2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Database security audit
Industry requirements:
Whether the audit content includes at least the following: user addition and deletion, startup and shutdown of the audit function, audit policy adjustment, permission changes, abnormal use of system resources, and important system operations (such as user login and logout).
Database enablement:
The database audit functions covering the content above must be turned on to meet this requirement.
| No. | Audit content | SQL Server | Oracle |
|---|---|---|---|
| 1 | Addition and deletion of users | Can be met | Can be met |
| 2 | Startup and shutdown of the audit function | Can be met | Partially met (shutdown can be audited) |
| 3 | Adjustment of audit policy | Can be met | Can be met |
| 4 | Permission change | Can be partially met (permission changes are covered at the login level. Refining this to the table level requires creating an audit for each database; fine-grained audit is not enabled for the time being) | Can be met |
| 5 | Abnormal use of system resources | (definition not understood; cannot be enabled) | (definition not understood; cannot be enabled) |
| 6 | Important system operations (such as user login, logout), etc. | Can be met | Can be met |
SQL Server
SQL Server currently has only the audit of login successes and failures turned on, written to the application log.
The audit action groups listed below basically meet the requirements of the industry audit guide. Because there is no bypass audit system at present, turning on the audit function will occupy system resources and cost some performance. Consider enabling it in production and observing first, and stop it promptly if there is a problem. The audit that is created can write to the application log and be queried from ELK.
SQL Server introduced SQL Server Audit in 2008 to meet fine-grained audit requirements. Auditing can be refined to specific actions, principals, and objects, down to the level of a single table, covering events from user login and logout to the creation of tables and inserts and deletes on them. You select the set of actions you want to audit. SQL Server Audit is built on Extended Events. When an event is triggered, it is dispatched in near real time to the Extended Events engine, which notifies the scheduler thread pool; that pool is responsible for writing user-created event sessions from the memory cache to targets such as files. By default, audit events are written asynchronously to the audit target, with little performance impact.
| No. | Audit action group | Description |
|---|---|---|
| 1 | AUDIT_CHANGE_GROUP | Raised when any audit is created, modified, or deleted, and when any audit specification is created, modified, or deleted. Any change to an audit is audited in that audit. |
| 2 | FAILED_LOGIN_GROUP | Indicates that a principal attempted to log in to SQL Server but failed. Events in this class are raised by new connections or by reused connections in the connection pool. |
| 3 | SUCCESSFUL_LOGIN_GROUP | Indicates that a principal successfully logged in to SQL Server. Events in this class are raised by new connections or by reused connections in the connection pool. |
| 4 | LOGOUT_GROUP | Indicates that a principal has logged out of SQL Server. Events in this class are raised by new connections or by reused connections in the connection pool. |
| 5 | SERVER_PRINCIPAL_CHANGE_GROUP | Raised when a server principal is created, changed, or deleted. Raised when a principal issues the sp_defaultdb or sp_defaultlanguage stored procedure or an ALTER LOGIN statement. Raised for the sp_addlogin and sp_droplogin stored procedures. Raised by the sp_grantlogin, sp_revokelogin, or sp_denylogin stored procedures. |
| 6 | SERVER_PERMISSION_CHANGE_GROUP | Raised when a GRANT, REVOKE, or DENY statement is issued for server-wide permissions, such as creating a login. |
| 7 | LOGIN_CHANGE_PASSWORD_GROUP | Raised when a login password is changed through an ALTER LOGIN statement or the sp_password stored procedure. |
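One way to turn the seven action groups above into a server audit that writes to the application log, as the text describes. This is an added example, not code from the original article; the audit and specification names are hypothetical, and QUEUE_DELAY and ON_FAILURE are assumed settings chosen to match the asynchronous, low-impact behaviour described above.

```sql
USE master;
GO
-- Audit object: target is the Windows Application log, from which ELK collects.
CREATE SERVER AUDIT [Industry_Audit]              -- hypothetical name
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000,       -- asynchronous write, in ms (assumed value)
      ON_FAILURE  = CONTINUE);  -- assumed: keep serving if an audit write fails
GO
-- Server-level specification containing the action groups from the table.
CREATE SERVER AUDIT SPECIFICATION [Industry_Audit_Spec]   -- hypothetical name
FOR SERVER AUDIT [Industry_Audit]
    ADD (AUDIT_CHANGE_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (LOGOUT_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP)
WITH (STATE = ON);
GO
-- The audit itself is created disabled; enable it last.
ALTER SERVER AUDIT [Industry_Audit] WITH (STATE = ON);
GO
-- Check: the audit is enabled and every expected group is attached.
SELECT name, type_desc, on_failure_desc, is_state_enabled
FROM sys.server_audits;

SELECT s.name AS specification, d.audit_action_name
FROM sys.server_audit_specifications AS s
JOIN sys.server_audit_specification_details AS d
  ON d.server_specification_id = s.server_specification_id
ORDER BY d.audit_action_name;

-- To stop the audit if production observation shows a problem:
-- ALTER SERVER AUDIT [Industry_Audit] WITH (STATE = OFF);
```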
Oracle
Oracle provides an internal audit function and a standard database activity audit function. Audit entries can be written to a preconfigured syslog through the audit_syslog_level parameter and then collected by ELK, which basically meets the requirements of the industry association. However, some functions are missing, as shown in the table below:

| Audit policy | Can it be audited? | Operation statement |
|---|---|---|
| Addition and deletion of users | Yes | audit create user; audit drop user, or audit user (all operations on users, including create, drop, alter) |
| Startup and shutdown of the audit function | Partially | Turning the audit function on and off is audited by auditing alter system statements: audit alter system. The shutdown of the audit function can be audited while the audit function is on. |
| Adjustment of audit policy | Partially | Audit policy adjustment is audited through the statement option system audit or the privilege audit system. When system audit is audited, all changes to the audit policy can be audited. When neither the statement nor the privilege above is audited, audit policy adjustments cannot be audited, including the statement audit audit system itself. |
| Permission change | Yes | Permission changes are audited through the statement option system grant and the privilege grant any object privilege |
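The statements from the table above collected into one script, together with the syslog parameter the text mentions. This is an added example, not code from the original article; it assumes traditional (non-unified) auditing, and the syslog facility and priority are assumed values that must match a rule in the host's syslog configuration.

```sql
-- Send audit records to syslog. audit_syslog_level requires audit_trail = OS.
-- Both parameters are static: they take effect after an instance restart.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;  -- assumed facility.priority

-- Addition and deletion of users (create, alter, drop).
AUDIT USER;

-- Startup and shutdown of the audit function (changes made with ALTER SYSTEM).
AUDIT ALTER SYSTEM;

-- Adjustment of audit policy: the statement option and the privilege.
AUDIT SYSTEM AUDIT;
AUDIT AUDIT SYSTEM;

-- Permission changes.
AUDIT SYSTEM GRANT;
AUDIT GRANT ANY OBJECT PRIVILEGE;

-- Login and logout. Not listed in the table above; added here to cover
-- the "important system operations" requirement.
AUDIT SESSION;

-- Check which statement and privilege audit options are now active.
SELECT audit_option, success, failure
FROM dba_stmt_audit_opts
ORDER BY audit_option;

SELECT privilege, success, failure
FROM dba_priv_audit_opts
ORDER BY privilege;
```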
Impact on performance: Oracle auditing takes place during the statement execution phase. According to Oracle's white paper "Oracle Database Auditing: Performance Guidelines", in a TPC-C equivalent test, the test results are as follows
It can be seen that auditing has little impact on performance; the impact of auditing on system performance should be tested according to the needs of the specific system.