All about auditing in the Informix Server
Mark Jamison, IBM
Session F08
Agenda
  - Audit Overview
  - Who to Audit
  - What to Audit
  - What to do with Audit Log Files
  - Other Ways to Audit
  - What NOT to do and Why
Audit Overview
IDS Audit is based on EVENTS and USERS.
Configuration file: $INFORMIXDIR/aaodir/adtcfg[.nn]
  ADTMODE 1           # Auditing mode
  ADTPATH /auditlog   # Directory where audit trails will be written
  ADTSIZE 100000      # Maximum size of any single audit trail file
  ADTERR 0            # Error mode
Utilities:
  onaudit       Change/view audit configuration; create/modify audit masks
  onshowaudit   Show audit log data
Audit Tasks and Roles
Audit is based on events, detailed in Appendix A of the Security Guide.
There are lots of events; masks help manage them.
DBSSO (Database System Security Officer)
  - Defines/maintains audit masks (onaudit)
  - The group of dbssodir defines the role; default is informix
AAO (Audit Analysis Officer)
  - Turns auditing on and off
  - Sets up and maintains the audit configuration
  - Reads and analyzes audit-trail data (onshowaudit)
  - The group of aaodir defines the role; default is informix
Audit Configuration
$INFORMIXDIR/aaodir/adtcfg file:
  ADTMODE 1           # Auditing mode
  ADTPATH /auditlog   # Directory where audit logs will be written
  ADTSIZE 100000      # Maximum size of any single audit trail file
  ADTERR 0
  ADTROWS 0           # Row-level audit mode
If you make a change using onaudit, the new file will be adtcfg.nn, where nn is the SERVERNUM from ONCONFIG.
On server startup, the server looks for adtcfg.nn first, so the changes you make persist.
Multiple IDS instances running from the same INFORMIXDIR each have their own audit configuration.
Make sure that ADTPATH is secure: no world access.
Show the current audit configuration: onaudit -c
ADTMODE
  0 = auditing disabled
  1 = auditing on
  3 = auditing on; audits all DBSSO actions
  5 = auditing on; audits all DBSA actions
  7 = auditing on; audits all DBSSO and DBSA actions
In 11.x, OS auditing (ADTMODE 2, 4, 6, 8) is no longer supported.
When DBSSO and/or DBSA actions are being audited, ALL their events are audited; masks do NOT apply, i.e. events in the _exclude mask are still audited.
If <user> is a DBSA, the <user> mask is ignored.
Audit Log Files
Audit log files are named DBSERVERNAME.nn, with DBSERVERNAME taken from ONCONFIG.
When the file reaches ADTSIZE, the next log file is created (nn+1). If that file already exists, the number is skipped; this process is repeated until an unused name is found. Audit will NOT write on top of existing files.
When the server is restarted, it will always try to start with file.0. If you have existing audit log files, they will all be skipped and you will be back where you left off.
HOWEVER: if you remove old audit log files, IDS will start at 0. It doesn't do any good to leave the last file when you clean up.
Audit log files should be backed up. They compress easily.
Who to Audit
All DBSA actions should probably be audited (ADTMODE 5 or 7). This means that the DBSA should not be accessing the data.
All DBSSO actions should probably be audited (ADTMODE 3 or 7).
Users with special access:
  - _default audit mask
  - _rolename audit mask
Audit Masks
Only the DBSSO can make audit masks.
Template mask names start with the _ (underscore) character and are up to 8 characters long.
  onaudit -a -u _dbuser -e CRTB,ALTB,DRTB
There are 3 defined global masks: _default, _require, _exclude.
They must be created to have values; by default they are empty.
Display existing audit masks: onaudit -o
Audit USER Masks
After you make template masks you can use them to make individual user masks.
A user uses their named audit mask; if it doesn't exist, _default is used.
  onaudit -a -u user -r basemask -e [+-]CRTB,ALTB,DRTB
  Fevent   = only FAILED events
  Sevent   = only SUCCESSFUL events
  event    = Fevent + Sevent
  [+]event adds the event; -event removes the event
The audit mask used for a session is calculated at the beginning of the session:
  (user or _default) + _require - _exclude
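How the session mask on this slide and the previous one is derived, as an added example (not from the deck or from IBM): the mask contents are constructed, the mnemonics and the F/S and +/- syntax are the ones shown above, and the DBSA rule is the ADTMODE 5/7 behaviour from the ADTMODE slide.

```python
# Added example (not from the deck): how an IDS session's effective audit
# mask is derived, (user or _default) + _require - _exclude, with the
# F/S outcome prefixes and the +/- edit syntax from the onaudit slides.
# Mask contents below are constructed; the mnemonics are the deck's.

# Each entry lists events in onaudit -e syntax: "CRTB" covers both outcomes,
# "FRDRW" only failed row reads, "SRDRW" only successful ones.
MASKS = {
    "_default": ["CRDB", "RDRW"],
    "_require": ["DRTB"],        # always audit table drops
    "_exclude": ["SRDRW"],       # never audit successful row reads (high volume)
    "alice":    ["CRTB", "ALTB", "DRTB"],
}

def expand(events):
    """Map mnemonics to (mnemonic, outcome) pairs; outcome is 'F' or 'S'."""
    pairs = set()
    for ev in events:
        if len(ev) == 5 and ev[0] in "FS":      # outcome-specific form
            pairs.add((ev[1:], ev[0]))
        else:                                   # event = Fevent + Sevent
            pairs.update({(ev, "F"), (ev, "S")})
    return pairs

def apply_edits(base_events, edits):
    """Apply an onaudit -e list to a base mask: '+EV'/'EV' adds, '-EV' removes."""
    pairs = expand(base_events)
    for ed in edits:
        if ed.startswith("-"):
            pairs -= expand([ed[1:]])
        else:
            pairs |= expand([ed.lstrip("+")])
    return to_mnemonics(pairs)

def to_mnemonics(pairs):
    """Collapse pairs back to onaudit syntax, sorted for stable comparison."""
    by_event = {}
    for ev, outcome in pairs:
        by_event.setdefault(ev, set()).add(outcome)
    return sorted(ev if o == {"F", "S"} else next(iter(o)) + ev
                  for ev, o in by_event.items())

def session_mask(user, is_dbsa=False, adtmode=1, masks=MASKS):
    """Events audited for a session; DBSAs are fully audited under ADTMODE 5/7."""
    if is_dbsa and adtmode in (5, 7):
        return "ALL"                            # masks, including _exclude, are ignored
    base = masks.get(user) or masks.get("_default", [])
    pairs = expand(base) | expand(masks.get("_require", []))
    pairs -= expand(masks.get("_exclude", []))
    return to_mnemonics(pairs)
```

A user without a named mask falls back to _default, so with these masks "bob" keeps only failed row reads (FRDRW) while still getting the _require table drops.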
What to Audit
Which events are audited is controlled by audit masks.
If you were to enable ALL the audit events, in normal operation 98%+ of events are going to be the row-level mnemonics RDRW, INRW, UPRW, DLRW.
Overhead for the vast number of events is small.
You should audit the events you consider important.
ADTROWS
Configuration parameter to control selective row-level auditing of tables:
  0  audit row-level events on all tables
  1  allow control of which tables are audited; row-level events DLRW, INRW, RDRW and UPRW are audited only on tables for which the AUDIT flag is set
  2  turn on selective row-level auditing and also include the primary key in audit records
For row-level audit control, AUDIT must be enabled on the table:
  CREATE TABLE ... WITH AUDIT
  ALTER TABLE ... ADD AUDIT
  ALTER TABLE ... DROP AUDIT
What to do with the Audit Log Files
Audit log files should be written to a secure directory; only the DBAAO needs access.
Audit log files should be backed up promptly. They are an excellent candidate for compression.
The audit subsystem creates an event when a new log file is used. This allows immediate action on the previous file.
Details about the Audit Trail Switch event alarm:
  Class ID: 72
  Severity: 3
  Class message: Audit trail is switched to a new file
  Message: This message displays when the database server switches to a new audit trail file.
See the event alarms documentation in the IBM Informix Dynamic Server Administrator's Reference.
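The file-naming rule from the Audit Log Files slide and the "act on the previous file" idea from this slide, as an added example (not from the deck or from IBM): file names and contents are constructed, and the order of the alarm-program arguments (severity first, class ID second) is an assumption to check against your Administrator's Reference.

```python
# Added example (not from the deck): the audit-log naming rule from the
# Audit Log Files slide and a cleanup routine that can be run from the
# class 72 "audit trail is switched" alarm. Paths are constructed; the
# ALARMPROGRAM argument order (severity, class id, ...) is an assumption.
import gzip
import os
import re
import shutil

def next_audit_file(adtpath, servername):
    """Name IDS uses next: DBSERVERNAME.nn, starting at 0 and skipping
    any number whose file already exists (it never overwrites)."""
    nn = 0
    while os.path.exists(os.path.join(adtpath, f"{servername}.{nn}")):
        nn += 1
    return f"{servername}.{nn}"

def audit_files(adtpath, servername):
    """Audit log files for this server in ADTPATH, in numeric order."""
    pat = re.compile(re.escape(servername) + r"\.(\d+)")
    hits = [(int(m.group(1)), m.group(0))
            for m in map(pat.fullmatch, os.listdir(adtpath)) if m]
    return [name for _, name in sorted(hits)]

def archive_audit_files(adtpath, servername, backup_dir, keep_active=True):
    """gzip audit files into backup_dir and remove the originals.
    keep_active=True leaves the highest-numbered (still open) file alone,
    for use while the server runs; keep_active=False is for cleanup with
    the server down, so the next start resumes at DBSERVERNAME.0."""
    names = audit_files(adtpath, servername)
    if keep_active:
        names = names[:-1]
    os.makedirs(backup_dir, exist_ok=True)
    for name in names:
        src = os.path.join(adtpath, name)
        dst = os.path.join(backup_dir, name + ".gz")
        with open(src, "rb") as f_in, gzip.open(dst, "wb") as f_out:
            shutil.copyfileobj(f_in, f_out)
        os.remove(src)
    return names

def on_alarm(argv, adtpath, servername, backup_dir):
    """Alarm handler: argv[1] severity, argv[2] class ID (assumed order).
    Only class 72 (audit trail switched) triggers archiving."""
    if len(argv) > 2 and argv[2] == "72":
        return archive_audit_files(adtpath, servername, backup_dir)
    return []
```

Note that once the older files are gone, next_audit_file() reports DBSERVERNAME.0 again even though the active file is still present, which is the slide's point about leaving the last file behind.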
Audit Analysis - onshowaudit
Only the AAO can run onshowaudit.
The onshowaudit utility lets you extract information from an audit trail. You can direct this utility to extract information for a particular user or database server or both. This information enables you to isolate a particular subset of data from a potentially large audit trail.
The records are formatted for output. By default, onshowaudit displays the extracted information on stdout. You can redirect the formatted output to a file or pipe.
You can specify that onshowaudit reformat the output so you can load it into an Informix database table: onshowaudit -l
Audit Analysis - onshowaudit
By default, onshowaudit looks in $INFORMIXDIR/aaodir/adtcfg to find the location (ADTPATH) of the audit log files.
Caution: if you have made changes to the audit configuration using onaudit, or if you have multiple server instances in the same INFORMIXDIR, this is probably NOT what you want. If you want the ADTPATH from adtcfg.<nn>: onshowaudit -n <nn>
It also expects that ONCONFIG is set so it can find DBSERVERNAME, i.e. the audit log file base name. If you have audit log files from multiple servers in the same directory: onshowaudit -s <servername>
onshowaudit cont.
To see all the audit records for a particular user: onshowaudit -u username
If you have more than one server with audit files in the same directory: onshowaudit -s server
To look at the contents of a particular file: onshowaudit -f filename
Auditing in Clusters
IDS 11 introduced the concept of Shared Disk Servers (SDS). Audit was enabled in this configuration in 11.50.xC6.
Some differences:
  - Audit masks need only be created at the primary (or writable SDS).
  - Audit configuration is independent for each node: onaudit -p, -l, -e and -n affect only one server. Use separate servernum adtcfg.nn files; a single adtcfg can be used.
  - Actions are audited on the server where they actually occur. E.g. if a writable secondary executes an INSERT INTO, this is actually executed by a proxy thread on the primary, so the INRW audit record is in the primary server's audit log file. Username and host name show the actual client information.
Strategies for Audit Analysis
Event failure: the audit record could indicate that a user is attempting to access sensitive data for which they do not have the correct privileges.
Particular events: creating and dropping databases could be an effort to copy sensitive data to an unprotected location. The database creator, as DBA, can grant access to anyone.
Insider attack: careful auditing might point out an attack in progress or provide evidence that a specific individual accessed the disclosed information.
Browsing: users who search through stored data to locate or acquire information without a legitimate need are browsing.
Other ways to Audit - Guardium
Guardium provides the most widely-used solution for ensuring the integrity of corporate information and preventing information leaks from the data center. The enterprise security platform prevents unauthorized or suspicious activities by privileged insiders, potential hackers, and end-users of enterprise applications such as PeopleSoft, SAP, Business Intelligence, and in-house systems. At the same time, the Guardium solution optimizes operational efficiency with a scalable, multi-tier architecture that automates and centralizes compliance controls across your entire application and database infrastructure.
Guardium
Guardium creates a continuous, fine-grained audit trail of all database activities, including the who, what, when, where, and how of each transaction. The Guardium solution contextually analyzes and filters this audit stream in real-time to provide proactive controls and deliver the specific information required by auditors.
www.guardium.com
Some alternatives to Audit that don't work
  - Stored procedures with recording: easy to bypass, especially on read.
  - Select triggers: easy to evade.
IDS Security Guide
Read and follow the IDS Security Guide: http://www-01.ibm.com/support/knowledgec
Questions?