SHAREPOINT AUDIT IN ACTION Inside the Audit Facilities for the SharePoint Platform
By : George Gergues
May 2014
INTRODUCTION
George Gergues : Software Developer , SharePoint architect.
Focus : SharePoint platform, Knowledge management, Business Process Enhancement.
Yet another SharePointer.
You can reach me via email at georgeDOTgerguesATgmailDOTcom
LinkedIn (semi active).
AGENDA
The need for audit log. [Business]
Why not use Versioning only. [Business]
Standard Audit Log settings. (DEMO) [IT]
Standard Audit Log functions. (DEMO) [IT]
Reading standard log through OM. [DEV]
Writing custom log entries through OM. [DEV]
Client Site Object Model Integration. [NOT POSSIBLE]
Knowing what we know - architecture points.[ARCH]
21 CFR 11 SUBPART B (CODE OF FEDERAL REGULATION )
SOX – 404 MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
THE NEED FOR AUDIT TRAIL
Any respectable platform should have an audit facility (the SharePoint implementation) to show data integrity at the record level and at the system level.
Regulatory compliance (main reason).
Building any validated system that will host records.
Code of Federal Regulations (used by the FDA): 21 CFR part 11 subpart B, section 2-e is the FDA version (show an audit trail for records).
Sarbanes-Oxley Act of 2002 (SOX), Section 404 (Microsoft link).
HIPAA, GCP, GxP. All regulations revolve around the same concept [tracking changes in a controlled environment].
For SharePoint: audit augments the item version history as a first level of record integrity check (see more later).
It augments the OS and database level audit if needed; the record level audit data should be visible to system users (personal opinion).
Note: social tags (Like, Notes, Tags, etc.) are not part of the record.
VERSIONS
2001: Audit?! Who needs audit.
2003: NO AUDIT trail; some tracking (events).
2007: First version with audit.
2010: Minor changes, but essentially 2007. Added trimming to Admin.
2013: Same as 2010.
WE HAVE VERSION CONTROL, WHY NEED AUDIT TRAIL. ??
Alice the User (Member)
Bob the Admin (Owner)
George SC Admin
Before
After
If you don’t have the Modified By and Modified date columns on the views, you will not notice the changes.
WE HAVE VERSION CONTROL, WHY NEED AUDIT TRAIL. ?? -> LOOK AT AUDIT TRAIL FOR SCHEMA CHANGES.
At the item level there were no changes (version history information again).
But at the list level the schema changes are visible in the audit trail.
DEMO TIME (VERSION VS AUDIT)
SHAREPOINT AUDIT FACILITIES
In this session we will discuss the core facilities (SPAudit) that come within SharePoint for Audit Trail (2.e) and show best practices and code samples. Will also discuss some architecture concerns if you are planning to use existing farms or build new ones.
CONFIGURE SITE AUDIT (SITE COLLECTION LEVEL)
To view the audit logs you need to activate the reporting feature at the site collection level. If this feature is not activated, you will get a message asking you to activate it.
EXTRACTING AUDIT LOG DATA.
RUN A CUSTOM REPORT
REPORT (XLSX) OUTPUT SAMPLE
DEMO TIME (CONFIGURE AUDIT AT SITE COLLECTION LEVEL)
COST OF AUDIT (ARCHITECTURE POINTS I)
The main pain point is the [AuditData] table growing constantly.
There is no formula to predict the growth rate.
The only way to measure (guesstimate) a rate is by collecting trending data over time (size of the table, etc.) and periodically communicating with business users to learn business usage trends (which will be manifested in the number of list items).
COST OF AUDIT (ARCHITECTURE POINTS II)
Never (think it over) allow Audit on the home site collection (where you have a landing page).
Never (think it over) enable Audit on a public site with
Isolate the systems that require audit in their own site collection.
Isolate the systems that require audit in their own content database.
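One way to apply these architecture points from code, as an added example that is not from the deck or the SPAuditDemo project: enable only the event types the validated system needs on the isolated site collection (View is the most expensive flag, since every read adds a row), set log trimming (available from 2010 on, per the VERSIONS slide), and track growth through the audit object model rather than by querying the content database directly. It assumes it runs on a SharePoint server; the site URL is a placeholder.

```csharp
using System;
using Microsoft.SharePoint;

// Added example (not the presentation's code). Assumes SharePoint 2010 or later
// and a site collection dedicated to the audited system.
public static class AuditSetup
{
    // Turn on a minimal audit mask and bound the AuditData table with trimming.
    public static void ConfigureSiteCollectionAudit(string siteUrl, int retentionDays)
    {
        using (SPSite site = new SPSite(siteUrl))
        {
            SPAudit audit = site.Audit;
            // Deliberately no View flag: one visit with all options adds many rows.
            audit.AuditFlags = SPAuditMaskType.Update
                             | SPAuditMaskType.Delete
                             | SPAuditMaskType.ChildDelete
                             | SPAuditMaskType.SchemaChange
                             | SPAuditMaskType.SecurityChange
                             | SPAuditMaskType.Undelete;
            // Days of audit data to keep; -1 disables trimming.
            audit.AuditLogTrimmingRetention = retentionDays;
            audit.Update();
        }
    }

    // Trending input: number of audit entries since a point in time, obtained
    // through SPAuditQuery instead of a SELECT against the content database.
    public static uint CountEntriesSince(string siteUrl, DateTime sinceUtc)
    {
        using (SPSite site = new SPSite(siteUrl))
        {
            SPAuditQuery query = new SPAuditQuery(site);
            query.SetRangeStart(sinceUtc);
            query.SetRangeEnd(DateTime.UtcNow);
            uint count = 0;
            foreach (SPAuditEntry entry in site.Audit.GetEntries(query))
            {
                count++;
            }
            return count;
        }
    }
}
```

Sampling CountEntriesSince daily and storing the result gives the trend line the slide says is the only practical way to estimate growth.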
DEMO TIME (COST OF AUDIT)
Number of rows added to the AuditData table without the view options configured, with only one transaction (one row):
USE WSS_Content_AUDIT_DEMO
SELECT COUNT(SiteId) FROM AuditData
Number of rows added to the AuditData table with all audit action options selected. We are counting the entries after one visit (8 rows):
USE WSS_Content_AUDIT_PUB
SELECT COUNT(SiteId) FROM AuditData
THE SAMPLE APPLICATION
The Core functionality
The SPAudit query scopes are [Item, List, Site (collection)].
(Web) is not available as a scope.
Event Types 2007 – 15
SPAuditQuery
SPAuditMaskType
Event Type Description
CheckOut Check-out of the object.
CheckIn Check-in of the object.
View Viewing of the object by a user.
Delete Deletion of the object.
Update Changing the properties of an object or creating an object.
ProfileChange Change in a profile that is associated with the object.
ChildDelete Deletion of one of the child objects of the object.
SchemaChange Change in the schema of the object.
Undelete Restoration of an object from the Recycle Bin.
Workflow Access of the object as part of a workflow.
Copy Copying of the object.
Move Move of the object.
AuditMaskChange A change in the types of events that are audited for the object.
Search Search on the object.
ChildMove Move of one of the child objects of the object.
FileFragmentWrite A file fragment has been written for the file.
SecGroupCreate Creation of a user group for a SharePoint site collection.
SecGroupDelete Deletion of a group that is associated with a SharePoint site collection.
SecGroupMemberAdd Addition of a new member to a group that is associated with a SharePoint site collection.
SecGroupMemberDel Deletion of a member from a group that is associated with a SharePoint site collection.
SecRoleDefCreate Creation of a new role (that is, permission level) definition associated with the object.
SecRoleDefDelete Removal of a role (that is, permission level) definition associated with the object.
SecRoleDefModify Changing a role (that is, permission level) definition associated with an object.
SecRoleDefBreakInherit Turning off inheritance of role (that is, permission level) definitions from the parent of the object.
SecRoleBindUpdate Changing the permissions of a user or group for the object.
SecRoleBindInherit Turning on inheritance of security settings from the parent of the object.
SecRoleBindBreakInherit Turning off inheritance of security settings from the parent of the object.
EventsDeleted Deletion of audited events that are connected with the object from the SharePoint database.
Custom Custom action or event.
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spauditmasktype(v=office.15).aspx
public enum SPAuditMaskType
Member name Description
None No events or actions.
CheckOut Check out of the object.
CheckIn Check in of the object.
View Viewing of the object by a user.
Delete Deletion of the object.
Update Update of the object.
ProfileChange Change of a profile.
ChildDelete Deletion of one of the object's child objects.
SchemaChange Change of the object's schema.
SecurityChange Change in a security configuration for the object.
Undelete Reversal of the deletion of the object.
Workflow Use of the object in a workflow task.
Copy Copying the object.
Move Move of the object.
Search Search of the object.
All All types of events and actions.
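Reading the standard log through the server OM, as an added example (not from the deck or the SPAuditDemo project): an SPAuditQuery scoped to one list (Web is not an available scope, only Item, List and Site), limited to a date range and to the Update, Delete and SchemaChange event types, with the numeric UserId resolved to a login name. The site URL and list title are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example (not the presentation's code). Assumes server-side execution
// (farm solution, timer job or console app on a SharePoint server).
public static class AuditReader
{
    // Returns one "occurred | user | event | item" line per audit entry.
    public static List<string> ReadListAudit(string siteUrl, string listTitle, int days)
    {
        List<string> rows = new List<string>();
        using (SPSite site = new SPSite(siteUrl))
        {
            SPList list = site.RootWeb.Lists[listTitle];

            SPAuditQuery query = new SPAuditQuery(site);
            query.RestrictToList(list);                 // List scope
            query.SetRangeStart(DateTime.UtcNow.AddDays(-days));
            query.SetRangeEnd(DateTime.UtcNow);
            query.AddEventRestriction(SPAuditEventType.Update);
            query.AddEventRestriction(SPAuditEventType.Delete);
            query.AddEventRestriction(SPAuditEventType.SchemaChange);
            query.RowLimit = 1000;                      // AuditData can be huge; page it

            SPAuditEntryCollection entries = site.Audit.GetEntries(query);
            foreach (SPAuditEntry entry in entries)
            {
                // UserId is the site user id; it may no longer resolve if the
                // account was removed from the site collection.
                string login;
                try
                {
                    login = site.RootWeb.SiteUsers.GetByID(entry.UserId).LoginName;
                }
                catch (SPException)
                {
                    login = "user#" + entry.UserId;
                }

                rows.Add(string.Format("{0:u} | {1} | {2} | {3}",
                    entry.Occurred, login, entry.Event, entry.ItemId));
            }
        }
        return rows;
    }
}
```

For an item-level report, replace RestrictToList with RestrictToListItem(item); for the whole site collection, omit the restriction.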
CONSIDERATIONS
When running in an elevated section, write a custom audit log entry that includes the impersonated (original) user information; this way you don’t drop the initial identity.
Client Side Object Model (CSOM) is not possible, as this data cannot be exposed via CSOM.
If you don’t want to write against the server OM, you can create a WCF service that performs the same functions and consume it from JavaScript or any client-side code, just to accommodate the JSON-friendly folks.
CONSIDERATIONS
using Microsoft.SharePoint;

// Capture the context site before elevating; do not use or dispose
// SPContext objects inside the elevated delegate.
SPSite site = SPContext.Current.Site;
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    // Open a new SPSite by ID so it runs under the app pool (SYSTEM) identity
    using (SPSite eSite = new SPSite(site.ID))
    {
        // run elevated code here
        // Add the audit log entry here too, carrying the original user's identity
    }
});
When performing any action using elevated privileges (elevated rights code) the user will always be the SharePoint SYSTEM account.
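Writing the custom entry so the original identity survives elevation, as an added example (not from the deck or the SPAuditDemo project): the caller is captured before RunWithElevatedPrivileges, and the entry itself is written with SPAudit.WriteAuditEvent as a Custom event whose EventData XML carries the original login. It assumes a valid SPContext (web part or page); "BatchApprovalApp" and the field name are placeholders.

```csharp
using System;
using System.Security;
using Microsoft.SharePoint;

// Added example (not the presentation's code). Assumes an SPContext exists.
public static class ElevatedAuditWriter
{
    public static void ApproveAndAudit(Guid listId, int itemId)
    {
        // Capture the real caller BEFORE elevating; inside the delegate the
        // identity is always the SharePoint SYSTEM account.
        SPUser caller = SPContext.Current.Web.CurrentUser;
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite eSite = new SPSite(siteId))
            using (SPWeb eWeb = eSite.OpenWeb(webId))
            {
                SPList list = eWeb.Lists[listId];
                SPListItem item = list.GetItemById(itemId);

                // Privileged business action (placeholder field name).
                item["ApprovalStatus"] = "Approved";
                item.SystemUpdate();

                // The built-in Update event will show SYSTEM as the actor, so
                // record who really triggered it in a Custom entry. Escape the
                // login so the stored XML stays well-formed.
                string eventData = string.Format(
                    "<ApproveAndAudit><Actor>{0}</Actor><ActorId>{1}</ActorId><Web>{2}</Web></ApproveAndAudit>",
                    SecurityElement.Escape(caller.LoginName), caller.ID, webId);

                // Item scope: later queryable with SPAuditQuery.RestrictToListItem.
                item.Audit.WriteAuditEvent(SPAuditEventType.Custom, "BatchApprovalApp", eventData);
            }
        });
    }
}
```

Filter on EventSource == "BatchApprovalApp" when reading the log back to separate these entries from the standard events.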
DEMO TIME (SPAUDITDEMO – CODEPLEX )
A FULL APPLICATION WITH CUSTOM ACTIONS (DEMO ONLY)
This system was designed with the concepts from MSDN and the article by Ted Pattison.
Extended the option to allow non-admins rights at the item level and at the list/library level.
Extended the option to allow non site collection admins access to site collection audit data (via group membership).
Data visualization uses the Telerik™ RAD Controls data grid, as it has many features out of the box with little scripting/configuration, but you can use any grid view or any data visualization control you’re comfortable with.
Packaged as a solution with features scoped at collection level for admins to operate in a single place.
ENHANCEMENTS
Adding a dictionary for translating the events to the local language (still in English).
Remove the 3rd-party dependency and use only native components.
Create a web-only audit level by filtering the site collection audit data to one SPWeb, by URL instead of ID.
Better UI. Auto-save the report to a site library, with a periodic subscription (daily, weekly, etc.).
DEMO TIME (FULL APPLICATION.)
REFERENCES AND LINKS, ETC.
SPAudit Demo Code for this presentation. https://spauditdemo.codeplex.com
[Ted Pattison – Writing Custom Audit Log Entries ] http://msdn.microsoft.com/en-us/library/bb466221%28v=office.12%29.aspx
[Ted Pattison – Item Level Audit ] http://msdn.microsoft.com/en-us/library/bb397403%28v=office.12%29.aspx
The Audit Scope problem – 2013 http://msdn.microsoft.com/en-us/library/ms458658%28v=office.15%29.aspx
QUESTIONS / COMMENTS