UniVerse11.2 Audit Logging

1
UniVerse 11.2 Audit Logging
Ben Peach, Technical Support Engineer

2
Credits and Acknowledgements
Presenter
• Ben Peach, Technical Support Engineer
Developer
• Jing Cui, CISSP, Lead Development Engineer
Support Subject Matter Experts
• Liam Collier, Technical Support Engineer (US)
©2015 Rocket Software, Inc. All Rights Reserved.

3
Abstract
 U2 Database Audit Logging is a security feature that allows the capture of
any event that occurs in the database. This session introduces Audit and
details the architecture and components. It also includes some
recommendations for best practices.

4
Agenda
Overview
Compliance regulations
Architecture
Administration
Components
Best practices

5
Version specific
THIS CONTENT IS SPECIFICALLY DIRECTED TO
UNIVERSE 11.2.
This feature changes at 11.3

6
Overview
What is Audit?
• Ability to capture database events
What does it capture?
• Who – User, Group
• What – Program, Executable
• Where – Account, File
• When – Time, Date

7
Compliance Regulations
PCI DSS
HIPAA and HITECH
GLBA/FFIEC
FISMA
Other regulations
Can Audit help me adhere to security regulations? Yes!

8
MV Security Model
U2 Database Audit Logging:
• Part of a much bigger picture.

9
Architecture
New audman utility
• OS level
• Used to configure and maintain
Install, enable, and disable
Audit configuration file
Audit log files
Audit staging file

10
Install, Enable, and Disable
 Introduced at UniVerse 11.2.0
 Charged on a per-server basis
 No separate installation, just authorization
 Added to license
• 12345678-UV
• 12345678-AUDIT
 Add the package and authorize UniVerse
• uvregen –p AUDIT:1
• Authorize 12345678-UV, not -AUDIT

11
Audit Configuration File
Used to define what is logged
Housed in UniVerse home
• $UVHOME/u2audit.config
• %UVHOME%u2audit.config
Encrypted and encoded
• Text file containing cipher text
Configurable via XAdmin or audman
• Not directly editable

12
Audit Configuration File
Backed up automatically on change
• $UVHOME/audit/config/u2audit.config.date.time
• %UVHOME%auditconfigu2audit.config.date.time
Loaded at startup
• Errors logged in uvsmm.log and uvsmm.errlog
• All events are logged if unable to load configuration
• Can be reloaded without restarting UniVerse
Default configuration file supplied at install
• u2audit.config.default
• A template/example file

13
Audit Log Files
64-bit dynamic hashed file
• Modulo 5000
• Block size 4096
Only 1 log file by default
• AUDIT_LOG_MAX=1
• Must be between 1 and 8
Stored in UniVerse Home directory
• $UVHOME/audit/u2audlogn (n = number of log file)
• %UVHOME%auditu2audlogn (n = number of log file)
• AUDIT_LOG_LOC=/disk1/uv/audit

14
Audit Log Files
Log file named u2audlogn
• Where n is the log number (between 1 and 8)
• &AUDLOGn& in VOC
Files can be automatically encrypted
• AUDIT_LOG_ENC=0 (Off, default)
• AUDIT_LOG_ENC=1 (On)
• When turning encryption on archive and clear all current logs
Each log file has its own dictionary
• Dictionary is reloaded on UniVerse start
• Changes to existing dictionary items lost on UniVerse restart

15
Audit Log Files
Log record ID structure
• 17396.15053.27902.8816.1
• date.time.tick.pid.sequence
• Date – Internal system date
• Time – Internal system time
• Tick – Number of microseconds since this second started
• PID – Process ID
• Sequence – Sequential number to add total uniqueness

16
Audit Log Files
Log record contents
• Event type/class – SYS, DAT, USR
• Origin – Where did the event originate? (uvsh for example)
• Program – The U2 Basic program (log_program_path/stack)
• User, account, file, record ID
• IP Address – Of the host and/or client, if available
• Action – Event dependent, e.g. CreateKey for ADE key creation
• Status – Exist status of the action itself
• Details – Free-form description, varies greatly by event
• Before Action – 0=after, 1=before
• Consolidation – Details of which type of consolidation and specifics

17
Audit Log Files
© 2014 Rocket Software, Inc. All Rights Reserved.

18
Audit Staging Files
Non-session processes are unable to write directly to
hashed files
Failed UV process gets logged to staging
Stored in UniVerse Home directory by default
• $UVHOME/audit/staging
• %UVHOME%auditstaging
• Affected by AUDIT_LOG_LOC in uvconfig
Logged events stored temporarily in individual files
File are encrypted and encoded automatically

19
Audit Staging Files
Sweep applies events to audit log file and clears
staging file
• uvsmm daemon/service
At UniVerse start, then every 120 seconds
Interval can be changed using audman or XAdmin
 audman –writestagedlog –interval n
• Cannot be set to less than uvsmm interval
• Reset at UniVerse restart

20
uv
config control
uv
config control
Architecture
uvsmm
daemon
Shared
memory
audlog1 audlog2 ….8
uv
uvconfig
U2audit
config
staging
UV Daemons
config control
cache
refresh
map
refresh
audman
writestagedlogadmin initiated
audman
admin options
admin user
read staging
and clear
enable
disable
refresh

21
Administration
New utility: audman
• UniVerse bin directory
Extensible Administration Tool (XAdmin)
• GUI
Changing the configuration file
• Defaults: UNIX/Linux – vi, Windows – Notepad.exe
• Can be configured to use different editor
 U2AUDIT_EDITOR environment variable
• audman -config -editor name_of_editor for a “one off” use

22
Administration
Administration tasks
• Configure
• Display configuration
• Reload configuration
• Suspend/resume an audit log file
• Clear an audit log file
• Change sweep interval
• Display audit log file status
• Check/verify audit log file

23
Components
Classes
• System, Data, User
Resources
• A database entity
Events
• Something that can happen to a resource
Policies
• A rule (or set of rules)

24
Classes
System (SYS)
• Pertaining to or performed by a system process or file
 System daemons, system utilities, configuration files, administrative
commands
 uvsmm, uvrw, uvregen, u2audit.config
Data (DAT)
• Pertaining to a data type object
 Hashed files, indexes, schemas, tables, views
User (USR)
• Application dependent, user specified
 Determined by use of AuditLog() in Basic

25
Resources
Resources are logical representations of data and
system objects
• A database entity to which you can point
Three resource classes
• System – uvsmm, uvregen, u2audit.config
• Data – file, index, table, schema, view
• User – determined by use of AuditLog() in Basic

26
Events
Action taken on a resource
• WRITE to a file
Use of a resource
• Execution of a Basic program
Three event classes
• System - events at the database level
• Data - actions taken on data files, schemas, indexes, etc.
• User - actions taken by or on users and groups

27
Policies
Policies are rules defined in the configuration file
Event policy
• Resource/event combination type
• Switch type
Global policy
• Configuration type
• Definition type
Forced policy

28
Policy Terms
List
• Composed of objects of the same type
 Events, processes, programs, users, or files
• Separated by a comma (,) or a vertical bar (|)
 salesEvents=DAT.BASIC.READ,DAT.BASIC.WRITE
Operator
• Specifies inclusion or exclusion
• = set, += add, -= remove
 salesEvents+=DAT.BASIC.DELETE

29
Global Policies
Configuration type
• on_error – Stop process if audit log fails
• privileged_user_audit – Log all administrative actions
• log_program_path – Include program path in log record
• log_program_stack – Include program stack in log record
Definition type
• Account – Define a shortcut or keyword to an account
• Group – Define a shortcut or keyword to a group or ‘list’

30
Global Policy Examples
on_error=on
log_program_path=on
account=hssales:/disk1/uv/HS.SALES
account=salesacct:/disk1/accounts/SALES
account=financeacct:/disk1/accounts/FINANCE
salesEvents=DAT.BASIC.WRITE
salesEvents+=DAT.BASIC.DELETE
financeEvents=DAT.BASIC.*
financeEvents-=DAT.BASIC.READ

31
Event Policies
Resource/Event type
• File – A DAT event on a data resource
• User – Events from a specific user or group
• Process – Events created by a process ID
• Executable – Events from specific UniVerse executables
• Program – Events from specific Basic programs
Switch type
• BeforeAction – Create the log before the event occurs
• Status – Log only success, only fail or both
• Consolidation – Group certain events into one log

32
Event Policy Examples
salesEvents.file=hssales:CUSTOMER
 Note: Physical file is used, no multiple log records due to VOC pointers
salesEvents.file=salesacct:*
financeEvents.file=financeacct:*
DAT.QUERY.*.file=/disk1/accounts/REPORTS:*
SYS.SESSION.*.user=pparker,bwayne,ckent
DAT.SQL.COMMAND.consolidation=counter:10
DAT.BASIC.READ.consolidation=time:60
DAT.BASIC.*.status=success
DAT.BASIC.WRITE.status=both

33
Forced Policies
The following system events are always logged
• SYS.CONFIG.CHANGE
 Changes to Audit configuration
 Plans for more in the future (uvconfig etc.)
• SYS.SECURITY
 SQL GRANT/REVOKE
 Plans for more in the future (Certificates, Security Context)
• SYS.ADE
 Any Automatic Data Encryption action
• SYS.DAEMON
 Events caused by UniVerse daemons/services
 uvsmm, uvcleanupd, uvapi_server, uvchkd, uvrw
These statements represent Rocket Software’s current intentions. Rocket development plans are subject to change or withdrawal without further notice.
Any reliance on these statements is at the relying party’s sole risk and will not create any liability or obligation for Rocket

34
Policy Creation Example

35

36

37
Best Practices
Reporting
Maintenance
What to audit
Log file location

38
Reporting
Create a custom audit log dictionary
Customize your dictionary entries for better
presentation
• SORT &AUDLOG1& USING DICT CUST.DICT.AUD PID
USER EVENTNAME IPADDRESS ACTION
• LIST &AUDLOG2& USING DICT CUST.DICT.AUD USER
TIME

39
Maintenance
Log files are hashed files like any other
• Poor sizing means poor performance
• FILE.STAT, RESIZE, etc.
• Check regularly with fixtool
Backup!
• Make them part of your regular backup
• Consider publishing with U2 Replication
 CAUTION: Can cause large performance overload

40
Maintenance
audlog1 audlog2
write
write
1) Suspend Log 2
audman –suspendlog 2
read
2) Archive, maintenance
Tool of your choice
3) Clear Log 2
audman –clearlog 2
4) Resume Log 2
audman –resumelog 2
Logging continues
uninterrupted!

41
Maintenance
audlog1 audlog2
write
write
1) Suspend Log 1
audman –suspendlog 1
read
2) Archive, maintenance
Tool of your choice
3) Clear Log 1
audman –clearlog 1
4) Resume Log 1
audman –resumelog 1
Records have been archived
using your preferred method
and no downtime at all!

42
Maintenance

43
What to Audit
Compliancy regulations
• Does my compliancy regulation force me to audit these
events/resources?
Performance considerations
• Can I live without auditing this event/resource?
Space considerations
• Do I have enough disk to store these log records?

44
Log File Location
Bottom line: Find the best I/O
• Files can be very busy
• Use a separate disk if possible
• An SSD is preferred

45
Summary
Overview
Compliance regulations
Architecture
Administration
Components
Best practices

46
MV Security Model
U2 Database Audit Logging:
• Part of a much bigger picture.

47
Additional Resources
 Links
http://www.rocketsoftware.com
http://en.wikipedia.org/wiki/Category:Security_compliance
http://www.rocketsoftware.com/resource/u2-technical-documentation
 Need help?
U2support@rocketsoftware.com
support.rocketsoftware.com
http://www.rocketsoftware.com/rocket-u2-professional-services-request

48
Disclaimer
THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED
IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
IN ADDITION, THIS INFORMATION IS BASED ON ROCKET SOFTWARE’S CURRENT PRODUCT PLANS AND STRATEGY,
WHICH ARE SUBJECT TO CHANGE BY ROCKET SOFTWAREWITHOUT NOTICE.
ROCKET SOFTWARE SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR
OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.
NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:
• CREATING ANY WARRANTY OR REPRESENTATION FROM ROCKET SOFTWARE(OR ITS AFFILIATES OR ITS OR
THEIR SUPPLIERS AND/OR LICENSORS); OR
• ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF
ROCKET SOFTWARE.

49
Trademarks and Acknowledgements
The trademarks and service marks identified in the following list are the exclusive properties of Rocket Software,
Inc. and its subsidiaries (collectively, “Rocket Software”). These marks are registered with the U.S. Patent and
Trademark Office, and may be registered or pending registration in other countries. Not all trademarks owned by
Rocket Software are listed. The absence of a mark from this page neither constitutes a waiver of any intellectual
property rights that Rocket Software has established in its marks nor means that Rocket Software is not owner of
any such marks.
Aldon, CorVu, Dynamic Connect, D3, FlashConnect, Pick, mvBase, MvEnterprise, NetCure,
Rocket, SystemBuilder, U2, U2 Web Development Environment, UniData, UniVerse, and
wIntegrate
Other company, product, and service names mentioned herein may be trademarks or service marks of
others.

UniVerse11.2 Audit Logging

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie UniVerse11.2 Audit Logging

Ähnlich wie UniVerse11.2 Audit Logging (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

UniVerse11.2 Audit Logging