Presentation transcript: AUDITRE, a generalized ADABAS auditing facility (a product of Treehouse Software, Inc.)
1 AUDITRE: A Generalized ADABAS Auditing Facility
Speaker notes: Self-explanatory. You should mention the handouts at this time.
Slide text: AUDITRE is a product of Treehouse Software, Inc. All rights reserved.
2 Introducing AUDITRE
Slide text:
- Standardized ADABAS/NATURAL auditing facility
- Simple, powerful, valuable
- Parameter-driven reporting features
- Aids: Data Processing Management, Database Administrators, Applications and Systems Analysts, Application Programmers, EDP Auditors, End Users
3 ADABAS Auditing Concerns
Speaker notes: Do not dwell on the last point; the next slide covers it in detail. For the third point, this is called "compliance testing" by EDP Auditors.
Slide text:
- Who changed the data? From what value to what value? When?
- Updates made from many sources (Direct Calls, NATURAL, etc.)
- Impossible to know if proper updating procedures are followed in applications
- Cannot monitor changes to NATURAL programs
- Embedded auditing is costly, error-prone, and potentially weak
4 Embedded Audit Routines
Speaker notes: For the second point, any special audit data written by the application and the PLOG will probably be the same, so the application will be creating "redundant" data, wasting DASD and CPU to generate it. For the third point, it means that incorporating new audit techniques is more difficult.
Slide text:
- Only as reliable and as complete as the programmer desires
- Inefficient use of DASD and CPU, especially if PLOG is in use
- Different for each application, file, or programmer
- Costly to code into applications
- Adds to maintenance costs
5 Why AUDITRE Uses the PLOG
Speaker notes: The second point refers to the development of audit programs and audit-related logic. Since the audit routines for two applications or programs may be coded by two different people, each may use a different standard for the layout and content of the audit data, or they may use several different ADABAS files, etc. Thus, audit data ends up in several locations. The third point means you no longer have to code audit routines, nor reporting routines, if you use the PLOG and AUDITRE. In the fourth point, the PLOG cannot be bypassed by a user or easily deactivated by one, so the auditor can rely on PLOG data. For the sixth point, the PLOG is compressed, so it takes up less space; if it is already on, no new space for PLOG storage will be required. The last point: save the old PLOGs, or extracts of them, for later use.
Slide text:
- Offers uniform auditing technique
- Gives one source for all potential audit data
- Eliminates programming difficulties
- Offers secure, complete, reliable audit data
- Adds little or no overhead
- Reduces data storage requirements
- Enables audit data to be maintained off-line, indefinitely
6 How Would You Catch This?
Speaker notes: An employee with access to the PAYROLL-MASTER file issues an ADABAS command to update a friend's HOURLY-WAGE field to double its value. The friend will now be paid twice the correct amount for every hour worked. Because the command was not issued by a legitimate payroll program, the update was not logged by the MASTER-UPDATE program's home-grown "audit trail". Natural Security didn't prevent the occurrence, because the program was not written in NATURAL. Protection Logging was turned on at the time of the illegal update. If you do not have a powerful auditing facility in place, one that can access the ADABAS Protection Log, chances are that this abuse will go unnoticed. Using AUDITRE, however, you could easily detect it with a report like this:
Slide text:
*** RECORD UPDATED ***
* NM= JOE SMITH  NAME
* EN=  EMPLOYEE-NUMBER
B: HR=8.75  HOURLY-RATE
A: HR=17.50  HOURLY-RATE
Of course, SECURITRE might have prevented this in the first place.
7 AUDITRE Capabilities
Speaker notes: If asked: the output from "selective PLOGing" is not in a form that is usable by SAG's PLOG manipulation utilities. However, the data is in a form that application programs could query to "re-generate" the updates if needed. AUDITRE was created as a tool for auditing, not for database recovery, etc.
Slide text:
- Compares Before and After Images to determine changed fields
- Prints selected changed fields, for selected files, users, times, dates, etc.
- Prints specified "key fields" to show "which record changed"
- Reports across updated files, fields
- Generates multiple reports in one execution
- Automatically handles increased field sizes, such as DBID, FNR, ISN values, etc.
8 AUDITRE Capabilities
Speaker notes: The summary by file and field will quickly expose certain problems. For example, three salary field updates were approved, but four records were updated. In the third point, selective PLOGing means running AUDITRE to peel off certain files from the PLOG, making one or more "mini-PLOGs" to process later (perhaps with mini-PLOGs from other days). We'll present more information about these capabilities on subsequent overheads.
Slide text:
- Shows summary of updates, adds, and deletes by file, field
- Can report on changes to NATURAL programs (FUSER LJ and LK fields)
- Allows "after-the-fact" selective Protection Logging
- Handles MU, PE, and MU within PE
9 PLOG Record Decompression
Speaker notes: Note that AUDITRE identifies each field by its 2-character name and its long name.
Slide text: SHOW statement sample display:
AN =  CUST-ACCOUNT-NUMBER
CL =  CREDIT-LIMIT
CS = SEWICKLEY, PA  CUST-CITY-ST-ZIP
CN = JOHN DOE  CUSTOMER-NAME
CD = 700 MAIN STREET  CUSTOMER-ST-ADDRESS
FY =  INT-RATE-YEARLY
OCC = 3  OTHER-CARDS-COUNT
OC 1 = DINERS CLUB  OTHER-CARDS
OC 2 = AMERICAN EXPRESS  OTHER-CARDS
OC 3 = VISA  OTHER-CARDS
OLC = 3  OTHER-LIMITS-COUNT
OL 1 = 2000  OTHER-CARD-LIMIT
OL 2 = 1500  OTHER-CARD-LIMIT
OL 3 = 1800  OTHER-CARD-LIMIT
CO = CLERK  CURRENT-OCCUPATION
YI =  YEARLY-INCOME
PH =  HOME-PHONE
BP =  BUSINESS-PHONE
YJ = 5  YEARS-AT-JOB
ED = 10/19/99  CARD-EXPIRE-DATE
DB = 01/15/66  DATE-OF-BIRTH
MS = S  MARITAL-STATUS
NC = 0  NUMBER-CHILDREN
DL =  DRIV-LIC-NUMBER
DS = GA  DRIV-LIC-STATE
This is nice and readable, but could result in a big pile of paper!
10 BEFORE and AFTER Images
Speaker notes: Imagine having to sort through thousands of printed records this size, attempting to determine which fields have changed, and whether the change is important. Here, the phone number (PH) was changed; this is probably not important. The credit limit (CL) also changed; this might be very important. You can tell AUDITRE that PH is unimportant, that CL is important, and that if CL changes, the person's name (CN) would be helpful to see. AUDITRE may be very helpful for viewing year-2000-related changes.
Slide text (changed fields are marked "< >"):
Before                        After
AN =                          AN =
CL =                    < >   CL =
CS = SEWICKLEY, PA            CS = SEWICKLEY, PA
CN = JOHN DOE                 CN = JOHN DOE
CD = 700 MAIN STREET    < >   CD = 172 SCAIFFE ROAD
FY =                          FY =
OCC = 3                       OCC = 3
OC 1 = DINERS CLUB            OC 1 = DINERS CLUB
OC 2 = AMERICAN EXPRESS       OC 2 = AMERICAN EXPRESS
OC 3 = VISA                   OC 3 = VISA
OLC = 3                       OLC = 3
OL 1 = 2000                   OL 1 = 2000
OL 2 = 1500             < >   OL 2 = 1600
OL 3 = 1800                   OL 3 = 1800
CO = CLERK                    CO = CLERK
YI =                          YI =
PH =                    < >   PH =
BP =                          BP =
YJ = 5                  < >   YJ = 6
ED = 10/19/99                 ED = 10/19/99
DB = 01/15/66                 DB = 01/15/66
MS = S                  < >   MS = M
NC = 0                        NC = 0
DL =                    < >   DL =
DS = GA                 < >   DS = PA
11 Summary Report by Field
Speaker notes: What if 10 changes were authorized but 12 were actually made? Maybe they were just errors that had to be corrected, but maybe not! At a glance, a recap by file and field should reveal that unauthorized updates have been occurring. This function could be an easy part of a daily interval audit of critical files.
Slide text:
FILE:   DELETES: 0   UPDATES: 26   ADDS: 0
FIELD  LONG-NAME            OCC FROM  OCC TO  UPDATES  DELETES  ADDS
AN     CUST-ACCOUNT-NO
CL     CREDIT-LIMIT
CS     CUST-CITY-ST-ZIP
CN     CUSTOMER-NAME
CD     CUSTOMER-ST-ADDRESS
FY     INT-RATE-YEARLY
OCC    OTHER-CARDS-COUNT
OC     OTHER-CARDS
OLC    OTHER-LIMITS-COUNT
OL     OTHER-CARD-LIMIT
CO     CURRENT-OCCUPATION
YI     YEARLY-INCOME
PH     HOME-PHONE
BP     BUSINESS-PHONE
YJ     YEARS-AT-JOB
ED     CARD-EXPIRE-DATE
DB     DATE-OF-BIRTH
MS     MARITAL-STATUS
NC     NUMBER-CHILDREN
DL     DRIV-LIC-NUMBER
0 0 0
12 Summary Report by File
Speaker notes: AUDITRE's summary reports can make routine auditing simpler. For example, consider this summary report showing updates by file. Suppose only 95 updates were expected on file 9 (PAYROLL-MASTER). Since this report shows 102, we might want to investigate further.
Slide text (report header):
FNR  COUNT  %
13 Summary Reports by Hour, User
Speaker notes: Measuring updates by user might be an effective way of measuring the productivity of data entry staff. Updates by hour could measure the productivity of workers on the various shifts as a group. We might generate a summary of file 9 updates by user and hour, as shown here. We find that user "RECV" (an employee in the receiving department) is making updates to the PAYROLL-MASTER file after office hours. We might want to investigate further.
Slide text (histogram bars shown as asterisks):
HR  USER-ID  COUNT  %
10  PYR             ****
...
20  RECV            ****
14 Detail Reports
Speaker notes: To investigate further, we code a detail report of all changes to file 9 made by user "RECV", as seen at the top of the slide. The output shows which fields RECV changed on file 9, and from what value to what value, along with the EMPLOYEE-NAME, as seen in the report. Apparently RECV is giving pay raises and bonuses to his friends after hours. We might want to use AUDITRE to examine any archived Protection Logs to see how long RECV has been doing this. This is an area where the storage of old PLOGs can be very useful.
Slide text:
REPORT INCLUDE FNR=9,UID=RECV
       AUDIT EN*,HR,BO,FNR=9
* EN=MARY JONES  EMPLOYEE-NAME
B: HR=7.50  HOURLY-RATE
A: HR=20.00  HOURLY-RATE
* EN=DAN JOHNSON  EMPLOYEE-NAME
B: HR=4.75  HOURLY-RATE
B: BO=0.00  BONUS-DUE
A: BO=  BONUS-DUE
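The reports on slides 10 through 14 (BEFORE/AFTER comparison, summary by field, summary by hour and user, and the detail report for FNR=9, UID=RECV) can be modelled in a few lines. This is an added Python illustration, not AUDITRE's own code or the real PLOG format: the record layout, field values, hours and user IDs are constructed, and only the report logic follows the slides.

```python
from collections import Counter

# Long names for the two-character ADABAS field names used below (constructed).
LONG_NAMES = {"EN": "EMPLOYEE-NAME", "HR": "HOURLY-RATE", "BO": "BONUS-DUE",
              "PH": "HOME-PHONE", "QT": "QUANTITY-ON-HAND"}
# Constructed, already-decompressed PLOG update records: file number, user ID,
# hour of day, and the BEFORE and AFTER images as {short-name: value}.
PLOG = [
    {"fnr": 9, "uid": "PYR", "hour": 10,
     "before": {"EN": "MARY JONES", "HR": "7.50", "BO": "0.00", "PH": "555-0100"},
     "after":  {"EN": "MARY JONES", "HR": "7.50", "BO": "0.00", "PH": "555-0199"}},
    {"fnr": 9, "uid": "RECV", "hour": 20,
     "before": {"EN": "MARY JONES", "HR": "7.50", "BO": "0.00", "PH": "555-0199"},
     "after":  {"EN": "MARY JONES", "HR": "20.00", "BO": "0.00", "PH": "555-0199"}},
    {"fnr": 9, "uid": "RECV", "hour": 20,
     "before": {"EN": "DAN JOHNSON", "HR": "4.75", "BO": "0.00", "PH": "555-0123"},
     "after":  {"EN": "DAN JOHNSON", "HR": "4.75", "BO": "500.00", "PH": "555-0123"}},
    {"fnr": 12, "uid": "RECV", "hour": 14,  # another file: excluded by FNR=9
     "before": {"QT": "3"}, "after": {"QT": "5"}},
]

def changed_fields(before, after):
    """Fields whose value differs between the BEFORE and AFTER images."""
    return {f: (before.get(f), after.get(f)) for f in sorted(set(before) | set(after))
            if before.get(f) != after.get(f)}

def detail_report(plog, fnr, uid, audit, keys):
    """Like 'REPORT INCLUDE FNR=9,UID=RECV AUDIT EN*,HR,BO': key fields (EN*) plus
    B:/A: values of the audited fields that changed, for matching records only."""
    lines = []
    for rec in plog:
        changes = changed_fields(rec["before"], rec["after"])
        hits = [f for f in audit if f in changes]
        if rec["fnr"] != fnr or rec["uid"] != uid or not hits:
            continue  # wrong file/user, or only unaudited fields (e.g. PH) changed
        lines += [f"* {k}={rec['after'].get(k)} {LONG_NAMES[k]}" for k in keys]
        for f in hits:
            old, new = changes[f]
            lines += [f"B: {f}={old} {LONG_NAMES[f]}", f"A: {f}={new} {LONG_NAMES[f]}"]
    return lines

def summary_by_field(plog, fnr):
    """Update count per field for one file (the 'Summary Report by Field')."""
    return Counter(f for rec in plog if rec["fnr"] == fnr
                   for f in changed_fields(rec["before"], rec["after"]))

def summary_by_hour_user(plog, fnr):
    """Update count per (hour, user ID); an after-hours user stands out here."""
    return Counter((rec["hour"], rec["uid"]) for rec in plog if rec["fnr"] == fnr)
```

The PYR update touches only PH, so it is counted in the field summary but never appears in the detail report; the two RECV updates at hour 20 show up in both.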
15 Changes to NATURAL Programs
Speaker notes: Note that AUDITRE does not provide specific facilities for monitoring or reporting on changes to NATURAL programs. It simply reports on changes to the fields in FUSER files containing NATURAL programs, thus showing the changes to the programs in those files. If this capability is a major concern of the client, be sure that they are aware of N2O; its Program Compare facility will provide specific, detailed reports of the differences between two NATURAL programs. The best way to use AUDITRE for this function would probably be to generate "summary" reports of changes to FUSER files. This would give basic statistics on what has changed in the FUSER file and would signal, for example, that production FUSER source code was changed when it should not have been (i.e., whoever changed it did not have authorization to do so). Again, SECURITRE may be used to prevent this from happening at all.
Slide text:
- Monitor maintenance activity on NATURAL applications
- Catch unauthorized modification of programs
- Generate report identifying library, program, and changed source lines
- Report the time and date modified, and which userid modified code
16 Multiple Reporting Capability
Speaker notes: Output can be in flat-file form, readily used by other software.
Slide text:
- Generate less overhead associated with audit reporting
- Create many useful reports on the same log in one run
- Produce multiple reports on the same files and fields if desired
- Generate reports in hardcopy or machine-readable form
17 Protection Log "Subdivision"
Speaker notes: What we mean by this is that AUDITRE can be instructed to read a single Protection Log as input and separate the data on the PLOG (which contains updates to many files) into separate output datasets. Each output dataset can contain a subset of the original data. For example, a database contains files for three applications: Inventory, Personnel, and Shipping. The PLOG for this database contains updates to the files for all three applications. The site prefers to store all Inventory data together with Shipping data, but all Personnel data separately. They can use AUDITRE to process the PLOG for this one database, generating two output datasets. One will contain the changes made to the Personnel files; the other will contain the changes to both the Inventory and Shipping data files.
Slide text:
- Subdivide PLOG into smaller logs by file, date, time, etc.
- Archive audit data for future needs
- Provide "after the fact" selective Protection Logging capability
- Produce compressed PLOG-like data, or decompressed "flat-file" data
18 PLOG Subdivision Example
Speaker notes: Thus, AUDITRE offers "after-the-fact" selective Protection Logging by "subdividing" a larger Protection Log into smaller units. What we mean by this is that ADABAS does not provide a facility for "dividing up" where Protection Log data should go. That is, you cannot tell ADABAS (for example) to store changes to file 123 in one PLOG dataset, changes to file 124 in another, etc. All you can have is one big PLOG containing all updates, or no PLOG at all. AUDITRE allows you to create several smaller datasets from the one. When we say "after-the-fact", we mean that AUDITRE cannot do this while ADABAS is generating the PLOG, only after it has finished.
Slide text:
INCLUDE FNR=(7,789,21-24,45) OUTPUT
or:
INCLUDE FNR=7
INCLUDE FNR=789
INCLUDE FNR=21
...
INCLUDE FNR=45
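The INCLUDE FNR=(...) subdivision described on slides 17 and 18, as an added Python illustration rather than AUDITRE's own code: the parameter syntax follows the slide, while the record layout, the dataset names, the Inventory/Shipping/Personnel file numbers and the "_unrouted" bucket are assumptions made for the example.

```python
import re

def parse_fnr_list(spec):
    """Turn 'FNR=(7,789,21-24,45)' or 'FNR=7' into the set of file numbers it names.
    Ranges are inclusive; anything else in the list is rejected rather than guessed."""
    body = spec.strip().upper()
    if not body.startswith("FNR="):
        raise ValueError(f"not an FNR parameter: {spec!r}")
    body = body[len("FNR="):].replace(" ", "")
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    fnrs = set()
    for item in body.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad file number or range: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"descending range: {item!r}")
        fnrs.update(range(lo, hi + 1))
    return fnrs

def subdivide(plog, outputs):
    """Route each PLOG record to every output dataset whose INCLUDE list names its
    file number. outputs maps dataset name -> INCLUDE FNR spec. Records matched by
    no dataset are kept under '_unrouted' so that nothing disappears silently."""
    routes = {name: parse_fnr_list(spec) for name, spec in outputs.items()}
    out = {name: [] for name in outputs}
    out["_unrouted"] = []
    for rec in plog:
        targets = [name for name, fnrs in routes.items() if rec["fnr"] in fnrs]
        for name in targets:
            out[name].append(rec)
        if not targets:
            out["_unrouted"].append(rec)
    return out

# Constructed PLOG records: Inventory = files 7 and 45, Shipping = files 21-24,
# Personnel = file 789; file 99 belongs to none of the three applications.
PLOG = [
    {"fnr": 7, "isn": 101, "uid": "INV1"},
    {"fnr": 22, "isn": 5, "uid": "SHIP"},
    {"fnr": 789, "isn": 88, "uid": "HR01"},
    {"fnr": 45, "isn": 9, "uid": "INV2"},
    {"fnr": 99, "isn": 1, "uid": "MISC"},
]
# Two output datasets, as in the Inventory+Shipping / Personnel split on slide 17.
OUTPUTS = {"INV.SHIP.PLOG": "FNR=(7,21-24,45)", "PERS.PLOG": "FNR=789"}
```

Calling subdivide(PLOG, OUTPUTS) yields files 7, 22 and 45 in INV.SHIP.PLOG, file 789 in PERS.PLOG, and file 99 under "_unrouted", where an auditor can see what the INCLUDE lists left out.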
19 Conclusion
Speaker notes: When we say "self-contained", we mean that AUDITRE requires only the PLOG dataset in order to operate. It does not need ADABAS or NATURAL. Thus, auditing can occur on a different CPU from the data processing, provided that the PLOG is there for AUDITRE to process. The other points are self-explanatory.
Slide text:
- Simple to use
- Powerful and efficient
- Self-contained
- Quick and easy installation
- User-friendly reference manual
- Full-time support staff
- Training and consulting available
- Free trial available