UniVerse 11.2 Audit Logging

U2 Database Audit Logging is a security feature that allows the capture of any event that occurs in the database. This session introduces Audit and details the architecture and components. It also includes some recommendations for best practices.

  1. UniVerse 11.2 Audit Logging
     Ben Peach, Technical Support Engineer
  2. Credits and Acknowledgements
     Presenter
     • Ben Peach, Technical Support Engineer
     Developer
     • Jing Cui, CISSP, Lead Development Engineer
     Support Subject Matter Experts
     • Liam Collier, Technical Support Engineer (US)
     ©2015 Rocket Software, Inc. All Rights Reserved.
  3. Abstract
     U2 Database Audit Logging is a security feature that allows the capture of any event that occurs in the database. This session introduces Audit and details the architecture and components. It also includes some recommendations for best practices.
  4. Agenda
     • Overview
     • Compliance regulations
     • Architecture
     • Administration
     • Components
     • Best practices
  5. Version specific
     THIS CONTENT IS SPECIFICALLY DIRECTED TO UNIVERSE 11.2. This feature changes at 11.3.
  6. Overview
     What is Audit?
     • Ability to capture database events
     What does it capture?
     • Who – User, Group
     • What – Program, Executable
     • Where – Account, File
     • When – Time, Date
  7. Compliance Regulations
     • PCI DSS
     • HIPAA and HITECH
     • GLBA/FFIEC
     • FISMA
     • Other regulations
     Can Audit help me adhere to security regulations? Yes!
  8. MV Security Model
     U2 Database Audit Logging:
     • Part of a much bigger picture.
  9. Architecture
     New audman utility
     • OS level
     • Used to configure and maintain
     Install, enable, and disable
     Audit configuration file
     Audit log files
     Audit staging file
  10. Install, Enable, and Disable
     • Introduced at UniVerse 11.2.0
     • Charged on a per-server basis
     • No separate installation, just authorization
     • Added to license
       - 12345678-UV
       - 12345678-AUDIT
     • Add the package and authorize UniVerse
       - uvregen -p AUDIT:1
       - Authorize 12345678-UV, not -AUDIT
  11. Audit Configuration File
     Used to define what is logged
     Housed in UniVerse home
     • $UVHOME/u2audit.config
     • %UVHOME%\u2audit.config
     Encrypted and encoded
     • Text file containing cipher text
     Configurable via XAdmin or audman
     • Not directly editable
  12. Audit Configuration File
     Backed up automatically on change
     • $UVHOME/audit/config/u2audit.config.date.time
     • %UVHOME%\audit\config\u2audit.config.date.time
     Loaded at startup
     • Errors logged in uvsmm.log and uvsmm.errlog
     • All events are logged if the configuration cannot be loaded
     • Can be reloaded without restarting UniVerse
     Default configuration file supplied at install
     • u2audit.config.default
     • A template/example file
  13. Audit Log Files
     64-bit dynamic hashed file
     • Modulo 5000
     • Block size 4096
     Only 1 log file by default
     • AUDIT_LOG_MAX=1
     • Must be between 1 and 8
     Stored in UniVerse home directory
     • $UVHOME/audit/u2audlogn (n = number of the log file)
     • %UVHOME%\audit\u2audlogn (n = number of the log file)
     • AUDIT_LOG_LOC=/disk1/uv/audit (uvconfig setting that overrides the location)
  14. Audit Log Files
     Log file named u2audlogn
     • Where n is the log number (between 1 and 8)
     • &AUDLOGn& in VOC
     Files can be automatically encrypted
     • AUDIT_LOG_ENC=0 (Off, default)
     • AUDIT_LOG_ENC=1 (On)
     • When turning encryption on, archive and clear all current logs
     Each log file has its own dictionary
     • Dictionary is reloaded on UniVerse start
     • Changes to existing dictionary items are lost on UniVerse restart
  15. Audit Log Files
     Log record ID structure
     • 17396.15053.27902.8816.1
     • date.time.tick.pid.sequence
     • Date – Internal system date
     • Time – Internal system time
     • Tick – Number of microseconds since this second started
     • PID – Process ID
     • Sequence – Sequential number that makes the ID unique
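An added example, not part of the presentation or of Rocket Software's code, that parses the date.time.tick.pid.sequence record ID from slide 15 into a wall-clock timestamp and a chronological sort key. It assumes the standard UniVerse internal date (day 0 = 31 December 1967) and internal time (seconds since midnight); the sample IDs other than the slide's own are constructed.

```python
from datetime import datetime, timedelta

PICK_EPOCH = datetime(1967, 12, 31)  # UniVerse internal date 0; day 1 is 1968-01-01

def parse_audit_id(record_id):
    """Split a u2audlog record ID 'date.time.tick.pid.sequence' into validated integer fields."""
    parts = record_id.split(".")
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        raise ValueError("not a date.time.tick.pid.sequence ID: %r" % record_id)
    idate, itime, tick, pid, seq = (int(p) for p in parts)
    if not 0 <= itime < 86400 or not 0 <= tick < 1_000_000:
        raise ValueError("time or tick out of range: %r" % record_id)
    return {"internal_date": idate, "internal_time": itime, "tick": tick, "pid": pid, "seq": seq}

def audit_id_timestamp(record_id):
    """ISO 8601 wall-clock timestamp (server local time) with microsecond precision."""
    f = parse_audit_id(record_id)
    stamp = PICK_EPOCH + timedelta(days=f["internal_date"], seconds=f["internal_time"],
                                   microseconds=f["tick"])
    return stamp.isoformat()

def sort_key(record_id):
    """Numeric tuple so IDs order chronologically; plain string order would put 15053 before 9000."""
    f = parse_audit_id(record_id)
    return (f["internal_date"], f["internal_time"], f["tick"], f["pid"], f["seq"])

def chronological(record_ids):
    """Record IDs in the order the events happened (pid and sequence break ties)."""
    return sorted(record_ids, key=sort_key)

# Constructed IDs: the one from the slide, plus neighbours on the same and the previous day.
SAMPLE_IDS = ["17396.15053.27902.8816.2", "17396.9000.5.100.1",
              "17396.15053.27902.8816.1", "17395.86000.0.42.1"]
```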
  16. Audit Log Files
     Log record contents
     • Event type/class – SYS, DAT, USR
     • Origin – Where did the event originate? (uvsh, for example)
     • Program – The U2 Basic program (log_program_path/stack)
     • User, account, file, record ID
     • IP address – Of the host and/or client, if available
     • Action – Event dependent, e.g. CreateKey for ADE key creation
     • Status – Exit status of the action itself
     • Details – Free-form description, varies greatly by event
     • Before Action – 0=after, 1=before
     • Consolidation – Which type of consolidation applied, and its specifics
  17. Audit Log Files (screenshot of a log record, not reproduced)
  18. Audit Staging Files
     Non-session processes are unable to write directly to hashed files
     Events from a failed UV process are logged to staging
     Stored in UniVerse home directory by default
     • $UVHOME/audit/staging
     • %UVHOME%\audit\staging
     • Affected by AUDIT_LOG_LOC in uvconfig
     Logged events are stored temporarily in individual files
     Files are encrypted and encoded automatically
  19. Audit Staging Files
     Sweep applies events to the audit log file and clears the staging file
     • uvsmm daemon/service
     At UniVerse start, then every 120 seconds
     Interval can be changed using audman or XAdmin
     • audman -writestagedlog -interval n
     • Cannot be set to less than the uvsmm interval
     • Reset at UniVerse restart
  20. Architecture (diagram, not reproduced: uvsmm daemon with shared memory, uvconfig, u2audit.config, the staging area and the audit log files audlog1 to audlog8; UV daemons perform config control, cache refresh and map refresh; admin-initiated audman options write the staged log, read and clear staging, and enable, disable or refresh the configuration)
  21. Administration
     New utility: audman
     • UniVerse bin directory
     Extensible Administration Tool (XAdmin)
     • GUI
     Changing the configuration file
     • Defaults: UNIX/Linux – vi, Windows – Notepad.exe
     • Can be configured to use a different editor
       - U2AUDIT_EDITOR environment variable
       - audman -config -editor name_of_editor for a "one off" use
  22. Administration
     Administration tasks
     • Configure
     • Display configuration
     • Reload configuration
     • Suspend/resume an audit log file
     • Clear an audit log file
     • Change sweep interval
     • Display audit log file status
     • Check/verify audit log file
  23. Components
     Classes
     • System, Data, User
     Resources
     • A database entity
     Events
     • Something that can happen to a resource
     Policies
     • A rule (or set of rules)
  24. Classes
     System (SYS)
     • Pertaining to or performed by a system process or file
       - System daemons, system utilities, configuration files, administrative commands
       - uvsmm, uvrw, uvregen, u2audit.config
     Data (DAT)
     • Pertaining to a data type object
       - Hashed files, indexes, schemas, tables, views
     User (USR)
     • Application dependent, user specified
       - Determined by use of AuditLog() in Basic
  25. Resources
     Resources are logical representations of data and system objects
     • A database entity to which you can point
     Three resource classes
     • System – uvsmm, uvregen, u2audit.config
     • Data – file, index, table, schema, view
     • User – determined by use of AuditLog() in Basic
  26. Events
     Action taken on a resource
     • WRITE to a file
     Use of a resource
     • Execution of a Basic program
     Three event classes
     • System – events at the database level
     • Data – actions taken on data files, schemas, indexes, etc.
     • User – actions taken by or on users and groups
  27. Policies
     Policies are rules defined in the configuration file
     Event policy
     • Resource/event combination type
     • Switch type
     Global policy
     • Configuration type
     • Definition type
     Forced policy
  28. Policy Terms
     List
     • Composed of objects of the same type
       - Events, processes, programs, users, or files
     • Separated by a comma (,) or a vertical bar (|)
       - salesEvents=DAT.BASIC.READ,DAT.BASIC.WRITE
     Operator
     • Specifies inclusion or exclusion
     • = set, += add, -= remove
       - salesEvents+=DAT.BASIC.DELETE
  29. Global Policies
     Configuration type
     • on_error – Stop the process if the audit log fails
     • privileged_user_audit – Log all administrative actions
     • log_program_path – Include the program path in the log record
     • log_program_stack – Include the program stack in the log record
     Definition type
     • Account – Define a shortcut or keyword for an account
     • Group – Define a shortcut or keyword for a group or 'list'
  30. Global Policy Examples
     on_error=on
     log_program_path=on
     account=hssales:/disk1/uv/HS.SALES
     account=salesacct:/disk1/accounts/SALES
     account=financeacct:/disk1/accounts/FINANCE
     salesEvents=DAT.BASIC.WRITE
     salesEvents+=DAT.BASIC.DELETE
     financeEvents=DAT.BASIC.*
     financeEvents-=DAT.BASIC.READ
  31. Event Policies
     Resource/event type
     • File – A DAT event on a data resource
     • User – Events from a specific user or group
     • Process – Events created by a process ID
     • Executable – Events from specific UniVerse executables
     • Program – Events from specific Basic programs
     Switch type
     • BeforeAction – Create the log record before the event occurs
     • Status – Log only success, only failure, or both
     • Consolidation – Group certain events into one log record
  32. Event Policy Examples
     salesEvents.file=hssales:CUSTOMER
     • Note: the physical file is used, so VOC pointers to it do not produce multiple log records
     salesEvents.file=salesacct:*
     financeEvents.file=financeacct:*
     DAT.QUERY.*.file=/disk1/accounts/REPORTS:*
     SYS.SESSION.*.user=pparker,bwayne,ckent
     DAT.SQL.COMMAND.consolidation=counter:10
     DAT.BASIC.READ.consolidation=time:60
     DAT.BASIC.*.status=success
     DAT.BASIC.WRITE.status=both
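An added example, not the presentation's or Rocket Software's code, that models the policy notation of slides 28 to 32: list operators (=, += and -=), comma or bar separators, account keyword definitions and .file bindings, and answers which event policies cover a given event on a given file. The semantics are assumptions made for illustration (wildcards match fnmatch-style, -= of a pattern acts as an exclusion, repeated .file lines accumulate); the real u2audit.config parser is not shown on the slides, and configuration-type settings such as on_error are left out.

```python
from fnmatch import fnmatchcase
import re
SWITCHES = "file|user|process|executable|program|status|consolidation|beforeaction"  # slide 31
RULE = re.compile(r"^([\w.*]+?)(?:\.(%s))?\s*(\+=|-=|=)\s*(.*)$" % SWITCHES, re.I)

def parse_config(text):
    """Parse policy lines into account keywords, named lists and event policies."""
    cfg = {"account": {}, "lists": {}, "policy": {}}
    for line in text.strip().splitlines():
        name, switch, op, value = RULE.match(line.strip()).groups()  # AttributeError on a bad line
        if switch:                       # event policy, e.g. salesEvents.file=hssales:CUSTOMER
            cfg["policy"].setdefault(name, {}).setdefault(switch.lower(), []).append(value)
        elif name == "account":          # definition type: account=keyword:path
            cfg["account"].update([value.split(":", 1)])
        else:                            # named list: "=" sets, "+=" adds, "-=" removes
            items = [v for v in re.split(r"[,|]", value) if v]
            lst = cfg["lists"].setdefault(name, {"inc": [], "exc": []})
            if op == "=":
                lst["inc"], lst["exc"] = items, []
            elif op == "+=":
                lst["inc"] += items
            else:                        # assumption: removing a pattern acts as an exclusion
                lst["exc"] += items
    return cfg

def event_in(cfg, listname, event):
    """A named list resolves through its inc/exc patterns; a bare event pattern matches directly."""
    lst = cfg["lists"].get(listname)
    if lst is None:
        return fnmatchcase(event, listname)
    return (any(fnmatchcase(event, p) for p in lst["inc"])
            and not any(fnmatchcase(event, p) for p in lst["exc"]))

def policies_for_file(cfg, event, account_path, filename):
    """Names of the event policies whose .file binding covers this event on this file."""
    hits = []
    for listname, switches in cfg["policy"].items():
        for binding in switches.get("file", []):
            acct, _, fpat = binding.partition(":")  # account keyword or literal account path
            if (event_in(cfg, listname, event) and fnmatchcase(filename, fpat)
                    and cfg["account"].get(acct, acct) == account_path):
                hits.append(listname)
                break
    return hits

SAMPLE = "\n".join([  # constructed sample, assembled from the policy lines shown on the slides
    "account=hssales:/disk1/uv/HS.SALES", "salesEvents=DAT.BASIC.WRITE",
    "salesEvents+=DAT.BASIC.DELETE", "financeEvents=DAT.BASIC.*",
    "financeEvents-=DAT.BASIC.READ", "salesEvents.file=hssales:CUSTOMER",
    "financeEvents.file=/disk1/accounts/FINANCE:*", "DAT.QUERY.*.file=/disk1/accounts/REPORTS:*"])
```

With the sample, a DAT.BASIC.READ on a FINANCE file is covered by no policy because financeEvents removed it, while a DAT.BASIC.DELETE still is.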
  33. Forced Policies
     The following system events are always logged
     • SYS.CONFIG.CHANGE
       - Changes to the Audit configuration
       - Plans for more in the future (uvconfig etc.)
     • SYS.SECURITY
       - SQL GRANT/REVOKE
       - Plans for more in the future (Certificates, Security Context)
     • SYS.ADE
       - Any Automatic Data Encryption action
     • SYS.DAEMON
       - Events caused by UniVerse daemons/services
       - uvsmm, uvcleanupd, uvapi_server, uvchkd, uvrw
     These statements represent Rocket Software's current intentions. Rocket development plans are subject to change or withdrawal without further notice. Any reliance on these statements is at the relying party's sole risk and will not create any liability or obligation for Rocket.
  34. Policy Creation Example (screenshot, not reproduced)
  35. Policy Creation Example (screenshot, not reproduced)
  36. Policy Creation Example (screenshot, not reproduced)
  37. Best Practices
     • Reporting
     • Maintenance
     • What to audit
     • Log file location
  38. Reporting
     Create a custom audit log dictionary
     Customize your dictionary entries for better presentation
     • SORT &AUDLOG1& USING DICT CUST.DICT.AUD PID USER EVENTNAME IPADDRESS ACTION
     • LIST &AUDLOG2& USING DICT CUST.DICT.AUD USER TIME
  39. Maintenance
     Log files are hashed files like any other
     • Poor sizing means poor performance
     • FILE.STAT, RESIZE, etc.
     • Check regularly with fixtool
     Backup!
     • Make them part of your regular backup
     • Consider publishing with U2 Replication
       - CAUTION: Can cause a large performance overhead
  40. Maintenance (diagram: logging continues to audlog1 while audlog2 is serviced)
     1) Suspend log 2: audman -suspendlog 2
     2) Archive and maintain with the tool of your choice
     3) Clear log 2: audman -clearlog 2
     4) Resume log 2: audman -resumelog 2
     Logging continues uninterrupted!
  41. Maintenance (diagram: logging continues to audlog2 while audlog1 is serviced)
     1) Suspend log 1: audman -suspendlog 1
     2) Archive and maintain with the tool of your choice
     3) Clear log 1: audman -clearlog 1
     4) Resume log 1: audman -resumelog 1
     Records have been archived using your preferred method, with no downtime at all!
  42. Maintenance (screenshot, not reproduced)
  43. What to Audit
     Compliance regulations
     • Does my compliance regulation require me to audit these events/resources?
     Performance considerations
     • Can I live without auditing this event/resource?
     Space considerations
     • Do I have enough disk to store these log records?
  44. Log File Location
     Bottom line: find the best I/O
     • Files can be very busy
     • Use a separate disk if possible
     • An SSD is preferred
  45. Summary
     • Overview
     • Compliance regulations
     • Architecture
     • Administration
     • Components
     • Best practices
  46. MV Security Model
     U2 Database Audit Logging:
     • Part of a much bigger picture.
  47. Additional Resources
     Links
     • http://www.rocketsoftware.com
     • http://en.wikipedia.org/wiki/Category:Security_compliance
     • http://www.rocketsoftware.com/resource/u2-technical-documentation
     Need help?
     • U2support@rocketsoftware.com
     • support.rocketsoftware.com
     • http://www.rocketsoftware.com/rocket-u2-professional-services-request
  48. Disclaimer
     THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON ROCKET SOFTWARE'S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY ROCKET SOFTWARE WITHOUT NOTICE. ROCKET SOFTWARE SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:
     • CREATING ANY WARRANTY OR REPRESENTATION FROM ROCKET SOFTWARE (OR ITS AFFILIATES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS); OR
     • ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF ROCKET SOFTWARE.
  49. Trademarks and Acknowledgements
     The trademarks and service marks identified in the following list are the exclusive properties of Rocket Software, Inc. and its subsidiaries (collectively, "Rocket Software"). These marks are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. Not all trademarks owned by Rocket Software are listed. The absence of a mark from this page neither constitutes a waiver of any intellectual property rights that Rocket Software has established in its marks nor means that Rocket Software is not the owner of any such marks.
     Aldon, CorVu, Dynamic Connect, D3, FlashConnect, Pick, mvBase, MvEnterprise, NetCure, Rocket, SystemBuilder, U2, U2 Web Development Environment, UniData, UniVerse, and wIntegrate
     Other company, product, and service names mentioned herein may be trademarks or service marks of others.