PingDirectory

Auditing configuration changes

Proper server configuration is critical to maintaining security. Be aware of all changes to the server configuration and understand whether the configuration in its current state matches what you intend and expect it to be.

Administrative alerts

The PingDirectory server generates an administrative alert whenever a configuration change is made with the server online. It also generates an alert during startup if it detects that the configuration was changed while the server was offline by some means other than the dsconfig tool in offline mode or the manage-profile tool.

You should make sure that an appropriate set of alert handlers are in place so that administrators are notified of configuration changes as soon as they occur.

The configuration audit log

The PingDirectory server maintains a logs/config-audit.log file that contains a record of all authorized configuration changes made within the server. This includes:

  • Changes made through the dsconfig command-line tool with the server online

  • Changes made through the dsconfig command-line tool running in offline mode

  • Changes made through the web administration console

  • Changes made through the manage-profile tool

  • Changes made through the configuration API

  • Changes made by clients updating configuration entries over LDAP

The configuration audit log will not include a record of any changes made by directly editing the config.ldif file with the server offline, but the server should detect any such changes at startup and generate an administrative alert in response to them.

Each record in the configuration audit log should include the following information:

  • A timestamp indicating when the change occurred

  • The connection ID and operation ID for the request that was used to make the change

  • The DN of the user who made the change and the type of authentication they used

  • The address of the client system used to request the change

  • A command that is used to undo the change

  • The change that was applied
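The fields listed above are what a reviewer of the audit log needs in order to decide whether a change was expected. The following script is an added example, not PingDirectory code: it parses a small constructed sample of config-audit.log records and flags any record whose authenticated DN is not on an allowlist, whose client address is outside the administrative network, or whose applied change touches a sensitive area (disabling a log publisher, altering a password policy). The record layout, the allowlists and the sample values are all assumptions made for the example; the real file's exact comment labels should be confirmed against a live log before the regular expressions are relied on.

```python
"""Review PingDirectory config-audit.log records against an allowlist.

Added example, not part of PingDirectory. The record layout below is a
constructed approximation: each record carries the fields the documentation
lists (timestamp, connection and operation IDs, authenticated DN and
authentication type, client address, undo command, applied change), but the
exact comment labels are an assumption and must be checked against a real log.
"""
import re
from dataclasses import dataclass

# Constructed sample log: two records in the assumed layout.
SAMPLE_LOG = """\
# 04/Mar/2024:09:15:02.118 -0600; conn=18; op=3
# Connection from 10.0.1.25 to 10.0.1.10
# authDN: cn=Directory Manager,cn=Root DNs,cn=config
# authType: simple
# Undo command: dsconfig set-log-publisher-prop --publisher-name "File-Based Access Logger" --set enabled:true
dsconfig set-log-publisher-prop --publisher-name "File-Based Access Logger" --set enabled:false

# 04/Mar/2024:09:20:41.560 -0600; conn=22; op=1
# Connection from 203.0.113.7 to 10.0.1.10
# authDN: uid=svc-deploy,ou=Service Accounts,dc=example,dc=com
# authType: simple
# Undo command: dsconfig delete-password-policy --policy-name "Weak Policy"
dsconfig create-password-policy --policy-name "Weak Policy" --set "default-password-storage-scheme:Salted SHA-1"
"""

# Regular expressions for the assumed comment lines of one record.
HEADER = re.compile(r"^# (?P<ts>\S+ [+-]\d{4}); conn=(?P<conn>\d+); op=(?P<op>\d+)$")
CONNECTION = re.compile(r"^# Connection from (?P<client>\S+) to (?P<server>\S+)$")
AUTH_DN = re.compile(r"^# authDN: (?P<dn>.+)$")
AUTH_TYPE = re.compile(r"^# authType: (?P<t>.+)$")
UNDO = re.compile(r"^# Undo command: (?P<cmd>.+)$")


@dataclass
class AuditRecord:
    timestamp: str = ""
    conn_id: int = -1
    op_id: int = -1
    client_address: str = ""
    auth_dn: str = ""
    auth_type: str = ""
    undo_command: str = ""
    change: str = ""  # the dsconfig command(s) that were applied


def parse_audit_log(text):
    """Split the log into blank-line separated records and parse each one."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = AuditRecord()
        change_lines = []
        for line in block.splitlines():
            if m := HEADER.match(line):
                rec.timestamp, rec.conn_id, rec.op_id = m["ts"], int(m["conn"]), int(m["op"])
            elif m := CONNECTION.match(line):
                rec.client_address = m["client"]
            elif m := AUTH_DN.match(line):
                rec.auth_dn = m["dn"]
            elif m := AUTH_TYPE.match(line):
                rec.auth_type = m["t"]
            elif m := UNDO.match(line):
                rec.undo_command = m["cmd"]
            elif not line.startswith("#"):
                change_lines.append(line)  # non-comment lines are the applied change
        rec.change = "\n".join(change_lines)
        records.append(rec)
    return records


# Assumed site policy: who may change configuration, from where, and which
# changes always deserve a second look even when made by an authorised admin.
ALLOWED_DNS = {"cn=Directory Manager,cn=Root DNs,cn=config"}
ADMIN_NETWORK_PREFIXES = ("10.0.1.",)
SENSITIVE_CHANGE_PATTERNS = (
    r"set-log-publisher-prop .*enabled:false",  # turning off logging
    r"password-policy",                           # password policy changes
)


def review(records, allowed_dns=ALLOWED_DNS, admin_prefixes=ADMIN_NETWORK_PREFIXES,
           sensitive_patterns=SENSITIVE_CHANGE_PATTERNS):
    """Return (record, reasons) pairs for every record that needs attention."""
    findings = []
    for rec in records:
        reasons = []
        if rec.auth_dn not in allowed_dns:
            reasons.append(f"unexpected authDN: {rec.auth_dn}")
        if not rec.client_address.startswith(admin_prefixes):
            reasons.append(f"client outside admin network: {rec.client_address}")
        for pattern in sensitive_patterns:
            if re.search(pattern, rec.change):
                reasons.append(f"sensitive change matches /{pattern}/")
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in review(parse_audit_log(SAMPLE_LOG)):
        print(f"{rec.timestamp} conn={rec.conn_id} op={rec.op_id} {rec.auth_dn}")
        for reason in reasons:
            print(f"    - {reason}")
        print(f"    undo with: {rec.undo_command}")
```

Run against a real logs/config-audit.log, the same review turns each flagged record into an actionable item: the undo command the server recorded is printed alongside the reason, so an administrator can decide whether to revert before the change propagates further.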

The configuration archive

The PingDirectory server also maintains a configuration archive, in the config/archived-configs directory. This directory should contain a compressed and timestamped copy of every version of the configuration that the server has used. It also includes a version of the configuration as it existed when setup completed and a “clean” baseline configuration for the current version of the server without any customization applied.

The config-diff tool

The PingDirectory server provides a config-diff tool to compare different versions of the server configuration and identify differences between them. This tool can compare different versions of the configuration from the same server, or it can be used to compare configurations between different servers. Any differences will be written in the form of a dsconfig batch file that can update the source server so that its configuration matches that of the target.