Audit4j

Simple presentation of Audit4j

Franck Benault

January 28, 2018

Transcript

  1. Audit4j links
     • Documentation – http://audit4j.org/ (not fully up to date)
     • Google group – https://groups.google.com/forum/#!forum/audit4j
     • Github – https://github.com/audit4j
  2. What is Audit4j?
     • From the FAQ:
       – Audit4j is comprehensive auditing framework which is designed to track any kind of audit event including server, application and database. Audit4j is entirely annotation driven, hence you can adopt to your application using minimum configurations.
     • Licence Apache2 / Written in Java
  3. Audit4j / logging tools (log4j)
     • Audit4j = Logging tool? No...
     • FAQ
       – A log is often unpreserved whereas; an audit trace is secure and preservable. As a result, recording sensitive information, or data which will be required at a later time will not be handled by a log. Other issue is usually logs are not recording actor(Who did), action(What did) and origin(Comes from), but audit log should contains those information. However, an audit trace addresses these issues.
  4. Audit4j and me, Why?
     • My company EquensWorldline
       – Tools in Java with PCI-DSS constraint
       – Current internal audit tool (Java) is no longer maintained
     • PCI DSS rules mandatory for the card industry
       – Process payment card data
     • I was looking for a solution for auditing
       – I have tried Audit4j
       – I want to improve it
  5. Audit4j Why? PCI-DSS
     • Application in Java which must follow PCI-DSS constraints
     • 10.2 Implement automated audit trails for all system components to reconstruct the following events:
       – 10.2.1 All individual user accesses to cardholder data
       – 10.2.4 Invalid logical access attempts
       – 10.2.6 Initialization, stopping, or pausing of the audit logs
       – …
  6. Audit4j is a small project but ...
     • Audit4j exists since 2014
       – Current version 2.5.0
       – Used by one Apache project (jUDDI)
     • 10 committers
       – Main committer Janith Bandara (Sri Lanka)
       – More than 350 commits
     • 9 subprojects (not all are finished)
  7. Limitation of Audit4j
     • Audit4j is designed for enterprise applications
       – A lot of dependencies
     • No « tiny » version (probably not useful)
     • Not fully compliant with PCI-DSS...
       – No way to know if the audit traces have been changed
         • No kind of signature
       – No trace at the starting and shutdown
       – With the annotation we don't know if the method fails or not
  8. My participation in Audit4j
     • Figures at 10/01/2018
     • My commits 24
       – in demo project
         • Also demo for Kotlin
       – in benchmarks project
     • Issues 3
     • Google group: 9 new subjects
     • My Goal « PCI-DSS ready »
  9. Conclusion
     • Audit4j: good points
       – Great experience for me to start in open source project
       – A small project but not so easy
       – Share with people from other countries
     • Audit4j: limitation
       – Small team
       – Not yet compliant for PCI-PA-DSS
       – Lack of availability of Janith Bandara
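
The gaps listed on slide 7 (no signature on audit traces, no start/shutdown trace, no success/failure outcome) and the actor/action/origin fields from slide 3 can be made concrete with a hash-chained HMAC trail. This is an added example, not code from the deck or from Audit4j, and it uses no Audit4j API; the class `ChainedAuditTrail`, the record `Entry`, the event names and the demo key are constructed for illustration, and Java 17+ is assumed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.*;
import static java.nio.charset.StandardCharsets.UTF_8;

// Added illustration, not Audit4j code. Assumes Java 17+ (records, HexFormat).
public class ChainedAuditTrail {
    record Entry(String actor, String action, String origin, String outcome, String mac) {}
    private final byte[] key;
    private final List<Entry> entries = new ArrayList<>();
    ChainedAuditTrail(byte[] key) { this.key = key.clone(); }

    // The MAC covers every field plus the previous entry's MAC, so an edit, a
    // mid-chain deletion or a reordering fails verification from that point on.
    private String mac(String... fields) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        for (String f : fields) {
            byte[] b = f.getBytes(UTF_8);
            hmac.update(java.nio.ByteBuffer.allocate(4).putInt(b.length).array()); // length prefix
            hmac.update(b);
        }
        return HexFormat.of().formatHex(hmac.doFinal());
    }
    void append(String actor, String action, String origin, String outcome) throws Exception {
        String prev = entries.isEmpty() ? "" : entries.get(entries.size() - 1).mac();
        entries.add(new Entry(actor, action, origin, outcome, mac(actor, action, origin, outcome, prev)));
    }

    // Index of the first entry that fails verification, or -1 if the chain is intact.
    int firstInvalid() throws Exception {
        String prev = "";
        for (int i = 0; i < entries.size(); i++) {
            Entry e = entries.get(i);
            byte[] expected = mac(e.actor(), e.action(), e.origin(), e.outcome(), prev).getBytes(UTF_8);
            if (!java.security.MessageDigest.isEqual(expected, e.mac().getBytes(UTF_8))) return i;
            prev = e.mac();
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        ChainedAuditTrail trail = new ChainedAuditTrail("constructed-demo-key".getBytes(UTF_8));
        trail.append("system", "AUDIT_START", "localhost", "SUCCESS");   // start of the audit log
        trail.append("alice", "READ_CARDHOLDER_DATA", "10.0.0.5", "SUCCESS");
        trail.append("bob", "LOGIN", "10.0.0.9", "FAILURE");             // outcome recorded explicitly
        System.out.println("untouched trail: " + trail.firstInvalid());
        trail.entries.set(1, new Entry("mallory", "READ_CARDHOLDER_DATA", "10.0.0.5", "SUCCESS", trail.entries.get(1).mac())); // simulated edit
        System.out.println("after the edit: " + trail.firstInvalid());
    }
}
```

A chain like this does not detect removal of the most recent entries unless the latest MAC is also stored somewhere the application cannot rewrite. The HMAC key has to be kept outside the reach of whoever can write to the trail.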