Beruflich Dokumente
Kultur Dokumente
David Eddy
CONTENTS
1 INTRODUCTION................................................................................................4
2 PLANNING........................................................................................................4
4 PROCEDURES..................................................................................................12
4.1 Archiving Audit Data.....................................................................................12
4.2 Maintaining Audit Policy................................................................................12
4.2.1 Enabling Auditing for a Table as a Whole...................................................13
4.2.2 Enabling Auditing for Specific Fields..........................................................17
4.2.3 Committing Policy Changes......................................................................19
5 REPORTING....................................................................................................20
6 APPLICATION CONSIDERATIONS...................................................................22
6.1 Authentication and Audit Login.......................................................................22
6.2 Application Context and Event Groups............................................................25
6.3 Application Events........................................................................................27
DISCLAIMER
The information contained in this document represents the current view of Progress Software
Corporation on the issues discussed as of the date of publication. Progress reserves the right,
in its sole discretion, to modify or abandon without notice any of the plans described herein
pertaining to future development and/or business development strategies. Any reference to
third party software and/or features is intended for illustration purposes only. Progress
Software Corporation does not endorse or sponsor such third parties or software. This White
Paper is for informational purposes only. PROGRESS MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
1 INTRODUCTION
Database auditing can be as simple or as complex as one wishes to make it. At its
most elementary, the only measures needed are database-based. However, with
some very minor application changes, a properly-secure auditing system with full user
identity tracking can be used.
This article shows how to set up and maintain a simple database auditing system
using OpenEdge Database Auditing.
2 PLANNING
Progress OpenEdge database auditing requires that certain security functions be
established. There are two ways of doing this:
To begin with, set up a file describing the extents to be added to the database. In
this example, a 256MB extent is used for storage of audit data, which assuming
weekly archiving of audit data should be more than sufficient. The file, audit.st, has
the following contents:
d AuditData,32;512 . f 262144
d AuditData,32;512 .
d AuditIndex,8;8 .
Once this file has been prepared, the storage areas are added to the database to have
auditing enabled:
Note that the database must be shut down in order to execute this command.
Initially, we will select the options which allow the simplest use of the auditing
subsystem. However, as your knowledge and usage of auditing evolves, you may
wish to revisit these options. The following options should be enabled:
Disallow Blank UserId Blocks database connections with blank user IDs.
To prepare a typical application for auditing, you configure the client option to record
the user-id of the application which will be synchronized with the ABL session. You
will typically set this option when you do not synchronize the session and database
connection user-ids so that you can use the OpenEdge run-time database security.
The Trust Application Domain Registry options tells OpenEdge to synchronize the
database connection Registries with the session so that you have a single point of
configuration information and control.
For middle-term, you can choose to implement run-time database security or not by
turning on the 4GL client run-time permission checking option. When you do use run-
time permission checking, you would clear the flag that uses the application user-id
for auditing.
You want to audit the user-id from the point of table and field access-control
implementation. If your table/field access controls are in your application, audit the
session user-id. If your table and field access controls are handled by OpenEdge
itself, then audit the database connection. Follow these rules and you will always
have the user-id that is permitted access to the database data.
Note: You cannot mix these and audit session user-id for application type events and
the database connection user-id for database operations.
You will need to add user entries for both DBA users and users you wish to have
perform auditing. Also, if you do not add a record for your current user identity, you
will need to log out of the database and reconnect (providing an appropriate userid
and password) before proceeding.
Make sure you add an entry for the user that created the database. You may also
wish to define a user SYSPROGRESS and assign that user a password, depending on
your preference for SQL administration (if you use SQL).
Depending on whether you use SQL with the database, your choices here might be
constrained by the fact that by default, the user that created the database is set up
as a DBA user in SQL-92. This may lead to further administrative tasks on the SQL
side of the database which are not discussed here.
Audit Administrator
Audit Data Archiver
Audit Data Reporter
This is done using the Edit Audit Permissions tool (Admin / Security / Edit Audit
Permissions). Use the Grant button to assign a role to a user. The screenshot
below shows the tool in action:
Once again, make sure that you assign at least one user as Audit Administrator. That
user is the one with the rights to set up and change Audit Policy, which defines what
is audited.
To start the Audit Policy tool, select Tools/Audit Policy Maintenance from the Data
Administration tool. (Note that Audit Policy Maintenance does not appear in the main
desktop Tools menu.)
To load the default policies, choose File/Import Policy and browse to the file %DLC
%\auditing\policies.xml:
This database should be configured with 2 APWs and a BIW. Replication can be
enabled if desired.
4 PROCEDURES
You will be prompted for the archive users password (or you can specify it
using password).
You will be prompted for the archive users password (or you can specify it
using password).
Note that the audit archive is written with the same base name as the database.
Care should therefore be taken to either remove the archive file after loading, or if
archiving it, renaming it so that duplicate database names will not cause a collision
(and loss of archive files). Long-term storage of archive files is not needed, since
they are present in the archive database after loading and can be regenerated from
the archive database using proutil auditarchive nodelete if needed.
Note that Audit Policy can be updated while other users are using the database;
changes will be propagated to the other users over several minutes after a new policy
is committed.
This section shows only a small subset of the capabilities of the APMT. The enabling
of a whole table and the enabling of auditing for only a single column are both shown.
For full information on the APMT, see OpenEdge Getting Started: Core Business
Services.
4. Select the Audit Tables tab. Note that there are no tables listed.
5. Add the table(s) by pressing the Add button, then selecting the Browse button.
Here I have selected the Customer table.
6. Set the auditing levels as shown below. These settings will record all useful
data, while still capturing the very unusual event where a create occurs with
no subsequent update.
7. Press Save ( ).
8. Select the Audit Fields tab.
9. Press Add ( ).
10. Select all fields which make up part of a unique key for this table and press
OK. In this case, I only needed to select the CustNum field.
11. Check the Identifying Field box and fill in the ordinal position of that field in
the unique key:
12. Press Save. (If there are multiple fields in the unique key, it might be
necessary to save the multiple selection then individually edit each field to set
its ordinal position.)
3. Select the Audit Fields tab and add the identifying fields for this table:
4. Add the fields to be audited, selecting the appropriate auditing level for each
field. (Note that it may be desirable to audit changes to the identifying field(s)
as well to ensure that changes are properly tracked.)
Note: If you wish to add multiple fields, right-click on the browse and an Add
Multiple Fields popup will appear.
Note: To adjust the audit settings for multiple fields at once, select all the
relevant fields and adjust the audit level settings as desired then press Save.
1. Verify that the policy is active (the Policy active checkbox in the Policy tab).
If it is not, activate it by ticking the checkbox and pressing Save. Alternately,
select the policy in the Available Audit Policies browse and choose the menu
item Policy / Activate Policies.
2. Verify that the changes will have the effect you are expecting by using the
reports:
a. Policy / Report Conflicts ; and
b. Policy / Report Effective Settings
3. Commit the changes to the database using File / Commit Changes.
4. The changed policy will be recorded in the database and the effects will be
seen over the next few minutes as the various connected clients update their
audit policy cache.
5 REPORTING
The audit data is stored in the following tables:
_db-detail
_Db-guid has consists of
_Db-description
_Db-mac-key has
_Db-custom-detail
_aud-audit-data
_client-session _Audit-data-guid consists of
_Client-session-uuid _Database-connection-id (IE1.1)
_Client-name _Client-session-uuid (FK) (IE1.2)
_User-id (IE2.1) _aud-audit-data-value
_User-id (IE1.1)
_Authentication-date-time (IE2.1) _Audit-date-time (IE5.1) _Audit-data-guid (FK)
_Server-uuid created _Audit-event-group (FK) (IE3.1) _Field-name (IE1.1)
_Authentication-domain-type _Db-guid (FK) (IE3.2) _Continuation-sequence
_Authentication-domain-name _Transaction-id (IE3.3)
_Data-type-code
_Db-guid (FK) (IE3.1) _Transaction-sequence (IE3.4)
_Old-string-value
_Session-custom-detail _Event-id (FK) (IE4.1)
_New-string-value
_Audit-data-security-level _Event-context (IE6.1)
_Old-blob-value
_Data-seal _Application-context-id (FK) (IE7.1)
_New-blob-value
_Event-detail
_Old-clob-value
_Audit-custom-detail
_aud-event _New-clob-value
_Audit-data-security-level
_Event-id _Audit-data-security-level
_Data-seal
_Data-seal
_Event-type (IE1.1)
_Event-name (IE1.2) resulted in supplies context to
_Event-description (IE2.1) is the group for
old-value-phrase == value-phrase
new-value-phrase == value-phrase
array-element-value == E[element-number]:value
field-delim == chr(6)
value-delim == chr(7)
array-delim == chr(8)
Note that field values can be stored one field per record if desired; this is set in the
APMT. In that case, field values are stored in _aud-audit-data-value.
Some complications:
See OpenEdge Getting Started: Core Business Services chapter 14: Querying and
Reporting on Audit Data for full information on reporting on audit data.
6 APPLICATION CONSIDERATIONS
The main application issues when first implementing Auditing are:
In addition to this, in the longer term it might be considered desirable to enrich the
auditing data through:
However, when logging in to an application (which typically does not use the _User
table for authentication), this results in what users see as a double prompt for login,
which is undesirable. Therefore, applications which use _User-secured databases
should provide their own _prostar.p or _login.p.
In addition to the above, the Auditing system gives better results if the new CLIENT-
PRINCIPAL object is used for identification. The results are better in the following
ways:
User logins and logouts are audited when using CLIENT-PRINCIPAL (rather
than simply having their presence be implied by logged database activity); and
In light of the above, then, it is proposed that the application entry be altered as
follows:
Sample code:
assign
cDefDomName = OpenEdge
cDefDomType = ABLApplication
cDefDomDesc = Application security management
cDomToken = base64-encode(generate-pbe-key(cDefDomType))
.
assign
lAuthenticated = false
lCancelled = true
.
/* if they CTRL-C the login dialog the undo block above will cause
login to go ahead with OS userid */
/* at this point, decide what to do with the user. for the moment,
if authentication failed, kick them out, regardless of whether they
cancelled or not */
if lCancelled = true or lAuthenticated = false then
quit.
In addition, application exit code needs to be modified to log out the client-principal
and clean it up:
AUDIT-CONTROL:BEGIN-EVENT-GROUP( )
AUDIT-CONTROL:END-EVENT-GROUP( )
AUDIT-CONTROL:SET-APPL-CONTEXT( )
AUDIT-CONTROL:CLEAR-APPL-CONTEXT( )
Enable recording of the application events in one or more databases using the
APMT; and
Place AUDIT-CONTROL:LOG-AUDIT-EVENT( ) calls in the application code as
appropriate
Corporate Headquarters
Progress Software Corporation, 14 Oak Park Drive, Bedford, MA 01730 USA
Tel: 781 280 4000 Fax: 781 280 4095
Asia/Pacific Headquarters
www.progress.com
Progress Software Pty. Ltd., 1911 Malvern Road, Malvern East, 3145, Australia
Tel: 61 39 885 0544 Fax: 61 39 885 9473 Specifications subject to change without notice.
Progress is a registered trademark of Progress Software Corporation. All other 2017 Progress Software Corporation.
trademarks, marked and not marked, are the property of their respective owners. All rights reserved.