Introduction to database audit
The Ankki database audit system is a combined hardware and software appliance that pioneered a two-way (bidirectional) audit mechanism covering the application, middleware and database tiers, so that one deployment provides layered defence across "precaution beforehand, prevention during, and evidence afterwards". By applying deep packet inspection (DPI) and deep flow inspection (DFI) to the database wire protocols, it parses every database access and operation back into the database-level statement that was actually executed. On that basis it raises real-time threat alerts, records and statistically analyses incidents, correlates several identity attributes to attribute an operation to a person, and supports forensic evidence collection, all driven by preset security rules such as intelligent analysis and monitoring of visitors.
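To make the "parse the wire protocol back into the executed statement" step concrete, the following is an added example (written for this page, not Ankki's code) that walks a client-to-server MySQL byte stream, recognises the login packet (HandshakeResponse41), COM_QUERY and COM_QUIT, and classifies each statement into the operation kinds audited later on this page (login/logout, query, insert, update, delete, create). The packet layout and command bytes are those of the MySQL client/server protocol; the session bytes are constructed here, not a real capture, and the table-name regex is an illustrative stand-in for a real SQL tokenizer.

```python
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# MySQL client->server command bytes and capability flags
# (values from the MySQL client/server protocol documentation).
COM_QUIT, COM_QUERY = 0x01, 0x03
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000


@dataclass
class AuditEvent:
    kind: str                       # login, logout, select, insert, update, delete, create, other
    user: Optional[str] = None
    database: Optional[str] = None
    sql: Optional[str] = None
    tables: List[str] = field(default_factory=list)


def mysql_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as a MySQL packet: 3-byte little-endian length, 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def handshake_response(user: str, database: str = "", auth: bytes = b"\x00" * 20) -> bytes:
    """Build a HandshakeResponse41 packet (what a client sends after the server greeting)."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
    if database:
        caps |= CLIENT_CONNECT_WITH_DB
    header = struct.pack("<IIB", caps, 16 * 1024 * 1024, 0x21) + b"\x00" * 23
    body = user.encode() + b"\x00" + bytes([len(auth)]) + auth
    if database:
        body += database.encode() + b"\x00"
    return mysql_packet(1, header + body)


def _cstring(buf: bytes, pos: int):
    """Read a NUL-terminated string starting at pos; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode(errors="replace"), end + 1


def classify_sql(sql: str) -> AuditEvent:
    """Map a statement to an audited operation kind and the tables it names.
    The regex is illustrative only: a production engine needs a real SQL tokenizer
    so that keywords inside string literals are not mistaken for clauses."""
    m = re.match(r"\s*(\w+)", sql)
    verb = m.group(1).lower() if m else ""
    kind = verb if verb in ("select", "insert", "update", "delete", "create") else "other"
    tables = re.findall(r"\b(?:from|into|update|join|table)\s+`?([\w.]+)`?", sql, re.I)
    return AuditEvent(kind=kind, sql=sql, tables=tables)


def parse_client_stream(stream: bytes) -> List[AuditEvent]:
    """Walk the client->server byte stream packet by packet and emit audit events."""
    events: List[AuditEvent] = []
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        seq = stream[pos + 3]
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than emit a bogus event
        pos += 4 + length
        caps = struct.unpack("<I", payload[:4])[0] if len(payload) >= 32 else 0
        if seq == 1 and caps & CLIENT_PROTOCOL_41:
            user, p = _cstring(payload, 32)      # username follows the 32-byte fixed header
            database = None
            if caps & CLIENT_CONNECT_WITH_DB:
                p += 1 + payload[p]              # skip the length-prefixed auth response
                database, _ = _cstring(payload, p)
            events.append(AuditEvent(kind="login", user=user, database=database))
        elif payload and payload[0] == COM_QUERY:
            events.append(classify_sql(payload[1:].decode(errors="replace")))
        elif payload and payload[0] == COM_QUIT:
            events.append(AuditEvent(kind="logout"))
    return events


# Constructed sample session (not a real capture): login, two statements, logout.
SAMPLE_STREAM = (
    handshake_response("app_user", "crm")
    + mysql_packet(0, bytes([COM_QUERY]) + b"SELECT name, ssn FROM customers WHERE id = 7")
    + mysql_packet(0, bytes([COM_QUERY]) + b"DELETE FROM audit_log WHERE ts < '2020-01-01'")
    + mysql_packet(0, bytes([COM_QUIT]))
)

if __name__ == "__main__":
    for ev in parse_client_stream(SAMPLE_STREAM):
        print(ev)
```

A passive audit engine must also track the server side of the conversation (result-set row counts, error packets) to populate the return value and response time that the audit policies below use; that half is omitted here for brevity.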
Regulatory requirements on database audit
The Sarbanes-Oxley Act emphasises that internal control over the IT systems associated with financial reporting must be strengthened, with security audit at its core.
The Basel II Capital Accord requires banks worldwide to strengthen risk management; controlling operational risk in financial business in turn depends on security auditing of business information.
The Concrete Norms for Internal Control of Enterprises explicitly require that computer information systems implement segregation of rights and responsibilities, separation of duties and secure access controls for audit purposes, so as to improve the accountability, stability and security of the information system and the integrity and accuracy of its data.
Section 4, "Database Security Audit", of Chapter 4, "Security Technical Requirements", of the Technical Requirements for Classified Protection Database Management states that security auditing of a database management system should establish an independent security audit system, define the audit events that bear on database security, appoint dedicated security auditors and a dedicated audit repository for the database system's audit data, and provide tools for configuring, analysing and accessing the database system's security audit.
ISO 15408-2 (Security Functional Requirements) requires that database security audit cover the identification, recording, storage and analysis of information related to security-relevant activities (those governed by the TOE Security Policy, TSP), together with review of the audit records to determine which security-relevant activities occurred and who is accountable for them.
Thorough audit of database
The Ankki database audit system records in detail and in real time every kind of operation on current mainstream databases (ORACLE, MSSQL, MYSQL, POSTGRESQL, Caché, ...) and presents them to users as reports and table listings. Audited content includes:
Log-in and log-off of audited users;
Queries, inserts, updates, deletes and table creation performed by audited users;
Operations by the dedicated accounts that monitor the various databases;
Types of database supported include:
Audit for remote server operations
The Ankki database audit system also audits and records access to the database server over mainstream remote-administration protocols, including Telnet, FTP, Rlogin and X11.
Rich alarm configuration
Users can define their own alarm events and assign each a severity. When an attack on the database matches an alarm policy, the system raises the alarm automatically. Alarms currently have four severity levels: critical, high, medium and low.
Flexible audit policy
Using its audit engine, the Ankki database audit system audits all database activity and all remote operations on the database server in real time and dynamically. Policies can be customised on user information (IP, MAC, user name, ...), middleware information (the SQL statement executed) and server information (return value, response time, ...), giving auditors visibility into and control over what is audited.
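The following added example (written for this page, not Ankki's code) shows what such a policy looks like when expressed as rules over already-parsed database events: each rule combines user attributes (IP, MAC, user name), the statement kind and tables, and server-side results (rows returned, response time, status) and carries one of the four alarm levels above. The first rule also illustrates the identity correlation described later on this page, flagging an account used from a host other than the one it is registered to instead of trusting IP or MAC alone. The account-to-workstation bindings, sensitive-table list and sample events are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class DbEvent:
    """One parsed database operation, as the capture/parsing layer would deliver it."""
    src_ip: str
    src_mac: str
    db_user: str
    kind: str                 # select, insert, update, delete, create, ...
    tables: List[str]
    rows_returned: int
    response_ms: int
    status: str               # "ok" or the server's error code


@dataclass
class Rule:
    name: str
    level: str                # one of SEVERITY's keys
    match: Callable[[DbEvent], bool]


# Constructed reference data (assumptions for this example): the workstation
# (ip, mac) each database account is expected to connect from, which tables
# hold sensitive data, and which accounts are DBAs.
USER_BINDINGS: Dict[str, Tuple[str, str]] = {
    "app_user": ("10.0.5.17", "00:11:22:33:44:55"),
    "dba_li":   ("10.0.9.8",  "aa:bb:cc:dd:ee:01"),
}
SENSITIVE_TABLES = {"customers", "salaries"}
DBA_ACCOUNTS = {"dba_li"}


def unexpected_host(ev: DbEvent) -> bool:
    """User name seen from a host other than its recorded (ip, mac): correlates the
    three identifiers so a stolen credential used elsewhere stands out."""
    bound = USER_BINDINGS.get(ev.db_user)
    return bound is not None and bound != (ev.src_ip, ev.src_mac)


RULES: List[Rule] = [
    Rule("account used from unregistered host", "critical", unexpected_host),
    Rule("destructive DDL/DML by non-DBA account", "critical",
         lambda ev: ev.kind in ("delete", "create") and ev.db_user not in DBA_ACCOUNTS),
    Rule("bulk read of sensitive table", "high",
         lambda ev: ev.kind == "select"
         and bool(set(ev.tables) & SENSITIVE_TABLES) and ev.rows_returned > 1000),
    Rule("server error returned (possible probing)", "medium",
         lambda ev: ev.status != "ok"),
    Rule("slow statement", "low", lambda ev: ev.response_ms > 5000),
]


def evaluate(ev: DbEvent, rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Return (level, rule name) for every rule the event matches, most severe first."""
    hits = [(r.level, r.name) for r in rules if r.match(ev)]
    return sorted(hits, key=lambda h: SEVERITY[h[0]], reverse=True)


def highest_level(ev: DbEvent) -> str:
    """The alarm level to raise for the event, or "none" if no rule matched."""
    hits = evaluate(ev)
    return hits[0][0] if hits else "none"


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    DbEvent("10.0.5.17", "00:11:22:33:44:55", "app_user", "select", ["orders"], 12, 30, "ok"),
    DbEvent("10.0.5.17", "00:11:22:33:44:55", "app_user", "select", ["customers"], 48000, 7200, "ok"),
    DbEvent("10.0.7.201", "de:ad:be:ef:00:01", "dba_li", "delete", ["audit_log"], 0, 15, "ok"),
    DbEvent("10.0.5.17", "00:11:22:33:44:55", "app_user", "select", ["customers"], 0, 5, "ER_NO_SUCH_TABLE"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.db_user, ev.kind, highest_level(ev), evaluate(ev))
```

The rules are deliberately stateless; a real engine would also keep per-session counters (for example, many errors from one source within a minute) so that probing is scored on frequency rather than on a single failed statement.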
Through its management and control platform, the Ankki database audit system provides centralised management of the audit system, and auditors can monitor the status of each audited device in real time, including:
System running state and CPU, memory and disk consumption;
The log information generated by the system's own operation;
User administration: user-management privileges and each user's operations on the audited device.
The Ankki database audit system collects audit data independently from the network, which cleanly separates database administration from the work of the development team and the security audit group. Auditing therefore does not affect the performance, stability or routine administration of the database. Audit results are stored independently in the appliance's built-in storage, so privileged database users cannot tamper with the records of ordinary users or compromise the impartiality of the audit trail.
Whole-course, fine-grained traceable audit
Comprehensiveness: tracks and locates operations across the business, application and database layers, including the SQL executed by the database and the values it returns.
Fine grain: audit policies can be as precise as an individual table, object or record's content, so sensitive information is audited at fine granularity.
Independence: an independent monitoring-and-audit working mode separates database administration from auditing and guarantees the authenticity, integrity and impartiality of audit results.
The Ankki database audit system enforces separation of privileges: for example, the system administrator is responsible for configuring and operating the device, the auditor for reviewing audit records and violations, and the log inspector for the device's operation logs and rule changes.
Accurate attribution of events
Traditional database auditing usually identifies an actor only by IP and MAC address, which is not credible enough on its own. The Ankki database audit system correlates IP, MAC, user name and server-side information to trace an operation to a specific person.
Independent reporting function
The Ankki database audit system can output different kinds of reports according to compliance requirements, for example a report on the degree of compliance with Classified Protection level 3 requirements.
Customisable report policy
For the main problems auditors care about, policy rules can be customised to produce reports that meet their requirements, so auditors find the audit information they need quickly.
The Ankki database audit system also protects the high availability of the appliance itself, including hardware-level redundancy, system-level anti-attack policies and alerting measures.
So as not to affect the operation or performance of the database system at all, a database audit system should support out-of-band (bypass) monitoring, which comes in three forms: core-switch network monitoring mode, network bridge mode and database host monitoring mode.
Switch network monitoring mode
By configuring port mirroring on the core switch, or by using a TAP in bypass mode, the security audit engine monitors all user operations carried in the traffic between the switch and the database. The deployment structure is shown below:
Deployment Chart of Switch Network Monitoring Mode Auditing System
Database host monitoring mode
An audit access module deployed on the database host monitors all communication between users and the database system, captures every access operation against the database system and forwards it to the audit system for recording.
The greatest advantage of network monitoring mode is that it is independent of the existing database system and places no performance burden on it: even if the audit system fails, the database's normal operation is unaffected. Easy deployment and no risk are its characteristics. However, its deployment principle means that for encrypted protocols network monitoring can only achieve session-level audit (time, source IP, source port, destination IP and destination port) and cannot audit the contents.
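The following added example (written for this page, not Ankki's code) shows exactly what a mirrored-port or TAP feed yields for an encrypted session versus a cleartext one: it parses the Ethernet, IPv4 and TCP headers of a raw frame into the session record (time, client MAC, source IP and port, destination IP and port) and flags whether the payload is readable, recognising a TLS record header or an SSH banner as encrypted. The three frames are constructed here, not captured traffic; for the cleartext MySQL frame the payload could additionally be handed to a protocol parser, for the other two only the session record is recoverable.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


@dataclass
class SessionRecord:
    """What passive monitoring can always recover: the session 5-tuple plus the
    client's MAC, and whether the payload is readable for content audit."""
    ts: float
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload_kind: str         # "plaintext", "tls" or "ssh"
    content_auditable: bool


def classify_payload(payload: bytes) -> str:
    """Recognise two common encrypted wrappers from their first bytes: a TLS record
    (content type 0x16 = handshake, version 0x03xx) or the SSH identification
    banner. Anything else is treated as plaintext."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "plaintext"


def session_from_frame(ts: float, frame: bytes) -> Optional[SessionRecord]:
    """Parse Ethernet/IPv4/TCP headers; return None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
    if frame[23] != IPPROTO_TCP:
        return None
    src_ip = socket.inet_ntoa(frame[26:30])
    dst_ip = socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    doff = (frame[tcp + 12] >> 4) * 4           # TCP data offset in bytes
    payload = frame[tcp + doff:]
    kind = classify_payload(payload)
    return SessionRecord(ts, frame[6:12].hex(":"), src_ip, sport, dst_ip, dport,
                         kind, content_auditable=(kind == "plaintext"))


def build_frame(src_mac: bytes, src_ip: str, sport: int,
                dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for the example (checksums left zero)."""
    eth = b"\x00\x50\x56\x00\x00\x01" + src_mac + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed frames (not real captures): a TLS handshake to PostgreSQL, an SSH
# banner to the database host, and a cleartext MySQL COM_QUERY.
TLS_TO_PG = build_frame(bytes.fromhex("001122334455"), "10.0.5.17", 51234, "10.0.1.10", 5432,
                        bytes.fromhex("160301") + b"\x00\x2a\x01" + b"\x00" * 41)
SSH_TO_HOST = build_frame(bytes.fromhex("001122334455"), "10.0.5.17", 51235, "10.0.1.10", 22,
                          b"SSH-2.0-OpenSSH_9.6\r\n")
MYSQL_CLEAR = build_frame(bytes.fromhex("aabbccddee01"), "10.0.9.8", 40000, "10.0.1.11", 3306,
                          b"\x1a\x00\x00\x00\x03SELECT ssn FROM customers")

if __name__ == "__main__":
    for f in (TLS_TO_PG, SSH_TO_HOST, MYSQL_CLEAR):
        print(session_from_frame(1700000000.0, f))
```

The practical consequence for deployment: where database clients are required to use TLS, the network monitoring modes above can only show who talked to the database and when, and content-level audit has to come from the host monitoring mode or from the database's own logging.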