Financial Industry Database Security Audit

Database Security Audits

Industry requirements:

Audit content includes: User's addition and deletion, audit function start and close, Audit policy adjustment, permission change, system resources abnormal use, important system operation (such as user login, exit) and so on.

Database open:

Need to open the relevant content of the database audit function, to meet the needs.

	Audit content	SQL Server	Oracle
1	User additions and deletions	To meet	To meet
2	Startup and shutdown of audit functions	To meet	Partial satisfaction (off auditable)
3	Adjustment of audit strategy	To meet	To meet
4	Permission changes	Can partially meet (To meet Login-level permission changes, if you want to refine to the table level, you need to create an audit for each database, and temporarily do not turn on fine-grained auditing)	To meet
5	Abnormal use of system resources	(does not understand the definition, does not open)	(does not understand the definition, does not open)
6	Important system operations (such as user login, exit), etc.	To meet	To meet

• ? SQL Server

SQL Server only the audit of successful and failed logins is turned on and written to the application log.

The following audit behavior collection is basically able to meet the requirements of industry audit guidelines, since there is no bypass audit system, the audit function will occupy the system resources, consume some performance. Can consider first production observation, if there is a problem in time to stop. You can satisfy the created audit write application log and query from Elk to.

SQL Server introduced SQL Server audit (Audit) starting from 2008 to meet fine-grained audit requirements. You can refine to a single table level for specific behaviors, principals, and objects. From user login, log out events, to table creation, insert, and delete. You can select the collection of behaviors you want to audit. SQL Server Auditing (Audit) is based on extended events. When an event is triggered, it is distributed near real-time to the extended event engine, which notifies the scheduler thread pool that it is responsible for writing user-created event sessions from memory cache to files. By default, audit events are written asynchronously to the audit target with minimal performance impact.

	Audit action Type	Describe
1	Audit_chnage_group	This event is raised when any audit is created, modified, or deleted. This event is raised when any audit specification is created, modified, or deleted. Any changes that are made to an audit will be audited in that audit.
2	Failed_login_group	Indicates that the principal attempted to log on to SQL Server but failed. Events in this class are raised by a new connection or by a connection that is reused in the connection pool.
3	Successful_login_group	Indicates that the principal has successfully logged on to SQL Server. Events in this class are raised by a new connection or by a connection that is reused in the connection pool.
4	Logout_group	Indicates that the principal has logged off SQL Server. Events in this class are raised by a new connection or by a connection that is reused in the connection pool.
5	Server_principal_change_group	This event is raised when a server principal is created, changed, or deleted. This event is raised when the principal issues a sp_defaultdb or sp_defaultlanguage stored procedure or ALTER LOGIN statement. This event is raised for sp_addlogin and sp_droplogin stored procedures. This event is raised by sp_grantlogin, sp_revokelogin, or sp_denylogin stored procedures.
6	Server_permission_change_group	This event is raised when a GRANT, REVOKE, or DENY statement is issued in order to obtain server-wide permissions, such as creating a login.
7	Login_change_password_group	This event is raised when a login password is changed by using the ALTER LOGIN statement or the sp_password stored procedure.

• Oracle

Oracle provides an internal audit function that provides standard database activity auditing capabilities, which can be written to pre-configured syslog by parameter audit_syslog_level, which can be crawled by elk to meet industry association requirements, but some functions are missing, Specifically, the following table:

Audit strategy	Can audit	Action Statement
User additions and deletions	Yes	Audit Create user;audit drop user or audit user (all operations on user, including Create,drop,alter
The audit function starts and Shut down	Section can	The opening and closing of the audit function is implemented by an audit of the ALTER SYSTEM statement: Audit alter system; Audit function can be audited when the auditing function is turned on.
Adjustment of audit strategy	Section can	Audit policy tuning is audited by the statement system audit or Permissions audit system, and when system audit is audited, all modifications to the audit policy can be audited, and the policy adjustment cannot be audited when the above statement or permission is not audited, including Audit Audit system itself.
Permission changes	OK	Permission changes are audited by the statement system grant and grant any object privilege

Impact on performance: Oracle audits occur during the statement execution phase, according to Oracle's white paper, Oracle Database auditing:performance guidelines, in a tcp-c equivalent test, the test results are as follows

Visible audit has little effect on performance, and the impact of audit on system performance is required for specific system.

Financial Industry Database Security Audit