Forum OpenACS Development: Re: ways to insert and update db

Collapse
6: Re: ways to insert and update db (response to 1)
Posted by Torben Brosten on 09/26/07 06:45 AM
I don't want to modify the acs-core and effect everyone's systems arbitrarily by modifying any existing procs.

My intentions are really 2 fold:

1. Create a procedure that can be run periodically to alert admins to code, db content, or user input that may be dubious or otherwise weaken a systems integrity. This is not meant to be bullet proof. it is just another way to help manage security. Daveb reminded me on irc yesterday that a filter such as might be used in templating, should limit procs to only those that are authorized (similar to AllowedAttribute AllowedProtocol AllowedTag kernel parameters) instead of trying to identify only known vulnerabilities. This proc is more an extension of the automated testing, for regular auditing of code and db.

2. Create parallel db commands that log inserts and updates for all packages that choose to use the logging versions instead of db_dml etc. This method could also provide an example for anyone who might want to extend the logging into db_dml etc. to meet certain additional deployment requirements.

Collapse
7: Re: ways to insert and update db (response to 6)
Posted by Tom Jackson on 09/26/07 05:18 PM
I hate sounding like a broken record, but this is exactly what the built in logging for database drivers does for you. The only thing missing is the intelligence of what to look for, which by the way is the most difficult part. Right now, you can turn on logging and periodically review the logs. What would you look for? If you can't do it by hand, you will never be able to program it into code. But even if you can do it by hand, that doesn't mean you can create a program to do it. Programs can't be smarter than their author, although they can be faster.

Logging has a completely different focus than normal operations. If everything worked perfectly, you wouldn't need logging. So one requirement of a logging facility is that it is somewhat out of the hands of the normal user. First they may not know to use it, and second, they may want to disable it so they can go undetected while they do bad things. Admins usually have to hunt through log files looking for clues to bad behavior and often is isn't known beforehand what to look for. If you create a selective logging facility, you limit your ability to apply any intelligence to the analysis.

But beyond this, I can't think of many package which allow users to choose what sql or procs/scripts to run. Actually the only one I can think of is my cronjob package. It specifically runs only with admin privileges, but the original goal was to allow regular users to submit code which could run after approval was obtained. The data model is in place where each cronjob can be disabled/enabled or approved/not approved, just no regular user pages to manage it. But this package places the review prior to execution and review/approval must be done by an admin. This is also a good place to put in regularly/sometimes run auditing/reporting code, since you can also select any cronjob and run it instantly.

On the database side it is more difficult to be generic. Each database is different and logging data must require a separate set of tables, which eventually slow down the system. Triggers work well, but there are also log files for the database. They can probably be more selective than the ns_db logging, but also they contain less context. The database doesn't know anything about users or packages.