auditing with context?

Discussion in 'Java' started by Elhanan, Mar 12, 2009.

  1. Elhanan (Guest)

    hi..

    it would seem that generic auditing (for us anyway) always has a
    problem of not knowing the 'context', meaning it's all nice to know
    which fields were changed and when, but to have more data, like what
    logic operation was performed in regards to which active parent
    objects, now there lies the rub.

    the user when getting reports would like to know more than just a list
    of fields, so it would seem that a generic method which jumps up on
    each business method being called, only gets the current context (via
    an interface which would be implemented differently each time) is a
    contradiction in terms.
     
    Elhanan, Mar 12, 2009
    #1

  2. On Thu, 12 Mar 2009 04:30:34 -0700, Elhanan wrote:

    >
    > the user when getting reports would like to know more than just a list
    > of fields, so it would seem that a generic method which jumps up on
    > each business method being called, only gets the current context (via
    > an interface which would be implemented differently each time) is a
    > contradiction in terms.
    >

    This is a system design issue rather than anything that's Java specific.

    It's probably best implemented by doing all database updates through
    stored procedures that generate the audit log while doing any auditable
    database operation. If you want to record context then this must be
    passed as a parameter to every stored procedure that generates audit
    trail entries. Context can be quite bulky: the user name, a timestamp,
    description of the operation and the name of the implementing class are
    all relevant and may be merely a subset of the context required if the
    system contains sensitive data. I haven't mentioned tracking field-level
    changes to the database - that's a given if you're doing anything like
    this.

    However, doing this will carry costs during design and implementation as
    well as imposing disk storage and processing overheads. Storage
    overheads need to be properly sized as they may be larger than anybody
    can guess. Indeed, the audit trail is probably a multi-table section of
    the database.

    I'd say that management buy-in is essential if auditing is to be properly
    costed and those costs approved. It's also essential if the audit trail is
    actually used to track down bugs and user access violations.


    --
    martin@gregorie.org | Martin Gregorie, Essex, UK
     
    Martin Gregorie, Mar 12, 2009
    #2

  3. Lew (Guest)

    Martin Gregorie wrote:
    > On Thu, 12 Mar 2009 04:30:34 -0700, Elhanan wrote:
    >
    >> the user when getting reports would like to know more than just a list
    >> of fields, so it would seem that a generic method which jumps up on
    >> each business method being called, only gets the current context (via
    >> an interface which would be implemented differently each time) is a
    >> contradiction in terms.
    >>

    > This is a system design issue rather than anything that's Java specific.
    >
    > It's probably best implemented by doing all database updates through
    > stored procedures that generate the audit log while doing any auditable
    > database operation. If you want to record context then this must be
    > passed as a parameter to every stored procedure that generates audit
    > trail entries. Context can be quite bulky: the user name, a timestamp,
    > description of the operation and the name of the implementing class are
    > all relevant and may be merely a subset of the context required if the
    > system contains sensitive data. I haven't mentioned tracking field-level
    > changes to the database - that's a given if you're doing anything like
    > this.
    >
    > However, doing this will carry costs during design and implementation as
    > well as imposing disk storage and processing overheads. Storage
    > overheads need to be properly sized as they may be larger than anybody
    > can guess. Indeed, the audit trail is probably a multi-table section of
    > the database.
    >
    > I'd say that management buy-in is essential if auditing is to be properly
    > costed and those costs approved. It's also essential if the audit trail is
    > actually used to track down bugs and user access violations.


    Is this even a database question?

    The OP discussed "fields", not a relational database concept, business
    methods, logic operations and parent objects. This sounds like a
    code-coverage question.

    What confuses me is the mention of what "the user ... would like to know".
    This kind of auditing is rarely user-space but maintenance-space, for the
    benefit of operations personnel and maintenance programmers.

    If this is about code coverage, it sounds like
    a) rather too much work for too little benefit, and
    b) a job for a logging aspect to the code.

    --
    Lew
     
    Lew, Mar 12, 2009
    #3
  4. On Thu, 12 Mar 2009 09:20:42 -0400, Lew wrote:

    > Is this even a database question?
    >

    I think it has to be. Asking about auditing changes to a list of fields
    doesn't make much sense otherwise.

    > The OP discussed "fields", not a relational database concept, business
    > methods, logic operations and parent objects. This sounds like a
    > code-coverage question.
    >

    I've heard the terms 'fields' and 'columns' used interchangeably in
    discussions about databases, but I was probably too specific in the terms
    I used. For 'database' assume a data collection, not necessarily
    controlled by an RDBMS. For 'stored procedure' read some sort of auditing
    module built into the system between business logic and the data store.
    Auditing belongs in the application infrastructure, not in the business
    logic.

    > What confuses me is the mention of what "the user ... would like to
    > know". This kind of auditing is rarely user-space but maintenance-space,
    > for the benefit of operations personnel and maintenance programmers.
    >

    I took 'the user' to mean the project sponsor, who might well specify
    fairly heavy duty data access audit trails for sensitive data. Granted,
    the project sponsor requiring adequate audit trails would be a first in
    many organizations but it shouldn't be like that.

    > If this is about code coverage, it sounds like a) rather too much work
    > for too little benefit, and b) a job for a logging aspect to the code.
    >

    Agreed, but I don't think that's what was meant, since there are
    typically no users of any type involved in code coverage considerations.


    --
    martin@gregorie.org | Martin Gregorie, Essex, UK
     
    Martin Gregorie, Mar 12, 2009
    #4
  5. "Lew" <> wrote in message
    news:gpb27e$rve$...
    [ SNIP ]
    > What confuses me is the mention of what "the user ... would like to know".
    > This kind of auditing is rarely user-space but maintenance-space, for the
    > benefit of operations personnel and maintenance programmers.

    [ SNIP ]

    Some of the production applications I work on right now audit changes to JPA
    entities (updates, inserts, deletes) using entity lifecycle methods, audit
    access to services (session EJBs) using interceptors, and audit page access
    using JSF phase listeners. So, yes, the users here are operations personnel
    and maintenance programmers.

    AHS
     
    Arved Sandstrom, Mar 13, 2009
    #5
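The design the thread converges on, as an added example that is not code from any of the posters: Martin's audit module sitting between business logic and data store, with the context (user, timestamp, description of the operation, implementing class) passed to it as a parameter and kept in a two-table layout, combined with Arved's arrangement of an interceptor around the services and a lifecycle callback on the entities. Everything here is hypothetical and JDK-only (Java 16 or later, for records): the `Audited` annotation, `AuditLog`, `Account` and `AccountService` are invented for the illustration, the `java.lang.reflect.Proxy` handler stands in for an EJB interceptor or a logging aspect, `preUpdate()` stands in for a JPA `@PreUpdate` callback, and two in-memory lists stand in for the audit tables. The answer it gives to Elhanan's objection is that the generic interceptor needs no per-service context interface: each business method declares its logic operation once in an annotation, the interceptor binds the resulting context to the thread, and the generic field-diff callback reads it from there.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Supplier;

public class AuditWithContext {
    // Rows of two hypothetical audit tables: the operation (who, when, what, which class) and its field changes.
    record Operation(long id, String user, Instant at, String description, String implementingClass) {}
    record FieldChange(long operationId, String entity, String entityId, String field, String before, String after) {}

    // The audit module between business logic and data store: context is passed in, never guessed.
    static final class AuditLog {
        final List<Operation> operations = new ArrayList<>();
        final List<FieldChange> changes = new ArrayList<>();
        private long nextId = 1;
        synchronized Operation open(String user, String description, String implementingClass) {
            Operation op = new Operation(nextId++, user, Instant.now(), description, implementingClass);
            operations.add(op);
            return op;
        }
        // Field-level diff of one entity, attributed to the operation that caused it; unchanged fields are skipped.
        synchronized void recordChanges(Operation op, String entity, String entityId,
                                        Map<String, Object> before, Map<String, Object> after) {
            for (String field : after.keySet()) {
                Object o = before.get(field), n = after.get(field);
                if (!Objects.equals(o, n))
                    changes.add(new FieldChange(op.id(), entity, entityId, field, String.valueOf(o), String.valueOf(n)));
            }
        }
        synchronized List<FieldChange> changesFor(Operation op) {   // the join a report would run
            return changes.stream().filter(c -> c.operationId() == op.id()).toList();
        }
    }
    // Business operation running on this thread: set by the interceptor, read by the entity lifecycle callback.
    static final ThreadLocal<Operation> CURRENT = new ThreadLocal<>();
    // Marks a service method as an auditable logic operation; the value is the description a report will show.
    @Retention(RetentionPolicy.RUNTIME) @interface Audited { String value(); }

    // Generic interceptor (the job an EJB interceptor or logging aspect does): wraps any service interface.
    static <T> T audited(Class<T> iface, T target, AuditLog log, Supplier<String> currentUser) {
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, (proxy, method, args) -> {
            Audited a = method.getAnnotation(Audited.class);
            Operation outer = CURRENT.get();   // remembered so a nested audited call restores its parent
            if (a != null) CURRENT.set(log.open(currentUser.get(), a.value(), target.getClass().getName()));
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();            // callers see the service's own exception, not the reflection wrapper
            } finally {
                if (outer == null) CURRENT.remove(); else CURRENT.set(outer);
            }
        }));
    }

    // A JPA-style entity; preUpdate() stands in for a @PreUpdate lifecycle callback.
    static final class Account {
        final String id; String owner; long balanceCents;
        private Map<String, Object> loaded;   // values as last read from the store
        Account(String id, String owner, long balanceCents) {
            this.id = id; this.owner = owner; this.balanceCents = balanceCents; this.loaded = snapshot();
        }
        Map<String, Object> snapshot() { return Map.of("owner", owner, "balanceCents", balanceCents); }
        // The callback is generic; the context it needs comes from the thread, not from a per-entity interface.
        void preUpdate(AuditLog log) {
            Operation op = CURRENT.get();
            if (op == null) throw new IllegalStateException("update of " + id + " outside an audited operation");
            log.recordChanges(op, "Account", id, loaded, snapshot());
            loaded = snapshot();
        }
    }

    interface AccountService {
        @Audited("transfer between accounts")
        void transfer(Account from, Account to, long cents);
    }
    record AccountServiceImpl(AuditLog log) implements AccountService {
        public void transfer(Account from, Account to, long cents) {
            from.balanceCents -= cents; from.preUpdate(log);
            to.balanceCents += cents;   to.preUpdate(log);
        }
    }

    public static void main(String[] args) {
        AuditLog log = new AuditLog();
        AccountService svc = audited(AccountService.class, new AccountServiceImpl(log), log, () -> "alice");
        Account a = new Account("A-1", "alice", 10_000), b = new Account("B-2", "bob", 500);   // constructed data
        svc.transfer(a, b, 2_500);
        for (Operation op : log.operations) {
            System.out.println(op);
            for (FieldChange c : log.changesFor(op)) System.out.println("  " + c);
        }
        try {   // failure mode: a write with no business context is refused rather than logged unattributed
            a.balanceCents = 0; a.preUpdate(log);
        } catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run it with `java AuditWithContext.java`. The transfer produces one operation row and two field-change rows (only `balanceCents` changes on each account; `owner` is not logged), and the final direct write is refused because no business operation is open, which is the check a practitioner wants instead of an audit row with empty context. Two caveats for a real system: the "is there a context?" check belongs in the persistence layer, not in the entity, so nothing can bypass it; and a thread-bound context is lost wherever work crosses threads (async executors, message listeners, scheduled jobs), so at those boundaries it has to be handed over explicitly.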
