Archive the Audit Data
It is recommended to keep at least one month of audit data in the FTRESSAUDITLOG table available online, and to extract and store the records or partitions in a flat CSV file on a daily basis.
When the ActivID AS database is created using ActivID AS database scripts, a set of procedures is created to automatically archive the FTRESSAUDITLOG data (Oracle Databases Only) into CSV files every day.
A script designed to drop records older than one month is also created. For further information, refer to the ActivID Authentication Server Oracle Database Configuration Guide available from the ActivID Customer Portal.
When a security domain is created (using the oracle-create-4tress.sql script), a new user is created for each domain – <myDomain>_ARCH_USER. This user is designed to generate the data extraction and purge script.
A scheduler task, assigned to <myDomain>_ARCH_USER, runs every day and archives the partitions (if FTRESSAUDITLOG is partitioned) or the records (if FTRESSAUDITLOG is NOT partitioned) generated the day before:
- Extract and purge (the generated scripts are run by the database administrator (DBA); by default, at 0300/3 AM).
Two further scheduler tasks purge the expired challenges and expired sessions:
- Purge of expired challenge records (by default, at 0400/4 AM).
- Purge of expired session records (by default, at 0400/4 AM).
As a result:
- A CSV file with corresponding records is created every day.
- The scheduler task also generates a script to drop the partitions or records older than one month (the scripts should be run by the database administrator (DBA)).
- The CSV files and drop script are generated in the folder defined by the FILEDIREXTRACT parameter.
- Two tables, AASFILEEXPORT and AASLOG (attached to <myDomain>_ARCH_USER), are used to trace the scheduler task actions.
For example, on July 19 at 3 AM, the scheduler task generates the following files in the FILEDIREXTRACT folder (by default, in /home/oracle/archive-and-drop-scripts) of the database system for the ONLINEBANK domain:
- ARCHIVE_ONLINEBANK_OBF_DAY_20190718.csv – Records generated the day before.
- DropAuditRecords_ONLINEBANK_Until_20190619.sql – Script that can be used by the DBA to delete the records older than a month.
The archive and purge of audit data consists of the following tasks to be performed by the DBA:
- Storing the generated CSV files in a secure repository (so that they can be used later for forensics investigation or reporting).
- After the backup of the CSV files, the DBA must run the drop scripts to free the corresponding database space.
- The DBA must finally remove the CSV files from the database system folder (/home/oracle/archive-and-drop-scripts).
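As an added example (not ActivID AS code), a small Python pre-check a DBA could run against the FILEDIREXTRACT folder before the steps above. It relies only on the file names shown in the July 19 example and on the default 30-day window: it lists days that have no CSV (so they can be checked against AASFILEEXPORT), flags any drop script whose "Until" date would reach inside the online window, and produces a SHA-256 manifest to store with the CSV copies. The regular expressions, function names and the manifest helper are assumptions.

```python
"""Added pre-check for the FILEDIREXTRACT folder; not part of ActivID AS."""
import hashlib
import re
from datetime import datetime, timedelta
from pathlib import Path

# Name patterns follow the files shown in the example above (assumed stable)
ARCHIVE_RE = re.compile(r"^ARCHIVE_(?P<domain>\w+)_OBF_DAY_(?P<day>\d{8})\.csv$")
DROP_RE = re.compile(r"^DropAuditRecords_(?P<domain>\w+)_Until_(?P<day>\d{8})\.sql$")


def _day(text):
    return datetime.strptime(text, "%Y%m%d").date()


def check_archive_folder(names, domain, today, num_longevity=30):
    """Classify the file names belonging to one security domain.

    Returns (missing_days, safe_drops, unsafe_drops):
      missing_days - days between the first CSV and yesterday with no CSV. The
                     guide says this is legitimate when no records were created,
                     so confirm each day against the AASFILEEXPORT trace table.
      safe_drops   - drop scripts whose Until date lies outside the online window
      unsafe_drops - drop scripts that would delete records still inside it
    """
    archived, safe, unsafe = set(), [], []
    oldest_to_keep = today - timedelta(days=num_longevity)
    for name in names:
        m = ARCHIVE_RE.match(name)
        if m and m.group("domain") == domain:
            archived.add(_day(m.group("day")))
            continue
        m = DROP_RE.match(name)
        if m and m.group("domain") == domain:
            (safe if _day(m.group("day")) <= oldest_to_keep else unsafe).append(name)
    missing = []
    if archived:
        cursor = min(archived)
        while cursor < today:
            if cursor not in archived:
                missing.append(cursor)
            cursor += timedelta(days=1)
    return missing, sorted(safe), sorted(unsafe)


def csv_manifest(folder):
    """SHA-256 of every daily CSV, to be stored with the copies in the secure
    repository so a later forensic reader can prove the extracts were not altered."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(folder).glob("ARCHIVE_*_OBF_DAY_*.csv"))}
```

Run it with `today` set to the day the DBA performs the archive, and only execute the scripts returned in `safe_drops`.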
The behavior of the archive and purge mechanism can be customized in the oracle-config-4tress.sql script during the creation of the database/security domains using the following parameters.
Parameter | Description |
---|---|
FILEDIREXTRACT | The folder used for archives. The default value is /home/oracle/archive-and-drop-scripts. |
PURGE_LONGEVITY, NUM_LONGEVITY | Define the interval unit and count of the sliding window of online audit records. Example with the default values: PURGE_LONGEVITY=DAY, NUM_LONGEVITY=30. This means that audit records generated during the last month are not dropped; records older than one month can be deleted using the generated scripts. |
Note:
- Once extracted, the data older than one month should be purged to save storage space.
- The retention period should be adjusted according to the number of events that are generated on a daily basis. It is the responsibility of the DBA to run the drop scripts.
- Drop scripts are generated only a month after the initial ActivID AS installation, as before this date there is nothing to drop because at least one month of online audit data is kept.
- If no record or partition has been created, a CSV file is not generated. There will only be a trace in the AASFILEEXPORT table.
- You can modify the hour of the audit/purge schedule.
- The first partition (P_20150415) contains all records with TIMESTAMP older than 1429142400000, and an automatic system-generated partition (SYS_P442) contains records with TIMESTAMP values from 1429142400001 to 1429228800000.
- After several days, the FTRESSAUDITLOG is partitioned as follows:
- The data extraction and purge task is scheduled to start on the first day of the month following the execution of the partitioning scripts:
- After multiple days, the following result shows the CSV files created for each day and two "drop" partition scripts:
In this use case, the DropPartitions scripts must be executed by the DBA to drop the corresponding partitions.
Modify the Archive/Purge Schedule (Oracle Databases Only)
You can modify the hour at which the daily archive and purge tasks should be performed using the updateScheduler.sh script in the <ACTIVID_HOME>/ActivID_AS/bin folder.
By default, the daily tasks are scheduled as follows:
- Extract and purge of audit records – at 0300/3 AM.
- Purge of expired challenge records – at 0400/4 AM.
- Purge of expired session records – at 0400/4 AM.
As ftadmin, run the script as follows:
su - ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/updateScheduler.sh -d <domain name> -a <n> -c <n> -s <n>"
Where:
Parameter | Description |
---|---|
-d | The name of the domain to update. This is mandatory. If you do not specify a domain, or the domain does not exist, an error is displayed. |
-a | The numeric value for the hour at which the extract and purge of audit records should be performed. This is optional. If you do not specify an hour, the default value (3 AM) is applied. |
-c | The numeric value for the hour at which the purge of expired challenge records should be performed. This is optional. If you do not specify an hour, the default value (-a plus one hour) is applied. |
-s | The numeric value for the hour at which the purge of expired session records should be performed. This is optional. If you do not specify an hour, the hour applied to -c (explicit or default) is used, as the examples below show. |
-v | Verbose mode. |
The following examples illustrate possible schedule definitions:
su - ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/updateScheduler.sh -d ONLINEBANK"
- Extract and purge of audit records is scheduled for 3 AM (freq=daily;byhour=3;byminute=0;bysecond=0)
- Purge of expired challenge records is scheduled for 4 AM (freq=daily;byhour=4;byminute=0;bysecond=0)
- Purge of expired session records is scheduled for 4 AM (freq=daily;byhour=4;byminute=0;bysecond=0)
su - ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/updateScheduler.sh -d ONLINEBANK -a 5 -c 7 -s 8"
- Extract and purge of audit records is scheduled for 5 AM (freq=daily;byhour=5;byminute=0;bysecond=0)
- Purge of expired challenge records is scheduled for 7 AM (freq=daily;byhour=7;byminute=0;bysecond=0)
- Purge of expired session records is scheduled for 8 AM (freq=daily;byhour=8;byminute=0;bysecond=0)
su - ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/updateScheduler.sh -d ONLINEBANK -a 5 -c 7"
- Extract and purge of audit records is scheduled for 5 AM (freq=daily;byhour=5;byminute=0;bysecond=0)
- Purge of expired challenge records is scheduled for 7 AM (freq=daily;byhour=7;byminute=0;bysecond=0)
- Purge of expired session records is scheduled for 7 AM (freq=daily;byhour=7;byminute=0;bysecond=0)
su - ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/updateScheduler.sh -d ONLINEBANK -a 5"
- Extract and purge of audit records is scheduled for 5 AM (freq=daily;byhour=5;byminute=0;bysecond=0)
- Purge of expired challenge records is scheduled for 6 AM (freq=daily;byhour=6;byminute=0;bysecond=0)
- Purge of expired session records is scheduled for 6 AM (freq=daily;byhour=6;byminute=0;bysecond=0)
su - ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/updateScheduler.sh -d ONLINEBANK -s 9"
- Extract and purge of audit records is scheduled for 3 AM (freq=daily;byhour=3;byminute=0;bysecond=0)
- Purge of expired challenge records is scheduled for 4 AM (freq=daily;byhour=4;byminute=0;bysecond=0)
- Purge of expired session records is scheduled for 9 AM (freq=daily;byhour=9;byminute=0;bysecond=0)