Proper server configuration is critical to maintaining security. Be aware of all changes to the server configuration and understand whether the configuration in its current state matches what you intend and expect it to be.
Administrative alerts
PingDirectory Server generates an administrative alert whenever a configuration change is made with the server online. It also generates an alert during startup if it detects unauthorized configuration changes, that is, changes that were not made through the dsconfig tool in offline mode or the manage-profile tool.
You should make sure that an appropriate set of alert handlers is in place so that administrators are notified of configuration changes as soon as they occur.
The configuration audit log
PingDirectory Server maintains a logs/config-audit.log file that contains a record of all authorized configuration changes made within the server. This includes:
- Changes made through the dsconfig command-line tool with the server online
- Changes made through the dsconfig command-line tool running in offline mode
- Changes made through the web administration console
- Changes made through the manage-profile tool
- Changes made through the configuration API
- Changes made by clients updating configuration entries over LDAP
The configuration audit log will not include a record of any changes made by directly editing the config.ldif file with the server offline, but the server should detect any such changes at startup and generate an administrative alert in response to them.
Each record in the configuration audit log should include the following information:
- A timestamp indicating when the change occurred
- The connection ID and operation ID for the request that was used to make the change
- The DN of the user who made the change and the type of authentication they used
- The address of the client system used to request the change
- A command that is used to undo the change
- The change that was applied
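A small reviewer for audit records, added here as an example and not code from PingDirectory or its documentation. It assumes a record layout of its own (header lines carrying the fields listed above, followed by the applied dsconfig command) over a constructed sample; the real logs/config-audit.log layout may differ, so adapt the two regular expressions before running it on a live file.

```python
import re

# Constructed sample in an assumed layout: '#' header lines carrying the fields the
# page lists for an audit record, then the dsconfig command that was applied.
SAMPLE_LOG = """\
# 2024-05-01T09:12:44Z conn=12 op=3
# Requester DN: cn=Directory Manager,cn=Root DNs,cn=config
# Authentication: simple
# Client address: 10.0.0.5
# Undo: dsconfig set-access-control-handler-prop --set enabled:true
dsconfig set-access-control-handler-prop --set enabled:false

# 2024-05-01T09:15:02Z conn=14 op=1
# Requester DN: uid=admin,ou=people,dc=example,dc=com
# Authentication: simple
# Client address: 203.0.113.9
# Undo: dsconfig set-global-configuration-prop --set size-limit:1000
dsconfig set-global-configuration-prop --set size-limit:5000
"""

HEADER = re.compile(r"^# (?P<ts>\S+) conn=(?P<conn>\d+) op=(?P<op>\d+)$")
FIELD = re.compile(r"^# (?P<key>[^:]+): (?P<val>.*)$")


def parse_audit_log(text):
    """One dict per blank-line-separated record: header fields plus the change."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        rec = {"timestamp": m["ts"], "conn": int(m["conn"]), "op": int(m["op"])}
        for line in lines[1:]:
            f = FIELD.match(line)
            if f:
                rec[f["key"]] = f["val"]
            else:
                rec["change"] = line  # the dsconfig command that was applied
        records.append(rec)
    return records


def review(records, trusted_prefixes=("10.0.0.",)):
    """Flag changes from outside trusted networks or that switch off access control."""
    findings = []
    for r in records:
        addr = r.get("Client address", "")
        if not addr.startswith(trusted_prefixes):
            findings.append((r["conn"], "change from untrusted address " + addr))
        if "access-control" in r["change"] and "enabled:false" in r["change"]:
            findings.append((r["conn"], "access control disabled"))
    return findings
```

The Undo field of a flagged record is the command to run to revert it, which is why the page recommends keeping this log alongside the administrative alerts.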
The configuration archive
PingDirectory Server also maintains a configuration archive, in the config/archived-configs directory. This directory should contain a compressed and timestamped copy of every version of the configuration that the server has used. It also includes a version of the configuration as it existed when setup completed and a “clean” baseline configuration for the current version of the server without any customization applied.
The config-diff tool
PingDirectory Server provides a config-diff tool to compare different versions of the server configuration and identify differences between them. This tool can compare different versions of the configuration from the same server, or it can be used to compare configurations between different servers. Any differences will be written in the form of a dsconfig batch file that can update the source server so that its configuration matches that of the target.