MOVE-9: Audit Enable your Application the Easy Way
Anthony D Swindells, Engineering Fellow
© 2006 Progress Software Corporation

Agenda
- OpenEdge® Auditing Overview
- Integrating Auditing into your Application
- Coding for Performance
- Migrating your existing Audit Data

This presentation includes annotations with additional complementary information.
Introducing OpenEdge 10.1A Auditing
- Guaranteed non-repudiable audit trail
- Only audit what is necessary:
  - Database CUD (create, update, delete)
  - Internal events
  - Database utilities
  - Application events
- Relationally stored for reporting
- Seamless access across the ABL and SQL
- Who did What, When, Where and How? Covers both end-users and database privileged users
From Schema-Trigger Based Auditing (architecture diagram)
- ABL client: Application Code, Audit Policy Tools
- Application database (App DB): Application Data, Policy Data
- Audit Event Manager (schema triggers), Audit Data Manager, Audit Policy Manager API, Security Manager
- SQL client: Application Code, Report Manager producing the Audit Report
- Archive Manager and Archive Daemon moving Audit Data to an Archive DB and to Offline Audit Data
To Auditing in OpenEdge 10.1A (architecture diagram)
- ABL client: Application Code; Database Tools and Utilities; Open Tools; Audit Policy Tools (APMT)
- SQL client: Application Code
- Application database (App DB): Application Data, Policy Data, Audit Data
- Audit Event Subsystem (Database, Internal and Application events), Security Subsystem, Audit Data Subsystem, Audit Policy Subsystem with its API
- Archiving Subsystem (Archive Daemon) writing to the Audit Data Archive DB and to Offline Audit Data
- Reporting Subsystem producing the Audit Report
Agenda: OpenEdge Auditing Overview; Integrating Auditing into your Application; Coding for Performance; Migrating your existing Audit Data
Integrating Auditing into your Application: The Steps
1. Before you Begin
2. Asserting the Trusted User Identity
3. Setting Application Context
4. Querying the Audit Data
5. Maintaining Audit Policy in your Application
6. Using Application Events for Read Auditing
Step 1: Before you Begin (Preparation)
- Upgrade databases and clients to 10.1A
- Add Type II storage areas for auditing (addaudit.st, applied with prostrct add addaudit.st):

    d "Audit_Data":20,32;512 . f 40960
    d "Audit_Data":20,32;512 .
    d "Audit_Index":21,1;64 . f 5120
    d "Audit_Index":21,1;64 .

- Enable auditing (prepares the database for auditing):

    proutil -C enableauditing area "Audit_Data" indexarea "Audit_Index" [deactivateidx]

The application database then holds Application Data, Policy Data and Audit Data.
Database Options and Audit Permissions (Security Subsystem)
Import Shipped Audit Policies / Add New (Audit Policy Subsystem)
- Use Audit Policy Maintenance
- Nothing is audited until policies are defined and enabled
Step 2: Asserting the Trusted User Identity
Use Data Administration to define Trusted Authentication Systems and Domains, and load them at startup via:

    /* Load trusted authentication domains at startup */
    SECURITY-POLICY:LOAD-DOMAINS (dbalias).

Or manage them completely via code:

    ASSIGN gcDomainName = "InternalDomain":U
           gcDomainType = "Internal":U
           gcDomainKey  = "InternalKey"
           gcDomainDesc = "Internal Domain":U.
    SECURITY-POLICY:REGISTER-DOMAIN (gcDomainName, gcDomainKey, gcDomainDesc, gcDomainType).
    SECURITY-POLICY:LOCK-REGISTRATION.
Asserting the Trusted User Identity (who)
- Create a container object holding the authenticated credentials
- Set the current user for the login session to the created object
- Modify the session login code:

    CREATE CLIENT-PRINCIPAL ghCP.
    ASSIGN ghCP:USER-ID     = pcUser
           ghCP:DOMAIN-NAME = gcDomainName
           ghCP:SESSION-ID  = SUBSTRING(BASE64-ENCODE(GENERATE-UUID),1,22).
    lOk = ghCP:SEAL(gcDomainKey).
    lOk = SECURITY-POLICY:SET-CLIENT (ghCP).
Asserting the Trusted User Identity (who): Re-establishing identity (flow diagram between client processes, the Application Server and the context sub-system)
- Login: the client sends its credentials; the Application Server creates the CLIENT-PRINCIPAL and EXPORTs it into the context sub-system, keyed by Session-id
- Request: the client sends its Session-id; the Application Server retrieves the CLIENT-PRINCIPAL from context, IMPORTs it and resets the user identity
- Logout request: the client sends its Session-id; the Application Server retrieves and IMPORTs the CLIENT-PRINCIPAL and calls hCp:LOGOUT
- Application Server shutdown: purge the context data
Re-asserting Identity from Context
Store in context using ghCP:SESSION-ID.

    /* Check if anything to do first */
    IF VALID-HANDLE(ghCP) AND ghCP:USER-ID = pcAssertUser THEN RETURN.

    /* Re-assert identity - from context if possible */
    DELETE OBJECT ghCP NO-ERROR.
    CREATE CLIENT-PRINCIPAL ghCP NO-ERROR.
    lOk = ghCP:IMPORT-PRINCIPAL(ctx.rawCP) NO-ERROR.
    IF lOk AND (ghCP:USER-ID <> pcAssertUser OR ghCP:LOGIN-STATE <> "LOGIN":U) THEN
    DO:
        /* an invalid client-principal was imported: do not trust it */
        lOk = FALSE.
    END.
Pushing Identity back into Context
Store in context using ghCP:SESSION-ID.

    IF NOT lOk THEN /* invalid or new user */
    DO:
        ASSIGN ghCP:USER-ID     = pcUser
               ghCP:DOMAIN-NAME = gcDomainName
               ghCP:SESSION-ID  = SUBSTRING(BASE64-ENCODE(GENERATE-UUID),1,22).
        lOk = ghCP:SEAL(gcDomainKey).
        ctx.rawCP = ghCP:EXPORT-PRINCIPAL().
    END.

    /* Now reset to current user identity */
    lOk = SECURITY-POLICY:SET-CLIENT(ghCP).
Clean-up: Logging out the User
- Log out at the true end of the session
- Only do a logout when the user really changes
- Do not log out with each Application Server round trip!

    IF VALID-HANDLE(ghCP) THEN
    DO:
        IF ghCP:LOGIN-STATE = "LOGIN":U THEN
            ghCP:LOGOUT() NO-ERROR.
        /* also delete context using ghCP:SESSION-ID */
        DELETE OBJECT ghCP NO-ERROR.
        ghCP = ?.
    END.
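The three slides above (re-asserting identity from context, pushing it back, and logging out) describe one flow. The Python model below is an added example, not code from the presentation or from Progress: it replays that flow so the decision points can be exercised offline. OpenEdge's CLIENT-PRINCIPAL, SEAL, EXPORT-PRINCIPAL, IMPORT-PRINCIPAL and LOGOUT are stood in for by a plain object whose seal is an HMAC over its fields under the domain key; that HMAC is an illustrative substitute, not a description of how OpenEdge actually seals a principal. The context store is assumed to be a dictionary keyed by session id, and the domain name and key are the values from the REGISTER-DOMAIN slide.

```python
import base64
import hashlib
import hmac
import json
import uuid
from dataclasses import asdict, dataclass

DOMAIN_NAME = "InternalDomain"   # values from the slide's REGISTER-DOMAIN example
DOMAIN_KEY = "InternalKey"


def new_session_id() -> str:
    """Same idea as SUBSTRING(BASE64-ENCODE(GENERATE-UUID),1,22) on the slide."""
    return base64.b64encode(uuid.uuid4().bytes).decode()[:22]


def _mac(fields: dict, domain_key: str) -> str:
    """Illustrative seal (assumption, not OpenEdge's mechanism): HMAC-SHA256
    over the principal's fields under the domain key."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(domain_key.encode(), body, hashlib.sha256).hexdigest()


@dataclass
class ClientPrincipal:
    """Minimal stand-in for an ABL CLIENT-PRINCIPAL (constructed for this example)."""
    user_id: str
    domain_name: str
    session_id: str
    login_state: str = "INITIAL"
    seal: str = ""

    def _sealed_fields(self) -> dict:
        fields = asdict(self)
        fields.pop("seal")
        return fields

    def do_seal(self, domain_key: str) -> bool:
        """Like ghCP:SEAL(gcDomainKey): mark the principal logged in and sign it."""
        self.login_state = "LOGIN"
        self.seal = _mac(self._sealed_fields(), domain_key)
        return True

    def export_principal(self) -> bytes:
        """Like ghCP:EXPORT-PRINCIPAL(): serialize for the context store."""
        return json.dumps(asdict(self), sort_keys=True).encode()

    @classmethod
    def import_principal(cls, raw: bytes, domain_key: str):
        """Like ghCP:IMPORT-PRINCIPAL(rawCP): None when the seal does not verify."""
        cp = cls(**json.loads(raw))
        if not hmac.compare_digest(cp.seal, _mac(cp._sealed_fields(), domain_key)):
            return None
        return cp

    def logout(self) -> None:
        """Like ghCP:LOGOUT(): the principal can no longer assert an identity."""
        self.login_state = "LOGOUT"
        self.seal = ""


def assert_identity(context: dict, session_id, current, requested_user: str,
                    domain_name: str = DOMAIN_NAME, domain_key: str = DOMAIN_KEY):
    """Re-assert the identity for one request, as on the two slides above.

    `context` maps session id -> exported principal bytes. Returns (principal,
    action) with action 'kept', 'imported' or 'created'; the caller then does the
    equivalent of SECURITY-POLICY:SET-CLIENT with the principal.
    """
    # Check if anything to do first: the same user is already asserted.
    if (current is not None and current.user_id == requested_user
            and current.login_state == "LOGIN"):
        return current, "kept"
    # Re-assert from context if possible: cheaper than re-create and re-seal.
    raw = context.get(session_id)
    cp = ClientPrincipal.import_principal(raw, domain_key) if raw else None
    if cp is not None and (cp.user_id != requested_user or cp.login_state != "LOGIN"):
        cp = None  # an invalid client-principal was imported: do not trust it
    if cp is not None:
        return cp, "imported"
    # Invalid or new user: create, seal, and push back into context.
    cp = ClientPrincipal(requested_user, domain_name, new_session_id())
    cp.do_seal(domain_key)
    context[cp.session_id] = cp.export_principal()
    return cp, "created"


def end_session(context: dict, cp) -> None:
    """Clean-up at the true end of the session, not on every round trip."""
    if cp is None:
        return
    if cp.login_state == "LOGIN":
        cp.logout()
    context.pop(cp.session_id, None)   # also delete the context entry
```

Two points the model makes visible: a second round trip for the same session imports the stored principal and re-uses its seal rather than re-sealing, which is the performance advice given later in the deck; and an entry in the context store whose fields have been altered after sealing fails import, so the request falls through to the "invalid or new user" branch instead of asserting the altered identity.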
Step 3: Setting Audit Context and Scope (diagram)
Audit-event-records nest inside successively wider scopes: Client Login Session > Application Context > Audit Event Group > Database Transaction > individual audit-event-records. These scopes support reporting on when, where and why.
Application Context and Audit Event Groups
Example usage (the context and event group name passed as the first argument is indexed):

    DEFINE VARIABLE ctxID AS CHARACTER.
    DEFINE VARIABLE grpID AS CHARACTER.

    ctxID = AUDIT-CONTROL:SET-APPL-CONTEXT (PROGRAM-NAME(1) + ":Create Order", cOrderData, cExtraStuff).
    ...
    grpID = AUDIT-CONTROL:BEGIN-EVENT-GROUP (PROGRAM-NAME(1) + ":Create Order Line", cLineData, cExtraStuff).
    ...
    AUDIT-CONTROL:END-EVENT-GROUP.
    AUDIT-CONTROL:CLEAR-APPL-CONTEXT.
Step 4: Querying Audit Transactional Data
Audit data is held at three levels: client session information, audit transaction data, and the modified values per field.
- Only record what you need to report
- Use structured event names, e.g. _sys.tbl.create, _sys.tbl.trig.update
- Use a reporting database: avoids SHARE-LOCKs on the live audit data
- String values are always stored in American format, so set SESSION:DATE-FORMAT = "mdy" and SESSION:NUMERIC-FORMAT = "American" when reading them
- Sample ProDataSet query code is available on PSDN
What information is recorded?
- Who did it?
- When did it happen?
- What event caused it?
- What was the event on?
- What was going on at the time?
- Any other relevant info?
Audit Transactional Data Meta-Schema (diagram)
Legend: Recursive Join; (FK) Foreign Key; (IEx.y) Inversion Entry (non-unique), where x = index number and y = field order in the index.
Locating Specific Audit Data
The event context field _aud-audit-data._event-context is, by default, built from the table's primary key fields: the table name, CHR(6), then the key values separated by CHR(7); CHR(8) is used to delimit array elements.

    DEFINE VARIABLE cKey AS CHARACTER NO-UNDO.

    ASSIGN cKey = "PUB.orderline" + CHR(6)
                + STRING(SPORTS.orderline.ordernum) + CHR(7)
                + STRING(SPORTS.orderline.linenum).

    IF CAN-FIND(FIRST SPORTS._aud-audit-data NO-LOCK
                WHERE SPORTS._aud-audit-data._event-context = cKey) THEN
        MESSAGE "Audit data exists for " + cKey.
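The key layout above (table name, CHR(6), key values separated by CHR(7), CHR(8) between array elements) is easy to get wrong by hand, and anything that reads audit rows back has to undo it. The following Python is an added example, not code from the presentation or from Progress: it builds keys the way the slide's ASSIGN does, parses them back, and runs the slide's CAN-FIND check over a constructed list of _aud-audit-data rows. The table names are the slide's sports-database examples; the sample rows and their "event" column are constructed here.

```python
TABLE_SEP = "\x06"  # CHR(6): separates the table name from the key values
FIELD_SEP = "\x07"  # CHR(7): separates one key value from the next
ARRAY_SEP = "\x08"  # CHR(8): separates the elements of an array (extent) field


def build_event_context(table: str, key_values) -> str:
    """Return the _Event-context string for one record, as the slide's ASSIGN does.

    Each key value is stringified; a list or tuple is treated as an array field
    and its elements are joined with CHR(8).
    """
    parts = []
    for value in key_values:
        if isinstance(value, (list, tuple)):
            parts.append(ARRAY_SEP.join(str(v) for v in value))
        else:
            parts.append(str(value))
    return table + TABLE_SEP + FIELD_SEP.join(parts)


def parse_event_context(ctx: str) -> dict:
    """Split an _Event-context string into its table name and key values.

    Values containing CHR(8) come back as lists (array fields). Everything is
    returned as strings, because STRING() was applied when the key was built.
    """
    table, sep, rest = ctx.partition(TABLE_SEP)
    if not sep:
        raise ValueError("not an event-context key: missing CHR(6) delimiter")
    keys = []
    for raw in (rest.split(FIELD_SEP) if rest else []):
        keys.append(raw.split(ARRAY_SEP) if ARRAY_SEP in raw else raw)
    return {"table": table, "keys": keys}


def find_audit_rows(audit_rows, table: str, key_values) -> list:
    """The slide's CAN-FIND on _aud-audit-data._event-context, over a list of
    row dictionaries: return every audit row recorded against this record."""
    wanted = build_event_context(table, key_values)
    return [row for row in audit_rows if row["_event-context"] == wanted]


# Constructed sample of _aud-audit-data rows (only the columns used here; the
# event names are the structured names mentioned on the slides).
SAMPLE_AUDIT_ROWS = [
    {"event": "_sys.tbl.create",
     "_event-context": build_event_context("PUB.orderline", [1001, 1])},
    {"event": "_sys.tbl.trig.update",
     "_event-context": build_event_context("PUB.orderline", [1001, 2])},
    {"event": "_sys.tbl.create",
     "_event-context": build_event_context("PUB.customer", [42])},
]

if __name__ == "__main__":
    hits = find_audit_rows(SAMPLE_AUDIT_ROWS, "PUB.orderline", [1001, 2])
    print("Audit data exists for PUB.orderline 1001/2" if hits else "No audit data")
    for row in hits:
        print(row["event"], parse_event_context(row["_event-context"]))
```

Because the lookup is an exact match on the whole key, a query for order 1001 line 2 does not match line 1 of the same order, and a partially built key (table name without the CHR(6) separator) matches nothing rather than matching loosely; the parser rejects such a key outright.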
Recording Field Values
Streamed (default):
- Modified values are stored in the _Event-detail field of the primary _aud-audit-data record
- Minimizes performance impact
- Limited by the maximum record length; overflows automatically
- Arbitrary field order and content
- Selectable via table / field policy
- Detail layout: … + CHR(6) + … + CHR(6) + [… +] CHR(6) + … + CHR(7); CHR(8) is used to delimit array elements
One Record per Field:
- Query for specific field value changes
Step 5: Maintaining Audit Policy in the Application
Calling the APMT API:
- The published API is low level and exposes the data as a ProDataSet (see OpenEdge Development: Programming Interfaces)
- Rather, use the new sample Audit Manager: auditing/audmngrclntp.p and auditing/audmngrservp.p
Enabling an Audit Policy using the Sample Manager

    DEFINE VARIABLE ghAuditManager AS HANDLE    NO-UNDO.
    DEFINE VARIABLE cError         AS CHARACTER NO-UNDO.
    DEFINE VARIABLE cPolicy        AS CHARACTER NO-UNDO.

    /* enable policy that tracks menu item selection */
    ASSIGN cPolicy = "MenuRun":U.

    RUN auditing/audmngrservp.p PERSISTENT SET ghAuditManager.
    RUN enableAuditPolicyName IN ghAuditManager
        (INPUT "MYDB":U, INPUT cPolicy, OUTPUT cError).

    IF cError <> "":U THEN
        MESSAGE "Audit policy: " QUOTER(cPolicy) " failed to enable." SKIP cError.
Step 6: Using Application Defined Audit Events
- Events must be defined with _event-id >= 32000
- For non-database operations
- Also good for complex table/field data
- Can be used for controlled read auditing
- Event context: _Event-context describes what was audited and is indexed
- Propagated to all database connections; recorded wherever the event is enabled
- Logged with the AUDIT-CONTROL:LOG-AUDIT-EVENT method
Application Event Examples (the event context argument is indexed)

    ...
    /* 32800 = Run Menu Option */
    AppID = AUDIT-CONTROL:LOG-AUDIT-EVENT (32800, cMenuCode, cDetail, cMore).
    ...
    /* READ auditing 32003 = Customer Enquiry */
    AppID = AUDIT-CONTROL:LOG-AUDIT-EVENT (32003, STRING(Customer.CustNum), cCustomerDetail, cMore).
    ...
Agenda: OpenEdge Auditing Overview; Integrating Auditing into your Application; Coding for Performance; Migrating your existing Audit Data
Coding for Performance
- Tune performance through Audit Policy
- Only SET-CLIENT on the AppServer when the identity really changes
- It is faster to import a CLIENT-PRINCIPAL from context than to re-create and re-seal one
- Be careful how you ASSIGN indexed fields: do it in a single statement
- Carefully control record and transaction scope
- Every database update causes an audit event
- Consider reporting / query requirements
Agenda: OpenEdge Auditing Overview; Integrating Auditing into your Application; Coding for Performance; Migrating your existing Audit Data
Migrating your existing Audit Data (see example: auditing/migrateaudit.p)
- Upgrade the database to 10.1A
- Enable auditing
- Load audit policy
- Set up audit permissions to define an audit archiver
- Assert identity as the audit archiver using SET-CLIENT or SET-DB-CLIENT; this allows manual creation of audit data
- Migrate audit data into _aud-audit-data and, optionally, _aud-audit-data-value (detail)
- Be careful to set -zn, SESSION:DATE-FORMAT = "mdy" and SESSION:NUMERIC-FORMAT = "American"
In Summary
- Application changes are not required to use OpenEdge Auditing, assuming use of _User or SETUSERID()
- Make OpenEdge Auditing a seamless part of your application
- Maximize the benefits of OpenEdge Auditing by changing your application
- OpenEdge Auditing is more than just database auditing
- Worth upgrading to OpenEdge 10.1A for this feature alone
Relevant Exchange Sessions
- DB-4: Who does What and When regarding Auditing?
- DEV-17: Effective Design and Deployment of OpenEdge Audit Policies
- MOVE-14: Migrating Your Authentication System to OpenEdge 10.1A and Beyond
Education / Documentation References
- Education: What's New OpenEdge 10.1: Auditing
- Documentation: http://documentation.progress.com/output/OpenEdge101a/wwhelp/wwhimpl/js/html/wwhelp.htm
- All code samples shown have been posted to PSDN: http://www.psdn.com/library/index.jspa
Questions?

Thank you for your time