Audit Mechanism Description

In this article
  • Audit Mechanism Description
  • Detecting Unauthorized Actions
  • Unauthorized Actions with Descriptions

Detecting Unauthorized Actions

To detect unauthorized actions in the system, use the event logging tool. The default location of the Security Event Log file (security.log) is:

  • On Windows: C:\ProgramData\Operavix\logs (the local drive letter may vary)
  • On Linux: in the /var/log/operavix container

To detect unauthorized actions, use the security log together with the descriptions of such actions given below, which state the event fields to correlate for each one.

Unauthorized Actions with Descriptions

Login Attempts with Different User IDs from the Same Workstation in Short Time Intervals (with Interval Length Defined by Experts)

  1. Login 1 (action 1):
    • Event type: logon
    • Additional event parameter: success
    • Object: id
    • Workstation address: remote_address
    • Field: Event Time
  2. Login 2 (action 2):
    • Event type: logon
    • Additional event parameter: success
    • Object: id
    • Workstation address: remote_address
    • Field: Event Time

If the id values differ but the remote_address values are the same, then Event Time 2 - Event Time 1 = login interval from the same workstation (this interval is compared against the configured threshold).

Logging In with the Same User ID from Different Workstations in Short Time Intervals (with Interval Length Defined by Experts)

  1. Login 1 (action 1):
    • Event type: logon
    • Additional event parameter: success
    • Object: id
    • Workstation address: remote_address
    • Field: Event Time
  2. Login 2 (action 2):
    • Event type: logon
    • Additional event parameter: success
    • Object: id
    • Workstation address: remote_address
    • Field: Event Time

If the id values are the same but the remote_address values differ, then Event Time 2 - Event Time 1 = login interval from different workstations (this interval is compared against the configured threshold).

Multiple Failed Login Attempts with Different IDs from the Same Terminal

  • Event type: logon
  • Additional event parameter: invalid_logon
  • Object: id
  • Workstation address: remote_address

Or:

  • Event type: logon
  • Additional event parameter: invalid_logon_and_max_logon_attempts_exceed
  • Object: id
  • Workstation address: remote_address

The remote_address value is the same for all attempts.
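The three logon rules above (different IDs from one workstation, one ID from different workstations, and repeated failed attempts from one terminal) as an added example, not part of the original page or of Operavix itself. The on-disk format of security.log is not given here, so each record is assumed to be a dict keyed by the field names the page lists (event_type, the additional parameter, id, remote_address, Event Time); the expert-defined interval is passed in as a number of seconds.

```python
from datetime import datetime
from itertools import combinations

# Constructed sample of security.log records; the page does not give the on-disk
# format, so each record is a dict keyed by the field names the page lists.
SAMPLE_EVENTS = [
    {"event_type": "logon", "param": "success", "id": "u100", "remote_address": "10.0.0.5", "event_time": "2024-05-01T08:00:00"},
    {"event_type": "logon", "param": "success", "id": "u200", "remote_address": "10.0.0.5", "event_time": "2024-05-01T08:02:30"},
    {"event_type": "logon", "param": "success", "id": "u100", "remote_address": "10.0.0.9", "event_time": "2024-05-01T08:03:10"},
    {"event_type": "logon", "param": "success", "id": "u300", "remote_address": "10.0.0.7", "event_time": "2024-05-01T11:00:00"},
    {"event_type": "logon", "param": "invalid_logon", "id": "u400", "remote_address": "10.0.0.8", "event_time": "2024-05-01T12:00:00"},
    {"event_type": "logon", "param": "invalid_logon", "id": "u401", "remote_address": "10.0.0.8", "event_time": "2024-05-01T12:00:20"},
    {"event_type": "logon", "param": "invalid_logon_and_max_logon_attempts_exceed", "id": "u402", "remote_address": "10.0.0.8", "event_time": "2024-05-01T12:00:40"},
]

def _ts(e):
    return datetime.fromisoformat(e["event_time"])

def _logon_pairs(events, threshold_seconds, same_id):
    """Pairs of successful logons closer than the threshold. same_id=False gives
    rule 1 (different ids, same remote_address); same_id=True gives rule 2
    (same id, different remote_address). Event Time 2 - Event Time 1 is the interval."""
    ok = sorted((e for e in events if e["event_type"] == "logon" and e["param"] == "success"), key=_ts)
    pairs = []
    for a, b in combinations(ok, 2):  # a precedes b because ok is time-sorted
        id_match = a["id"] == b["id"]
        addr_match = a["remote_address"] == b["remote_address"]
        if id_match == same_id and addr_match != same_id and (_ts(b) - _ts(a)).total_seconds() <= threshold_seconds:
            pairs.append((a["id"], b["id"], a["remote_address"], b["remote_address"]))
    return pairs

def different_ids_same_workstation(events, threshold_seconds):
    return _logon_pairs(events, threshold_seconds, same_id=False)

def same_id_different_workstations(events, threshold_seconds):
    return _logon_pairs(events, threshold_seconds, same_id=True)

def failed_logins_same_terminal(events, min_distinct_ids):
    """Rule 3: remote_address values from which invalid_logon (or the
    max-attempts-exceeded variant) was recorded for at least min_distinct_ids ids."""
    failed = {"invalid_logon", "invalid_logon_and_max_logon_attempts_exceed"}
    ids_by_addr = {}
    for e in events:
        if e["event_type"] == "logon" and e["param"] in failed:
            ids_by_addr.setdefault(e["remote_address"], set()).add(e["id"])
    return sorted(addr for addr, ids in ids_by_addr.items() if len(ids) >= min_distinct_ids)
```

With a 300-second threshold the sample yields one hit for each of the first two rules, and 10.0.0.8 for the third; the thresholds themselves are the expert-defined values the page refers to.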

Login Attempt with a Disabled Account

  • Event type: logon
  • Additional event parameter: disabled_logon
  • Object: id

Disabling Logging

The logback.xml file is used to configure logging. It is located at:

  • On Windows: C:\ProgramData\Operavix\
  • On Linux: in the /var/lib/operavix container

Alternatively, the configuration can be substituted through the logging system's initialization mechanism.

The detailed configuration loading process is described at: https://logback.qos.ch/manual/configuration.html.

Advice on Monitoring Changes

Monitor for changes in the following directories:

  • On Windows: C:\ProgramData\Operavix and C:\Program Files\Operavix
  • On Linux: /var/lib/operavix and /usr/sbin/operavix

Monitor changes to the service.

Log Deletion or Clearing

Logs cannot be deleted or cleared through the web interface. This unauthorized action is not logged.

Access to log deletion or clearing is controlled at the file system level, governed by Windows policy.

Creating a New User ID and Its Immediate Deletion (Blocking) Within a Short Time Interval (with Interval Length Defined by Experts)

Subject (the user performing the action):

  • Object: id
  • Workstation address: remote_address
  • Employee: employee_id
  • Action 1 (event type): create (user creation)
  • Action 2 (event type): remove (user deletion)
  • Action 3 (event type): change_enabled_logon
  • Additional parameter for action 3: false (disabling authorization permission, blocking)
  • Field: Event Time (for each action)

Object (the entity the action is performed on):

  • Object: id
  • Object: employee

If the object ID (of the created employee) is the same across all actions, then Event Time of remove - Event Time of create = interval between user creation and deletion, and Event Time of change_enabled_logon (additional parameter: false) - Event Time of create = interval between user creation and blocking.

Granting New Access Rights (or Group Membership) and Their Immediate Revocation Within a Short Time Interval (with Interval Length Defined by Experts)

Subject (the user performing the action):

  • Object: id
  • Workstation address: remote_address
  • Employee: employee_id
  • Action 1 (object type): adding_access_role (granting access role)
  • Action 2 (object type): removing_access_role (revoking access role from the "Administrative" group)
  • Additional parameters for all object types (all actions):
    • access_role_id (access role ID)
    • access_role_name (access role name)
  • Field: Event Time (for each action)

Object (the entity the action is performed on):

  • Object: id, employee, login

If the ID and Login of the object remain the same across all actions, and the assigned and revoked access role has the same access_role_id, then Event Time of removing_access_role - Event Time of adding_access_role = interval between granting new rights and their subsequent revocation.
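The two "grant and immediately revoke" rules above (user created then removed or blocked; access role granted then revoked) as an added example, not part of the original page or of Operavix itself. Records are assumed to be dicts with the field names the page lists; the object's login is assumed to track its id, so matching is done on object id (plus access_role_id for roles), and the expert-defined interval is given in seconds.

```python
from datetime import datetime

# Constructed sample audit records (format assumed; field names follow the page).
SAMPLE_AUDIT = [
    {"event_type": "create", "param": None, "subject_id": "admin1", "object_id": "u900", "access_role_id": None, "event_time": "2024-05-01T09:00:00"},
    {"event_type": "adding_access_role", "param": None, "subject_id": "admin1", "object_id": "u555", "access_role_id": "role_admin", "event_time": "2024-05-01T09:01:00"},
    {"event_type": "change_enabled_logon", "param": "false", "subject_id": "admin1", "object_id": "u900", "access_role_id": None, "event_time": "2024-05-01T09:01:30"},
    {"event_type": "removing_access_role", "param": None, "subject_id": "admin1", "object_id": "u555", "access_role_id": "role_admin", "event_time": "2024-05-01T09:03:00"},
    {"event_type": "removing_access_role", "param": None, "subject_id": "admin2", "object_id": "u555", "access_role_id": "role_audit", "event_time": "2024-05-01T09:04:00"},
]

def _ts(e):
    return datetime.fromisoformat(e["event_time"])

def short_lived_changes(events, opening, closing, threshold_seconds, closing_param=None, key=("object_id",)):
    """Pair each `closing` event with the most recent earlier `opening` event that
    matches on every field in `key`; report pairs closer than the threshold as
    (object id, closing event type, interval in seconds)."""
    events = sorted(events, key=_ts)
    hits = []
    for i, close in enumerate(events):
        if close["event_type"] != closing:
            continue
        if closing_param is not None and close["param"] != closing_param:
            continue
        for opener in reversed(events[:i]):  # walk backwards to the nearest match
            if opener["event_type"] == opening and all(opener[k] == close[k] for k in key):
                interval = (_ts(close) - _ts(opener)).total_seconds()
                if interval <= threshold_seconds:
                    hits.append((close["object_id"], closing, interval))
                break  # an unmatched or too-old opener means no hit for this closer
    return hits

def user_created_then_removed_or_blocked(events, threshold_seconds):
    """create followed by remove, or by change_enabled_logon with parameter false."""
    return (short_lived_changes(events, "create", "remove", threshold_seconds)
            + short_lived_changes(events, "create", "change_enabled_logon", threshold_seconds, closing_param="false"))

def role_granted_then_revoked(events, threshold_seconds):
    """adding_access_role followed by removing_access_role for the same access_role_id."""
    return short_lived_changes(events, "adding_access_role", "removing_access_role",
                               threshold_seconds, key=("object_id", "access_role_id"))
```

The removal of role_audit at 09:04 has no preceding grant in the sample, so it is correctly not reported.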

Changing the System Password Policy

Any of the following six event types constitutes a change to the system password policy for an object:

  1. Action 1 (Object type): change_complex_password
    Enabling or disabling password complexity control.
  2. Action 2 (Object type): change_min_password_length
    Changing the minimum password length.
  3. Action 3 (Object type): password_expiration_date
    Enabling or disabling password expiration.
  4. Action 4 (Object type): change_password_expiration_time
    Changing the password expiration period.
  5. Action 5 (Object type): limit_login_attempts
    Enabling or disabling login attempt limits.
  6. Action 6 (Object type): change_max_invalid_logon_count
    Changing the limit on failed login attempts.

Tracked object parameters:

  • Object: id
  • Workstation address: remote_address
  • Employee: employee_id, login
