1. The main repository where the audit information resides while it is being collected and used
2. Archive files within the auditing server
3. Archive files in transit
4. Archived files at the storage location
An auditing system will usually store the collected audit information in a database. This database must be secured from external access, needs to be hardened, and needs to be viewed as a single-user database used by the auditing system only. If it is not, then it creates another point of vulnerability, and you will need to address the issue of security and auditing for the audit database. In order to not get into this infinite loop scenario, ready-made audit systems have been designed to make this internal data store inherently secure. This is usually done by blocking access to the database from anything apart from the auditing system and by enforcing strict security policies on this internal database.
Archiving of audit trail data is normally a two-step process. First, data is extracted to a set of files on the local disk and purged from the auditing database. This data is then encrypted and digitally signed (see Appendix 13.A for a brief overview of PGP and GPG, both of which are often used in such scenarios). You need to encrypt the data because, once it is offloaded to an external storage area, you will often lose control over who has access to these files. Encrypt these files to make them useless to any system other than the auditing system (which can restore the files, decrypt them, and make the information available for the auditing system). You should also ensure that the files are digitally signed by the auditing system, allowing you to prove that the files were created by the auditing system, when they were created, and for which database environment. This is all important in case of an investigation and in other scenarios where you need to prove the correctness of your data and results.
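The sealing half of the archive step above, as an added example that is not code from the book: it binds the extracted archive's hash to who created it, when, and for which database environment, and verifies that binding later. It assumes a keyed HMAC held by the auditing server in place of the PGP/GPG signature the text describes (the encryption step is omitted, since the standard library has no PGP or AES); the records, key and environment name are constructed sample values.

```python
# Added example: seal an extracted audit-trail archive so its origin, creation
# time and source database environment can be verified later. An HMAC keyed by
# the auditing server stands in for the PGP/GPG signature described in the text;
# the encryption of the archive is out of scope here (no PGP/AES in the stdlib).
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample: records extracted from (and purged out of) the audit database.
SAMPLE_RECORDS = [
    {"ts": "2024-01-05T10:15:00Z", "user": "app_user", "stmt": "SELECT * FROM orders"},
    {"ts": "2024-01-05T10:16:12Z", "user": "dba", "stmt": "ALTER TABLE orders ADD col1 INT"},
]

# Signing key that only the auditing server holds (constructed value, not a real key).
SIGNING_KEY = b"auditing-server-secret-key-example"


def build_archive(records):
    """Step 1: serialize the extracted records into the bytes of the archive file."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records).encode()


def seal_archive(archive_bytes, db_environment, key, created_at=None):
    """Step 2 (signing): produce a signed manifest tying the archive hash to its origin metadata."""
    created_at = created_at or datetime.now(timezone.utc).isoformat()
    manifest = {
        "created_by": "auditing-server",       # who produced the archive
        "created_at": created_at,              # when it was produced
        "db_environment": db_environment,      # which monitored database it came from
        "sha256": hashlib.sha256(archive_bytes).hexdigest(),
        "size": len(archive_bytes),
    }
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": tag}


def verify_archive(archive_bytes, sealed, key):
    """Return True only if the manifest signature and the archive hash both check out."""
    body = json.dumps(sealed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["signature"]):
        return False  # manifest altered, or not produced with the auditing server's key
    digest = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(digest, sealed["manifest"]["sha256"])
```

Any change to the archive bytes, to a manifest field such as `db_environment`, or a check with a different key makes `verify_archive` return False, which is exactly what an investigator needs to rely on when restoring files from long-term storage.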
Because your archive files are encrypted and signed on the auditing server, the security of the files in transit and in storage should not be a concern in terms of someone intercepting the files and using them. However, because regulations and your internal policies may require you to ensure that the data is available for a certain period of time, you do have to ensure that your solution gets the archived files to the right storage location and that they will be there when you need them, many years from the time they were created. This involves a secure copy that gets an acknowledgment when the files are in