Figure 12.4 Viewing client source information (client IP and source application) in raw form and in business terms.
12.3 Audit database usage outside normal operating hours
Another topic that is related to the audit of database login is an audit of activities being performed outside of normal business hours. This is an intuitive requirement and one that is often required from a business and a compliance standpoint.
The intuitive requirement of auditing database usage outside of normal operating hours is needed because activities performed during off-hours are often suspect and may be the result of an unauthorized user trying to access or modify data. Of course, a good hacker will usually try to breach the database during a “camouflaged” period: it is far better to try when there is a lot of “noise” that serves as a diversion. However, less sophisticated misuse does often occur at night or early in the morning, and many people do watch a lot of movies that have people sneaking around the office at night doing inappropriate things.
When you audit off-hours activity, it is usually not enough to track only logins and logouts that occur off-hours. You will generally also want to capture what activities are performed—usually at a SQL level. If such logins are suspect, then it is important to capture what they were used to do within the database. Having a full audit trail of all activities that were performed by any user outside of normal operating hours is therefore often a good category to implement and will satisfy many regulatory and internal compliance requirements.
Although intuitively an off-hours audit trail makes a lot of sense, at a technical level you must be clear on the definition, because most database environments work 24-by-7, and you don't want to start generating tons of false alarms whenever an ETL script performs massive data uploads outside normal operating hours. Therefore, the key to a good implementation of
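The off-hours check described above, as an added example that is not from the book: it runs over constructed audit records, captures the SQL text of each flagged event, and carries an approved ETL window so that a scheduled batch load is not reported while the same account using an ad-hoc tool outside that tool is. The operating hours, account names, source applications and log format are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit records (hypothetical): timestamp|login|source app|SQL text.
SAMPLE_AUDIT_LOG = [
    "2024-03-04T10:15:00|alice|SAP_GUI|SELECT * FROM orders WHERE id = 42",
    "2024-03-04T23:40:00|bob|sqlplus|UPDATE salaries SET amount = amount * 2 WHERE emp_id = 7",
    "2024-03-05T02:00:00|etl_svc|Informatica|INSERT INTO dw_sales SELECT * FROM staging_sales",
    "2024-03-05T02:30:00|etl_svc|sqlplus|DELETE FROM audit_trail",
    "2024-03-09T11:00:00|carol|TOAD|SELECT * FROM customers",
]

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed operating hours
BUSINESS_DAYS = {0, 1, 2, 3, 4}                          # Monday..Friday

# Approved off-hours batch jobs: (login, source application, window start, window end).
# Matching on account *and* tool means an ETL password reused from an ad-hoc client is still flagged.
ETL_WINDOWS = [("etl_svc", "Informatica", time(1, 0), time(4, 0))]


@dataclass
class AuditEvent:
    ts: datetime
    login: str
    app: str
    sql: str


def parse_audit_line(line: str) -> AuditEvent:
    ts, login, app, sql = line.split("|", 3)
    return AuditEvent(datetime.fromisoformat(ts), login, app, sql)


def is_off_hours(ts: datetime) -> bool:
    # Weekends count as off-hours in full; weekdays only outside the business window.
    return ts.weekday() not in BUSINESS_DAYS or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_scheduled_batch(ev: AuditEvent) -> bool:
    return any(ev.login == login and ev.app == app and start <= ev.ts.time() < end
               for login, app, start, end in ETL_WINDOWS)


def flag_off_hours_activity(lines):
    """Return off-hours events that are not an approved batch job, SQL text included."""
    flagged = []
    for line in lines:
        ev = parse_audit_line(line)
        if is_off_hours(ev.ts) and not is_scheduled_batch(ev):
            flagged.append(ev)
    return flagged
```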