Automated Daily Audit of Queries

This document will explain how to set up a daily log of queries. By leveraging the sdm audit functionality, we’ll retrieve a list of queries and write them to a daily log file.

Initial Setup

We recommend creating a new Linux system user with restricted permissions to run the daily audit; in this example that user is named sdm. Download and install the Linux SDM client.

Note: You do not need to log into the SDM client. The admin token will serve as authentication.

Create an Admin Token

To create an admin token, sign into the strongDM web interface and go to Settings > Admin Tokens. From there you can create an admin token with the specific rights you require – in this case, only the Audit > Queries permission.


A dialog will pop up with the admin token.

Save Token Value

Save it for later use in /etc/sdm-admin.token in the form:

SDM_ADMIN_TOKEN=<paste token here>

This file must be owned by the sdm user that runs the audit:

chown sdm:sdm /etc/sdm-admin.token

Example Log Archiver Script

Here is an example log archiver script; in the next step we'll set it up to run nightly. We'll store this script in /opt/strongdm/bin/.

sudo mkdir -p /opt/strongdm/bin/
sudo mkdir -p /var/log/sdm/
sudo tee "/opt/strongdm/bin/log-archiver.sh" > /dev/null <<'EOT'
#!/bin/bash
set -euo pipefail

# Cover the whole of yesterday: from yesterday 00:00:00 up to today 00:00:00.
START=$(date -d "yesterday 00:00" '+%Y-%m-%d 00:00:00')
FN=$(date -d "yesterday 00:00" '+%Y-%m-%d')
END=$(date -d "today 00:00" '+%Y-%m-%d 00:00:00')
TARGET=/var/log/sdm

# SDM_ADMIN_TOKEN is supplied by the systemd unit's EnvironmentFile; one file per day.
/opt/strongdm/bin/sdm audit queries --from "$START" --to "$END" >> "$TARGET/queries.$FN"
EOT
sudo chown sdm:sdm /var/log/sdm /opt/strongdm/ /opt/strongdm/bin/ /opt/strongdm/bin/log-archiver.sh
sudo chmod +x /opt/strongdm/bin/log-archiver.sh

Set up a systemd Service and Timer

This systemd service definition wraps our script; the timer that follows runs it once a day (OnCalendar=daily fires at midnight) and, because Persistent=true, runs a missed job at the next boot.

sudo tee "/etc/systemd/system/log-archiver.service" > /dev/null <<'EOT'
[Unit]
Description=SDM log archiver

[Service]
Type=oneshot
EnvironmentFile=/etc/sdm-admin.token
ExecStart=/opt/strongdm/bin/log-archiver.sh
User=sdm
EOT

sudo tee "/etc/systemd/system/log-archiver.timer" > /dev/null <<'EOT'
[Unit]
Description=Run log archiver daily
Requires=log-archiver.service

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
EOT

Activate the timer:

sudo systemctl daemon-reload
sudo systemctl enable log-archiver.timer
sudo systemctl start log-archiver.timer
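Once the timer is running, a gap in the daily files is the first sign that a night's run failed (timer not firing, token revoked, sdm call erroring). The following check is an added example, not part of the strongDM documentation: it scans the queries.YYYY-MM-DD files in a directory and reports days with no file or an empty file. It assumes GNU date, as the archiver script does, and builds a constructed sample directory for demonstration; the real logs live in /var/log/sdm.

```shell
#!/bin/bash
# Added example: detect nights on which log-archiver.sh produced nothing.
# Assumes GNU date (date -d), like the archiver script itself.
set -eu

# report_query_logs DIR FROM TO
# Prints one "MISSING <day>" or "EMPTY <day>" line per problem day in [FROM, TO),
# the same half-open window the archiver uses for --from/--to.
report_query_logs() {
  local dir=$1 day=$2 end=$3
  while [ "$day" != "$end" ]; do
    local f="$dir/queries.$day"
    if [ ! -e "$f" ]; then
      printf 'MISSING %s\n' "$day"      # timer never ran, or wrote elsewhere
    elif [ ! -s "$f" ]; then
      printf 'EMPTY %s\n' "$day"        # sdm ran but returned no records
    fi
    day=$(date -d "$day +1 day" '+%Y-%m-%d')
  done
}

# make_sample_logs: constructed fixture in a temp dir (not real audit data); prints its path.
make_sample_logs() {
  local dir
  dir=$(mktemp -d)
  printf 'constructed query record\n' > "$dir/queries.2024-03-01"
  : > "$dir/queries.2024-03-02"                      # empty: no output that night
  printf 'constructed query record\n' > "$dir/queries.2024-03-03"
  # queries.2024-03-04 is deliberately absent: the timer did not fire
  printf '%s\n' "$dir"
}

# Demonstration on the constructed directory: reports 2024-03-02 as EMPTY and 2024-03-04 as MISSING.
report_query_logs "$(make_sample_logs)" 2024-03-01 2024-03-05
```

To check the real archive, call report_query_logs with /var/log/sdm and the date range you expect to be covered, e.g. the last week up to today.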