Need on Audit event functionality

Question

Question

Anna Golitsyna · Feb 5, 2021

Hi everybody,

Is there any functionality I could use that triggers real time user-defined code on certain audit events? Right now I am interested in triggering such code on a routine modification event, like the one below. I do know how to access this record programmatically, via %SYS.Audit.

Thanks in advance,
Anna

Product version: Caché 2017.1

Discussion (8)2

Log in or sign up to continue

Robert Cemper · Feb 8, 2021

If you edit .INT routines from the terminal in the old MUMPS style using
ZLOAD, ZSAVE, edit by X ^%
you operate at a lower level than Studio, VScode, Atelier,...
and deeper than any Source Control Hooks.
Neither belt nor suspenders are available anymore.

It's like heart surgery: Either you fix it or your patient is gone.

0 0

Robert Cemper · Feb 8, 2021

All %R* routines are hidden in IRIS for good reasons.
And they just survived for backward compatibility not for common use.
And they use ZS ZI, ... and $Compile() function. ... and a bunch of $ZU(..)
Manipulating routines from Terminal is not covered. VScode or Studio is expected and supported

0 0

score 0 · Answer 1 · 2021-02-06T04:12:58-05:00

What do you want to achieve?

All audit changes are valid by themselves. For example if I have access to the codebase I can modify it however I want and it would be a valid action. If I delete the code it would be a valid action still, just malicious.

If, on the other hand, the codebase has some classes which I'm allowed to modify and some I'm not (so modifying them would be an invalid action), that should be resolved on the roles stage (by separating the code into two different databases and giving me write access only to the one db I should be able to modify).

Essentially, user should be allowed to perform only valid actions and audit exists to check for malicious actions.

Using audit for additional validity checks is not recommended because audit does not serve this purpose.

score 0 · Answer 2 · 2021-02-08T09:49:45-05:00

I don't want to close access but to run custom code when the same routines are modified via a terminal. Cache, and looks like Iris, do not trigger source control hooks when terminal is used, say, for ^%RI. Yes, I can close terminal access via the same Roles, but I'd rather not to do that if other solutions exist.

score 0 · Answer 3 · 2021-02-08T11:47:44-05:00

Robert, that's what I initially thought too and it's indeed mostly so but not 100%: the old style %RI is actually calling the new style ROUTINE^%R, with Audit classes and all. Just no source control class suspenders . I see no technical reason not to have them in ^%R but they are not there. The ZSAVE implementation is not available.

So this is why I am trying to tackle this problem from the Audit side. Any ideas? I am thinking of a process monitoring the audit trail records but I don't quite like this solution. In any event, is there anything beyond monitoring?

score 0 · Answer 4 · 2021-02-08T14:43:01-05:00

Anna Golitsyna · Feb 8, 2021

So I discovered and this is why I wrote this post . Oh well...

0 0

score 0 · Answer 5 · 2021-02-06T09:36:51-05:00

It doesn't use audit events specifically, but maybe creating custom source control hooks would work? You can set actions for certain events such as compiles.

score 0 · Answer 6 · 2021-02-08T09:42:59-05:00

I already have custom source control hooks related to this issue but unless IRIS to which you link changed something in this respect source control hooks are bypassed when terminal is used for uploading routines. The cursory glance at the link hints that nothing has changed.