auditing in the first place), and better supports concepts learned in previous chapters such as segregation of duties. As an example, a database-based audit trail that stores the auditing information within the database under the auspices of the DBA is worthless from a segregation of duties perspective. An independent audit trail is also more likely to be usable by non-DBA personnel, thus allowing work to be offloaded from the DBA and helping those responsible for information security as a whole to do their jobs. Finally, an independent audit trail can be used in tandem with a database audit trail to support environments with stringent security and compliance requirements. In this case the two audit trails can be continuously compared to ensure completeness and that one of the audit trails has not been compromised.
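The continuous comparison of the two trails described above, written out as an added example (not code from the book): it reconciles constructed records from a DBMS-native audit table against constructed records from an independent, network-captured trail and reports the events that appear on only one side. The record layout, field names and time tolerance are assumptions.

```python
from datetime import datetime

# Constructed sample: what a DBMS-native audit table might hold.
DB_AUDIT = [
    {"ts": "2024-01-05T10:00:01", "user": "app", "sql": "SELECT * FROM orders WHERE id = 1"},
    {"ts": "2024-01-05T10:00:03", "user": "app", "sql": "INSERT INTO orders (id, amount) VALUES (2, 50)"},
    # Seen only by the database: a local IPC connection a network tap cannot observe.
    {"ts": "2024-01-05T10:00:09", "user": "dba", "sql": "SELECT count(*) FROM audit_log"},
]

# Constructed sample: the same window as recorded by an independent network-capture trail.
EXT_AUDIT = [
    {"ts": "2024-01-05T10:00:02", "user": "app", "sql": "select  *  from orders where id = 1 ;"},
    {"ts": "2024-01-05T10:00:03", "user": "app", "sql": "insert into orders (id, amount) values (2, 50)"},
    # Present only in the independent trail: the DBMS-side record was scrubbed.
    {"ts": "2024-01-05T10:00:05", "user": "dba", "sql": "DELETE FROM audit_log WHERE user = 'dba'"},
]

def normalize(sql: str) -> str:
    """Canonicalize a statement so the two trails can be compared textually."""
    return " ".join(sql.strip().rstrip(";").split()).lower()

def reconcile(db_trail, ext_trail, tolerance_s=2.0):
    """Match each independent-trail event to one database-trail event with the
    same user and normalized SQL within tolerance_s seconds (assumed clock skew).
    Events left on either side are evidence of incompleteness or tampering on the other."""
    unmatched_db = list(db_trail)
    missing_in_db = []
    for ev in ext_trail:
        key = (ev["user"], normalize(ev["sql"]))
        t = datetime.fromisoformat(ev["ts"])
        match = None
        for cand in unmatched_db:
            skew = abs((datetime.fromisoformat(cand["ts"]) - t).total_seconds())
            if (cand["user"], normalize(cand["sql"])) == key and skew <= tolerance_s:
                match = cand
                break
        if match is None:
            missing_in_db.append(ev)
        else:
            unmatched_db.remove(match)
    return {"missing_in_db": missing_in_db, "missing_in_external": unmatched_db}

if __name__ == "__main__":
    for side, events in reconcile(DB_AUDIT, EXT_AUDIT).items():
        for ev in events:
            print(f"{side}: {ev['ts']} {ev['user']}: {ev['sql']}")
```

A gap on the database side points at a trail the DBA controls, while a gap on the independent side shows a channel that architecture does not cover (here, local IPC), so both lists are worth alerting on.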
13.3 Architectures for external audit systems
Let's look at three methods for creating an external audit trail. The methods
are applicable to all database environments, because the three categories are
architectural and because all databases use networked communications,
interprocess communication, transaction (redo) logs, and so on. The three
architectural categories are the following:
1. Inspection of internal database data structures
2. Inspection of all communications with the database
3. Inspection of elements created by the database in the process of normal operation
Databases have internal data structures that are used to process commands, store results, and so forth. For example, Oracle has a set of internal tables called the X tables that are used for storing SQL and processing it. Backing these tables are a set of memory structures that can be reverse-engineered (and actually have been reverse-engineered by more than one vendor). One method to audit what the database is doing involves inspecting these in-memory data structures. To do this, the auditing system needs to share the same address space as the database, and auditing is based on polling these data structures. This is shown in Figure 13.1 as Auditing System 1.

A permutation of this method is shown as Auditing System 2 in Figure 13.1. In some databases, some of these internal data structures are