Application auditing

This section describes the application auditing options that are common to all audited applications, application servers and libraries.

The auditing feature of the zorka agent generates audit trails for arbitrary functionality of arbitrary applications. Audited applications do not need to be changed in any way: the agent instruments the audited methods on the fly, exactly as it does for ordinary monitoring. Auditing currently provides the following functionality:

  • collecting audit logs in local files;

  • submitting audit logs to remote syslog server (via standard syslog protocol);

  • submitting audit logs to zabbix server;

  • aggregating statistics about users being authenticated;

  • a ready-to-use zabbix template for statistics and log collection: Template_Zorka_Audit.xml;

The following applications / application servers are currently supported out of the box:

  • JBoss 7.x;

  • Jasig CAS (non-standard configuration, to be fixed);

This list can be extended at any time, since the auditing rules for a specific application are defined in configuration scripts rather than in the agent itself. Depending on the application type, different aspects of the application's activity are written to the audit trail.

Configuring application auditing

Audit logging is disabled by default. To enable it, add the audit = yes property to the agent configuration file. By default the agent writes the log to the local file ${zorka.log.dir}/audit.log.YYYY-MM-DD. Audit files are rotated daily and are never removed by the agent; the administrator has to manage them (compress, archive, remove) with logrotate or a similar tool.
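Because the agent only rotates and never deletes, an operator who does not run logrotate needs a small retention job. The following script is an added example and not part of zorka; it takes the age of each file from the date embedded in the audit.log.YYYY-MM-DD name (so a file touched later by a backup still ages correctly), never touches today's file, compresses files after a grace period and deletes them after a retention period. The defaults of 2 and 365 days and the function names are assumptions made for this example.

```python
"""Retention for the agent's daily audit files (audit.log.YYYY-MM-DD).

Added example, not part of zorka: the agent rotates daily but never removes
old files. Age is taken from the date in the file name rather than from
mtime, so a file touched later (e.g. by a backup) still ages correctly.
"""
import gzip
import os
import re
import shutil
from datetime import date

# audit.log.2024-03-01 or an already compressed audit.log.2024-03-01.gz
AUDIT_NAME = re.compile(r"^audit\.log\.(\d{4})-(\d{2})-(\d{2})(\.gz)?$")


def plan_retention(names, today, compress_after_days=2, delete_after_days=365):
    """Map each audit file name to 'keep', 'compress' or 'delete'.

    - today's file is always kept: the agent still has it open for writing;
      compress_after_days=2 leaves a day of slack around the midnight rotation
    - uncompressed files at least compress_after_days old get compressed
    - anything older than delete_after_days is deleted, compressed or not
    Names that are not audit files, or carry an invalid date, are ignored.
    """
    plan = {}
    for name in names:
        m = AUDIT_NAME.match(name)
        if not m:
            continue
        try:
            file_date = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        except ValueError:
            continue
        age = (today - file_date).days
        compressed = m.group(4) is not None
        if age <= 0:
            plan[name] = "keep"
        elif age > delete_after_days:
            plan[name] = "delete"
        elif not compressed and age >= compress_after_days:
            plan[name] = "compress"
        else:
            plan[name] = "keep"
    return plan


def apply_retention(log_dir, today=None, **kwargs):
    """Carry out plan_retention() in log_dir and return the plan that was applied."""
    today = today or date.today()
    plan = plan_retention(os.listdir(log_dir), today, **kwargs)
    for name, action in plan.items():
        path = os.path.join(log_dir, name)
        if action == "delete":
            os.remove(path)
        elif action == "compress":
            # write the .gz first and remove the original afterwards, so a crash
            # in between leaves the data in at least one of the two files
            with open(path, "rb") as src, gzip.open(path + ".gz", "wb") as dst:
                shutil.copyfileobj(src, dst)
            os.remove(path)
    return plan


if __name__ == "__main__":
    import sys
    # usage: python audit_retention.py /path/to/zorka/log
    for name, action in sorted(apply_retention(sys.argv[1]).items()):
        print(action, name)
```

Run it from cron as the user that owns the log directory; audit files should not be world-readable in the first place, and the job must not widen that. Deleting by file-name date rather than mtime also means a backup that restores old files with fresh timestamps does not resurrect them past the retention period.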

Aggregation of security-related statistics is enabled by default (audit.stats = yes). The statistics are exposed via JMX and can be read by a conventional monitoring system (e.g. Zabbix).

Audit logging with syslog

The audit log can be transmitted to a remote syslog server in real time. To enable audit logging via syslog, set the following properties in the agent configuration file:

audit.syslog = yes
audit.syslog.server.addr = <address-of-syslog-server>

Audit records are sent with the F_AUDIT facility; to change the syslog facility, set the audit.syslog.facility property.

Audit logging with zabbix

Audit logs can also be stored in the zabbix database. To enable submitting audit logs to zabbix, set the following properties in the agent configuration file:

audit.zabbix = yes
 = <host-name-in-zabbix>
audit.zabbix.server.addr = <address-of-zabbix-server>

In zabbix, create a host with the name used in the setting above, then import Template_Zorka_Audit.xml and attach the template to that host.

Securing audit logs

Plaintext tokens (for example CAS tickets) in audit logs are a security risk and generally should not be written in production. By setting the ticket-obfuscation property (listed in the options reference below) to yes in the agent configuration file, the administrator can obfuscate them: the agent logs a checksum instead of the token. Configuration scripts can be modified to use stronger obfuscation, as the agent also provides MD5 and SHA1 hashing functions. Note that a checksum only hides the token from a reader of the log; an unkeyed hash of a token can be recomputed by anyone who obtains the token elsewhere, so it should not be treated as a secret.

Note that if HTTP requests are also traced, parameters, cookies and headers that may carry secrets should be dropped from the trace as well, for example:

http.params.exclude = password
http.cookies.exclude = CASTGC, JSESSIONID
http.headers.exclude = cookie, Set-Cookie
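The following is an added example, not zorka's own code, that shows what the two measures in this section amount to on a single audit record: the built-in checksum option (CRC32 in place of the ticket) next to a stronger keyed variant (HMAC-SHA256, truncated) that a configuration script could implement with the agent's hashing helpers, and the parameter, cookie and header drop lists applied to the request data. The record layout, the field names ticket and tgt, the sample record and its ticket values are all constructed for this example.

```python
"""Obfuscating tokens in audit records before they are written or shipped.

Added example, not zorka's own code. It puts the agent's checksum option
(CRC32 in place of the ticket) next to a stronger keyed variant (HMAC-SHA256,
truncated) that a configuration script could implement with the agent's
hashing helpers, and applies drop lists like http.params.exclude,
http.cookies.exclude and http.headers.exclude. The record layout, the field
names and the sample record are constructed for this example.
"""
import hashlib
import hmac
import zlib

# Drop lists; matched case-insensitively, since header names are case-insensitive
# and cookie/parameter names are easy to mistype in a config file.
PARAMS_EXCLUDE = {"password"}
COOKIES_EXCLUDE = {"castgc", "jsessionid"}
HEADERS_EXCLUDE = {"cookie", "set-cookie"}

# Record fields that carry a ticket or token (constructed names).
TOKEN_FIELDS = ("ticket", "tgt")


def crc32_hex(value):
    """The agent's checksum option: a 32-bit CRC. It hides the ticket from a
    casual reader, but it is not a secret and 32 bits collide easily."""
    return "%08x" % (zlib.crc32(value.encode("utf-8")) & 0xFFFFFFFF)


def hmac_hex(value, key, length=16):
    """Keyed digest: cannot be recomputed by someone who reads the log but not
    the key, while equal tickets still map to equal values for correlation."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def obfuscate_record(record, key=None):
    """Return a copy of record that is safe to write to file, syslog or zabbix.

    record: dict with optional 'params', 'cookies' and 'headers' sub-dicts and
    any of TOKEN_FIELDS. Tokens are replaced by HMAC-SHA256 when key is given,
    otherwise by CRC32 as the built-in option does. The input is not modified.
    """
    drop = {"params": PARAMS_EXCLUDE, "cookies": COOKIES_EXCLUDE, "headers": HEADERS_EXCLUDE}
    out = {}
    for field, value in record.items():
        if field in drop and isinstance(value, dict):
            out[field] = {k: v for k, v in value.items() if k.lower() not in drop[field]}
        elif field in TOKEN_FIELDS and value is not None:
            out[field] = hmac_hex(value, key) if key else crc32_hex(value)
        else:
            out[field] = value
    return out


def format_line(record):
    """Flatten a record into the key=value form typical of an audit log line."""
    parts = []
    for field, value in record.items():
        if isinstance(value, dict):
            parts.extend("%s.%s=%s" % (field, k, v) for k, v in value.items())
        else:
            parts.append("%s=%s" % (field, value))
    return " ".join(parts)


# Constructed CAS-style login record; the ticket and cookie values are made up.
SAMPLE = {
    "event": "LOGIN_OK",
    "user": "jdoe",
    "ticket": "ST-12-AbCdEfGh-example.org",
    "params": {"username": "jdoe", "password": "hunter2"},
    "cookies": {"CASTGC": "TGT-1-XyZ-example.org", "lang": "en"},
    "headers": {"Cookie": "CASTGC=TGT-1-XyZ-example.org", "User-Agent": "curl/8.0"},
}

if __name__ == "__main__":
    print(format_line(obfuscate_record(SAMPLE)))                 # CRC32, like the agent
    print(format_line(obfuscate_record(SAMPLE, key=b"secret")))  # keyed variant
```

The keyed variant keeps the property that matters for an audit trail (the same ticket always yields the same value, so events can still be correlated) while removing the one that hurts (anyone holding the ticket can recompute an unkeyed CRC32, MD5 or SHA1 and link it to the log). The key must live outside the log, for example in the agent configuration file with restrictive permissions.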

Choosing audited information types

Auditing logs several types of information. All of them are enabled by default, but each can be disabled when the need arises. The following options control how much information is logged: audit.log.logins, audit.log.authorizations and audit.log.other. See the options reference for details.

Configuration options reference

  • audit = no - enables/disables the auditing functionality;

  • audit.log.logins - enables auditing of login attempts;

  • audit.log.authorizations - enables auditing of authorizations;

  • audit.log.other - enables auditing of unclassified security related events;

  • audit.file = ${audit} - enables logging audit information to local file;

  • audit.file.path = ${zorka.log.dir}/audit.log - path to log file;

  • audit.syslog = no - enables sending audit information to syslog server;

  • audit.syslog.server.addr = ${zorka.syslog.server} - syslog server address;

  • audit.zabbix = no - enables sending audit information to zabbix server;

  • audit.zabbix.server.addr = ${zabbix.server.addr} - address of the zabbix server;

  • = no - replaces all tickets in the audit log and trace with CRC32 sums;

  • audit.tag = zorka.audit - zabbix item or syslog tag audit records will be marked with;

  • audit.stats = yes - enables/disables audit statistics aggregation;

  • audit.stats.mbean = zorka:name=Audit,type=ZorkaStats - object name of mbean that will hold aggregated statistics;