Auditing overview

Use the auditing function to store and record activity about administrative and security-related events that occur on the system. The auditing function helps you discover important information about user actions that might affect system integrity, such as who performs the action, when the action takes place, from where the action originates, which resource is targeted by the action, and whether the action is successful.

Capabilities overview

The following list displays a few examples of the events that are tracked by the auditing function:
  • System configuration and state changes
  • User authentication and security token validation
  • Attempts at accessing objects that are secured by role-based and object-level access control
  • Deployment configuration and state changes

You can download audit data in the format of event records.

Business value

With these capabilities you can protect your environment from both internal and external security threats. You can analyze the audit data to determine if and how your infrastructure was compromised. Based on that information, you can develop a strategy of the most effective defensive measures.

Also, your organization can use the auditing function to comply with regulatory laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley (SOX) Act. These laws mandate formal practices not only for protecting data and detecting fraud, but also for documenting your efforts to do so.

Audit data

Cloud Pak System stores audit records in an internal database. When the database nears capacity, audit records are automatically extracted and stored in compressed audit record packages in the file system. At the same time, the audit record package is exported to an external storage server, if one is defined. When the space allocated for record packages nears capacity, Cloud Pak System removes them from the local file system. If the storage server is not defined, this can lead to a loss of security event audit records.

The system exports audit record packages as compressed files. Each compressed file contains two files: a comma-separated values (CSV) file with a list of security records and a checksum file that contains a digital signature of the CSV file. The digital signature helps protect audit records against tampering.

Each record in the CSV file contains seven attributes with values in a set order. See the following table for more information.
Table 1. Description of CSV file

Order | Attribute                 | Information provided in value
------|---------------------------|---------------------------------------------------------------------------
1     | Timestamp                 | When did the action occur?
2     | Resource (Component) Type | To which type of resource or component was the action targeted?
3     | Action                    | What action was performed?
4     | Resource Identifier       | To which resource was the action targeted?
5     | User Identifier           | Who performed the action?
6     | Source Address            | Where did the action originate?
7     | Additional Data           | What happened? Was the action successful? If not, what caused the failure?

Note: To answer the 'What happened' question, the value of the Additional Data attribute consists of multiple name-value pairs that are separated by delimiters.
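As an added example, not part of this documentation and not Cloud Pak System's own code, the following Python reads the CSV file of an audit record package into records carrying the seven attributes of Table 1, splits Additional Data into name-value pairs, and refuses to use the records until the package's checksum file has been verified. The page does not specify the signature algorithm, the layout of the checksum file, or the Additional Data delimiters, so this code assumes an HMAC-SHA256 hex digest over the raw CSV bytes and ';' / '=' as delimiters; the records and the key are constructed for the example.

```python
import csv
import hashlib
import hmac
import io

# Seven attributes per record, in the fixed order given in Table 1.
FIELDS = ("timestamp", "resource_type", "action", "resource_id",
          "user_id", "source_address", "additional_data")

# Constructed sample CSV content; not real Cloud Pak System output.
SAMPLE_CSV = (
    "2024-05-01T10:15:02Z,User,LOGIN,user/alice,alice,192.0.2.10,"
    "result=success;method=password\r\n"
    "2024-05-01T10:15:45Z,User,LOGIN,user/bob,bob,198.51.100.7,"
    "result=failure;reason=invalid credentials\r\n"
    "2024-05-01T10:16:10Z,Pattern,DEPLOY,pattern/1234,alice,192.0.2.10,"
    "result=success;instance=vsys-42\r\n"
)

# ASSUMPTION: the checksum file holds an HMAC-SHA256 hex digest of the CSV
# bytes. This stands in for the product's digital signature, which the page
# does not describe; the key is constructed for the example.
SIGNING_KEY = b"constructed-demo-key"


def sign_csv(csv_bytes, key=SIGNING_KEY):
    """Produce the checksum-file content for a CSV file (assumed format)."""
    return hmac.new(key, csv_bytes, hashlib.sha256).hexdigest()


def verify_csv(csv_bytes, checksum_text, key=SIGNING_KEY):
    """Constant-time comparison of the stored digest against a fresh one."""
    expected = sign_csv(csv_bytes, key)
    return hmac.compare_digest(expected, checksum_text.strip())


def parse_additional_data(text, pair_sep=";", kv_sep="="):
    """Split Additional Data into a dict; the delimiters are assumptions."""
    pairs = {}
    for item in text.split(pair_sep):
        if not item:
            continue
        name, _, value = item.partition(kv_sep)
        pairs[name.strip()] = value.strip()
    return pairs


def parse_records(csv_bytes):
    """Parse every CSV line into a dict keyed by the Table 1 attribute names."""
    reader = csv.reader(io.StringIO(csv_bytes.decode("utf-8"), newline=""))
    records = []
    for line_no, row in enumerate(reader, 1):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(
                f"line {line_no}: expected {len(FIELDS)} attributes, got {len(row)}")
        rec = dict(zip(FIELDS, row))
        rec["additional_data"] = parse_additional_data(rec["additional_data"])
        records.append(rec)
    return records


def load_package(csv_bytes, checksum_text, key=SIGNING_KEY):
    """Verify first, parse second: a tampered CSV never yields records."""
    if not verify_csv(csv_bytes, checksum_text, key):
        raise ValueError("audit CSV failed signature verification")
    return parse_records(csv_bytes)


def failed_actions(records):
    """Records whose Additional Data reports a failed action."""
    return [r for r in records if r["additional_data"].get("result") == "failure"]


if __name__ == "__main__":
    data = SAMPLE_CSV.encode("utf-8")
    checksum = sign_csv(data)
    for rec in load_package(data, checksum):
        print(rec["timestamp"], rec["user_id"], rec["action"], rec["additional_data"])
    # Changing one source address invalidates the checksum.
    tampered = data.replace(b"198.51.100.7", b"203.0.113.5")
    print("tampered copy verifies:", verify_csv(tampered, checksum))
```

The ordering matters: verification happens before any record is parsed, so a modified CSV is rejected outright rather than partially processed. In a real deployment the key (or the public key of a true signature scheme) must be obtained from a trusted source, not from the package itself.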
In normal operation, Cloud Pak System packs audit records into audit record packages and pushes those packages to your external storage server when the number of audit records exceeds 60 to 80 percent of the maximum capacity of 50,000 records. The "Total database utilization" found in the console in Security and access > Auditing > General Status represents the percentage of this allocated capacity which is in use. When this percentage reaches 60 to 80 percent, the oldest 20,000 audit records are moved from the internal database into an audit record package.

The audit record packages are stored in the file system in a dedicated folder with an allocated capacity of 5 GB. The "Audit record packages folder utilization" found in the console in Security and access > Auditing > General Status represents the utilization percentage of this folder. When that percentage reaches 90%, the system deletes the oldest audit record packages to free up space. If the audit record packages have not already been copied to the external storage server, they are copied prior to deletion.
Remember: Administrators should define an active external storage server. Otherwise, when record packages fill up the allocated file system, the records are deleted and then lost.
Failure to configure an external storage server returns the following warning message and an event is generated each time that Cloud Pak System creates an audit record package:
CWZIP1876W Recordpackage push failed due to no external server.  Configure a server to save system audits
If you receive this warning message, configure a storage server or manually download the audit record packages to another server from the console.
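To make the retention behavior described above concrete, here is an added Python model of the two thresholds (it is not Cloud Pak System code). It uses the page's figures: a 50,000-record database that packages the oldest 20,000 records once utilization reaches 60 percent (the low end of the stated 60 to 80 percent range), a 5 GB packages folder that deletes the oldest packages at 90 percent, a copy to the external server before deletion when one is configured, and the CWZIP1876W warning on every package creation when none is. The size of one compressed package is not given on the page; 256 MB is an assumption chosen so the folder holds 20 packages. Running the same event stream with and without an external storage server shows exactly how many records are lost.

```python
from collections import deque

DB_CAPACITY = 50_000            # maximum records in the internal database
PACK_TRIGGER_PCT = 60           # packaging starts at 60 to 80 percent; low end used
PACK_SIZE = 20_000              # oldest records moved into one package
FOLDER_CAPACITY_MB = 5 * 1024   # dedicated folder for packages: 5 GB
FOLDER_DELETE_PCT = 90          # oldest packages deleted at 90 percent
PACKAGE_SIZE_MB = 256           # ASSUMPTION: size of one compressed package

WARNING = ("CWZIP1876W Recordpackage push failed due to no external server.  "
           "Configure a server to save system audits")


class AuditStore:
    """Minimal model of the internal database, packages folder and export."""

    def __init__(self, external_server_configured):
        self.db = deque()            # records in the internal database, oldest first
        self.folder = deque()        # packages on the local file system, oldest first
        self.external = []           # packages held on the external storage server
        self.external_server = external_server_configured
        self.warnings = []           # CWZIP1876W events raised
        self.lost_records = 0        # records deleted without ever being exported

    def db_utilization_pct(self):
        return len(self.db) * 100 // DB_CAPACITY

    def folder_used_mb(self):
        return len(self.folder) * PACKAGE_SIZE_MB

    def record(self, event):
        """Store one audit record, packaging the oldest ones at the threshold."""
        self.db.append(event)
        if len(self.db) * 100 >= PACK_TRIGGER_PCT * DB_CAPACITY:
            self._create_package()

    def _create_package(self):
        count = min(PACK_SIZE, len(self.db))
        pkg = {"records": [self.db.popleft() for _ in range(count)],
               "exported": False}
        self.folder.append(pkg)
        self._push(pkg)   # pushed to external storage as soon as it is created
        if self.folder_used_mb() * 100 >= FOLDER_DELETE_PCT * FOLDER_CAPACITY_MB:
            self._free_space()

    def _push(self, pkg):
        if self.external_server:
            self.external.append(pkg)
            pkg["exported"] = True
        else:
            self.warnings.append(WARNING)

    def _free_space(self):
        """Delete oldest packages, copying each to external storage first if possible."""
        while self.folder and \
                self.folder_used_mb() * 100 >= FOLDER_DELETE_PCT * FOLDER_CAPACITY_MB:
            oldest = self.folder.popleft()
            if not oldest["exported"] and self.external_server:
                self._push(oldest)
            if not oldest["exported"]:
                self.lost_records += len(oldest["records"])

    def retained_records(self):
        """Records still recoverable from the database, folder or external server."""
        return (len(self.db)
                + sum(len(p["records"]) for p in self.folder if not p["exported"])
                + sum(len(p["records"]) for p in self.external))


def simulate(n_events, external_server_configured):
    store = AuditStore(external_server_configured)
    for i in range(n_events):
        store.record(i)
    return store


if __name__ == "__main__":
    for configured in (True, False):
        s = simulate(500_000, configured)
        print(f"external server configured={configured}: "
              f"packages created={len(s.warnings) + len(s.external)}, "
              f"warnings={len(s.warnings)}, lost records={s.lost_records}, "
              f"retained={s.retained_records()}")
```

With 500,000 events the model creates 24 packages either way; with an external server every record is retained, without one the folder's 90 percent threshold evicts the seven oldest packages and 140,000 records are gone.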

Cloud Pak System generates a warning event to alert administrators when the external storage server is not responding. The internal database is designed to store a large amount of data to give administrators sufficient time to address any connection issues with external storage servers.

Administrators can perform tasks in the console to manually generate and download audit record packages from the internal database. Manually retrieving audit record packages occurs in parallel with pushing audit record packages to the external storage server. When you manually retrieve audit record packages from the internal database, and an external storage server is configured, only those audit records that have not been exported to the external storage server are retrieved.

By default, audit record package processing is not traced. Use the following steps to trace the behavior of audit record package handling:
  1. Click Problem determination > System > System Troubleshooting.
  2. Expand Trace Setting.
  3. Scroll down to the bottom of the list and click Add trace setting.
  4. Type recordpackages in the Name: field and set the trace to FINEST in the drop-down menu.
  5. Click OK.
  6. Click Add trace setting.
  7. Type records in the Name: field and set the trace to FINEST in the drop-down menu.
  8. Click OK.