Data security auditors

One way to do this would be to regularly export the data to LDIF (ideally in encrypted form so that it is not exposed in the clear) and examine its content for unusual or undesirable conditions. You could also do this with search operations. However, in large data sets, such searches can be expensive and time consuming.

The server also provides an “audit data security” administrative task and an associated audit-data-security command-line tool that can help with this. When invoked, the task causes the server to efficiently iterate through all entries in the configured set of backends, comparing each one against a configured set of data security auditors.

The report is written into a directory structure on the server filesystem. There is a summary.ldif file that provides a summary of all of the processing that was performed. There is also a subdirectory for each of the backends that were examined with a set of LDIF files containing more detailed output from each of those auditors.

Data security auditors included with PingDirectory Server include:

  • Identify all entries that contain ACIs.
  • Identify administratively disabled users.
  • Identify users with passwords that are expired or are about to expire.
  • Identify users whose accounts are locked because of too many failed authentication attempts because it’s been too long since the user authenticated or because the user did not change their password in a timely manner after an administrative reset.
  • Identify users who have multiple passwords.
  • Identify users who have explicitly configured privileges or root users or topology administrators who inherit the default set of root privileges.
  • Identify users who have passwords encoded with password storage schemes that are considered weak.

The audit-data-security tool offers the provided set of command-line arguments in addition to the usual options for connecting and authenticating to the server and scheduling tasks:

--outputDirectory
The directory (on the server filesystem) where the report files are created. If this is not specified, then it defaults to a directory whose name reflects the current time in the reports/audit-data-security subdirectory.
--reportFilter
An optional filter that can be used to indicate which entries should be examined. If this is provided, then only entries matching that filter are audited. Otherwise, all entries are examined. This can be provided multiple times if multiple filters should be specified, and only entries matching at least one of those filters are examined.
--backendID
An optional set of backend IDs for the backends to examine. If this is not provided, then all supported backends, including local DB backends and the server configuration, are examined.
--includeAuditor
An optional set of the names for the data security auditors that are invoked. By default, all data security auditors defined in the configuration are included, except for those excluded by the --excludeAuditor argument.
--excludeAuditor
An optional set of the names for the data security auditors that are not invoked.

Soft deletes

Normally, when an authorized client deletes an entry, it is completely removed from the server. However, PingDirectory Server provides support for soft deletes, in which the server preserves the entry instead of removing it. Soft deletes can be used as a means of auditing deleted content or resurrecting content removed either maliciously or in error.

When an entry is soft-deleted, the server makes the following changes to it:

  • The server adds the ds-soft-delete-entry auxiliary object class to the entry, which causes it to be hidden from normal search results.
  • The server renames the entry to add the entry’s entryUUID attribute to the set of RDN attributes. This allows a new entry to be created with the same distinguished name (DN) as the former entry without conflicting with the soft-deleted form of the entry.
  • The server adds the following additional operational attributes to the entry:
    • ds-soft-delete-from-dn — The original DN for the entry.
    • ds-soft-delete-timestamp — The time that the entry was soft-deleted.
    • ds-soft-delete-requester-dn — The DN of the user that requested the delete.
    • ds-soft-delete-requester-ip-address — The IP address of the client that requested the delete.

Turning deletes into soft deletes provides a way to verify the content of deleted entries. Even though soft-deleted entries are excluded from search results by default, users with the soft-delete-read privilege can retrieve them by including the soft-deleted entry access request control in the search request, such as by providing the --includeSoftDeletedEntries argument to ldapsearch.

There are two ways that regular deletes can be turned into soft deletes. The first is to include the soft delete request control in the delete request, such as using the --softDelete argument to ldapmodify.

However, it is also possible to have the server automatically convert regular deletes into soft deletes. This can be done by creating a soft-delete policy, which can include the following properties:

auto-soft-delete-connection-criteria
Connection criteria that can identify client connections whose deletes should be converted to soft deletes.
auto-soft-delete-request-criteria
Request criteria that can identify delete requests that should be converted to soft deletes.
soft-delete-retention-time
The maximum length of time that soft-deleted entries should be retained in the server.
soft-delete-retain-number-of-entries
The maximum number of soft-deleted entries that should be retained in the server.

After a soft delete policy has been created, the global configuration can be updated to use it with the following property:

soft-delete-policy
The soft-delete policy that should be used by the server. If this is not configured, then soft deletes are disabled in the server, even for delete requests that use the soft delete request control.

Only soft-delete policies that contain values for at least one of the auto-soft-delete-connection-criteria and auto-soft-delete-request-criteria properties can automatically convert regular deletes to soft deletes. If the server has a soft delete policy without criteria, then soft deletes are only allowed with the soft delete request control.

If necessary, soft-deleted entries can be resurrected with the undelete request control in an add request, such as using the --allowUndelete argument to ldapmodify. The attributes of the add request can be used to provide the details of the undelete. In particular, the DN from the add request specifies the DN to use for the resurrected entry, and the ds-undelete-from-dn attribute specifies the DN of the soft-deleted entry to undelete.