Configuring auditing

To configure the CSI auditing tool:

  1. Set the auditEnabled property to “true” in the global.properties.xml file. See “Audit property group” for information about the property.

  2. Optionally, modify the default parameter settings in the SYBASE\tomcat\conf\csi.xml file, including:

<?xml version="1.0" encoding="UTF-8"?>
<config:configuration xmlns:config="http://www.sybase.com/csi/2.5/config" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

. . .

<!-- CSI auditing provider configuration -->
<!-- This is the default auditing configuration. Users can replace it with their own
   auditing providers. To enable auditing, set the "auditEnabled" property in
   global.properties.xml and uncomment the following configuration.
-->

  <config:auditDestination name="com.sybase.security.core.FileAuditDestination" controlFlag="optional">
   <config:options name="auditFile" value="uaaudit.log" />
   <config:auditFilter name="com.sybase.security.core.DefaultAuditFilter">
     <config:options name="filter" value="(resourceclass= *)" />
   </config:auditFilter>
   <config:auditFormatter name="com.sybase.security.core.XmlAuditFormatter" />
  </config:auditDestination>

Table 7-6 describes several default parameters you can modify in csi.xml. Additional options are available through the CSI API.

Table 7-6: Auditing parameters in csi.xml

encoding
    The character encoding used when writing the audit data. The default is UTF-8.

auditFile
    The file name of the audit log. The default is uaaudit.log.

auditFilter
    The filter used to determine which records to audit. Any record matching the list is audited. The default filter value is resourceclass=*, which means all audit records from UA, CSI core, and providers such as LDAP are audited. Alternatively, you can audit only your own UA records, for example resourceclass=client.*, or you can provide a list of records to audit.

    The filter syntax consists of zero or more filter expressions, each delimited by parentheses (brackets denote optional values). For example:

        expr1 [expr2...]

    Each expression has the following syntax:

        [key1=value [,key2=value...]]

    The allowed keys are:

      • resourceclass

      • action

      • decision (valid values include: permit, decision, abstain, notapplicable)

auditFormatter
    The formatter used to transform an audit record from raw format to the format required by the audit log. The default is com.sybase.security.core.XmlAuditFormatter.

logSize
    Specifies the maximum audit log file size before a rollover occurs. By default the log never rolls over.

compressionThreshold
    Specifies the number of uncompressed audit log rollover files that are created before GZIP compression is used to archive the audit data. By default the data is never compressed.

deleteThreshold
    Specifies the number of audit log files that are preserved. This value includes the main audit log, so a value of “3” allows audit.log, audit.log.0 and audit.log.1 before old logs are deleted. By default old audit log data is never deleted.

errorThreshold
    Specifies the maximum number of audit log files that are allowed; when this threshold is reached, an error occurs and all auditing fails. For example, with this value set to “3”, audit.log, audit.log.0 and audit.log.1 are created according to the maximum log size value. If another audit log rollover is triggered, all audit operations fail until one of the rollover files is removed.

    This value is mutually exclusive with the deletion threshold; the smaller of the two values takes effect.
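As an added worked example (not part of the Sybase documentation or the CSI code base), the following Python parses a filter value written in the syntax above and decides whether an audit record would be audited. It assumes that the parenthesised expressions are OR-ed, that key=value pairs inside one expression are AND-ed, and that "*" is a glob wildcard as in resourceclass=client.*.

```python
import fnmatch
import re

# Keys the DefaultAuditFilter accepts, as listed in Table 7-6.
ALLOWED_KEYS = {"resourceclass", "action", "decision"}

# One parenthesised expression; nesting is not part of the documented syntax.
_EXPR_RE = re.compile(r"\(([^()]*)\)")


def parse_filter(filter_value):
    """Parse a csi.xml 'filter' option value such as
    '(resourceclass=client.*, action=login) (decision=abstain)' into a list
    of {key: pattern} dicts, one per expression. Whitespace around keys and
    values is ignored (the documented default is written 'resourceclass= *').
    Malformed text or an unknown key raises ValueError rather than silently
    auditing nothing."""
    stripped = filter_value.strip()
    if not stripped:
        return []
    # Everything outside the (...) groups must be whitespace.
    if _EXPR_RE.sub("", stripped).strip():
        raise ValueError("filter must consist only of (...) expressions: %r" % filter_value)
    exprs = []
    for body in _EXPR_RE.findall(stripped):
        expr = {}
        for pair in body.split(","):
            if not pair.strip():
                continue  # tolerate an empty expression '()' or a trailing comma
            if "=" not in pair:
                raise ValueError("expected key=value, got %r" % pair.strip())
            key, value = (s.strip() for s in pair.split("=", 1))
            if key not in ALLOWED_KEYS:
                raise ValueError("unknown filter key %r" % key)
            expr[key] = value
        exprs.append(expr)
    return exprs


def record_is_audited(exprs, record):
    """True if the record (a dict with resourceclass/action/decision fields)
    matches at least one expression; every pair within an expression must
    match. Assumption: '*' is a glob wildcard, so 'client.*' matches
    'client.login' and a bare '*' matches everything."""
    for expr in exprs:
        if all(fnmatch.fnmatchcase(str(record.get(k, "")), pat)
               for k, pat in expr.items()):
            return True
    return False
```

With an empty filter value no expression exists, so nothing is audited; with the documented default every record is.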