Auditing database interactions provides the ability to see who did what and when they did it in the database. This is useful in scenarios where the data stored is sensitive (eg. salary information, proprietary recipes) and you need to track who has accessed the data over a specific period of time. It can also be useful when trying to mitigate a breach or to determine what happened in the case of data that is changed/deleted improperly. SQL Anywhere auditing (when enabled) tracks all activity performed on a database, including:
What exactly is audited can be managed using the sa_enable_auditing_type(…) system procedure. Auditing can be enabled and disabled at login time by setting the “conn_auditing” option. All of the auditing information is stored in the transaction log in version 16.
Version 17 introduces a new option, AUDIT_LOG, which allows you to specify one or more different targets for the auditing information. Potential targets include:
You may choose to use a different target for many reasons. For example, if you do not wish to use a transaction log for the database, if you have existing tools for the examination of the operating system logs, or if you simply wish to separate the auditing information about database operations from the actual recording of the execution of the operations.
Setting the audit_log option requires the SET ANY SECURITY OPTION privilege. If there are any problems with auditing targets, the server does its best to continue auditing, reverting to using the transaction log if other targets are unavailable.
Here is an example of how one might use the audit_log option and what the resulting logs would look like.
First we connect as a user with appropriate security administration privileges and turn on auditing and set the audit_log option to log audit details to a file:
SET OPTION PUBLIC.audit_log='FILE(filename_prefix=C:\work\issues\v17testing\auditing\)';
SET OPTION PUBLIC.auditing = 'On';
We can log a custom message to the audit log at any time, using the sa_audit_string() stored procedure:
CALL sa_audit_string( 'Auditing has begun.' );
GRANT CONNECT TO testuser identified by testuser;
Next, we connect as the newly created testuser, and execute the following statement, which will fail with a permissions error:
SELECT * FROM groupo.Employees;
Switching back to our original connection, we will turn off auditing, and log a corresponding message to the audit log.
CALL sa_audit_string( 'Auditing is ending.' );
SET OPTION PUBLIC.auditing = 'Off';
After completing the above, we have an audit file generated in the specified directory, called “_0.etd” by default
We can run:
dbmanageetd –o auditlog.out _0.etd
This creates a file “auditlog.out” that will contain a section that looks similar to the following:
First we see our custom audit string, which we can use to bookmark our test:
[2015-09-08T10:28:10.254-04:00] SYS_Audit_String text=[Auditing has begun.] connid=25 username=[DBA] recnum=17
Next we see various permissions checks related to calls made by DBISQL:
[2015-09-08T10:28:10.301-04:00] SYS_Audit_PermCheck success=1 perm_type=[Execute] detail1=[dbo.sa_locks] detail2=[NULL] connid=25 username=[DBA] recnum=18
[2015-09-08T10:28:10.301-04:00] SYS_Audit_PermCheck success=1 perm_type=[Execute] detail1=[dbo.sa_locks] detail2=[NULL] connid=25 username=[DBA] recnum=19
[2015-09-08T10:28:10.301-04:00] SYS_Audit_PermCheck success=1 perm_type=[MONITOR] detail1=[NULL] detail2=[NULL] connid=25 username=[DBA] recnum=20
Next we see various permissions checks related to calls made by DBISQL from the testuser connection:
[2015-09-08T10:28:12.064-04:00] SYS_Audit_PermCheck success=1 perm_type=[Execute] detail1=[dbo.sa_locks] detail2=[NULL] connid=8 username=[testuser] recnum=21
[2015-09-08T10:28:12.064-04:00] SYS_Audit_PermCheck success=0 perm_type=[MONITOR] detail1=[NULL] detail2=[NULL] connid=8 username=[testuser] recnum=22
[2015-09-08T10:28:12.064-04:00] SYS_Audit_PermCheck success=1 perm_type=[Execute] detail1=[dbo.sa_locks] detail2=[NULL] connid=8 username=[testuser] recnum=23
[2015-09-08T10:28:12.064-04:00] SYS_Audit_PermCheck success=0 perm_type=[MONITOR] detail1=[NULL] detail2=[NULL] connid=8 username=[testuser] recnum=24
Now we have the permissions failure for the select statement (signified by “success=0” in the audit record)
[2015-09-08T10:28:13.094-04:00] SYS_Audit_PermCheck success=0 perm_type=[Select] detail1=[GROUPO.Employees] detail2=[NULL] connid=8 username=[testuser] recnum=25
[2015-09-08T10:28:13.094-04:00] SYS_Audit_PermCheck success=0 perm_type=[Select] detail1=[GROUPO.Employees] detail2=[***] connid=8 username=[testuser] recnum=26
Finally, we see the custom message for the end of our audit:
[2015-09-08T10:28:19.256-04:00] SYS_Audit_PermCheck success=1 perm_type=[Execute] detail1=[dbo.sa_audit_string] detail2=[NULL] connid=25 username=[DBA] recnum=35
[2015-09-08T10:28:19.256-04:00] SYS_Audit_PermCheck success=1 perm_type=[MANAGE AUDITING] detail1=[NULL] detail2=[NULL] connid=25 username=[DBA] recnum=36
[2015-09-08T10:28:19.256-04:00] SYS_Audit_String text=[Auditing is ending.] connid=25 username=[DBA] recnum=37
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
35 | |
25 | |
14 | |
13 | |
7 | |
7 | |
6 | |
6 | |
5 | |
5 |