DirX Audit Overview

DirX Audit provides for centralized storage, analysis, correlation and review of identity-related audit trails and historical identity data in a package that is extensible, platform-independent and built on a variety of industry standards.

DirX Audit Key Features

DirX Audit provides the functional building blocks for a centralized, secure identity audit solution, as shown in the following figure.

Key Features of DirX Audit
Figure 1. Key Features of DirX Audit

Key features include:

  • Convenient correlation of events and activities from different IAM sources in a single web-based user interface with Dashboard, Audit analysis and History views for different levels of analysis.

  • Risk assessment for identities based on a configurable set of risk factors produced in DirX Identity.

  • Standard identity audit KPIs that provide statistical information about audit events and historical identity data over a period of time, structured into online analytical processing (OLAP) tables for fast, interactive analysis and insight into IAM operations.

  • Dashboard view for analysis of KPI data, with drill-down to more detailed event or history entry information as necessary.

  • Audit analysis of audit events retrieved from the central database according to a given search filter and summarized for ease of use, providing auditors and security compliance officers with the answers to the "when, where, who, what and why" of user access and entitlements.

  • History view for tracking changes to DirX Identity entries and entry-related data over time, comparing their state at different points in time and checking the state of related entries.

  • Reports view for configuring and scheduling the generation and e-mailing of reports for Dashboard, Audit analysis and History view analyses.

  • Configurable report templates for Dashboard charts, audit events and history entries for exporting selected audit and historical data to files according to ad hoc filters.

  • Automated consolidation of identity-related audit trails with transformation to a standard format and business language, giving DirX Audit users a unified presentation and analysis of audit events from a variety of sources.

  • Authentication and authorization against any Lightweight Directory Access Protocol (LDAP) directory.

  • Persistent storage of audit trails in both their original and normalized format in a central database.

  • Persistent storage of historical identity data in a central database.

  • Support for multiple tenants, where each tenant typically represents a DirX Identity domain or a DirX Access installation. All of the tenant-specific data are completely separated from the data of other tenants; in particular, the events and history entries are stored in separate databases.

  • Limited access to a tenant’s events and history entries for “restricted auditors” (fine-grained access control).

DirX Audit Components

DirX Audit components provide the basic machinery for analyzing, correlating and storing audit data. These components include:

  • DirX Audit Server, a central server that hosts several types of services:

    • Collectors, which collect the audit trails generated from different audit trail producers, transform into normalized format and store them in the DirX Audit Database.

    • Data enrichment services, which translate the audit trails to business-friendly format and attach tags to the audit trails that can be used for KPIs.

    • History Synchronization jobs, which regularly export snapshots of important DirX Identity entries together with time validity and then import them into the central DirX Audit History Database.

    • Post-processing jobs, which aggregate the data from the OLTP tables and their tags into OLAP (KPI) tables. They build the basis for charts and reports.

    • Jobs for running scheduled reports.

    • RESTful API services, which allow the DirX Audit Manager to retrieve data from the DirX Audit Database.

  • DirX Audit Database, which provides central, secure, persistent storage for audit trails from different audit trail producers, derived OLAP data and DirX Identity history entries.

  • DirX Audit Message Broker, which receives audit trails from their producers and forwards them to the Java Message Service (JMS) collectors.

  • DirX Audit Manager and DirX Audit Manager Classic, a web-based user interface to the DirX Audit Database for audit administrators, auditors and security and compliance officers.

  • Command-line archive tools, which allow audit administrators to archive and restore audit trails in the DirX Audit Database and maintain DirX Audit Database data.

The following figure illustrates these components.

Key Components of DirX Audit
Figure 2. Key Components of DirX Audit

DirX Audit Trail Producers

Both DirX and third-party components can produce audit trails for consumption by DirX Audit:

  • Plug-ins in the DirX suite produce audit trails and then pass them to a JMS message queue or an LDAP server or write them to files.

  • Third-party applications can provide audit trails that conform to an XML schema defined by DirX Audit and either store them in files or send them to a JMS message queue. These applications are responsible for transforming their native format to DirX Audit’s generic XML format.

DirX Audit Server

DirX Audit Server hosts a number of components and services: audit trail collectors and transformers and services for enriching audit messages and history entries and for calculating aggregated data as a basis for charts as well as RESTful API services. These components and services store their data usually in the DirX Audit Database.

Collectors retrieve the audit trails from their respective sources and then pass them to services in the DirX Audit Server for transformation, enrichment and storage. DirX Audit collectors can be distinguished according to their technology and the format of the audit trails they are able to consume. They can retrieve audit trails from JMS queues in the DirX Audit Message Broker, from files or from an LDAP directory server.

The collectors forward their audit trails to transformers, which convert the audit trail producer’s native format (if necessary) to the generic format used by DirX Audit. A transformer is available for audit trails produced by DirX Identity. If the audit trail is already in the DirX Audit native format, no transformation is necessary.

The transformers forward the transformed audit trails to the persistence service, which stores them in the DirX Audit Database.

The data enrichment services:

  • Generate a business-friendly summary from each raw audit message. These summaries are displayed in the DirX Audit Manager’s Audit analysis and in event reports.

  • Extract tags from each audit event and history entry and then store them in specific tag tables in the DirX Audit Database. A tag labels the data in some way; for example, whether the event was about a password change and whether it was assisted or self-service, or whether the event was about accepting or rejecting an approval. A tag can also, for example, identify the department to which an acting user or an affected user belongs. Tags serve as an additional basis for producing aggregated OLAP (KPI) data; for example, how many assisted password changes or failed logins occur per day or month, or how many orphaned accounts or imported memberships exist at the end of the day or month.

The DirX Audit Server also controls several scheduled jobs:

  • The Scheduled reports job produces scheduled reports that an auditor has created in DirX Audit Manager Classic.

  • The Context records calculation finds and links all the events that belong to the same operation’s context. All (DirX Identity) events in a context were caused by the same root event. For example, a role assignment causes the creation of an account-group membership in the DirX Identity domain and the synchronization to the target system.

  • The History DB update creates and stores derived attributes that allow for creating and generating richer reports easier and faster. For the most part, these attributes refer to request workflows; for example, whether they were escalated or rejected.

  • The Fact population (KPI generator) creates and populates the OLAP fact tables. These tables are the basis for the graphical charts presented in the DirX Audit Manager’s Dashboard view. Dimension tables define attributes of the KPIs, while fact tables contain the aggregated statistical information for a set of dimensions (slices). The KPI generator creates and populates the dimension and fact tables based on a customizable configuration that describes a filter for the audit events or history entries to be aggregated in a fact table, the dimensions and the requested facts.

  • The Purge jobs regularly remove history entries data, audit messages data or original audit messages data that is no more required in the DirX Audit Database.

  • The History Synchronization jobs create snapshots of DirX Identity domain entries by importing them regularly into the DirX Audit History Database together with their time validity. Entries are processed during the import. The LDAP History Synchronization jobs also synchronize the LDAP schema to the DirX Audit History Database.

The DirX Audit Server provides a RESTful API that allows the DirX Audit Manager to retrieve data from the DirX Audit Database. The API is used by DirX Audit Manager.

DirX Audit Database

The DirX Audit Database is a relational database that works with popular relational database servers such as Microsoft SQL Server and Oracle Database.

The DirX Audit Database provides persistent storage for original and transformed audit trails along with their summary, the history entries imported from DirX Identity, the OLAP tables and the configuration for dashboards, event filters views, and reports. Audit messages, history entries and configuration data are logically partitioned and can be stored in separate databases if necessary.

To maximize the availability of aggregated audit data, DirX Audit supports different lifetimes for audit messages, audit events and OLAP fact tables: fact tables and their associated dimension tables have the longest lifetime, while the complete audit message with all the details has the shortest. As a result, you can delete the details of audit messages and the original messages after a few months, but you can still view the charts on the aggregated data and drill down to the audit event summaries. If disk space subsequently becomes an issue, you can delete the event summaries and still be able to view the charts on the aggregated data.

DirX Audit provides command-line tools that help administrators manage the content of the DirX Audit Database according to audit trail lifetime. For example, audit messages older than six months are automatically exported and/or deleted. All of these messages (or a subset) can be imported back into the DirX Audit Events Database (Data DB) later on if necessary.

DirX Audit Manager and DirX Audit Manager Classic

DirX Audit Manager and DirX Audit Manager Classic provide a single, central web-based interface that offers different views of the audit trails and historical identity data stored in the DirX Audit Database.

The Dashboard view presents identity audit data that the DirX Audit Server has aggregated according to the various identity audit KPIs in graphical charts. DirX Audit provides a standard set of KPIs modeled as OLAP tables to allow for fast display of important aggregated data. Using the Dashboard, auditors can perform analysis, especially time-based trend analysis of selected KPI data – for example, the total number of users created from day to day over a given period of time – and then drill down to details about audit events as necessary.

Audit analysis works directly with audit events stored in the DirX Audit Database rather than with aggregated, OLAP-structured KPI data. The Audit analysis view displays page-through tables of audit events retrieved from the DirX Audit Database according to a given search filter. The difference between an audit message and an audit event is as follows: an audit message includes the operation, the "where from", "who" and "what" information extracted from the message and the original message in the native format as obtained from the audit producer (for example, DirX Identity). An audit event extends an audit message with one or more informational summaries of the operation recorded by the message and the objects on which it operated. For example, an audit message could cover a couple of group membership changes of one group or one account or it could be associated with a self-registration request workflow that includes the creation of a user along with several role assignments. In these cases, each account-group membership and each role assignment are associated with an extra audit event. As a result, you can have several audit events attached to the same audit message. The operation of an audit event normally contains higher-level, business-friendly information, for example: add assignment, accept add assignment, set password. Additional fields of the event show the object type (user, role, user to role, account to group) and detail information specific to the operation and the object type. For example, for a role assignment, the details contain the user name, the role name, start and end date of the role assignment as well as role parameters and the name of the approval workflow or the name of the approve activity. For a new account-group membership, it contains the names of the account, the group and the target system.

The History view allows an auditor to examine the status (snapshots) of identities and identity-related data at points in time in the past. The auditor can query for entries with their names and for a desired date. Alternatively, the auditor can select a "who" or "what" in the Audit analysis and then request its display in the History view. The History view then displays the entry’s attributes and relationships. In particular, it shows users with their privilege assignments, their accounts, and their risk score. By following the reference links, an auditor can view related entries – for example, the details of an associated role or account. The integrated timeline allows an auditor to compare the state of a selected entry at different points in time. Another tab shows – for a selected time interval – the related audit events on the actions the selected user has performed or the changes that have been applied to the selected entry. The auditor can also ask why the user has a selected privilege assignment. DirX Audit Manager then searches for and shows the root event for this assignment – regardless of whether it has been assigned manually, automatically or by inheritance.

The Reports view allows auditors to set up scheduled reports that can then be sent automatically via e-mail to selected recipients at regular intervals. The auditor defines one or more reports of several types – for example, Dashboard chart, Audit analysis audit events list, snapshot of history entries – associates them with a schedule and enters the mail recipients and text. The DirX Audit Server then manages the regular production of these reports and their delivery to the intended recipients.

Ad hoc reports can be created from all the DirX Audit Manager views based on the current query results and on pre-configured report templates. Reports can be saved to the file system for further distribution and processing. Supported output formats include HTML and PDF. Reports can also be generated in the background to avoid user idle time.

With its intuitive user interface and its access to normalized, centralized audit and history data, DirX Audit Manager simplifies and expedites the laborious, expensive and time-consuming process of sifting through obscurely formatted audit trails generated by many different applications.

Access to DirX Audit Manager or DirX Audit Manager Classic is only allowed for auditors using role-based access control. The role is assigned using either an LDAP group membership or OIDC role claim mapping (based on configured authentication method). DirX Audit distinguishes between audit administrators, normal and restricted auditors. Restricted auditors can only run and schedule reports tagged as restricted.

Multi-tenancy

One DirX Audit installation can serve multiple tenants. The tenant-specific data – audit events, history entries, and configuration – are completely separated. DirX Audit requires a different database for each tenant. These databases can even be hosted by different database servers. The multi-tenant approach allows access control to be managed using the standard database administration tools.

One DirX Audit Manager application can serve many different tenants, but the auditors of one tenant cannot view the data of another tenant. Auditors of different tenants can reside in the same or in different LDAP servers or OIDC providers. They need to use a tenant-specific URL to authenticate.

A separate instance of DirX Audit Server is used for each tenant.

Customizing and Extending DirX Audit

DirX Audit provides several features for customizing and extension:

  • You can connect the audit data from any application to DirX Audit by transforming the native audit trail format to DirX Audit’s generic XML format and using the DirX Audit generic file or JMS collector to collect the audit trails.

  • You can customize the Dashboard layout and select KPI data from existing OLAP fact tables and then control how it displays this data.

  • You can add your own OLAP tables for use in the Dashboard view.

  • You can add your own OLAP dimension producer components and then use these dimensions in the OLAP tables.

  • You can create your own database tables and then integrate them into OLAP data production and into reports.

  • You can customize the default reports or create your own reports.

Standards Support in DirX Audit

DirX Audit components support several standards for connectivity, authentication and authorization, storage and data formatting:

  • The DirX Audit Server is implemented as a set of Apache Camel components, endpoints and routes running as a Spring Boot application.

  • The DirX Audit Server uses Java Message Service (JMS) for the collection of audit trails.

  • The DirX Audit Server uses Lightweight Directory Access Protocol (LDAP) for the collection of audit trails.

  • The DirX Audit Server uses Lightweight Directory Access Protocol (LDAP) for the collection of history entries.

  • The DirX Audit Server uses Java Database Connectivity (JDBC) for the interacting with the DirX Audit Database.

  • The DirX Audit Server provides RESTful APIs for the DirX Audit Manager to retrieve data.

  • The DirX Audit Server uses the public domain components of the Java Management Extension (JMX) technology for DirX Audit Server monitoring.

  • The DirX Audit Database uses Structured Query Language (SQL) for internal audit data management and retrieval.

  • The DirX Audit Manager uses Lightweight Directory Access Protocol (LDAP) for user authentication.

  • The DirX Audit Manager uses OpenID Connect (OIDC) for user authentication.

  • The DirX Audit Manager is an Angular-based web application.

  • The DirX Audit Manager Classic uses Lightweight Directory Access Protocol (LDAP) for user authentication.

  • The DirX Audit Manager Classic uses Extensible Access Control Markup Language (XACML) for user authorization to the DirX Audit Database.

  • The DirX Audit Manager Classic is a Java Server Faces (JSF)-based web application.