Building audit processes
Use the Audit Process Builder to streamline your compliance workflow process by consolidating, in one spot, database activity monitoring tasks such as: asset discovery; vulnerability assessment and hardening; database activity monitoring and audit reporting; report distribution; sign off by key stakeholders; and escalations.
- Audit processes support company privacy and governance requirements, such as PCI-DSS, SOX, Data Privacy, and HIPAA.
- The audit process can export audit results to external repositories for additional forensic analysis, such as Syslog, CSV or CEF files, or an external feed.
- Generate an Audit Process Log report that shows a detailed activity log for all tasks, including start and end times.
- The results of each audit process, including the review, sign-off trails, and comments, can be archived and later restored and reviewed through the Investigation Center (if enabled). For more information, see Restoring and viewing audit results in the investigation center.
Elements of the compliance workflow automation process can include:
- A process definition
- A set of tasks
- A distribution plan that defines the following elements:
- Receivers - Individual users, user groups, roles, email, or ticket.
Note: To configure tickets, you need to set up an external ticket service for alerts. For more information, see Configuring an external ticketing system.
- The review and signing responsibility for each receiver.
- The distribution sequence by setting the Continuous flag.
- A schedule - The audit process can be run immediately, or you can run the process regularly on a defined schedule.
Creating an audit process
To start building an audit process, open the Audit Process Builder page.
- From the Audit Process Builder page, click the icon to open the Create New Audit Process page.
- Click Name and archive to enter a name for your audit process.
- Click Show advanced options to manage the following optional information.
- Archive - Store a copy of audit process output after the retention period has expired. If needed, you can restore archived results.
- Allow results to be purged prior to review - Deletes the results of an ad hoc process before all workflow activities have finished, such as reviews and sign-offs. This feature allows you to delete results in a specified period (such as 1 day) even if the results have not been reviewed.
- Keep for a minimum of x days or y runs - Determine how long to keep the archived files. You can select either the number of days or the number of runs to archive. When a new archive file is stored, Guardium deletes the oldest file.
- CSV/CEF file name - Provide a label for CSV or CEF files that are generated by audit processes.
- Zip CSV for email - When emailing the file, select whether to compress the file before it is sent.
Note: Guardium cannot export CSV files larger than 10 GB. Guardium recommends that you select Zip CSV for email.
- Email subject - The subject line for all emails for all receivers for that audit process. The subject can include one (or more) of the following variables. Each variable is replaced with the following information:
- %%ProcessName - The audit process description.
- %%ExecutionStart - The start date and time of the first task.
- %%ExecutionEnd - The end date and time of the last task.
- Custom email template (12.1 and later) - Use an existing custom email template or create a new template. To create a new template:
- Click the New icon to open the New Template window.
- Provide a unique name for the template.
- Create the message that you want to include in the email. The message can include basic HTML formatting as well as the following variables:
- %%ExecutionEnd - Process execution end timestamp.
- %%ExecutionStart - Process execution start timestamp.
- %%ProcessName - The name of the audit process.
- %%UserAction - Required user action, which can be review or sign.
- Click OK to save your new template.
The email template that you saved is available from the Global profile Named Template Finder window. For more information, see Global profile.
Note: You can also create a custom email template from Named Template on the Global Profile page. For more information, see Creating or updating named messages.
- Export results - Specify whether to export results when an audit process runs, based on how export results are configured on the Results Export (Files) page. For more information, see Exporting (files) results.
Note: If you do not configure the export results, these settings are ignored (and audit process results are not exported). Specify when to export the results:
- Select Disabled to export results based on the configuration that you set in Results Export (Files).
- Select At the end of the process to export the results after the audit process successfully completes.
- Select At the end of each task to export the result after each task within the audit process completes.
- Roles - By default, an audit process is assigned to a user with audit process privileges. Select Roles to open the role window and select other roles that can access this audit process.
- Click Next to open Add tasks. Click the icon to begin adding a task. You must define at least one audit task before you can save the process. Each type of task requires different information. For more information about creating and configuring tasks, see Audit process task types.
Attention: For most task types, you need to define other steps first (such as creating a security assessment or privacy set). Guardium suggests that you create the required scenarios before you start building the audit process.
- After you name the audit process and add one task, click Save to save your work. If needed, add more tasks.
- Click Send results to add or change who receives the audit process results. From the Receiver table, click the New icon to begin adding a receiver. Each receiver type provides different options. For more information about receivers and receiver types, see Audit process receivers.
- Click Schedule audit process to configure a schedule for running the audit process. For more information, see Scheduling.
Note: Scheduling applies only to the Guardium unit on which you are defining this audit process. To manage an audit process from a central manager, you can create a distribution profile. For more information, see Working with configuration profiles.
- To test the audit process, select Run audit process and then click Run once now. Users with the audit-delete role can delete audit process results. If you have audit-delete privileges, Delete Results displays in the Run audit process ribbon. Audit activity is tracked in the User Activity Audit Trail report.
Note: Audit process results from remote sources are limited to 100,000 results. To change that limit, use the store save_result_fetch_size CLI command.
- Click Save to save your changes or Reset to clear all of the changes you made since the last time you saved your work.
To add comments for the audit process, click the audit process name and then Show advanced options, and in the Comments window, click the New icon.
Stopping an audit process
You can stop audit processes that are currently running or that have not run yet. Stopping an audit process does not deliver partial results; the audit process stops and returns a stopped error message. However, the results of tasks that already completed are still sent. To stop an audit process, use either method:
- Click the Actions menu, and select stop_audit_process.
- Place your cursor on any line and right-click to open the pop-up menu. Select Invoke and then select stop_audit_process.
For any user, stopping an audit process displays only the line that belongs to that user (just the tasks, not all the details). An admin user can see all the details and can stop anyone's audit processes. A user can stop only their own audit processes.
To stop an audit process on a remote source, select stop_audit_process from a line (not the Action menu) and specify the Target Host, which can be a group of managed units or the IP address of a managed unit.
Adding workflow events
Define a formal sequence of event types for certain tasks.
- From the Audit Process Builder, create an audit task.
- Depending on the task, Events and Additional Columns displays on the Edit task window. For example, Events and Additional Columns is displayed on the Edit task window for the Report Task type and the Admin Users Login report.
- Click Events and Additional Columns to display the Event & Sign-off window. The workflow that you created appears as a selection in Event and Sign-off.
- Highlight this choice and click Apply to save your selection.
- If you need to add additional information (such as company codes or business unit labels) as part of the workflow report, add this information under Define Additional Columns, and then click Add. To select a predefined or created groups column, change the Type column to Group.
- When you are done, click Close this window.
- Click OK to save the task and then Save to save the entire audit process definition.
- Under the Report choices are two procedural reports that are available to admin users (and users with the admin role), Outstanding Events and Event Status Transition. Add these two reports to two new audit tasks to show details of all workflow events and transitions. These reports are not filtered (observed data level security filtering is not applied).
- Additional Columns is unavailable for some tasks.
- When you clone a process, the task that is associated with the process is added to the cloned process. But, if you make changes to this task, the workflow that is associated with the original task is not cloned.
- You can delete an event status only if the status is not the first status of any event and if it is not used by any action. The validation provides a list of the events or actions that prevent the status from being deleted.
- The owner or creator of a workflow event can always see all statuses of this event, regardless of what roles are assigned to these statuses.
For more information about the Workflow builder, see Workflow Builder.
Audit processing notes
- On a central manager, reports can reference data from remote datasources (managed units). Audit processes that use these reports are accessible from the central manager only, and cannot be seen from managed units.
- Use the store max_audit_reporting CLI command to configure the audit report threshold. When you define reports, make sure that the number of days (defined by the FROM-TO fields) does not exceed this threshold. The default threshold is one month. If the threshold is exceeded, a runtime error results when the audit task runs on the aggregator. No warning message displays when you create a report with an invalid FROM-TO range. Instead, an error displays in the Task Parameters window on the Audit Process setup page.
- You can create an audit task with a FROM-TO range that is wider than the value of the store max_audit_reporting CLI command. Audit processes defined on the aggregator can be run on managed collectors (when this aggregator is a manager). Audit tasks that run on a collector unit do not have the max_audit_reporting limitation.
- You can use audit processing for the aggregator server to create ad hoc databases for each aggregator task and specify only the relevant days for that task. You can keep the ad hoc databases for the aggregation server in the system for up to 14 days (depending on the value of the store aggregator drop_ad_hoc_audit_db CLI command). If needed, use these databases for post-run analysis by Guardium support services.
- All audit processes are stopped when a patch installation runs.
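As an added pre-flight check for the max_audit_reporting note above (example code, not Guardium's own tooling): the script below takes constructed report-task definitions with their FROM-TO dates and the unit type they run on, and flags the tasks that Guardium would only reject at run time on the aggregator. The task record layout, the day-counting rule, and the threshold value of 31 days for "one month" are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed record layout for an audit report task; Guardium's own task
# definition is configured in the GUI and is not exposed like this.
@dataclass
class ReportTask:
    name: str
    date_from: date
    date_to: date
    runs_on: str  # "aggregator" or "collector" (assumed labels)

def range_days(task: ReportTask) -> int:
    """Width of the FROM-TO window in days (assumed: TO minus FROM)."""
    return (task.date_to - task.date_from).days

def tasks_exceeding_threshold(tasks, threshold_days: int):
    """Return names of tasks that would fail at run time.

    The page states that no warning appears at creation time; the error
    only surfaces when the task runs on the aggregator, and tasks run on
    a collector unit are not subject to the max_audit_reporting limit.
    """
    failing = []
    for task in tasks:
        if task.runs_on != "aggregator":
            continue  # collector-run tasks are exempt
        if task.date_to < task.date_from:
            failing.append(task.name)  # inverted FROM-TO is never valid
        elif range_days(task) > threshold_days:
            failing.append(task.name)
    return failing

# Constructed sample tasks: one weekly report, one quarterly report on
# the aggregator, and the same quarterly report pushed to a collector.
SAMPLE_TASKS = [
    ReportTask("weekly-admin-logins", date(2024, 3, 1), date(2024, 3, 7), "aggregator"),
    ReportTask("quarterly-privileged-access", date(2024, 1, 1), date(2024, 3, 31), "aggregator"),
    ReportTask("quarterly-on-collector", date(2024, 1, 1), date(2024, 3, 31), "collector"),
]

if __name__ == "__main__":
    # Assumed default threshold: one month, taken here as 31 days
    for name in tasks_exceeding_threshold(SAMPLE_TASKS, 31):
        print(f"{name}: FROM-TO range exceeds max_audit_reporting; "
              "narrow the range or run the task on a collector")
```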