[cvsnt] CVSNT Auditing....

Bo Berglund Bo.Berglund at system3r.se
Fri Nov 10 09:55:00 GMT 2006


I am migrating a CVSNT server to new hardware and in the process I am
now setting up the Audit too.
I am using Microsoft SQLServer 2000 as backend.
The CVSNT server is running build 2382 on Windows 2003 server installed
via the MSI installer from MarchHare.

While doing this I have observed a few issues that may or may not be by
design:

1. Relations missing
--------------------
The Sessionlog table is supposed to record all activity in the server
and it has a primary key on the column 'Id'.
The other tables have a 'SessionID' column that stores the Sessionlog.Id
value
In normal cases the SessionId should have a foreign key set to
Sessionlog.Id, but there is no relation at all here!
Is this by design or an oversight?

2. Access logging missing
-------------------------
I noted that cvs update is recorded in the Sessionlog table as expected,
but there is no indication at all on *what* was updated, so the auditing
can therefore not record when people are retrieving data from the
server.
The only information in the sessionlog table is the user and the
repository he accessed but no info concerning the module. Of course this
cannot fit in the sessionlog table because it is by design done such
that it holds the master record for the cvs command itself, whereas the
command will expand into separte accesses to different modules in the
repo. So another table is needed.
I would recommend a new table 'Readlog' or similar that can record
updates and checkouts as well.
Is this by design or an oversight?


Best regards,

Bo Berglund


More information about the cvsnt mailing list