U2 Database Audit Logging is a security feature that allows the capture of any event that occurs in the database. This session introduces Audit and details the architecture and components. It also includes some recommendations for best practices.
Credits and Acknowledgements
- Presenter
  - Ben Peach, Technical Support Engineer
- Developer
  - Jing Cui, CISSP, Lead Development Engineer
- Support Subject Matter Experts
  - Liam Collier, Technical Support Engineer (US)
©2015 Rocket Software, Inc. All Rights Reserved.
Version specific
- THIS CONTENT IS SPECIFICALLY DIRECTED TO UNIVERSE 11.2.
- This feature changes at 11.3
Overview
- What is Audit?
  - Ability to capture database events
- What does it capture?
  - Who – User, Group
  - What – Program, Executable
  - Where – Account, File
  - When – Time, Date
Compliance Regulations
- PCI DSS
- HIPAA and HITECH
- GLBA/FFIEC
- FISMA
- Other regulations
Can Audit help me adhere to security regulations? Yes!
MV Security Model
- U2 Database Audit Logging:
  - Part of a much bigger picture.
Architecture
- New audman utility
  - OS level
  - Used to configure and maintain
- Install, enable, and disable
- Audit configuration file
- Audit log files
- Audit staging file
Install, Enable, and Disable
- Introduced at UniVerse 11.2.0
- Charged on a per-server basis
- No separate installation, just authorization
- Added to license
  - 12345678-UV
  - 12345678-AUDIT
- Add the package and authorize UniVerse
  - uvregen -p AUDIT:1
  - Authorize 12345678-UV, not -AUDIT
Audit Configuration File
- Used to define what is logged
- Housed in UniVerse home
  - $UVHOME/u2audit.config
  - %UVHOME%\u2audit.config
- Encrypted and encoded
  - Text file containing cipher text
- Configurable via XAdmin or audman
  - Not directly editable
Audit Configuration File
- Backed up automatically on change
  - $UVHOME/audit/config/u2audit.config.date.time
  - %UVHOME%\audit\config\u2audit.config.date.time
- Loaded at startup
  - Errors logged in uvsmm.log and uvsmm.errlog
  - All events are logged if unable to load configuration
  - Can be reloaded without restarting UniVerse
- Default configuration file supplied at install
  - u2audit.config.default
  - A template/example file
Audit Log Files
- 64-bit dynamic hashed file
  - Modulo 5000
  - Block size 4096
- Only 1 log file by default
  - AUDIT_LOG_MAX=1
  - Must be between 1 and 8
- Stored in UniVerse Home directory
  - $UVHOME/audit/u2audlogn (n = number of log file)
  - %UVHOME%\audit\u2audlogn (n = number of log file)
  - AUDIT_LOG_LOC=/disk1/uv/audit
Audit Log Files
- Log file named u2audlogn
  - Where n is the log number (between 1 and 8)
  - &AUDLOGn& in VOC
- Files can be automatically encrypted
  - AUDIT_LOG_ENC=0 (Off, default)
  - AUDIT_LOG_ENC=1 (On)
  - When turning encryption on, archive and clear all current logs
- Each log file has its own dictionary
  - Dictionary is reloaded on UniVerse start
  - Changes to existing dictionary items are lost on UniVerse restart
Audit Log Files
- Log record ID structure
  - 17396.15053.27902.8816.1
  - date.time.tick.pid.sequence
  - Date – Internal system date
  - Time – Internal system time
  - Tick – Number of microseconds since this second started
  - PID – Process ID
  - Sequence – Sequential number to add total uniqueness
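As an added example (not from the deck), a small Python decoder for the record ID layout just described. It assumes the standard U2 internal date (days counted from 31 December 1967) and internal time (seconds since midnight) conventions, and shows why IDs should be ordered field by field rather than as strings.

```python
import re
from datetime import date, time, timedelta

# UniVerse internal date counts days from 31 Dec 1967 (day 0) and internal
# time counts seconds since midnight; both are standard Pick/U2 conventions.
PICK_EPOCH = date(1967, 12, 31)
ID_PATTERN = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_audit_id(record_id):
    """Split a date.time.tick.pid.sequence record ID into named fields.

    Raises ValueError when the ID does not have five numeric fields or the
    time/tick fields are out of range, so a corrupt ID is never silently
    mapped onto a plausible-looking timestamp."""
    m = ID_PATTERN.match(record_id)
    if not m:
        raise ValueError("not a U2 audit record ID: %r" % record_id)
    idate, itime, tick, pid, seq = (int(g) for g in m.groups())
    if itime > 86399 or tick > 999999:
        raise ValueError("time or tick out of range: %r" % record_id)
    return {
        "date": PICK_EPOCH + timedelta(days=idate),
        "time": time(itime // 3600, itime % 3600 // 60, itime % 60),
        "tick": tick,        # microseconds into that second
        "pid": pid,          # process that wrote the record
        "sequence": seq,     # separates records from the same pid and tick
    }

def sort_key(record_id):
    """Chronological ordering key. Plain string order of IDs is wrong as soon
    as a field differs in digit count, e.g. time 9999 versus 15053."""
    f = parse_audit_id(record_id)
    return (f["date"], f["time"], f["tick"], f["pid"], f["sequence"])

if __name__ == "__main__":
    # The sample ID is the one shown on the slide.
    print(parse_audit_id("17396.15053.27902.8816.1"))
```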
Audit Log Files
- Log record contents
  - Event type/class – SYS, DAT, USR
  - Origin – Where did the event originate? (uvsh, for example)
  - Program – The U2 Basic program (log_program_path/stack)
  - User, account, file, record ID
  - IP Address – Of the host and/or client, if available
  - Action – Event dependent, e.g. CreateKey for ADE key creation
  - Status – Exit status of the action itself
  - Details – Free-form description, varies greatly by event
  - Before Action – 0=after, 1=before
  - Consolidation – Details of which type of consolidation and specifics
Audit Staging Files
- Non-session processes are unable to write directly to hashed files
- A failed UV process gets logged to staging
- Stored in UniVerse Home directory by default
  - $UVHOME/audit/staging
  - %UVHOME%\audit\staging
  - Affected by AUDIT_LOG_LOC in uvconfig
- Logged events are stored temporarily in individual files
- Files are encrypted and encoded automatically
Audit Staging Files
- Sweep applies events to the audit log file and clears the staging file
  - uvsmm daemon/service
- At UniVerse start, then every 120 seconds
- Interval can be changed using audman or XAdmin
  - audman -writestagedlog -interval n
  - Cannot be set to less than the uvsmm interval
  - Reset at UniVerse restart
Architecture (diagram)
Components shown: uv processes and UV daemons (config control), the uvsmm daemon, shared memory (cache refresh, map refresh), uvconfig, u2audit.config, staging, audlog1, audlog2 ... 8, and audman (admin options: admin user, read staging and clear, enable, disable, refresh; writestagedlog is admin initiated).
Administration
- New utility: audman
  - UniVerse bin directory
- Extensible Administration Tool (XAdmin)
  - GUI
- Changing the configuration file
  - Defaults: UNIX/Linux – vi, Windows – Notepad.exe
  - Can be configured to use a different editor
    - U2AUDIT_EDITOR environment variable
  - audman -config -editor name_of_editor for a "one off" use
Administration
- Administration tasks
  - Configure
  - Display configuration
  - Reload configuration
  - Suspend/resume an audit log file
  - Clear an audit log file
  - Change sweep interval
  - Display audit log file status
  - Check/verify audit log file
Components
- Classes
  - System, Data, User
- Resources
  - A database entity
- Events
  - Something that can happen to a resource
- Policies
  - A rule (or set of rules)
Classes
- System (SYS)
  - Pertaining to or performed by a system process or file
    - System daemons, system utilities, configuration files, administrative commands
    - uvsmm, uvrw, uvregen, u2audit.config
- Data (DAT)
  - Pertaining to a data type object
    - Hashed files, indexes, schemas, tables, views
- User (USR)
  - Application dependent, user specified
    - Determined by use of AuditLog() in Basic
Resources
- Resources are logical representations of data and system objects
  - A database entity to which you can point
- Three resource classes
  - System – uvsmm, uvregen, u2audit.config
  - Data – file, index, table, schema, view
  - User – determined by use of AuditLog() in Basic
Events
- Action taken on a resource
  - WRITE to a file
- Use of a resource
  - Execution of a Basic program
- Three event classes
  - System – events at the database level
  - Data – actions taken on data files, schemas, indexes, etc.
  - User – actions taken by or on users and groups
Policies
- Policies are rules defined in the configuration file
- Event policy
  - Resource/event combination type
  - Switch type
- Global policy
  - Configuration type
  - Definition type
- Forced policy
Policy Terms
- List
  - Composed of objects of the same type
    - Events, processes, programs, users, or files
  - Separated by a comma (,) or a vertical bar (|)
    - salesEvents=DAT.BASIC.READ,DAT.BASIC.WRITE
- Operator
  - Specifies inclusion or exclusion
  - = set, += add, -= remove
    - salesEvents+=DAT.BASIC.DELETE
Global Policies
- Configuration type
  - on_error – Stop process if audit log fails
  - privileged_user_audit – Log all administrative actions
  - log_program_path – Include program path in log record
  - log_program_stack – Include program stack in log record
- Definition type
  - Account – Define a shortcut or keyword to an account
  - Group – Define a shortcut or keyword to a group or "list"
Event Policies
- Resource/Event type
  - File – A DAT event on a data resource
  - User – Events from a specific user or group
  - Process – Events created by a process ID
  - Executable – Events from specific UniVerse executables
  - Program – Events from specific Basic programs
- Switch type
  - BeforeAction – Create the log before the event occurs
  - Status – Log only success, only fail, or both
  - Consolidation – Group certain events into one log
Event Policy Examples
salesEvents.file=hssales:CUSTOMER
  - Note: the physical file is used, so there are no multiple log records due to VOC pointers
salesEvents.file=salesacct:*
financeEvents.file=financeacct:*
DAT.QUERY.*.file=/disk1/accounts/REPORTS:*
SYS.SESSION.*.user=pparker,bwayne,ckent
DAT.SQL.COMMAND.consolidation=counter:10
DAT.BASIC.READ.consolidation=time:60
DAT.BASIC.*.status=success
DAT.BASIC.WRITE.status=both
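Added example, not part of the presentation or the product: a Python model of the list, operator and event-policy syntax from the Policy Terms and Event Policy Examples slides, useful for checking what a planned configuration would do to a given event before loading it. The precedence rules (exact event name over named list over "*" pattern) and the treatment of a key's last component as the policy type are this example's own assumptions, not documented product behaviour.

```python
import fnmatch

# Policy types that may follow a list name or event pattern (from the slides).
POLICY_TYPES = ("file", "user", "process", "executable", "program",
                "beforeaction", "status", "consolidation")

# Constructed sample made from the policy lines shown on the slides.
SAMPLE = """salesEvents=DAT.BASIC.READ,DAT.BASIC.WRITE
salesEvents+=DAT.BASIC.DELETE
salesEvents-=DAT.BASIC.WRITE
salesEvents.file=hssales:CUSTOMER
DAT.BASIC.*.status=success
DAT.BASIC.WRITE.status=both
DAT.SQL.COMMAND.consolidation=counter:10"""

def parse_policies(text):
    """Return (lists, rules): lists maps a list name to its set of events; rules
    is a list of (target, type, value) in file order. Assumption: a key whose
    last component is a policy type is an event policy, else it defines a list."""
    lists, rules = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        op = next((o for o in ("+=", "-=", "=") if o in line), None)
        if op is None:
            continue                                        # blank line
        key, _, value = (s.strip() for s in line.partition(op))
        target, _, ptype = key.rpartition(".")
        if target and ptype.lower() in POLICY_TYPES:
            rules.append((target, ptype.lower(), value))
            continue
        items = {i.strip() for i in value.replace("|", ",").split(",") if i.strip()}
        if op == "=":
            lists[key] = items                                      # set
        elif op == "+=":
            lists.setdefault(key, set()).update(items)              # add
        else:
            lists.setdefault(key, set()).difference_update(items)   # remove
    return lists, rules

def effective_setting(event, ptype, lists, rules):
    """Most specific setting of one type for an event name. Assumption: an exact
    name beats a named list, which beats a '*' pattern; first rule wins ties."""
    best = None
    for target, tp, value in rules:
        rank = (3 if target == event else
                2 if event in lists.get(target, ()) else
                1 if "*" in target and fnmatch.fnmatchcase(event, target) else 0)
        if tp == ptype and rank and (best is None or rank > best[0]):
            best = (rank, target, value)
    return None if best is None else best[1:]
```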
Forced Policies
- The following system events are always logged
  - SYS.CONFIG.CHANGE
    - Changes to Audit configuration
    - Plans for more in the future (uvconfig etc.)
  - SYS.SECURITY
    - SQL GRANT/REVOKE
    - Plans for more in the future (Certificates, Security Context)
  - SYS.ADE
    - Any Automatic Data Encryption action
  - SYS.DAEMON
    - Events caused by UniVerse daemons/services
    - uvsmm, uvcleanupd, uvapi_server, uvchkd, uvrw
These statements represent Rocket Software's current intentions. Rocket development plans are subject to change or withdrawal without further notice. Any reliance on these statements is at the relying party's sole risk and will not create any liability or obligation for Rocket.
Reporting
- Create a custom audit log dictionary
- Customize your dictionary entries for better presentation
  - SORT &AUDLOG1& USING DICT CUST.DICT.AUD PID USER EVENTNAME IPADDRESS ACTION
  - LIST &AUDLOG2& USING DICT CUST.DICT.AUD USER TIME
Maintenance
- Log files are hashed files like any other
  - Poor sizing means poor performance
  - FILE.STAT, RESIZE, etc.
  - Check regularly with fixtool
- Backup!
  - Make them part of your regular backup
  - Consider publishing with U2 Replication
    - CAUTION: Can cause a large performance overhead
Maintenance
Diagram: two log files, audlog1 and audlog2, both receiving writes. Rotating log 2:
1) Suspend Log 2: audman -suspendlog 2 (audlog2 is now only read; writes continue to audlog1)
2) Archive, maintenance: tool of your choice
3) Clear Log 2: audman -clearlog 2
4) Resume Log 2: audman -resumelog 2
Logging continues uninterrupted!

Maintenance
Diagram: the same sequence applied to log 1, with writes continuing to audlog2:
1) Suspend Log 1: audman -suspendlog 1
2) Archive, maintenance: tool of your choice
3) Clear Log 1: audman -clearlog 1
4) Resume Log 1: audman -resumelog 1
Records have been archived using your preferred method, and no downtime at all!
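The four-step rotation above as an added Python wrapper, not part of the product: it orders the audman calls so that a log is never cleared unless the archive step reported success, and is always resumed afterwards, so a failed archive neither discards records nor leaves the log suspended. The archive step and the command runner are caller-supplied callables, and a zero exit status from audman is assumed to mean success.

```python
import subprocess

def rotate_audit_log(n, archive, run=None):
    """Suspend audit log n, archive it, clear it, resume it (slide steps 1-4).

    archive(n) is caller-supplied ("tool of your choice") and returns True
    when the copy succeeded; run(args) executes audman with args and returns
    its exit status (defaults to subprocess). Assumption: audman exits 0 on
    success, like an ordinary command-line tool."""
    if not 1 <= n <= 8:
        raise ValueError("log number must be between 1 and 8")
    if run is None:
        def run(args):
            return subprocess.call(["audman"] + args)
    if run(["-suspendlog", str(n)]) != 0:
        return "suspend-failed"          # nothing changed, log n still live
    if archive(n):
        result = "rotated" if run(["-clearlog", str(n)]) == 0 else "clear-failed"
    else:
        result = "archive-failed"        # keep the records: do not clear
    if run(["-resumelog", str(n)]) != 0:
        return "resume-failed"           # log n is still suspended: act on it
    return result
```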
What to Audit
- Compliance regulations
  - Does my compliance regulation force me to audit these events/resources?
- Performance considerations
  - Can I live without auditing this event/resource?
- Space considerations
  - Do I have enough disk to store these log records?
Log File Location
- Bottom line: Find the best I/O
  - Files can be very busy
  - Use a separate disk if possible
  - An SSD is preferred
Disclaimer
THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED
IN THIS PRESENTATION, IT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
IN ADDITION, THIS INFORMATION IS BASED ON ROCKET SOFTWARE'S CURRENT PRODUCT PLANS AND STRATEGY,
WHICH ARE SUBJECT TO CHANGE BY ROCKET SOFTWARE WITHOUT NOTICE.
ROCKET SOFTWARE SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR
OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.
NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:
- CREATING ANY WARRANTY OR REPRESENTATION FROM ROCKET SOFTWARE (OR ITS AFFILIATES OR ITS OR
THEIR SUPPLIERS AND/OR LICENSORS); OR
- ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF
ROCKET SOFTWARE.
Trademarks and Acknowledgements
The trademarks and service marks identified in the following list are the exclusive properties of Rocket Software,
Inc. and its subsidiaries (collectively, "Rocket Software"). These marks are registered with the U.S. Patent and
Trademark Office, and may be registered or pending registration in other countries. Not all trademarks owned by
Rocket Software are listed. The absence of a mark from this page neither constitutes a waiver of any intellectual
property rights that Rocket Software has established in its marks nor means that Rocket Software is not owner of
any such marks.
Aldon, CorVu, Dynamic Connect, D3, FlashConnect, Pick, mvBase, MvEnterprise, NetCure,
Rocket, SystemBuilder, U2, U2 Web Development Environment, UniData, UniVerse, and
wIntegrate
Other company, product, and service names mentioned herein may be trademarks or service marks of
others.