WebApp Sec mailing list archives

RE: Auditing user session activity


From: "Michael Silk" <michaels () phg com au>
Date: Thu, 7 Oct 2004 16:59:27 +1000

Hi Jeff,

        Depending on your language you could always consider batching up
the writing-to-the-database functions by storing activity inside the
'Application' state of the website and then periodically writing that to
the database.

        And if you are concerned about size perhaps you could map each
URL, or set of URLs and posts, etc., to "Activities", and number them,
hence having a log of something like:

            user | time                | activityid
            -----+---------------------+-----------
            joe  | 7-Oct-2004 12:00 AM | 1

        And to help cleanup perhaps activities could have some form of
'importance' and lower-importance activities are cleaned up earlier than
high-importance ones.

-- Michael

-----Original Message-----
From: Koniszewski, Jeffrey [mailto:JKoniszewski () Kronos com] 
Sent: Wednesday, 6 October 2004 6:10 AM
To: webappsec () securityfocus com
Subject: Auditing user session activity

We are being asked by our customers to audit session activity so that
customers can answer the question, "Who is doing what?". Our current
implementation for this is to write audit records to the database.
However, I am having some second thoughts about this. This requires a
database hit for every non static URL access to the system. I'm not sure
of the overall runtime performance impact. Further, for enterprise class
customers the audit records are likely to exceed 2G per month. This
creates a lot of data cleanup to manage. In addition, reporting on this
data may require a lot of overhead from the system. Any thoughts on
likely retention policies for such audit data?
 
Users must log in to our application and we maintain session state. We
do integrate with Single Sign On products like Netegrity.
 
I am rolling around a couple of ideas:
 
One is that session audit is not a primary application problem and not
application data. Can this capability (session audit) be delivered by an
external application (IDS?, SSO product?) that is dedicated to do this
type of work. Then the customers that want the capability install it,
probably get a more professional implementation, and use it for other
applications as well. What security applications can provide this type
of audit? Web server logs can provide URL access information but don't
know users. It seems that whatever writes the audit would need to manage
user logon as well to be able to associate the user with the activity.
 
The second idea is, would I be better off using a file for the audit
information? This introduces a bunch of file management headaches in a
multiserver system but takes a load off the database, which is already
our bottleneck.