Defining and following an audit trail

When you secure applications, it is important to monitor, or audit, how effective your security is. One way to do this is to configure the system to log certain types of activity, and then monitor the logs to see whether anything of interest or concern occurs.

To configure security audit logs, use the ObjectServer properties or command-line options that are described in the following table. These properties are read-only and cannot be altered after the ObjectServer starts.

Table 1. Auditing ObjectServer properties and command-line options

Property: Sec.AuditLog string
Command-line option: -secauditlog string
Description: Specifies the file to which audit information is written. The audit information is the audit log information for all authentication and authorization of security objects. If you do not want to create an audit log file, then the value of the property that specifies the path to the file must be set to an empty string.
Default: $NCHOME/omnibus/log/NCOMS_audit_file.log

Property: Sec.AuditSqlLog string
Command-line option: -secsqlauditlog string
Description: Enables an audit trail of all SQL commands from prescribed user groups. The Sec.AuditLevel property must be equal to info or higher for SQL commands to be logged. If you do not want to create an SQL audit log file, then the value of the property that specifies the path to the file must be set to an empty string.
Default: $NCHOME/omnibus/log/NCOMS_audit_sql.log

Property: Sec.AuditLevel string
Command-line option: -secauditlevel string
Description: Controls the log level for Sec.AuditLog and Sec.AuditSqlLog. The default value of warn logs only security violations. To get a full trail of all SQL commands from the privileged user groups that are specified in Sec.AuditGroups, set this value to info. Other possible values are debug and error. The debug and info levels generate messages for authentication successes and failures, while warn and error generate messages for authentication and authorization failures only.
Default: warn

Property: Sec.AuditGroups string
Command-line option: -secauditgroups string
Description: A comma-delimited string that contains the user groups to be audited. For more information about permissions and access control, see the topic Implementing authorization by using groups and roles. To suppress all SQL audit logging, exclude all user groups from the string.
Default: System, Administrator
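The following script is an added example, not part of this documentation or of the product. It lints the four audit properties in an ObjectServer properties file against the table above, so that a configuration that silently disables the audit trail (an empty log path, a level below info, or an empty group list) is caught before the ObjectServer is started, at which point the properties can no longer be changed. It assumes the "Property: 'value'" syntax used in $NCHOME/omnibus/etc/NCOMS.props; the two sample files it writes are constructed for the demonstration, and the defaults it applies for absent properties are the ones in the table.

```shell
#!/bin/sh
# Added example, not from the product documentation. Lints the security audit
# settings of an ObjectServer properties file against the documented property
# table. Assumed: the file uses the "Property: 'value'" syntax of
# $NCHOME/omnibus/etc/NCOMS.props; the sample files below are constructed.

# Exit 0 if the property appears in the file at all (even with an empty value).
prop_is_set() {
    grep -q "^[[:space:]]*$2[[:space:]]*:" "$1"
}

# Print the unquoted value of property $2 from file $1; last occurrence wins.
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*'*\([^']*\)'*.*/\1/p" "$1" | tail -n 1
}

# Value of $2 from $1, or the documented default $3 when the property is absent.
prop_or_default() {
    if prop_is_set "$1" "$2"; then get_prop "$1" "$2"; else printf '%s\n' "$3"; fi
}

# Print one finding per line for settings that weaken or suppress the audit
# trail. Returns 0 when there are no findings, 1 otherwise.
check_audit_config() {
    f=$1
    findings=0
    log=$(prop_or_default "$f" Sec.AuditLog '$NCHOME/omnibus/log/NCOMS_audit_file.log')
    sqllog=$(prop_or_default "$f" Sec.AuditSqlLog '$NCHOME/omnibus/log/NCOMS_audit_sql.log')
    level=$(prop_or_default "$f" Sec.AuditLevel warn)
    groups=$(prop_or_default "$f" Sec.AuditGroups 'System, Administrator')

    if [ -z "$log" ]; then
        echo "Sec.AuditLog is empty: authentication/authorization audit log disabled"
        findings=$((findings + 1))
    fi
    if [ -z "$sqllog" ]; then
        echo "Sec.AuditSqlLog is empty: SQL audit log disabled"
        findings=$((findings + 1))
    fi
    # SQL commands are only logged at info or higher; debug also qualifies.
    case "$level" in
        info|debug) ;;
        *) echo "Sec.AuditLevel is '$level': SQL commands are not logged"
           findings=$((findings + 1)) ;;
    esac
    # An all-whitespace or all-comma group list audits nobody.
    if [ -z "$(printf '%s' "$groups" | tr -d ' ,')" ]; then
        echo "Sec.AuditGroups is empty: SQL audit logging suppressed for all groups"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Number of findings as a plain integer, for use in a startup pre-check.
count_findings() {
    check_audit_config "$1" | wc -l | tr -d ' '
}

# Constructed sample files: one with auditing switched off, one with the
# table's defaults plus the info level that a full SQL trail requires.
WORK=$(mktemp -d)
WEAK="$WORK/weak.props"
HARDENED="$WORK/hardened.props"
cat > "$WEAK" <<'EOF'
Name: 'NCOMS'
Sec.AuditLog: ''
Sec.AuditSqlLog: ''
Sec.AuditLevel: 'warn'
Sec.AuditGroups: ''
EOF
cat > "$HARDENED" <<'EOF'
Name: 'NCOMS'
Sec.AuditLog: '$NCHOME/omnibus/log/NCOMS_audit_file.log'
Sec.AuditSqlLog: '$NCHOME/omnibus/log/NCOMS_audit_sql.log'
Sec.AuditLevel: 'info'
Sec.AuditGroups: 'System, Administrator'
EOF

for f in "$WEAK" "$HARDENED"; do
    echo "== $f"
    check_audit_config "$f" || echo "-> $(count_findings "$f") finding(s)"
done
```

Run it against the real properties file by replacing the constructed paths with $NCHOME/omnibus/etc/NCOMS.props; a non-zero exit from check_audit_config is a convenient gate in a start-up script. The equivalent -secauditlog, -secsqlauditlog, -secauditlevel and -secauditgroups command-line options override the file, so check the ObjectServer's actual start command as well.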

As part of your security process, check your logs frequently.

What to do next

Applications that are configured to connect to the ObjectServer as a System user

If SQL auditing is turned on, applications that connect to the ObjectServer as a System user can generate a large volume of messages in the SQL audit log file. For applications that connect with a user account that belongs to the System user group, you can apply the following workarounds.

  • IBM Tivoli Netcool/Impact. Configure this application to connect to the ObjectServer as a Gateway user.
  • Web GUI. Create a user group that is a copy of the System user group, for example a new user group called ServerProcess. Assign the ServerProcess user group the same roles that are assigned to the System user group. Configure this application to connect to the ObjectServer as a ServerProcess user. Provided that the ServerProcess user group is not included in the Sec.AuditGroups property, commands from this application are not logged.

Command-line utilities that run with System privileges

The following Tivoli Netcool/OMNIbus command-line utilities must be run as users with System privileges, and they generate many SQL statements:
  • nco_config
  • nco_osreport
These utilities are expected to be run infrequently, so the volume of statements that they write to the SQL audit log might not be a problem. If it is, use the same configuration solution that is described for the Web GUI application.

Log file rotation

The product supports log file rotation. To enable it, configure two environment variables. In the following example, the values specify log file rotation every midnight and append the current date to the name of the rolled log file.

Example
NDE_LOGFILE_ROTATION_FORMAT=%Y%m%d
NDE_LOGFILE_ROTATION_TIME=0000

For more information about log file rotation, see the Setting environment variables topic in the IBM Tivoli Netcool/OMNIbus Installation and Deployment Guide.