Question
Alexey Maslov · Feb 6

How to disable an Audit event on the process level?

During some consulting activity, I found at the client's site a CACHEAUDIT database of more than 100 GB in size. The reason was simple: several processes produced a great number of %System/%System/OSCommand audit records due to frequent external calls ($zf(-100,...)). As is well known, those events can be easily disabled system-wide, but this can hardly be considered secure enough. Reducing the number of days before audit cleanup from the default of 62 to some reasonable figure (e.g. 15) seems to be a better solution, but...

This case inspired a dream: we have a facility to switch off journaling on the process level. Why not have the same for auditing?
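As an added example that is not part of the original post: before touching audit settings at all, a triage query like the one below shows which users and routines are actually generating the OSCommand volume, so the frequent calls can be reviewed and optimised instead of silenced. It is run in the %SYS namespace; the %SYS.Audit column names (EventSource, EventType, Event, UTCTimeStamp, Username, Routine) and the DATEADD/GETUTCDATE functions are assumed from the Caché class and SQL reference, not taken from this thread, so check them against your version.

```sql
-- Top producers of %System/%System/OSCommand audit events in the last 24 hours.
-- Assumed: %SYS.Audit exposes EventSource, EventType, Event, UTCTimeStamp,
-- Username and Routine; UTCTimeStamp is stored in UTC, hence GETUTCDATE().
SELECT Username,
       Routine,
       COUNT(*) AS OSCommandEvents
  FROM %SYS.Audit
 WHERE EventSource = '%System'
   AND EventType   = '%System'
   AND Event       = 'OSCommand'
   AND UTCTimeStamp >= DATEADD('day', -1, GETUTCDATE())
 GROUP BY Username, Routine
 ORDER BY OSCommandEvents DESC
```

A routine that dominates this list is the place to look for a loop that shells out per record, which is the "calls can be optimized" step the answer below recommends.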


Alexey,

I feel that this would be counterproductive. Let me explain why. There is a fundamental difference in the purpose of journaling versus auditing. Journals protect against data loss. The developers are in a position to determine whether or not a particular update to the database is important to the integrity of the system. Auditing is to help protect the security of the data. Giving a developer the opportunity to turn off an auditing event deemed important to capture kind of defeats that purpose.

It might be worth looking into what this external program is. Perhaps there is a native API that would accomplish this. You could also take a look at our gateways to see if you could ingest this external functionality to use directly in Cache.

I'd also look at our IRIS product to see if a migration to that platform would provide the needed functionality or a better pathway to utilizing the external program.

Finally, look at why this external program is called so often.  Perhaps the calls can be optimized to reduce the audit events if this is a major issue.

Giving a developer the opportunity to turn off an auditing event deemed important to capture kind of defeats that purpose.

Agree with you that disabling audit events is basically a bad practice. 

The frequency and the purpose of those external calls were checked, and they are OK, while it's worth considering changing $zu(-100) to something else, e.g. to a command pipe, if access to pipes is not logged to Audit.