LAFAuditTrustee
Disable: To disable audit messages for an NSS volume, enter
nss /NoLAFAuditTrustee
View audit messages in the /var/log/audit/audit.log file.
For information about the format of the messages, see Section 21.4.1, Understanding NSS Audit Log Messages.
For information about configuring Linux Audit, see the Linux Audit Quick Start.