Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/5/2009
10:22 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Database Auditing Essentials

Auditing database activity is a core component to any data security program. Databases capture data access and alterations during transaction processing, along with modifications to the database system. These actions are captured and written into an audit log that is managed by the database internally. The audit log is the most accurate source of events because it's the database that acts as the arbiter to ensure transactional consistency and data integrity.

Auditing database activity is a core component to any data security program. Databases capture data access and alterations during transaction processing, along with modifications to the database system. These actions are captured and written into an audit log that is managed by the database internally. The audit log is the most accurate source of events because it's the database that acts as the arbiter to ensure transactional consistency and data integrity.Databases auditing is not specifically listed as a requirement in most compliance initiatives, but in practice it fills that role by providing an accurate, concise history of business processes, data usage and administrative tasks -- all necessary elements for policy enforcement.

A common question from security practitioners, IT and even database administrators is "What sort of activity should I look for? What sort of things can a database audit file tell me?" Despite the incredible amount of information available, most are only interested in a handful of events:

Failed Logins. Failed logins are an indication that someone is trying to break into the database or a system failure. It may seem counter-intuitive and most people think that a mis-typed password is not a big deal, but most users do not log directly into a database. Databases are accessed through applications, which in turn are automatically connected under a generic service account. Failed logins are an indicator of a problem, and audits files should be closely scanned for suspicious activity.

Failed queries. Attacks on databases are commonly scripted, targeting as many repositories as possible, looking for known defects or common configuration mistakes. The attacker who authors the script makes assumption that specific user accounts, database features, or structures will be present. Patched or properly configured databases will return an error rather than fall victim to the exploit. An error can also be indicative of flaws in application logic, parameters not being properly validated, or some other problem requiring immediate attention.

System Grants. User privileges are added or removed through 'grant' statements. Deviations from established security baselines are detected by monitoring for grant statements, especially those that involve administrative privileges or access to database internal functions. Reporting these changes is a common regulatory requirement.

Metadata Changes. Changes to database structure alter system function and offer new access to database contents. New views and added columns often lead to data leakage and should be monitored.

Audit logs contain a lot of useful information helpful to auditors, security professionals and DBA's alike, but they impact performance. Any conversation about the wonderful things that database auditing can provide needs to be tempered by understanding the added burden. Auditing incurs a performance penalty, and depending upon how you implement it, that penalty can be severe. In my next post I will cover audit settings, filtering, and data cleansing, which directly impact performance.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15270
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
CVE-2018-21266
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2018-21267
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-27673
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVE-2020-27674
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.