Who Did What, When and Where: Integra Auditing Tips

  • Posted on: 9 March 2015
  • By: David La Motta
Audits are often thought of as wild goose chases: you start going down a rabbit hole just to find out that you've gone nowhere relevant to your search. As such, the most important part of an easy and successful audit is having access to the pieces that make up the puzzle. We need those pieces so we can reconstruct the image of what took place. If we forgo that analogy for a moment and concentrate on our IT automation space, being able to connect and identify the steps in an Integra workflow can mean the difference between looking for a new job or being hailed as a hero. Regardless, Integra gives you several mechanisms to uniquely track what happened, when it happened, and who made it happen. In this blog post we are going to learn how to make sense of the pieces that will make your Integra audits not only easier, but successful.



Users

What's a user? Integra users are those that log in to Integra to either configure actions, execute actions, or both. Integra has support for many different types of authentication:

  • HTTP BASIC authentication headers (an IETF RFC-based standard)

  • HTTP Digest authentication headers (an IETF RFC-based standard)

  • HTTP X.509 client certificate exchange (an IETF RFC-based standard)

  • LDAP (a very common approach to cross-platform authentication needs, especially in large environments)

  • Form-based authentication (for simple user interface needs)

  • OpenID authentication

  • Authentication based on pre-established request headers (such as Computer Associates Siteminder)

  • JA-SIG Central Authentication Service (otherwise known as CAS, which is a popular open source single sign-on system)

  • Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)

  • Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)

  • Anonymous authentication (allowing every unauthenticated call to automatically assume a particular security identity)

  • Run-as authentication (which is useful if one call should proceed with a different security identity)

  • Java Authentication and Authorization Service (JAAS)

  • JEE container authentication (so you can still use Container Managed Authentication if desired)

  • Kerberos

  • SAML 2.0

  • Java Open Source Single Sign On (JOSSO) *

  • OpenNMS Network Management Platform *

  • AppFuse *

  • AndroMDA *

  • Mule ESB *

  • Direct Web Request (DWR) *

  • Grails *

  • Tapestry *

  • JTrac *

  • Jasypt *

  • Roller *

  • Elastic Path *

  • Atlassian Crowd *

(* Provided by a 3rd party)

As you see, chances are Integra's got your authentication scheme covered, but we are happy to work with you if you have something custom that is not listed above.  Just reach out, it is as easy as that!

In any case, when an Integra user is executing a workflow on demand, Integra logs the username associated with that execution set. If a workflow executes as part of a scheduled task (i.e., the system is executing the workflow), then 'integra-reactor' is logged as the user that executed the workflow. That is the only distinction to make as far as users go.

It is always good to know who executed an action, and this is how Integra keeps track of that key piece of information.

Transactions

As you may have gathered by now, Integra feels most at home in large, heterogeneous environments. You may have applications, Electronic Health Records systems such as Athena or Greenway, hypervisors, configuration management tools, storage arrays, ticketing systems, etc., all swimming in the big sea you call your IT environment. As disparate as these systems may be, when an Integra action executes--be it as part of a workflow or not--it is tagged with a unique transaction ID. So, for example, sending a ticket in Zendesk and carving a new volume from storage and putting Oracle in hot backup mode will all share the same transaction ID.

Transaction IDs are logged just like users are, so this is the second piece of information that will help you in your auditing and compliance adventures.  Integra allows you to associate a user with a set of actions, end to end.

Logging

We talked about logging the user and logging the transaction IDs, but we didn't really specify where that logging takes place. Integra can be configured to run in a wildly distributed fashion, with certain providers running on-prem, with the Reactor running in the cloud, and maybe other providers running in a datacenter of your own across the other side of the planet. Naturally, Integra providers and the Reactor log actions and operations locally to log files. But in a full-blown audit, getting files from 10 different timezones away, pulling files down from the cloud, and then cohesively joining those log files into a single unit can be a daunting challenge. So how does Integra solve this problem?

In addition to logging locally, everything in Integra can be logged to a syslog daemon. You only need to specify the host and port, and you are set: you will now start pumping data to a syslog daemon of your choice. Everything that gets logged, either locally or to syslog, has an associated timestamp. With a tool such as Splunk, Logstash or any other syslog reporting tool, you have a mechanism to mine Integra logs from a centralized location. And not only can you mine that data, you can set alerts in case errors take place, run reports, and have your fill with those syslog tools until your heart is content.

Logging to a centralized location with unique timestamps is yet another mechanism to help you in your auditing endeavors. You know who ran an action, what actions ran, when they ran them, and thanks to the data associated with syslog you also know where things were run from.
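To make the correlation concrete, here is an added example (not Integra's own code) that rebuilds execution sets from centralized syslog lines by grouping on transaction ID and ordering events by UTC time. The line layout, the `user=`, `txid=` and `action=` field names, the hosts and the action names are all assumptions constructed for illustration; only the 'integra-reactor' user comes from the text above.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not real Integra output). Assumed layout:
# RFC 5424-style header followed by key=value fields in the message.
SAMPLE = """\
<134>1 2015-03-09T09:00:03+09:00 tokyo-prov integra - - - user=alice txid=tx-1001 action=storage.createVolume
<134>1 2015-03-08T19:00:01-05:00 chicago-prov integra - - - user=alice txid=tx-1001 action=zendesk.createTicket
<134>1 2015-03-09T00:00:05+00:00 cloud-reactor integra - - - user=integra-reactor txid=tx-1002 action=oracle.beginHotBackup
<134>1 2015-03-09T00:00:07+00:00 cloud-reactor integra - - - user=alice txid=tx-1001 action=oracle.beginHotBackup
<134>1 2015-03-09T00:00:09+00:00 cloud-reactor integra - - - malformed line without fields
"""

# timestamp, host, then app/procid/msgid/structured-data, then the message
LINE = re.compile(r"^<\d+>1 (\S+) (\S+) \S+ \S+ \S+ \S+ (.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"user", "txid", "action"}

def reconstruct(text):
    """Return ({txid: [(utc_time, host, user, action), ...]}, rejected_lines)."""
    sets, rejected = defaultdict(list), []
    for line in text.splitlines():
        m = LINE.match(line)
        fields = dict(FIELD.findall(m.group(3))) if m else {}
        if not REQUIRED <= fields.keys():
            rejected.append(line)  # keep unparsable lines for the auditor
            continue
        # Hosts log in local time with an offset; normalize before ordering.
        when = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
        sets[fields["txid"]].append(
            (when, m.group(2), fields["user"], fields["action"]))
    return {tx: sorted(events) for tx, events in sets.items()}, rejected

def summarize(events):
    """Answer who / what / where for one execution set."""
    users = {user for _, _, user, _ in events}
    return {
        "users": sorted(users),
        "scheduled": users == {"integra-reactor"},  # system-run workflow
        "hosts": [host for _, host, _, _ in events],
        "actions": [action for _, _, _, action in events],
    }

if __name__ == "__main__":
    execution_sets, rejected = reconstruct(SAMPLE)
    for txid, events in execution_sets.items():
        print(txid, summarize(events))
    print("rejected:", len(rejected))
```

Ordering by normalized UTC time matters here: sorted by arrival or by local wall-clock time, the Tokyo and Chicago events would appear in the wrong sequence.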

Conclusion

Integra equips you with all the necessary information so that you can trace an action to the machine where it ran from, who ran it, when it was run and what other operations ran as part of that execution set. These tidbits of information are extremely useful from an auditing perspective, but they are also very important from a compliance perspective--can anybody say HIPAA? This type of traceability and compliance is vital for IT shops in the financial and health care sectors, just to name a couple. Even in the smallest of IT shops it is always good to be able to pinpoint and correlate any operation that takes place.

With Integra, now you can.

Happy auditing!
