Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/5/2009
10:22 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Database Auditing Essentials

Auditing database activity is a core component to any data security program. Databases capture data access and alterations during transaction processing, along with modifications to the database system. These actions are captured and written into an audit log that is managed by the database internally. The audit log is the most accurate source of events because it's the database that acts as the arbiter to ensure transactional consistency and data integrity.

Auditing database activity is a core component to any data security program. Databases capture data access and alterations during transaction processing, along with modifications to the database system. These actions are captured and written into an audit log that is managed by the database internally. The audit log is the most accurate source of events because it's the database that acts as the arbiter to ensure transactional consistency and data integrity.Databases auditing is not specifically listed as a requirement in most compliance initiatives, but in practice it fills that role by providing an accurate, concise history of business processes, data usage and administrative tasks -- all necessary elements for policy enforcement.

A common question from security practitioners, IT and even database administrators is "What sort of activity should I look for? What sort of things can a database audit file tell me?" Despite the incredible amount of information available, most are only interested in a handful of events:

Failed Logins. Failed logins are an indication that someone is trying to break into the database or a system failure. It may seem counter-intuitive and most people think that a mis-typed password is not a big deal, but most users do not log directly into a database. Databases are accessed through applications, which in turn are automatically connected under a generic service account. Failed logins are an indicator of a problem, and audits files should be closely scanned for suspicious activity.

Failed queries. Attacks on databases are commonly scripted, targeting as many repositories as possible, looking for known defects or common configuration mistakes. The attacker who authors the script makes assumption that specific user accounts, database features, or structures will be present. Patched or properly configured databases will return an error rather than fall victim to the exploit. An error can also be indicative of flaws in application logic, parameters not being properly validated, or some other problem requiring immediate attention.

System Grants. User privileges are added or removed through 'grant' statements. Deviations from established security baselines are detected by monitoring for grant statements, especially those that involve administrative privileges or access to database internal functions. Reporting these changes is a common regulatory requirement.

Metadata Changes. Changes to database structure alter system function and offer new access to database contents. New views and added columns often lead to data leakage and should be monitored.

Audit logs contain a lot of useful information helpful to auditors, security professionals and DBA's alike, but they impact performance. Any conversation about the wonderful things that database auditing can provide needs to be tempered by understanding the added burden. Auditing incurs a performance penalty, and depending upon how you implement it, that penalty can be severe. In my next post I will cover audit settings, filtering, and data cleansing, which directly impact performance.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.