Database Security Audit

Get your smart contracts audited and certified by leading smart contract security experts. Our smart contract audit services cover functionality, vulnerabilities, and gas efficiency. Talk to a consultant now to get started.

By cypher shield. Published 2 years ago. 8 min read.

With the rapid development of the Internet, the business and public safety data that enterprises generate in databases through their applications have become the most valuable assets of enterprises and institutions. To prevent this sensitive data from being illegally obtained by competitors or hackers for illegitimate gain, companies usually protect it strictly in various ways.

However, according to statistics from Star Regal Software, most important and sensitive enterprise data is stored in databases, and more than 90% of sensitive information leakage comes from the database. The leaked information is mainly personal information, including user names, user passwords, email addresses, phone numbers, bank account numbers, and personal property information. The main methods of data leakage include abuse by outsourcers, theft by former employees, abuse by managers, misuse by users, theft by insiders, and theft by hackers. This shows that enterprise database protection is not as complete as imagined and faces a variety of security risks.

A database security audit system keeps a complete record of data access operations, so that after a security violation responsibility can be traced and causes analyzed, and evidence can be provided for punishing malicious attacks if necessary. This imposes a basic requirement on database security audit products: complete records.

Regulatory controls play a key role in areas such as business changes, business process validation, system failures, and human violations. Because the database is the core of each asset or business, database auditing is very important in various standards and regulations.

The Sarbanes-Oxley Act emphasizes strengthening the internal control of IT systems related to financial statements. Among them, the internal control of IT systems is closely related to the core of information security audit.

The new Basel II capital agreement requires global banks to do a good job in risk management, and the prevention of this “financial operation risk” is based on business information security audits.

The “Specific Specifications for Enterprise Internal Control” clearly requires that computer information systems take audit measures such as the distribution of power and responsibility, the division of responsibilities, and the establishment of access security policies, in order to strengthen the reliability, stability, and security of the information system and the integrity and accuracy of its data.

“Database Management Technical Requirements for Graded Protection”, Chapter 4 “Database Management System Security Technical Requirements”, section 4 “Database Security Audit” clearly states that the security audit of a database management system should: establish an independent security audit system; define audit events related to database security; appoint dedicated security auditors; set up security audit libraries used specifically to store the audit data of database systems; and provide tools for configuring, analyzing, and reviewing the security audit of database systems.

“ISO15408–2 Security Functional Requirements” clearly requires that database security audits include the identification, recording, storage, and analysis of information related to security-related activities (that is, activities controlled by the TSP); inspection of the audit records can be used to determine which security-related activities occurred and which user is responsible for them.

Main features

1. Comprehensive database audit

The database audit system keeps detailed, real-time records of the various operations on current mainstream databases (ORACLE, MSSQL, MYSQL, POSTGRESQL, Caché, …) and presents them to customers in the form of reports and database lists!

Content that can be audited includes:

Audit user login and logout to the database

Audit users’ queries, insertions, modifications, deletions, creations to database tables…

Ability to monitor the operations of connected clients of various databases

Supported database types include: ORACLE, DB2, INFORMIX, SYBASE, MSSQL Server, MYSQL, POSTGRESQL, Caché

2. Remote server operation audit

The database audit system supports mainstream remote server access operations, including auditing of operations such as Telnet, FTP, Rlogin, and X11, and can record various operations of remote access users throughout the process.

3. Rich alarm settings

Users can customize various alarm events and set the category of each alarm event. When an attack on the database triggers a customized alarm policy, the system automatically issues an alarm! Currently, the alarms are divided into four levels: high, high, medium, and low.

4. Flexible audit strategy

The database auditing system uses the auditing engine to conduct real-time and dynamic auditing of all database activities and of remote operations on the database server. Policies can be customized based on information such as return value, response time…, so that auditing becomes visible and manageable.

5. System management

The management console of the database audit system centrally manages the application audit system, and auditors can monitor various states of the application audit equipment in real time through the control platform, including:

System running status, CPU, memory, hard disk consumption, etc.

Various log information about the operation of the system itself.

Advantage

The database audit system collects audit data completely independently through the network, which keeps the work of the database maintenance or development team properly separated from that of the security audit team. Moreover, the audit work does not affect the performance, stability, or day-to-day management processes of the database. The audit results are stored independently in the storage space of the Ankki database security audit system, which prevents privileged database users or malicious intruders on the database server from interfering with the fairness of the audit information.

1. Full follow-up and fine-grained audit

Comprehensiveness: Track and locate operations at various levels such as the business layer, application layer, and database, including database SQL execution, database return values, etc.;

Fine-grained: fine-grained audit strategy accurate to table, object, and record content to achieve fine-grained monitoring of sensitive information;

Independence: Based on the working mode of independent monitoring and auditing, the separation of database management and auditing is realized, and the authenticity, integrity and fairness of auditing results are guaranteed.

2. Separation of permissions

The database audit system is set up with separation of rights and roles. For example, the system administrator is responsible for the operation settings of the device; the auditor is responsible for viewing relevant audit records and rule violations; the log operator is responsible for viewing the operation log of the overall device and the modification of the rules.

3. Accurate location of events

Traditional database audit positioning is often limited to IP addresses and MAC addresses, which are often unreliable. The Ankki database audit system can perform correlation analysis on IP, MAC, user name, server, etc., so as to trace an event to a specific person.

4. Unique report function

(1) Compliance report

The database audit system outputs different types of reports according to compliance requirements. For example, for the third-level requirements of graded protection, it can output a report showing the degree to which the related graded-protection items are satisfied.

(2) Strategy customized report

Policy rules can be customized around the main issues the auditor is concerned with, and the resulting reports let auditors quickly obtain the audit information they need.

(3) Complete self-security

The database audit system comprehensively ensures the high availability of the device itself, mainly including: hardware-level security redundancy, system-level anti-attack strategies, and alarm measures.

User management: manage the permissions of the various users and track users' operations on the audit equipment.

Deployment method

In order not to affect the performance and operation of the database system at all, the database audit system supports bypass monitoring modes, which can be divided into core switch network monitoring mode, network bridge mode, and monitoring mode implemented on the database system host.

1. Switch network monitoring mode

By setting the port mirroring mode on the core switch or adopting the TAP distribution monitoring mode, the security audit engine can monitor all the operations of all users communicating with the database through the switch.

2. Database system host network monitoring mode

By deploying a network monitoring audit access module on the database system host, the module can monitor all communications between users and the database system, capture all access operations on the database system, and send them to the audit system, where they are recorded.

The biggest advantage of the network monitoring mode is that it is independent of the existing database system. The deployment process places no performance burden on the database system, and even if the database audit system fails, the normal operation of the database system is not affected. It is characterized by easy deployment and no risk. However, its implementation principle means that, for encrypted protocols, network monitoring can only achieve session-level auditing (that is, it can audit information such as time, source IP, source port, destination IP, and destination port) and cannot audit the content.
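
An added example, not part of the original article or of any product's code: a minimal Python sketch of fine-grained policy matching on operation and table with alarm levels, and of the fallback to session-level records when the protocol payload is encrypted. The rule format, field names, and sample sessions are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical fine-grained rules: (operation, table) -> alarm level.
RULES = {("DELETE", "accounts"): "high",
         ("UPDATE", "accounts"): "medium",
         ("SELECT", "accounts"): "low"}

# Minimal classifier: statement verb plus the first table it names.
# Subqueries and joins are ignored; a real engine needs a SQL parser.
_SQL = re.compile(
    r"^\s*(?:(SELECT|DELETE)\b.*?\bFROM|(INSERT)\s+INTO|(UPDATE))\s+([A-Za-z_][\w.]*)",
    re.IGNORECASE | re.DOTALL)

@dataclass
class Session:
    """One observed session, as a sensor on mirrored traffic might report it."""
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    sql: Optional[str] = None  # None when the protocol payload is encrypted

def audit(s: Session) -> dict:
    """Build an audit record; content rules apply only if SQL was visible."""
    rec = {"time": s.time, "src": f"{s.src_ip}:{s.src_port}",
           "dst": f"{s.dst_ip}:{s.dst_port}"}
    if s.sql is None:
        # Encrypted: only the session tuple is known, so no rule can match.
        rec.update(level="session", alarm=None)
        return rec
    m = _SQL.match(s.sql)
    op = table = None
    if m:
        op = (m.group(1) or m.group(2) or m.group(3)).upper()
        table = m.group(4).lower()
    rec.update(level="content", op=op, table=table,
               alarm=RULES.get((op, table)))
    return rec

# Constructed sample sessions (documentation address ranges).
CLEAR = Session("2024-01-01T10:00:00Z", "192.0.2.10", 50122,
                "198.51.100.5", 3306, "DELETE FROM accounts WHERE id = 7")
ENCRYPTED = Session("2024-01-01T10:00:05Z", "192.0.2.10", 50123,
                    "198.51.100.5", 3306)

if __name__ == "__main__":
    for s in (CLEAR, ENCRYPTED):
        print(audit(s))
```

The encrypted session yields a record with only time and endpoints, which is why a sensitive-table rule that fires on the cleartext session stays silent on the encrypted one.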
