High security of openGauss - database audit

database audit

⚫ The audit log records users' operations on the database, such as start and stop, connection, DDL, DML and DCL statements. The audit-log mechanism mainly strengthens the database system's ability to trace illegal operations back to their source and to provide evidence of them.

⚫ Users can configure which statements or operations are recorded in the audit log through parameters.

⚫ Each audit record captures the time, type, execution result, user name, database, connection information, database object, database instance name and port number, and the details of the event. Audit logs can be queried by start and end time and filtered on any of the recorded fields.

⚫ Database security administrators can use this log information to reconstruct the series of events that led to the database's current state, and to identify the user, time and content of any illegal operation.



Unified Audit Mechanism

⚫ In addition to the audit functions above, openGauss supports a unified audit mechanism. Unified auditing achieves efficient security-audit management through customized audit policies: after an administrator defines the audit objects and audit behaviors, any task a user performs that is associated with a matching audit policy triggers the corresponding audit behavior and writes an audit record. Customized audit policies can cover common user-management activities as well as DDL and DML behaviors, which meets day-to-day audit requirements.

⚫ Unified auditing uses policies and conditions to audit selectively within the database. Administrators can configure audit policies uniformly for database resources or resource labels, which simplifies management, generates audit logs in a targeted way, reduces audit-log redundancy and improves management efficiency.

⚫ Administrators can customize audit policies for operation behaviors or for database resources, so that specific user scenarios, user behaviors or database resources are audited. Once unified auditing is enabled, when a user accesses the database the system first matches the applicable unified audit policy against the user's identity information (access IP, client tool and user name), and then, according to that policy, audits the user's behavior based on the resource accessed (its LABEL) and the type of operation performed (DML or DDL).

⚫ The purpose of unified auditing is to turn traditional blanket auditing into targeted, tracked auditing: behaviors outside the target are excluded from auditing, which simplifies management and improves the security value of the audit data the database produces.



Create a unified audit policy

⚫ Only users with the poladmin or sysadmin attribute, or the initial user, can create a unified audit policy. In addition, the security policy switch must be on, that is, the GUC parameter enable_security_policy=on must be set, for the policy to take effect.

CREATE AUDIT POLICY [ IF NOT EXISTS ] policy_name { { privilege_audit_clause | access_audit_clause } [ filter_group_clause ] [ ENABLE | DISABLE ] };

• privilege_audit_clause: PRIVILEGES { DDL | ALL } [ ON LABEL ( resource_label_name [, ... ] ) ]

• access_audit_clause: ACCESS { DML | ALL } [ ON LABEL ( resource_label_name [, ... ] ) ]

• filter_group_clause: FILTER ON { ( FILTER_TYPE ( filter_value [, ... ] ) ) [, ... ] }



Create Unified Audit Policy Example

⚫ Step 1: Create dev_audit and bob_audit users.

CREATE USER dev_audit PASSWORD 'dev@1234';

CREATE USER bob_audit PASSWORD 'bob@1234';

⚫ Step 2: Create table tb_for_audit.

CREATE TABLE tb_for_audit(col1 text, col2 text, col3 text);

⚫ Step 3: Create a resource label for the table.

CREATE RESOURCE LABEL adt_lb0 ADD TABLE(tb_for_audit);

⚫ Step 4: Create an audit policy that audits SELECT access anywhere in the database (no resource label and no filter, so every user and every resource is covered).

CREATE AUDIT POLICY adt2 ACCESS SELECT;

⚫ Step 5: Create an audit policy that audits only CREATE operations on the adt_lb0 resource, and only when they are performed by the users dev_audit or bob_audit.

CREATE AUDIT POLICY adt3 PRIVILEGES CREATE ON LABEL(adt_lb0) FILTER ON ROLES(dev_audit, bob_audit);

⚫ Step 6: Create an audit policy that audits SELECT and INSERT on the adt_lb0 resource, and DELETE anywhere in the database, but only for the users dev_audit and bob_audit, connecting through the psql or gsql client tools from the IP address 10.20.30.40 or the 127.0.0.0/24 range.

CREATE AUDIT POLICY adt4 ACCESS SELECT ON LABEL(adt_lb0), INSERT ON LABEL(adt_lb0), DELETE FILTER ON ROLES(dev_audit, bob_audit), APP(psql, gsql), IP('10.20.30.40', '127.0.0.0/24');
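The two-stage matching described under the unified audit mechanism (session identity first, then operation type and resource label) applied to the three policies adt2, adt3 and adt4 above, as an added illustrative model that is not openGauss code; the policy representation, the DML/DDL verb sets and the function names are assumptions made for this example:

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of unified-audit policy matching (not openGauss code).
# DML/DDL verb sets are an assumption for illustration.
DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}
DDL = {"CREATE", "ALTER", "DROP"}

def _expand(wanted):
    """Expand a clause keyword (DML, DDL, ALL) or a single verb into verbs."""
    return {"DML": DML, "DDL": DDL, "ALL": DML | DDL}.get(wanted, {wanted})

@dataclass
class AuditPolicy:
    name: str
    operations: dict            # verb -> resource label, or None for the whole database
    roles: set = field(default_factory=set)   # FILTER ON ROLES(...)
    apps: set = field(default_factory=set)    # FILTER ON APP(...)
    ips: list = field(default_factory=list)   # FILTER ON IP(...), addresses or CIDRs
    enabled: bool = True                      # ENABLE | DISABLE

    def session_matches(self, user, app, ip):
        """Stage 1: the session identity must satisfy every filter type that is
        set; an unset filter type (as in adt2) places no restriction."""
        if self.roles and user not in self.roles:
            return False
        if self.apps and app not in self.apps:
            return False
        if self.ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(n, strict=False) for n in self.ips):
                return False
        return True

    def operation_matches(self, op, labels):
        """Stage 2: the statement's verb must be audited, and if the clause names
        a label, one of the resources the statement touches must carry it."""
        return any(op in _expand(verb) and (label is None or label in labels)
                   for verb, label in self.operations.items())

def audit_records(policies, user, app, ip, op, labels):
    """Names of the enabled policies that would write an audit record."""
    return [p.name for p in policies if p.enabled
            and p.session_matches(user, app, ip) and p.operation_matches(op, labels)]

# The page's three example policies expressed in this model.
ADT2 = AuditPolicy("adt2", {"SELECT": None})
ADT3 = AuditPolicy("adt3", {"CREATE": "adt_lb0"}, roles={"dev_audit", "bob_audit"})
ADT4 = AuditPolicy("adt4", {"SELECT": "adt_lb0", "INSERT": "adt_lb0", "DELETE": None},
                   roles={"dev_audit", "bob_audit"}, apps={"psql", "gsql"},
                   ips=["10.20.30.40", "127.0.0.0/24"])
PAGE_POLICIES = [ADT2, ADT3, ADT4]
```

Running `audit_records(PAGE_POLICIES, "dev_audit", "gsql", "127.0.0.5", "SELECT", {"adt_lb0"})` shows both adt2 and adt4 firing, while the same SELECT from a user outside the ROLES filter fires only adt2.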



Modify and delete unified audit policies

⚫ Only users with the poladmin or sysadmin attribute, or the initial user, can modify or delete a unified audit policy.

ALTER AUDIT POLICY [ IF EXISTS ] policy_name { ADD | REMOVE } { [ privilege_audit_clause ] [ access_audit_clause ] };

ALTER AUDIT POLICY [ IF EXISTS ] policy_name MODIFY ( filter_group_clause );

ALTER AUDIT POLICY [ IF EXISTS ] policy_name DROP FILTER;

ALTER AUDIT POLICY [ IF EXISTS ] policy_name COMMENTS policy_comments;

ALTER AUDIT POLICY [ IF EXISTS ] policy_name { ENABLE | DISABLE };

DROP AUDIT POLICY [IF EXISTS] policy_name;



Unified audit related system tables

⚫ GS_AUDITING_POLICY: records the main information of each unified audit policy; each row corresponds to one policy.

⚫ GS_AUDITING_POLICY_ACCESS: records the DML-operation (ACCESS clause) information of unified audit policies.

⚫ GS_AUDITING_POLICY_FILTERS: records the filter-condition information of unified audit policies; each row corresponds to one policy.

⚫ GS_AUDITING_POLICY_PRIVILEGES: records the DDL-operation (PRIVILEGES clause) information of unified audit policies; each row corresponds to one policy.
Sep 27 '22 #1