Updated: Jul 5
With the frequent occurrence of information leakage incidents, database security products are gradually known to the public. Among database security products, database auditing is probably the most familiar product for users. Without affecting the normal operation of the business system, database audit products can track and audit the operation access behavior of the database, which is also an important reason why most users use it as a standard purchase of database security. This article mainly focuses on what is database audit, the role and principle of database audit and the main characteristics of database audit.
Database auditing refers to reviewing audit logs and transaction logs to track changes in data and database structure. The database can be set up to capture changes in data and metadata, as well as modifications made by the database that stores the information. A typical audit report should include the following: completed database operation, changed data value, person performing the operation, and several other attributes. These audit functions are embedded in all relational database platforms and ensure that the generated record files have high accuracy and completeness, just like the data stored in the database. In addition, the audit trail can also transform a series of statements into reasonable transactions and provide the business environment required for business process forensic analysis.
However, there are some limitations of audit, such as the inability to audit data access statements (often called SELECT statements). In addition, local database audits can hardly capture the original queries and variables recognized by users, and can only record events from a comprehensive perspective, while logs can capture data values before and after changes. This also makes the audit trail more effective in detecting changed content than in detecting accessed content.
When conducting forensic inspections on database activities and status, audits can accurately grasp the nature of events. When checking SELECT statements (which users will use when viewing data), because the local platform lacks the ability to collect these statements, even if this operation is implemented with advanced options, it will cause a great loss in performance. Since there are simple ways to efficiently catalog the SELECT statement (for example, login failure, trying to view the credit information), why do companies choose to add other data collection resources to the local database audit function. In any case, the built-in database audit function can generate core information for transaction authentication and regulatory control.
The role of database audit
Through the bypass deployment, database audit can record the database activities on the network in real time, manage the compliance of database operation with fine-grained audit, and alarm the risk behavior of database. By recording, analyzing and reporting the user's behavior of accessing the database, it is used to help users generate compliance search reports afterwards and trace the source afterwards. At the same time, it strengthens the internal and external database network behavior records and improves the security of data assets.
Principle of database audit
The database audit system comprehensively audit the access behavior of the application system client and DBA to the database, not only audit SQL statements, but also remote access such as FTP, Telnet, etc. The system records the query, delete, add, repair, change and other behaviors and operation results in detail. It can also give real-time early warning and stop the dangerous operation in time, so as to achieve the good and good effect of protecting the database.
Database audit system
The database audit system is a set of system which takes the security incident as the center, takes the comprehensive audit and the accurate audit as the foundation, through the comprehensive management which runs through the security incident processing life cycle as the means, can comprehensively reduce the security risk, comprehensively and accurately record the security event in the audit system.
Main features of database audit
1. Comprehensive database audit
The database audit system can record all kinds of operations of current mainstream databases (Oracle, MSSQL, mysql, PostgreSQL, cache, etc.) in detail and in real time, and present them to customers in the form of reports and database lists.
The contents that can be audited include:
Audit user’ s login and logout of the database
Audit user’ s query, insertion, modification, deletion and creation of database tables.
Monitor the operation of various databases to connect customers
2. Remote server operation audit
The database audit system supports mainstream remote server access operations, including auditing of Telnet, FTP, Rlogin, X11 and other operations, and can record all operations of remote access users throughout the process.
3.Various alarm settings
Users can customize various alarm events and set the categories of alarm events. When the database encounters an attack and the customized alarm strategy is triggered, the system will automatically alarm. At present, the alarm are four levels: high level, high level, medium level and low level.
4. Flexible audit strategy
The database audit system uses audit engine to audit all database activities and remote operations of database server in real-time and dynamic way. According to the information from client (IP, MAC, user name), middle-ware (operation statement) and server (return value and response time) information, the audit system can realize visualization and management of audit.
5. System management
The management console of the database audit system centrally manages the application audit system. Through the management and control platform, the auditors can monitor the various states of the application audit equipment in real time, including the system running status, the consumption of CPU, memory and hard disk.