alescaramanzia Valued Contributor.

Operations content input auditing - sql command example

We have here a large discussion with the InfoSec office because of the following: in the automation process several things are going to change, like the DB script execution (today it is entirely manual; they assure if a given script contains security issues or simply it just needs some elevated credentials to be executed then they do it instead of DBA or operations), but with the scripts inside the flows and using flow variables in them it doesn't seem very straightforward to them to audit and be aware of what we will be executing during the flow development.

Any ideas? With PowerShell and other kinds of scripts we solve it because we have them versioned outside the flow and we just invoke them with parameters, but we can't do it because we lost so much flex using tools like sqlcmd for example, reading the out file, parsing the response (besides the engine error that could happen).

We tried to do XML parsing using XPath to extract the input's value before the deploy, but it's very inaccurate, and when you reference other cp flows it's a big issue.

Thanks in advance 😄

3 Replies
Adel_HPOO_1020 Super Contributor.

Operations content input auditing - sql command example

Hi,

Just an idea: 

If I have understood well 💡: because all operation variables are available in the flow context (script, server, port, commands, users...), why not construct a predefined log format which will be used by OO to insert each piece of info in its predefined place, and give it to the audit team?

Regards

0 Likes
alescaramanzia Valued Contributor.

Re: Operations content input auditing - sql command example

Hi, thanks for answering! The problem is that we need to audit the script before the deploy. The OO logging once executed is perfect, I think, but think of a staging environment, for example, where we haven't got any permissions for deploying or modifying anything: how could the security team view the scripts that we are sending inside a SQL Command operation before deploying, before executing?

Maybe the real problem is that they don't perform a SAST over the OO flow code, but today that's our scenario =(

0 Likes
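One way to give the security team a reviewable listing before deployment, as an added example that is not part of the original thread: it walks a flow export, pulls the SQL text out of each step, and reports the flow variables and privileged statements it contains. The XML layout (`step`, `input`, `name="command"`), the `${var}` reference syntax and the keyword list are assumptions for illustration, not the actual OO content-pack schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; element and attribute names are hypothetical,
# not the real OO flow schema.
SAMPLE_FLOW = """<flow name="nightly_cleanup">
  <step name="purge_sessions" operation="SQL Command">
    <input name="command">DELETE FROM sessions WHERE last_seen &lt; '${cutoff}'</input>
    <input name="username">${db_user}</input>
  </step>
  <step name="fix_perms" operation="SQL Command">
    <input name="command">GRANT ALTER ON SCHEMA::dbo TO ${svc_account}; DROP TABLE audit_tmp</input>
  </step>
  <step name="notify" operation="Send Mail">
    <input name="body">done</input>
  </step>
</flow>"""

VAR_REF = re.compile(r"\$\{([^}]+)\}")  # assumed flow-variable syntax
PRIVILEGED = re.compile(
    r"\b(GRANT|REVOKE|DROP|ALTER|CREATE|TRUNCATE|EXEC(?:UTE)?|XP_CMDSHELL)\b", re.I)

def audit_flow(xml_text, sql_input="command"):
    """Return one finding per SQL-bearing input, for review before deploy."""
    # Flow exports are treated as trusted input here; use defusedxml otherwise.
    root = ET.fromstring(xml_text)
    findings = []
    for step in root.iter("step"):
        for inp in step.iter("input"):
            if inp.get("name") != sql_input:
                continue
            sql = (inp.text or "").strip()
            findings.append({
                "flow": root.get("name"),
                "step": step.get("name"),
                "sql": sql,
                # Values substituted at run time: the reviewer cannot see them here.
                "variables": sorted(set(VAR_REF.findall(sql))),
                # Statements that usually need elevated credentials.
                "privileged": sorted({k.upper() for k in PRIVILEGED.findall(sql)}),
            })
    return findings

if __name__ == "__main__":
    for f in audit_flow(SAMPLE_FLOW):
        print(f"{f['flow']}/{f['step']}: vars={f['variables']} privileged={f['privileged']}")
        print("    " + f["sql"])
```

Run against the exports checked into version control, the output can be attached to the change request so the review happens on the SQL text itself rather than on the flow XML.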
JarodMB Outstanding Contributor.

Re: Operations content input auditing - sql command example

Is the content created in "Generate Documentation" not sufficient for their review? 

0 Likes