Figure 12.3 Viewing database information (IP and application type) in raw form and in business terms.

this information at a SQL call level. In addition to knowing that a user connected using Excel rather than the SAP system, you may also need to know whether a certain update was performed from an Excel spreadsheet as opposed to the SAP system. Therefore, the source program is often data that you should collect per query and per database operation that you want to keep in the audit trail, especially if the IP address uniquely identifies a user. If your architecture is based on client/server, then the source IP address often identifies a unique user (a person). In this case, tracking and reporting on the IP address per SQL call is as good as reporting on which end user did what operation and looked at what data—a valuable audit trail. If, on the other hand, you use an application server architecture, then the IP address will not help you identify and report on the end user and you will have to resort to techniques learned in Chapter 6.

Another decision that you may need to make when auditing and presenting audit information has to do with whether you present raw data or whether you present it as data that is easier to consume. For example, the left side of Figure 12.3 shows which source programs are used to access the SQL Server running on 155.212.221.84. This information is useful to people who know the environment intimately. The report on the right side of Figure 12.3 is meaningful to more people, who don't care about the IP address but know what the HR database is, and people who don't know what Aqua Data Studio is but understand the risks associated with a developer tool logged into the production HR database.

The issue of data abstraction is not only related to auditing the client source of database usage. It is a general topic relevant to all audits that are discussed in this chapter. However, as Figure 12.4 shows, it is especially important in source identification, where IP addresses may not be meaningful but where hostnames or even labels attached to nodes are informative.
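
The abstraction step described above can be implemented as a lookup over per-SQL-call audit records. The following is an added example, not taken from the book: the lookup tables, client addresses, program strings and SQL text are constructed, and pairing 155.212.221.84 with the "HR database" label is an assumption based on the figure description.

```python
from collections import Counter

# Constructed lookup tables (assumptions, maintained by whoever owns the audit reports).
SERVER_LABELS = {"155.212.221.84": ("HR database", "production")}
PROGRAM_CLASSES = {
    "aqua data studio": "developer tool",
    "microsoft excel": "desktop spreadsheet",
    "sap": "business application",
}

# Constructed per-SQL-call audit records: one row per database operation.
AUDIT_RECORDS = [
    {"client_ip": "192.0.2.17", "server_ip": "155.212.221.84",
     "source_program": "Aqua Data Studio", "sql": "SELECT * FROM employees"},
    {"client_ip": "192.0.2.23", "server_ip": "155.212.221.84",
     "source_program": "Microsoft Excel", "sql": "UPDATE salaries SET amount = 1"},
    {"client_ip": "192.0.2.40", "server_ip": "155.212.221.84",
     "source_program": "SAP", "sql": "UPDATE salaries SET amount = 2"},
    {"client_ip": "192.0.2.23", "server_ip": "198.51.100.9",
     "source_program": "unknown.exe", "sql": "SELECT 1"},
]

def to_business_terms(rec):
    """Add business labels; unmapped values keep their raw form so nothing is hidden."""
    database, env = SERVER_LABELS.get(rec["server_ip"], (rec["server_ip"], "unlabeled"))
    program = rec["source_program"].strip().lower()
    return {**rec, "database": database, "environment": env,
            "program_class": PROGRAM_CLASSES.get(program, "unclassified program")}

def business_report(records):
    """Count SQL calls per (database, program class): the right-hand style of report."""
    return dict(Counter((r["database"], r["program_class"])
                        for r in map(to_business_terms, records)))

def calls_needing_review(records, expected=("business application",)):
    """Production calls whose source program is not an expected application."""
    return [r for r in map(to_business_terms, records)
            if r["environment"] == "production" and r["program_class"] not in expected]

if __name__ == "__main__":
    for key, n in sorted(business_report(AUDIT_RECORDS).items()):
        print(key, n)
    for r in calls_needing_review(AUDIT_RECORDS):
        print("REVIEW:", r["client_ip"], r["source_program"], "->", r["database"], "|", r["sql"])
```

Because the raw fields are kept alongside the labels, the same records can feed both the raw and the business-terms report.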