Invoke data security audit processing in order to identify potential risks or other notable security characteristics contained in directory data.
This tool schedules an internal task with the server that examines all or a subset of entries in the server, writing a series of reports on potential risks with the data. Reports are written to the output directory organized by backend name and audit items. The list of available auditors can be obtained using 'dsconfig list-auditors --property name'. Either the --includeAuditor or the --excludeAuditor arguments may be used to limit the scope of the audit.
Additionally, the entries scanned can be limited by specifying the backends to scan, or by specifying an LDAP filter that is used to select the entries to be processed.
This tool schedules an operation to run within the Directory Server's process. LDAP connection options must be supplied that allow this tool to communicate with the server through its task interface. Tasks can be scheduled to run immediately or at a later time (see Task Scheduling Options below). Once scheduled, tasks can be managed using the manage-tasks tool.
audit-data-security
audit-data-security --backendID userRoot1 --backendID userRoot2 \
--excludeAuditor PRIVILEGE
audit-data-security --backendID userRoot \
--reportFilter "(employeeType=temporary)" \
--reportFilter "(employeeType=part-time)"
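The connection options this tool requires are easy to supply insecurely (--trustAll, --useNoSecurity, or -w with the password visible in process listings). The wrapper below is an added example, not part of the product or of this reference: it builds a StartTLS invocation with an explicit trust store and a permission-checked bind password file, and turns backend IDs and LDAP filters into --backendID and --reportFilter arguments. AUDIT_BIND_DN, DRY_RUN and the host and file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the product documentation: a hardened wrapper that schedules
# audit-data-security as a server task. AUDIT_BIND_DN and DRY_RUN are this example's own.

# Refuse a bind password file readable by group or other. --bindPasswordFile exists so the
# password never appears in ps output or shell history; a world-readable file defeats that.
check_password_file() {
    [ -f "$1" ] || { echo "missing bind password file: $1" >&2; return 1; }
    perms=$(ls -l "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || { echo "$1 is group/other readable ($perms)" >&2; return 1; }
}

# run_audit HOST PORT TRUSTSTORE PWFILE ITEM...
# Each ITEM is a backend ID, or an LDAP filter (starting with '(') passed as --reportFilter.
# The connection uses StartTLS against an explicit trust store; --trustAll and
# --useNoSecurity are deliberately not available through this wrapper.
# With DRY_RUN=1 the argument list is printed, one per line, instead of running the tool.
run_audit() {
    host=$1; port=$2; trust=$3; pwfile=$4; shift 4
    check_password_file "$pwfile" || return 1
    [ -r "$trust" ] || { echo "trust store not readable: $trust" >&2; return 1; }
    # Rotate the remaining positional parameters, translating each into tool arguments
    # without eval so filters containing spaces or quotes survive intact.
    n=$#; i=0
    while [ "$i" -lt "$n" ]; do
        item=$1; shift
        case "$item" in
            "("*) set -- "$@" --reportFilter "$item" ;;
            *)    set -- "$@" --backendID "$item" ;;
        esac
        i=$((i + 1))
    done
    set -- --task --useStartTLS --hostname "$host" --port "$port" \
           --trustStorePath "$trust" \
           --bindDN "${AUDIT_BIND_DN:-cn=Directory Manager}" \
           --bindPasswordFile "$pwfile" "$@"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        audit-data-security "$@"
    fi
}
```

Run once with DRY_RUN=1 to inspect the exact argument list before scheduling; the scheduled task can then be followed with manage-tasks as described above.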
-V
--version
| Description | Display Directory Server version information |
-H
--help
| Description | Display general usage information |
--help-ldap
| Description | Display help for using LDAP options |
--help-sasl
| Description | Display help for using SASL options |
--help-debug
| Description | Display help for using debug options |
| Advanced | Yes |
-Z
--useSSL
| Description | Use SSL for secure communication with the server |
-q
--useStartTLS
| Description | Use StartTLS to secure communication with the server |
--useNoSecurity
| Description | Use no security when communicating with the server |
-h {host}
--hostname {host}
| Description | Address on which the local Directory Server is listening |
| Default Value | localhost |
| Required | No |
| Multi-Valued | No |
-p {port}
--port {port}
| Description | Directory Server port number |
| Default Value | 389 |
| Required | No |
| Multi-Valued | No |
-D {bindDN}
--bindDN {bindDN}
| Description | DN used to bind to the server |
| Default Value | cn=Directory Manager |
| Required | No |
| Multi-Valued | No |
-w {bindPassword}
--bindPassword {bindPassword}
| Description | Password used to bind to the server |
| Required | No |
| Multi-Valued | No |
-j {bindPasswordFile}
--bindPasswordFile {bindPasswordFile}
| Description | Bind password file |
| Required | No |
| Multi-Valued | No |
-o {name=value}
--saslOption {name=value}
| Description | SASL bind options |
| Required | No |
| Multi-Valued | Yes |
-X
--trustAll
| Description | Trust all server SSL certificates |
-P {trustStorePath}
--trustStorePath {trustStorePath}
| Description | Certificate trust store path |
| Required | No |
| Multi-Valued | No |
-T {trustStorePassword}
--trustStorePassword {trustStorePassword}
| Description | Certificate trust store PIN |
| Required | No |
| Multi-Valued | No |
-U {path}
--trustStorePasswordFile {path}
| Description | Certificate trust store PIN file |
| Required | No |
| Multi-Valued | No |
-K {keyStorePath}
--keyStorePath {keyStorePath}
| Description | Certificate key store path |
| Required | No |
| Multi-Valued | No |
-W {keyStorePassword}
--keyStorePassword {keyStorePassword}
| Description | Certificate key store PIN |
| Required | No |
| Multi-Valued | No |
-u {keyStorePasswordFile}
--keyStorePasswordFile {keyStorePasswordFile}
| Description | Certificate key store PIN file |
| Required | No |
| Multi-Valued | No |
-N {nickname}
--certNickname {nickname}
| Description | Nickname of the certificate for SSL client authentication |
| Required | No |
| Multi-Valued | No |
--propertiesFilePath {propertiesFilePath}
| Description | Path to the file that contains default property values used for command-line arguments |
| Required | No |
| Multi-Valued | No |
--usePropertiesFile
| Description | Specify that a properties file will be used to get default command-line argument values |
--task
| Description | Indicates that this tool should be invoked as a task which runs inside the Directory Server rather than as a separate process. At present, this argument is optional, but in a future release it may be required for running as a task |
-t {startTime}
--start {startTime}
| Description | Indicates the date/time, expressed in format 'YYYYMMDDhhmmss', when the operation starts when scheduled as a server task. A value of '0' causes the task to be scheduled for immediate execution. When this option is specified, the operation is scheduled to start at the specified time, after which this utility will exit immediately |
| Required | No |
| Multi-Valued | No |
--completionNotify {emailAddress}
| Description | Email address of a recipient to be notified when the task completes. This option may be specified more than once |
| Required | No |
| Multi-Valued | Yes |
--errorNotify {emailAddress}
| Description | Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once |
| Required | No |
| Multi-Valued | Yes |
--dependency {taskID}
| Description | ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution |
| Required | No |
| Multi-Valued | Yes |
--failedDependencyAction {action}
| Description | Action this task will take should one of the tasks it depends on fail. The value must be one of PROCESS, CANCEL or DISABLE. If not specified, the default value is CANCEL |
| Required | No |
| Multi-Valued | Yes |
-Q
--quiet
| Description | Use quiet mode |
-O {path}
--outputDirectory {path}
| Description | Directory where reports will be written. If omitted, the reports are written to reports/audit-data-security/ |
| Required | No |
| Multi-Valued | No |
-f {filter}
--reportFilter {filter}
| Description | LDAP filter(s) for identifying entries for data security audit. Only entries matching any of the provided filters will be included in the audit |
| Required | No |
| Multi-Valued | Yes |
--backendID {backendName}
| Description | ID of the backend(s) to audit |
| Required | No |
| Multi-Valued | Yes |
--includeAuditor {auditor}
| Description | Auditors executed during audit |
| Required | No |
| Multi-Valued | Yes |
--excludeAuditor {auditor}
| Description | Auditors that will not be executed during audit |
| Required | No |
| Multi-Valued | Yes |