You can specify which events to audit within a domain either using Enterprise Security Manager, or by defining text expressions called filters. To set up auditing for many events, writing filters can be quicker than using Enterprise Security Manager.
Permissions required for defining which events to audit
To define which events to audit, you must have UPDATE permission on the domain controlling asset.
Defining which events to audit using Enterprise Security Manager
In the middle pane of Enterprise Security Manager, highlight the domain you want to configure. In the right pane, right-click, and select Configure Audit Events. The Configure Domain Audit Events dialog box displays.
Figure 6-1: Configure Domain Audit Events
Select an AssetType from the list. The auditable AccessTypes (actions) for that AssetType are displayed. To audit actions when they succeed, select Permit next to the action name. To audit actions when they fail, select Deny.
You can create and manage custom AssetTypes and AccessTypes using the SMAPI AssetTypeManagement, AccessTypeManagement, AssetTypeQueries, and AccessTypeQueries interfaces. To access the SMAPI documentation, use a browser to open docs/html/index.html in your Enterprise Security installation; then, select the com.sybase.ep.security.management package. If you create new AssetType or AccessType objects, refresh your application server to display the new objects in this dialog box.
To audit actions performed on custom AccessType objects, select the appropriate actions and decisions for the SYSTEM.AccessType object. To audit actions performed on custom AssetType objects, select the appropriate actions and decisions for the SYSTEM.AssetType object. For example, to audit the creation of a custom AccessType, you must enable the SYSTEM.Create event for the SYSTEM.AccessType object.
If auditing is enabled, Enterprise Security generates audit records for every audit request it receives; however, Enterprise Portal does not generate audit requests for the following AssetTypes:
EPStudio (all AssetTypes whose names begin with “EPStudio”)
Unspecified
URL
If a custom client generates audit requests for these AssetTypes, Enterprise Security creates audit records for them.
Defining which events to audit using filters
Auditing filters allow you to specify what information to audit by defining text expressions.
Define the values for the auditing filters using this syntax:
INCLUDE_FILTER =([key = value [,key = value...] ]) EXCLUDE_FILTER =([key = value [, key = value...] ])
The acceptable values for key are ResourceClass, Action, and Decision. Each filter can contain as many key/value pairs as you want.
The terms “ResourceClass” and “AssetType” represent the same thing, as do the terms “Action” and “AccessType.”
The INCLUDE_FILTER expression defines the audit records that are eligible to be audited. The EXCLUDE_FILTER expression defines the audit records that you do not want to audit. If a record satisfies the INCLUDE_FILTER, it is checked against the EXCLUDE_FILTER. A record is audited only if it matches the INCLUDE_FILTER and does not match the EXCLUDE_FILTER.
For example, the filters below enable auditing for all events where the ResourceClass starts with “SYSTEM” or the Action is “Create,” except when the Action is “AUTHORIZATION” and the Decision is “Permit.”
INCLUDE_FILTER=(ResourceClass=SYSTEM.*)(Action=Create) EXCLUDE_FILTER=(Action=AUTHORIZATION,Decision=Permit)
You cannot use a right or left parenthesis, an equal sign, or a comma in the value of a ResourceClass or Action.
Leading and trailing white space in key names and values is trimmed. White space within a name or value is retained.
Following are the default values for the filters, which audit all records generated by the Enterprise Security system and externally generated events:
INCLUDE_FILTER=(ResourceClass=SYSTEM.*) EXCLUDE_FILTER=
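The following Python script is an added illustration of the filter semantics described above; it is not part of Enterprise Security and does not use any of its code. It parses the INCLUDE_FILTER/EXCLUDE_FILTER syntax, applies the include-then-exclude rule, and runs the page's example filters and the default filters over a few constructed audit requests. It assumes, as the page's example implies, that separate parenthesized groups are alternatives (any one may match) while the comma-separated pairs inside one group must all match, that `*` in a value matches any run of characters, and that comparisons are case-sensitive. The ResourceClass value EXAMPLE.Document and the functions parse_filter, parse_filter_pair, is_audited, audited_records and is_valid_filter are all constructed for this example.

```python
import re

# The three keys the page allows in a filter expression.
ALLOWED_KEYS = {"ResourceClass", "Action", "Decision"}

# One parenthesized group; the page forbids parentheses inside a value.
_GROUP = re.compile(r"\s*\(([^()]*)\)\s*")
_PAIR = re.compile(
    r"^\s*INCLUDE_FILTER\s*=\s*(.*?)\s*EXCLUDE_FILTER\s*=\s*(.*?)\s*$", re.DOTALL
)


def parse_filter(expr):
    """Parse the text after INCLUDE_FILTER= or EXCLUDE_FILTER= into a list of
    groups, each a dict mapping key -> value pattern. "" yields no groups."""
    expr = expr.strip()
    groups, pos = [], 0
    while pos < len(expr):
        m = _GROUP.match(expr, pos)
        if m is None:
            raise ValueError(f"malformed filter near {expr[pos:]!r}")
        pos = m.end()
        group = {}
        for pair in m.group(1).split(","):
            if pair.count("=") != 1:
                raise ValueError(f"expected key=value, got {pair.strip()!r}")
            # Leading/trailing white space is trimmed, as the page states.
            key, value = (part.strip() for part in pair.split("="))
            if key not in ALLOWED_KEYS:
                raise ValueError(f"unknown key {key!r}")
            group[key] = value
        groups.append(group)
    return groups


def is_valid_filter(expr):
    """True if expr parses; rejects the characters the page forbids in values."""
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False


def parse_filter_pair(text):
    """Split 'INCLUDE_FILTER=... EXCLUDE_FILTER=...' into two parsed filters."""
    m = _PAIR.match(text)
    if m is None:
        raise ValueError("expected 'INCLUDE_FILTER=... EXCLUDE_FILTER=...'")
    return parse_filter(m.group(1)), parse_filter(m.group(2))


def _value_matches(pattern, actual):
    # Assumption: '*' matches any run of characters; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, actual) is not None


def _filter_matches(groups, record):
    # Assumption: a filter matches when any group matches; a group matches when
    # every key/value pair in it matches the record (case-sensitively).
    return any(
        all(_value_matches(v, record.get(k, "")) for k, v in group.items())
        for group in groups
    )


def is_audited(include, exclude, record):
    """The page's rule: audited only if INCLUDE matches and EXCLUDE does not."""
    return _filter_matches(include, record) and not _filter_matches(exclude, record)


def audited_records(config_text, records):
    """Return the subset of records that the configured filters would audit."""
    include, exclude = parse_filter_pair(config_text)
    return [r for r in records if is_audited(include, exclude, r)]


# Filter strings taken from the page.
PAGE_FILTERS = ("INCLUDE_FILTER=(ResourceClass=SYSTEM.*)(Action=Create) "
                "EXCLUDE_FILTER=(Action=AUTHORIZATION,Decision=Permit)")
DEFAULT_FILTERS = "INCLUDE_FILTER=(ResourceClass=SYSTEM.*) EXCLUDE_FILTER="

# Constructed audit requests; EXAMPLE.Document is an invented ResourceClass.
SAMPLE_REQUESTS = [
    {"ResourceClass": "SYSTEM.AccessType", "Action": "Create", "Decision": "Permit"},
    {"ResourceClass": "SYSTEM.AssetType", "Action": "AUTHORIZATION", "Decision": "Permit"},
    {"ResourceClass": "SYSTEM.AssetType", "Action": "AUTHORIZATION", "Decision": "Deny"},
    {"ResourceClass": "EXAMPLE.Document", "Action": "Create", "Decision": "Deny"},
    {"ResourceClass": "EXAMPLE.Document", "Action": "Read", "Decision": "Permit"},
]

if __name__ == "__main__":
    for name, config in (("page example", PAGE_FILTERS), ("defaults", DEFAULT_FILTERS)):
        print(f"--- {name}: {config}")
        for r in SAMPLE_REQUESTS:
            verdict = "AUDIT" if audited_records(config, [r]) else "skip "
            print(f"{verdict} {r['ResourceClass']:<20} {r['Action']:<14} {r['Decision']}")
```

Because the exclude filter is only consulted for records that already passed the include filter, an EXCLUDE_FILTER can never widen what is audited, and an empty EXCLUDE_FILTER (the default) excludes nothing. A record that lacks a key named in a group never satisfies a literal value for that key, so a group such as (Decision=Permit) silently drops requests that carry no Decision at all; that is worth checking when a custom client generates its own audit requests.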
Set the audit filters, auditIncludeFilter and auditExcludeFilter, using the domainrules task; see domainrules.
Restart your application server for the changes to take effect.
Reading audit information from the Audit database
To read audit information from the Audit database table, use a SQL statement to retrieve the data. For example, if you are using the default Audit table schema, to retrieve the information from the auditData field for all events that occurred after 1 September 2003, use this statement:
select auditData from Audit where timeStamp > (select convert(datetime, "9/1/2003"))