Defining and following an audit trail
When you secure applications, it is important to monitor, or audit, the effectiveness of your security. One way to do this is to configure the system to log certain types of activity and then monitor the logs to see whether anything of interest or concern occurs.
To configure security audit logs, use the ObjectServer properties or command-line options that are described in the following table. These properties are read-only and cannot be altered after the ObjectServer starts: to change them, edit the properties file or the command line and restart the ObjectServer.
Property | Command-line option | Description |
---|---|---|
Sec.AuditLog string | -secauditlog string | Specifies the file to which audit information is written. The audit information is the audit log for all authentication and authorization of security objects. If you do not want to create an audit log file, set the property to an empty string. The default file path is $NCHOME/omnibus/log/NCOMS_audit_file.log. |
Sec.AuditSqlLog string | -secsqlauditlog string | Enables an audit trail of all SQL commands from the user groups that are listed in Sec.AuditGroups. Sec.AuditLevel must be set to info or debug for SQL commands to be logged. If you do not want to create an SQL audit log file, set the property to an empty string. The default file path is $NCHOME/omnibus/log/NCOMS_audit_sql.log. |
Sec.AuditLevel string | -secauditlevel string | Controls the log level for Sec.AuditLog and Sec.AuditSqlLog. Possible values are debug, info, warn, and error. The debug and info levels generate messages for authentication successes and failures and produce a full trail of all SQL commands from the privileged user groups that are specified in Sec.AuditGroups; warn and error generate messages for authentication and authorization failures only and do not log SQL commands. The default value is warn, which logs only security violations. |
Sec.AuditGroups string | -secauditgroups string | A comma-delimited string that contains the user groups to be audited. For more information about permissions and access control, see the topic Implementing authorization by using groups and roles. To suppress all SQL audit logging, exclude all user groups from the string. The default value is |
As part of your security process, check your logs frequently. Also confirm that none of the audit properties has been set to an empty string, because an empty value silently disables the corresponding log rather than producing an error.
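The settings in the table interact: an SQL audit log path, a level of warn, or an empty Sec.AuditGroups each leave you with no SQL trail while auditing looks enabled. The following script is an added example, not IBM's code, that reads an ObjectServer properties file and reports those conditions before the ObjectServer is restarted. It assumes the usual NCOMS.props layout of one "Name: value" line per property with string values in single quotes; the two sample files it writes are constructed for the demonstration, and the warning about the System group anticipates the volume problem discussed under "What to do next".

```shell
#!/bin/sh
# Added example (not IBM's code): check an ObjectServer properties file for
# audit settings that silently leave you without a trail. Assumes NCOMS.props
# style lines: "Name: value", strings in single quotes. Sample files below are
# constructed for this demonstration.

# Print the value of a property with its single quotes stripped; print nothing
# if the property is absent. Usage: prop_value <props-file> <property>
prop_value() {
    awk -v key="$2" -v q="'" '
        $1 == (key ":") {
            sub(/^[^:]*:[ \t]*/, "")                                 # drop "Name: "
            if (substr($0, 1, 1) == q) $0 = substr($0, 2)            # leading quote
            n = length($0)
            if (n > 0 && substr($0, n, 1) == q) $0 = substr($0, 1, n - 1)  # trailing quote
            print; exit
        }' "$1"
}

# True if the property is set explicitly in the file (so "" means set to '').
has_prop() { grep -q "^$2:" "$1"; }

# Report findings for the four Sec.Audit* properties. Returns 0 when the file
# would yield a usable SQL audit trail, 1 when some setting disables it.
check_sql_audit() {
    f="$1"; rc=0
    level=$(prop_value "$f" Sec.AuditLevel)
    [ -n "$level" ] || level=warn          # documented default when unset
    groups=$(prop_value "$f" Sec.AuditGroups)

    if has_prop "$f" Sec.AuditLog && [ -z "$(prop_value "$f" Sec.AuditLog)" ]; then
        echo "FAIL Sec.AuditLog is '': no security audit log is written"; rc=1
    fi
    if has_prop "$f" Sec.AuditSqlLog && [ -z "$(prop_value "$f" Sec.AuditSqlLog)" ]; then
        echo "FAIL Sec.AuditSqlLog is '': SQL audit trail disabled"; rc=1
    fi
    case "$level" in
        info|debug) ;;
        *) echo "FAIL Sec.AuditLevel is '$level': SQL commands are not logged (needs info or debug)"; rc=1 ;;
    esac
    if has_prop "$f" Sec.AuditGroups && [ -z "$groups" ]; then
        echo "FAIL Sec.AuditGroups is '': all SQL audit logging suppressed"; rc=1
    fi
    case ",$groups," in
        *,System,*) echo "WARN System group is audited: expect high volume from applications that connect as System users" ;;
    esac
    return $rc
}

TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
WEAK="$TMPD/weak.props"; HARD="$TMPD/hardened.props"

# Constructed sample: auditing "enabled" on paper, but no SQL trail results.
cat > "$WEAK" <<'EOF'
# Sec.AuditLevel left at its default (warn): SQL commands never reach the log
Sec.AuditLog:       '$NCHOME/omnibus/log/NCOMS_audit_file.log'
Sec.AuditSqlLog:    ''
Sec.AuditGroups:    'System'
EOF

# Constructed sample: level raised to info, both logs set, System still audited
# (applications connect as a ServerProcess user that is not listed here).
cat > "$HARD" <<'EOF'
Sec.AuditLog:       '$NCHOME/omnibus/log/NCOMS_audit_file.log'
Sec.AuditSqlLog:    '$NCHOME/omnibus/log/NCOMS_audit_sql.log'
Sec.AuditLevel:     'info'
Sec.AuditGroups:    'System'
EOF

for f in "$WEAK" "$HARD"; do
    echo "== $(basename "$f")"
    if check_sql_audit "$f"; then
        echo "OK: SQL audit trail is usable"
    else
        echo "NOT OK: fix the findings above and restart the ObjectServer"
    fi
done
```

Run it against $NCHOME/omnibus/etc/NCOMS.props (or the properties file of the ObjectServer you are hardening) by replacing the constructed samples; properties that are commented out or absent are treated as taking their documented defaults.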
What to do next
System user configuration to connect to ObjectServer. If SQL auditing is turned on, applications that are configured to connect to the ObjectServer as a System user can generate a large volume of log messages in the SQL audit log file. For applications that are configured to connect with a user account that belongs to the System user group, you can apply the following workarounds.
- IBM Tivoli Netcool/Impact. Configure this application to connect to the ObjectServer as a Gateway user.
- Web GUI. Create a user group that is a copy of the System user group, for example call the new user group ServerProcess. Assign all the same roles to the ServerProcess user group as are assigned to the System user group. Configure this application to connect to the ObjectServer as a ServerProcess user. If the ServerProcess user group is not included in the Sec.AuditGroups property, then commands from this application are not logged.
System privileges. The nco_config and nco_osreport utilities run with System privileges and generate many statements. To keep the SQL audit log manageable when these utilities are audited, enable log file rotation so that the log is periodically rolled to a new log file, as in the following example.
Example
NDE_LOGFILE_ROTATION_FORMAT=%Y%m%d
NDE_LOGFILE_ROTATION_TIME=0000
For more information about log file rotation, see the Setting environment variables topic within the IBM Tivoli Netcool/OMNIbus Installation and Deployment Guide.