Who Did What, When and Where: Integra Auditing Tips
Audits are often thought of as wild goose chases: you start going down a rabbit hole just to find out that you've gone nowhere relevant to your search. As such, the most important part of an easy and successful audit is having access to the pieces that make up the puzzle. We need those pieces so we can reconstruct the image of what took place. If we forgo that analogy for a moment and concentrate on our IT automation space, being able to connect and identify the steps in an Integra workflow can mean the difference between looking for a new job and being hailed as a hero. Regardless, Integra gives you several mechanisms to uniquely track what happened, when it happened, and who made it happen. In this blog post we are going to learn how to make sense of the pieces that will make your Integra audits not only easier, but successful.
What's a user? Integra users are those who log in to Integra to configure actions, execute actions, or both. Integra has support for many different types of authentication:
(* Provided by a 3rd party)
As you see, chances are Integra's got your authentication scheme covered, but we are happy to work with you if you have something custom that is not listed above. Just reach out, it is as easy as that!
In any case, when an Integra user executes a workflow on demand, Integra logs the username associated with that execution set. If a workflow executes as part of a scheduled task (i.e., the system is executing the workflow), then 'integra-reactor' is logged as the user that executed the workflow. That is the only distinction to make as far as users go.
It is always good to know who executed an action, and this is how Integra keeps track of that key piece of information.
As you may have gathered by now, Integra feels most at home in large, heterogeneous environments. You may have applications, Electronic Health Records systems such as Athena or Greenway, hypervisors, configuration management tools, storage arrays, ticketing systems, etc., all swimming in the big sea you call your IT environment. As disparate as these systems may be, when an Integra action executes--be it as part of a workflow or not--it is tagged with a unique transaction ID. So, for example, sending a ticket in Zendesk, carving a new volume from storage, and putting Oracle in hot backup mode will all share the same transaction ID.
Transaction IDs are logged just like users are, so this is the second piece of information that will help you in your auditing and compliance adventures. Integra allows you to associate a user with a set of actions, end to end.
We talked about logging the user and logging the transaction IDs, but we didn't really specify where that logging takes place. Integra can be configured to run in a wildly distributed fashion, with certain providers running on-prem, the Reactor running in the cloud, and maybe other providers running in a datacenter of your own on the other side of the planet. Naturally, Integra providers and the Reactor log actions and operations locally to log files. But in a full-blown audit, getting files from 10 different timezones away, pulling files down from the cloud, and then cohesively joining those log files into a single unit can be a daunting challenge. So how does Integra solve this problem?
In addition to logging locally, everything in Integra can be logged to a syslog daemon. You only need to specify the host and port, and Integra will start pumping data to a syslog daemon of your choice. Everything that gets logged, either locally or to syslog, has an associated timestamp. With a tool such as Splunk, Logstash or any other syslog reporting tool, you have a mechanism to mine Integra logs from a centralized location. And not only can you mine that data, you can set alerts in case errors take place, run reports, and have your fill with those syslog tools until your heart is content.
Logging to a centralized location with unique timestamps is yet another mechanism to help you in your auditing endeavors. You know who ran an action, what actions ran, when they ran them, and thanks to the data associated with syslog you also know where things were run from.
Integra equips you with all the necessary information so that you can trace an action to the machine where it ran from, who ran it, when it was run and what other operations ran as part of that execution set. These tidbits of information are extremely useful from an auditing perspective, but they are also very important from a compliance perspective--can anybody say HIPAA? This type of traceability and compliance is vital for IT shops in the financial and health care sectors, just to name a couple. Even in the smallest of IT shops it is always good to be able to pinpoint and correlate any operation that takes place.
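As an added illustration (not Integra's own code), the sketch below rebuilds the who/what/when/where trail from centrally collected syslog lines by grouping them on transaction ID and ordering them by timestamp across time zones. The log lines are constructed, and the `user=`, `txid=` and `action=` payload fields and host names are assumptions, since this post does not show Integra's actual log format; only the 'integra-reactor' user comes from the text above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (RFC 5424 framing). The key=value payload is an
# assumed layout for illustration; it is not Integra's documented format.
SAMPLE_LOG = """\
<134>1 2024-03-05T14:02:11+00:00 prov-zendesk integra - - - user=jdoe txid=tx-0001 action=zendesk.create_ticket
<134>1 2024-03-05T09:02:13-05:00 prov-storage integra - - - user=jdoe txid=tx-0001 action=storage.create_volume
<134>1 2024-03-05T14:02:10+00:00 reactor-cloud integra - - - user=jdoe txid=tx-0001 action=workflow.start
<134>1 2024-03-05T02:00:00+00:00 reactor-cloud integra - - - user=integra-reactor txid=tx-0002 action=oracle.hot_backup
this line is not an audit record
"""
LINE = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ \S+ (?P<msg>.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")
SCHEDULER_USER = "integra-reactor"  # logged for scheduled runs, per the post

def parse(line):
    """Return one audit record, or None for lines that are not audit records."""
    m = LINE.match(line)
    fields = dict(FIELD.findall(m["msg"])) if m else {}
    if not {"user", "txid", "action"} <= fields.keys():
        return None
    # Offsets are kept, so records from different time zones sort correctly.
    return {"when": datetime.fromisoformat(m["ts"]), "where": m["host"], **fields}

def audit_trail(text):
    """Group records by transaction ID and order each group chronologically."""
    by_tx = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            by_tx[rec["txid"]].append(rec)
    report = {}
    for txid, recs in by_tx.items():
        recs.sort(key=lambda r: r["when"])
        users = {r["user"] for r in recs}
        report[txid] = {
            "users": sorted(users),  # more than one user here deserves a look
            "scheduled": users == {SCHEDULER_USER},
            "hosts": sorted({r["where"] for r in recs}),
            "steps": [(r["when"].isoformat(), r["where"], r["action"]) for r in recs],
        }
    return report

if __name__ == "__main__":
    for txid, info in audit_trail(SAMPLE_LOG).items():
        print(txid, info["users"], "scheduled" if info["scheduled"] else "on demand")
        for step in info["steps"]:
            print("   ", *step)
```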
With Integra, now you can.