AUDITRE is a product of Treehouse Software, Inc. Self-explanatory. You should mention the handouts at this time. AUDITRE A GENERALIZED ADABAS AUDITING FACILITY AUDITRE is a product of Treehouse Software, Inc. All rights reserved.

Introducing AUDITRE Data Processing Management Database Administrators Standardized ADABAS/NATURAL auditing facility Simple, powerful, valuable Parameter driven reporting features Aids: Data Processing Management Database Administrators Applications and Systems Analysts Application Programmers EDP Auditors End Users

ADABAS Auditing Concerns Do not dwell on the last point, the next slide covers it in detail. For the third point, this is called "compliance testing" by EDP Auditors. Who changed the data? From what value to what value? When? Updates made from many sources (Direct Calls, NATURAL, etc.) Impossible to know if proper updating procedures are followed in applications Cannot monitor changes to NATURAL programs Embedded auditing is costly, error-prone, and potentially weak

Embedded Audit Routines For the second point, any special Audit data written by the application and the PLOG will probably be the same, so that application will be creating “redundant” data, wasting DASD and CPU to generate it. For the third point, it means that incorporation of new audit techniques is more difficult. Embedded Audit Routines Only as reliable and as complete as programmer desires Inefficient use of DASD and CPU, especially if PLOG is in use Different for each application, file, or programmer Costly to code into applications Adds to maintenance costs

Why AUDITRE uses the PLOG The second point refers to the development of Audit programs and Audit-related logic. Since the audit routines for two applications or programs may be coded by two different persons, each person may use a different standard for the layout and content of the audit data, or they may use several different ADABAS files, etc. Thus, audit data is in several locations. The third point means you no longer have to code audit routines, nor reporting routines, if you use the PLOG and AUDITRE. In the fourth point, PLOG can not be bypassed by a user or easily deactivated by one, so the auditor can rely on PLOG data. For the sixth point, PLOG is compressed, so it takes up less space. If it is already on, no new space for PLOG storage will be required. The last point: save the old PLOGs, or extracts of them, for later use. Offers uniform auditing technique Gives one source for all potential audit data Eliminates programming difficulties Offers secure, complete, reliable audit data Adds little or no overhead Reduces data storage requirements Enables audit data to be maintained off-line, indefinitely

How Would You Catch This? An employee with access to the PAYROLL-MASTER file issues an ADABAS command to update a friend's HOURLY-WAGE field to double its value. The friend will now be paid twice the correct amount for every hour worked. Because the command was not issued by a legitimate payroll program, the update was not logged by the MASTER-UPDATE program's home-grown "audit trail". Natural Security didn't prevent the occurrence, because the program was not written in NATURAL. Protection Logging was turned on at the time of the illegal update. If you do not have a powerful auditing facility in place, one that can access the ADABAS Protection Log, chances are that this abuse will go unnoticed. Using AUDITRE, however, you could easily detect it with a report like this: How Would You Catch This? *** RECORD UPDATED *** * NM= JOE SMITH NAME * EN= 118273423 EMPLOYEE-NUMBER B: HR=8.75 HOURLY-RATE A: HR=17.50 HOURLY-RATE Of course SECURITRE might have prevented this in the first place.

AUDITRE Capabilities If asked, the output from the "selective PLOGing" is not in a form that is useable by SAG's PLOG manipulation utilities. However, the data is in a form that application programs could query to “re-generate” the updates if needed. AUDITRE was created as a tool for auditing, not for database recovery, etc. Compares Before and After Images to determine changed fields Prints selected changed fields, for selected files, users, times, dates, etc. Prints specified "key fields" to show "which record changed" Reports across updated files, fields Generates multiple reports in one execution Automatically handles Increased Field Sizes, such as DBID, FNR, ISN Values, etc.

AUDITRE Capabilities The summary by file and field will quickly expose certain problems. For example, three salary field updates were approved, but four records were updated. In the third point, selective PLOGing means running AUDITRE to peel off certain files from the PLOG, making one or more “mini-PLOGs” to process later (maybe with mini-PLOGs from other days). We’ll present more information about these capabilities on subsequent overheads. Shows summary of updates, adds, and deletes by file, field Can report on changes to NATURAL programs (FUSER LJ and LK fields) Allows "after-the-fact" selective Protection Logging Handles MU, PE, and MU within PE

PLOG Record Decompression Note that AUDITRE identifies each field by 2-character name and the long-name. SHOW statement sample display: AN = 293874628 CUST-ACCOUNT-NUMBER CL = 1500.00 CREDIT-LIMIT CS = SEWICKLEY, PA 15143 CUST-CITY-ST-ZIP CN = JOHN DOE CUSTOMER-NAME CD = 700 MAIN STREET CUSTOMER-ST-ADDRESS FY = 18.00 INT-RATE-YEARLY OCC = 3 OTHER-CARDS-COUNT OC 1 = DINERS CLUB OTHER-CARDS OC 2 = AMERICAN EXPRESS OTHER-CARDS OC 3 = VISA OTHER-CARDS OLC = 3 OTHER-LIMITS-COUNT OL 1 = 2000 OTHER-CARD-LIMIT OL 2 = 1500 OTHER-CARD-LIMIT OL 3 = 1800 OTHER-CARD-LIMIT CO = CLERK CURRENT-OCCUPATION YI = 19500 YEARLY-INCOME PH = 412-555-1677 HOME-PHONE BP = 412-555-3048 BUSINESS-PHONE YJ = 5 YEARS-AT-JOB ED = 10/19/99 CARD-EXPIRE-DATE DB = 01/15/66 DATE-OF-BIRTH MS = S MARITAL-STATUS NC = 0 NUMBER-CHILDREN DL = 288726439 DRIV-LIC-NUMBER DS = GA DRIV-LIC-STATE This is nice, readable, but could result in a big pile of paper!

BEFORE and AFTER Images Imagine having to sort through thousands of printed records this size, attempting to determine which fields have changed, and if the change is important. Here, the phone number (PH) was changed. This is probably not important. The credit limit (CL) also changed. This might be very important. You can tell AUDITRE that PH is unimportant, CL is important, and if CL changes, the person's name (CN) would be helpful to see. AUDITRE may be very helpful to view year 2000 related changes. Before After AN = 293874628 AN = 293874628 CL = 1500.00 <- - - - - - - - - - - -> CL = 9999.99 CS = SEWICKLEY, PA 15143 CS = SEWICKLEY, PA 15143 CN = JOHN DOE CN = JOHN DOE CD = 700 MAIN STREET <- - - - - - - - - -> CD = 172 SCAIFFE ROAD FY = 18.00 FY = 18.00 OCC = 3 OCC = 3 OC 1 = DINERS CLUB OC 1 = DINERS CLUB OC 2 = AMERICAN EXPRESS OC 2 = AMERICAN EXPRESS OC 3 = VISA OC 3 = VISA OLC = 3 OLC = 3 OL 1 = 2000 OL 1 = 2000 OL 2 = 1500 <- - - - - - - - - - - -> OL 2 = 1600 OL 3 = 1800 OL 3 = 1800 CO = CLERK CO = CLERK YI = 19500 YI = 19500 PH = 412-555-1677 <- - - - - - - - - -> PH = 412-555-2805 BP = 412-555-3048 BP = 412-555-3048 YJ = 5 <- - - - - - - - - - - -> YJ = 6 ED = 10/19/99 ED = 10/19/99 DB = 01/15/66 DB = 01/15/66 MS = S <- - - - - - - - - - - -> MS = M NC = 0 NC = 0 DL = 288726439 <- - - - - - - - - - - -> DL = 502378091 DS = GA <- - - - - - - - - - - -> DS = PA

Summary Report by Field What if 10 changes are authorized and 12 actually were made. Maybe they were just errors that had to be corrected, but maybe not! At a glance, a recap by file and field should identify that unauthorized updates have been occurring. This function could be an easy part of a daily interval audit to critical files. Summary Report by Field FILE: 12345 DELETES: 0 UPDATES: 26 ADDS: 0 FIELD LONG-NAME OCC FROM OCC TO UPDATES DELETES ADDS AN CUST-ACCOUNT-NO 0 0 0 CL CREDIT-LIMIT 12 0 0 CS CUST-CITY-ST-ZIP 0 0 0 CN CUSTOMER-NAME 0 0 0 CD CUSTOMER-ST-ADDRESS 2 0 0 FY INT-RATE-YEARLY 0 0 0 OCC OTHER-CARDS-COUNT 0 0 0 OC OTHER-CARDS 1 10 4 0 0 OLC OTHER-LIMITS-COUNT 0 0 0 OL OTHER-CARD-LIMIT 1 10 4 0 0 CO CURRENT-OCCUPATION 0 0 0 YI YEARLY-INCOME 0 0 0 PH HOME-PHONE 1 0 0 BP BUSINESS-PHONE 0 0 0 YJ YEARS-AT-JOB 2 0 0 ED CARD-EXPIRE-DATE 0 0 0 DB DATE-OF-BIRTH 0 0 0 MS MARITAL-STATUS 1 0 0 NC NUMBER-CHILDREN 0 0 0 DL DRIV-LIC-NUMBER 0 0 0

Summary Report by File AUDITRE's summary reports can make routine auditing simpler. For example, consider this summary report showing updates by file. Suppose only 95 updates were expected on file 9 (PAYROLL-MASTER). Since this report shows 102, we might want to investigate further. FNR COUNT % 1 3827 16.8 3 12103 53.0 9 102 0.5 12 6789 29.7 ** 22821 100.0

Summary Reports by Hour, User Measuring updates by user might be an effective way of measuring productivity of data entry staff. Updates by hour could measure the productivity of workers on the various shifts as a group. We might generate a summary of file 9 updates by user and hour, as shown here. We find that user "RECV" (an employee in the receiving department) is making updates to the PAYROLL-MASTER file after office hours. We might want to investigate further. HR USER-ID COUNT % 10 PYR3 5 4.9 10 PYR1 12 11.8 10 **** 17 16.7 11 PYR1 26 25.5 11 PYR2 17 16.7 11 PYR3 4 3.9 11 **** 47 46.1 • 20 RECV 7 6.9 20 **** 7 6.9 ** **** 102 100.0

Detail Reports To investigate further, we code a detail report of all changes to file 9, made by user "RECV", like we see at the top of the slide. The output would show us what fields RECV changed on file 9, and from what value to what value, along with the EMPLOYEE-NAME, as seen in the report shown. Apparently RECV is giving pay raises and bonuses to his friends after hours. We might want to use AUDITRE to examine any archived Protection Logs to see how long RECV has been doing this. This is an area where the storage of old PLOGs can be very useful. REPORT INCLUDE FNR=9,UID=RECV AUDIT EN*,HR,BO,FNR=9 * EN=MARY JONES EMPLOYEE-NAME B: HR=7.50 HOURLY-RATE A: HR=20.00 HOURLY-RATE * EN=DAN JOHNSON EMPLOYEE-NAME B: HR=4.75 HOURLY-RATE B: BO=0.00 BONUS-DUE A: BO=2500.00 BONUS-DUE

Changes to NATURAL Programs Note that AUDITRE does not provide specific facilities for monitoring or reporting on changes to NATURAL programs. It simply will report on changes to the fields in FUSER files containing NATURAL programs, thus showing the changes to the programs in the file(s). If this capability is a major concern of the client, be sure that they are aware of N2O. Its Program Compare facility will provide specific, detailed reports of the differences between two NATURAL programs. The best way to use AUDITRE for this function would probably be to generate “summary” reports of changes to FUSER files. This would give basic statistics on what has changed in the FUSER file and would signal, for example, that Production FUSER source code was changed when it should not have been changed (i.e., whoever changed it did not have authorization to do so). Again, SECURITRE may be used to prevent this from happening at all. Monitor maintenance activity on NATURAL applications Catch unauthorized modification of programs Generate report identifying library, program, and changed source lines Report the time and date modified, and which userid modified code

Multiple Reporting Capability Output can be in flat file form, readliy used by other software. Generate less overhead associated with audit reporting Create many useful reports on the same log in one run Produce multiple reports on the same files and fields if desired Generate reports in hardcopy or machine readable form

Protection Log "Subdivision" What we mean by this is that AUDITRE can be instructed to read a single Protection Log as input, separate the data on the PLOG (which contains updates to many files) into separate output datasets. Each output dataset can contain a subset of the original data. For example, a database contains files for three applications: Inventory, Personnel, and Shipping. The PLOG for this database contains updates to the files for all three applications. The site prefers to store all Inventory data together with Shipping data, but all Personnel data separately. They can use AUDITRE to process the PLOG for this one database, generating two output datasets. One will contain the changes made to the Personnel files, the other will contain the changes to both Inventory and Shipping data files. Subdivide PLOG into smaller logs by file, date, time, etc. Archive audit data for future needs Provide "after the fact" selective Protection Logging capability Produce compressed PLOG-like data, or decompressed "flat-file" data

PLOG Subdivision Example Thus, AUDITRE offers "after-the-fact" selective Protection Logging by "subdividing" a larger Protection Log into smaller units. What we mean by this is that ADABAS does not provide a facility for “dividing up” where Protection Log data should go. That is, you cannot tell ADABAS (for example) to store changes to file 123 in one PLOG dataset, changes to file 124 in another, etc. All you can have is one big PLOG containing all updates, or no PLOG at all. AUDITRE allows you to create several smaller datasets from the one. When we say “after-the-fact”, we mean that AUDITRE cannot do this while ADABAS is generating the PLOG, only after it has finished. PLOG Subdivision Example INCLUDE FNR=(7,789,21-24,45) OUTPUT or: INCLUDE FNR=7 INCLUDE FNR=789 INCLUDE FNR=21 • INCLUDE FNR=45

Conclusion Simple to use Powerful and efficient Self-contained When we say “self-contained”, we mean that AUDITRE requires only the PLOG dataset in order to operate. It does not need ADABAS or NATURAL. Thus, auditing can occur on a different CPU from the data processing, provided that the PLOG is there for AUDITRE to process. The other points are self-explanatory. Conclusion Simple to use Powerful and efficient Self-contained Quick and easy installation User-friendly reference manual Full time support staff Training and consulting available Free trial available

When we say “self-contained”, we mean that AUDITRE requires only the PLOG dataset in order to operate. It does not need ADABAS or NATURAL. Thus, auditing can occur on a different CPU from the data processing, provided that the PLOG is there for AUDITRE to process. The other points are self-explanatory.