High security of openGauss - database audit

database audit

⚫ The audit log records the user's operations on the database, such as start and stop, connection, DDL, DML, DCL, etc. The audit log mechanism mainly enhances the ability of the database system to trace back and provide evidence for illegal operations.

⚫ Users can configure which statements or operations are recorded in the audit log through parameters.

⚫ The audit log records the time, type, execution result, user name, database, connection information, database object, database instance name and port number, and details of the event. Supports querying of audit logs by start and end time periods, and filtering based on recorded fields.

⚫ Database security administrators can use these log information to reproduce a series of events that lead to the status quo of the database, and find out the user, time and content of illegal operations.



Unified Audit Mechanism

⚫ In addition to the above data audit functions, it also supports a unified audit mechanism. The unified audit mechanism is a technology that realizes efficient security audit management by customizing audit policies. After the administrator defines the audit object and audit behavior, if the task performed by the user is associated with the corresponding audit policy, the corresponding audit behavior is generated and the audit log is recorded. Customized audit policies can cover common user management activities, DDL and DML behaviors to meet daily audit requirements.

⚫ Unified Auditing uses policies and conditions to selectively audit within the database. Administrators can uniformly configure audit policies for database resources or resource tags, thereby simplifying management, generating audit logs in a targeted manner, and reducing audit logs. Redundancy and improving management efficiency.

⚫ Administrators can customize audit policies for operation behaviors or database resources, which are audited for specific user scenarios, user behaviors, or database resources. After the unified audit function is enabled, when the user accesses the database, the system will match the corresponding unified audit policy according to the user identity information such as access IP, client tool, and user name, and then according to the policy information, the user behavior will be determined according to the access resources ( LABEL) and user operation type (DML|DDL) for unified auditing.

⚫ The purpose of unified auditing is to transform existing traditional auditing behaviors into targeted tracking auditing behaviors, and exclude behaviors beyond the target from auditing, thereby simplifying management and improving the security of audit data generated by the database.



Create a unified audit policy

⚫ Only with poladmin, sysadmin or initial user can create a unified audit policy. At the same time, the security policy switch needs to be turned on, that is, the GUC parameter enable_security_policy=on is set, and the policy will take effect.

CREATE AUDIT POLICY [ IF NOT EXISTS ] policy_name { { privilege_audit_clause | access_audit_clause } [ filter_group_clause ] [ ENABLE | DISABLE ] };

• privilege_audit_clause: PRIVILEGES { DDL | ALL } [ ON LABEL ( resource_label_name [, ... ] ) ]

• access_audit_clause: ACCESS { DML | ALL } [ ON LABEL ( resource_label_name [, ... ] ) ]

• filter_group_clause: FILTER ON { ( FILTER_TYPE ( filter_value [, ... ] ) ) [, ... ] }



Create Unified Audit Policy Example

⚫ Step 1: Create dev_audit and bob_audit users.

CREATE USER dev_audit PASSWORD 'dev@1234';

CREATE USER bob_audit password 'bob@1234';

⚫ Step 2: Create table tb_for_audit.

CREATE TABLE tb_for_audit(col1 text, col2 text, col3 text);

⚫ Step 3: Create resource tags.

CREATE RESOURCE LABEL adt_lb0 add TABLE(tb_for_audit);

⚫ Step 4: Perform the create operation on the database to create an audit policy.

CREATE AUDIT POLICY adt2 ACCESS SELECT;

⚫ Step 5: Only audit records that users dev_audit and bob_audit create an audit policy in the database that performs the create operation on the adt_lb0 resource.

CREATE AUDIT POLICY adt3 PRIVILEGES CREATE ON LABEL(adt_lb0) FILTER ON ROLES(dev_audit, bob_audit);

⚫ Only the users dev_audit and bob_audit are audited, the client tools are psql and gsql, the IP addresses are '10.20.30.40', '127.0.0.0/24', and the audit database is created when the select, insert, and delete operations on the adt_lb0 resource are executed. Strategy.

CREATE AUDIT POLICY adt4 ACCESS SELECT ON LABEL(adt_lb0), INSERT ON LABEL(adt_lb0), DELETE FILTER ON ROLES(dev_audit, bob_audit), APP(psql, gsql), IP('10.20.30.40', '127.0.0.0/24 ');



Modify and delete unified audit policies

⚫ Only users with poladmin, sysadmin or initial users can modify and delete the unified audit policy.

ALTER AUDIT POLICY [ IF EXISTS ] policy_name { ADD | REMOVE } { [ privilege_audit_clause ] [ access_audit_clause ] };

ALTER AUDIT POLICY [ IF EXISTS ] policy_name MODIFY ( filter_group_clause );

ALTER AUDIT POLICY [ IF EXISTS ] policy_name DROP FILTER;

ALTER AUDIT POLICY [ IF EXISTS ] policy_name COMMENTS policy_comments;

ALTER AUDIT POLICY [ IF EXISTS ] policy_name { ENABLE | DISABLE };

DROP AUDIT POLICY [IF EXISTS] policy_name;



Unified audit related system table

⚫ GS_AUDITING_POLICY: The GS_AUDITING_POLICY system table records the main information of the unified audit, and each record corresponds to a design policy.

⚫ GS_AUDITING_POLICY_ACCESS: The GS_AUDITING_POLICY_ACCESS system table records unified audit information for operations related to the DML database.

⚫ GS_AUDITING_POLICY_FILTERS: The GS_AUDITING_POLICY_FILTERS system table records the filtering policy related information related to unified auditing, and each record corresponds to a design policy.

⚫ GS_AUDITING_POLICY_PRIVILEGES: The GS_AUDITING_POLICY_PRIVILEGES system table records the operation information related to the unified audit DDL database, and each record corresponds to a design strategy.