Auditing configuration changes
Proper server configuration is critical to maintaining security. Be aware of all changes to the server configuration and understand whether the configuration in its current state matches what you intend and expect it to be.
Administrative alerts
The PingDirectory server generates an administrative alert whenever a configuration change is made with the server online. It also generates an alert during startup if it detects that the configuration changed while the server was offline, whether through unauthorized edits or through the dsconfig tool in offline mode or the manage-profile tool.
You should make sure that an appropriate set of alert handlers is in place so that administrators are notified of configuration changes as soon as they occur.
The configuration audit log
The PingDirectory server maintains a logs/config-audit.log file that contains a record of all authorized configuration changes made within the server. This includes:
- Changes made through the dsconfig command-line tool with the server online
- Changes made through the dsconfig command-line tool running in offline mode
- Changes made through the web administration console
- Changes made through the manage-profile tool
- Changes made through the configuration API
- Changes made by clients updating configuration entries over LDAP
The configuration audit log will not include a record of any changes made by directly editing the config.ldif file with the server offline, but the server should detect any such changes at startup and generate an administrative alert in response to them.
Each record in the configuration audit log should include the following information:
- A timestamp indicating when the change occurred
- The connection ID and operation ID for the request that was used to make the change
- The DN of the user who made the change and the type of authentication they used
- The address of the client system used to request the change
- A command that is used to undo the change
- The change that was applied
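As an added example (not code from the page or from PingDirectory), the following parses records carrying the fields listed above and flags the ones a reviewer would want to look at first: a requester DN or client address outside an allowlist, or a change that switches a log publisher off. The record layout in the constructed sample, the field names, and the timestamp format are assumptions made for the example, not the exact layout of a real config-audit.log.

```python
import ipaddress
import re

# Constructed sample; the layout (a "# <timestamp>; conn=..; op=.." header,
# "# Key: value" lines, then the applied change) is an assumption for this example.
SAMPLE_LOG = """\
# 12/Mar/2024:09:14:02.118 +0000; conn=17; op=3
# Requester DN: cn=Directory Manager,cn=Root DNs,cn=config
# Requester IP: 10.0.0.5
# Undo command: dsconfig set-backend-prop --backend-name userRoot --set db-cache-percent:10
dsconfig set-backend-prop --backend-name userRoot --set db-cache-percent:25
# 12/Mar/2024:23:41:57.003 +0000; conn=88; op=1
# Requester DN: uid=jdoe,ou=People,dc=example,dc=com
# Requester IP: 203.0.113.44
# Undo command: dsconfig set-log-publisher-prop --publisher-name "File-Based Access Logger" --set enabled:true
dsconfig set-log-publisher-prop --publisher-name "File-Based Access Logger" --set enabled:false
"""

def parse_config_audit(text):
    """Return one dict per record: timestamp, conn, op, each '# Key: value' field, and the change line."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"# (.+?); conn=(\d+); op=(\d+)$", line)
        if m:
            current = {"timestamp": m.group(1), "conn": int(m.group(2)), "op": int(m.group(3))}
        elif line.startswith("# ") and current is not None:
            key, _, value = line[2:].partition(": ")  # tolerate lines without ': '
            current[key] = value
        elif line.strip() and current is not None:
            current["change"] = line  # the non-comment line closes the record
            records.append(current)
            current = None
    return records

def flag_changes(records, trusted_dns, trusted_nets):
    """Flag unexpected requesters or client addresses, and any change that disables a log publisher."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for rec in records:
        reasons = []
        if rec.get("Requester DN") not in trusted_dns:
            reasons.append("untrusted requester")
        ip = ipaddress.ip_address(rec.get("Requester IP", "0.0.0.0"))
        if not any(ip in net for net in nets):
            reasons.append("client outside trusted networks")
        if re.search(r"log-publisher-prop .*--set enabled:false", rec["change"]):
            reasons.append("log publisher disabled")  # loss of audit visibility
        if reasons:
            flagged.append((rec["timestamp"], rec["conn"], reasons))
    return flagged
```

Run over the sample, the second record is flagged on all three counts, while the first (a trusted administrator from an internal address adjusting a cache size) passes.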
The configuration archive
The PingDirectory server also maintains a configuration archive, in the config/archived-configs directory. This directory should contain a compressed and timestamped copy of every version of the configuration that the server has used. It also includes a version of the configuration as it existed when setup completed and a "clean" baseline configuration for the current version of the server without any customization applied.
The config-diff tool
The PingDirectory server provides a config-diff tool to compare different versions of the server configuration and identify differences between them. This tool can compare different versions of the configuration from the same server, or it can be used to compare configurations between different servers. Any differences will be written in the form of a dsconfig batch file that can update the source server so that its configuration matches that of the target.