1 / 49

Informix User Forum 2006 Auditing With IDS

Informix User Forum 2006 Auditing With IDS. Jonathan Leffler STSM, IDS Security Architect jleffler@us.ibm.com. Agenda. Overview of External Requirements Payment Card Industry (PCI) standards Sarbanes-Oxley (SOX) Access Control Encryption – Where and Why Auditing

danyl
Download Presentation

Informix User Forum 2006 Auditing With IDS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Informix User Forum 2006Auditing With IDS Jonathan Leffler STSM, IDS Security Architect jleffler@us.ibm.com

  2. Agenda • Overview of External Requirements • Payment Card Industry (PCI) standards • Sarbanes-Oxley (SOX) • Access Control • Encryption – Where and Why • Auditing • Features in IDS Meeting External Requirements • Auditing • Encrypted communications • Column-level Encryption • Non-IDS tools Informix User Forum 2006 | Auditing With IDS

  3. PCI – Payment Card Industry • CISP – Cardholder Information Security Program • PCI Data Security Standard • Version 1.1 (September 2006) • https://www.pcisecuritystandards.org/ • Version 1.0 (January 2005) • Not valid after 31st December 2006 for new validations Informix User Forum 2006 | Auditing With IDS

  4. PCI – Payment Card Industry • 12 requirements in 6 groups • Build and Maintain a Secure Network • Protect Cardholder Data • Maintain a Vulnerability Management Program • Implement Strong Access Control Measures • Regularly Monitor and Test Networks • Maintain an Information Security Policy Informix User Forum 2006 | Auditing With IDS

  5. PCI Data Security Standard – Requirements • Build and Maintain a Secure Network • 1: Install and maintain a firewall configuration to protect data • 2: Do not use vendor-supplied defaults for system passwords and other security parameters • Protect Cardholder Data • 3: Protect stored data • 4: Encrypt transmission of cardholder data and sensitive information across public networks • Maintain a Vulnerability Management Program • 5: Use and regularly update anti-virus software • 6: Develop and maintain secure systems and applications Informix User Forum 2006 | Auditing With IDS

  6. PCI Data Security Standard – Requirements • Implement Strong Access Control Measures • 7: Restrict access to data by business need-to-know • 8: Assign a unique ID to each person with computer access • 9: Restrict physical access to cardholder data • Regularly Monitor and Test Networks • 10: Track and monitor all access to network resources and cardholder data • 11: Regularly test security systems and processes. • Maintain an Information Security Policy • 12: Maintain a policy that addresses information security Informix User Forum 2006 | Auditing With IDS

  7. PCI Data Security Standard • Many more details for each of these 12 requirements • 17 page PDF document (with 2 appendices) • For example, requirement 3 has 6 sub-sections • And 16 sub-sub-sections • §3.1 Minimal information storage and retention • §3.2 Do not store sensitive information after authentication • §3.3 Mask account numbers when displayed • §3.4 Render sensitive data unreadable when stored • §3.5 Protect encryption keys against disclosure and misuse • §3.6 Fully document and implement key management procedures Informix User Forum 2006 | Auditing With IDS

  8. PCI – Payment Card Industry • Is your DBA a Spy? • http://tinyurl.com/y8bahy • User tricks, Security ‘Treats’ • http://tinyurl.com/sfdj5 Informix User Forum 2006 | Auditing With IDS

  9. Sarbanes-Oxley • Public Company Accounting Reform and Investor Protection Act of 2002 • Also known as Sarbanes-Oxley Act of 2002 • Commonly called SOX or SarBox • See (amongst many others) http://www.sarbanes-oxley.com/ • NB: I am not a lawyer! • The most critical sections for IT are: • 302: Control (internal controls) • 404: Evaluation (governance, measurement, records) • 409: Disclosure (reporting, certification) • Plus the corresponding SEC rules and regulations Informix User Forum 2006 | Auditing With IDS

  10. Sarbanes-Oxley • CEO, CFO must certify that they: • Are responsible for establishing and maintaining internal controls. • Have designed the internal controls so material information is made known to them by others in the organization. • Internal controls are accounting terms (SEC rules): • A process designed to provide reasonable assurance about the reliability of financial reporting. • Maintenance of records that accurately reflect transactions • Transactions are properly recorded and authorized to permit preparation of statements in line with the GAAP • Prevention or timely detection of unauthorized activity • That would materially affect the financial statements Informix User Forum 2006 | Auditing With IDS

  11. Sarbanes-Oxley • COSO (Treadway Commission) defines accounting rules • http://www.coso.org/ • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring • COBIT defines software rules related to: • Planning and Organization • Acquisition and Implementation • Delivery and Support • Monitoring and Evaluation Informix User Forum 2006 | Auditing With IDS

  12. Sarbanes-Oxley • Routine Re-evaluation of Internal Controls • CEO and CFO must evaluate the effectiveness of controls • Within 90 days prior to any report • Present conclusions about the effectiveness of internal controls • In the report • The company must annually assess the effectiveness too • Disclosure of any material problems found • All significant deficiencies in design or operation of internal controls • Any fraud, whether or not material, that involves management or employees who have a role in running the internal controls Informix User Forum 2006 | Auditing With IDS

  13. Access Control Requirements • Access to the DBMS is a major part of compliance • It is far from the only issue • Only authorized users should be able to do anything • And even they should have minimum permissions • Do not grant RESOURCE or DBA to PUBLIC • Don’t even grant CONNECT to PUBLIC usually • Grant SELECT to PUBLIC on non-sensitive tables • Don’t even grant that on sensitive tables Informix User Forum 2006 | Auditing With IDS

  14. Access Control Requirements • Exploit roles to control permissions • Create a separate role for each class of user • Grant that role the necessary permissions for the job • Assign the permitted users the role • Write the application to set the correct role • Note that this form of role-based security is imperfect • It is a form of ‘security by obscurity’ • If the user is assigned the role • The user can use DB-Access to set the role • And then modify the tables using the role’s permissions Informix User Forum 2006 | Auditing With IDS

  15. Encryption of Data • Some data must not be stored in the database • PCI says the CVV number cannot be stored after authentication • Other data must be stored encrypted • Typically, the credit card number and the social security number • If an old database uses SSN as a key for joins • Redesign your database with an arbitrary number for the joins • Use a SERIAL column (employee number) • Or a SEQUENCE • Data encryption slows things down • It is a necessary evil • Do not use it unless it is necessary Informix User Forum 2006 | Auditing With IDS

  16. Auditing Requirements • You need to be confident that you can track changes • Who changed what structurally • Only a very few staff can make schema changes • Sometimes you need to track who sees data • Identity theft takes a copy of information • It does not alter the information • Database auditing can track DBAs too • Database auditing is not sufficient • You need controls over backups etc Informix User Forum 2006 | Auditing With IDS

  17. Test Database Requirements • Developers need test databases • Companies must keep customer information safe • Developers cannot work on copies of production data • When that data contains sensitive information • There are companies with tools to transform data • Take in valid data and randomize it • While retaining referential integrity • The key point is to be sure that everyone is aware: • Developers may not work on live data! Informix User Forum 2006 | Auditing With IDS

  18. Features in IDS to Address External Requirements • IDS has features to help address these requirements: • Auditing • Encrypted Communications • Column-level Encryption • Other vendors can help • Vormetric • Protegrity • Future directions too • Fine-Grained Auditing • Label-Based Access Control Informix User Forum 2006 | Auditing With IDS

  19. Basic Auditing • IDS 7 and later has ON-Audit and ON-ShowAudit • ON-Audit controls what is audited • ON-Audit also controls how the audit results are recorded • ON-ShowAudit shows what auditable events occurred • Can be controlled by separate roles • DBSSO: Database Security Officer • Controls who is audited • Controls which events are audited • AAO: Audit Analysis Officer • Controls whether auditing is in use or not • Analyzes audit logs Informix User Forum 2006 | Auditing With IDS

  20. Overview of Auditing in IDS • Most operations can be audited. • All auditable operations have a 4-letter mnemonic. • CREATE DATABASE = CRDB • SELECT ROW = RDRW – generates voluminous output! • Audit masks dictate which operations are monitored. • Different masks for different people. • Global masks – default, require, exclude. • Template masks • User masks. Informix User Forum 2006 | Auditing With IDS

  21. Overview of Auditing in IDS • Audit logging can use operating system audit facilities. • Only available on some Unix platforms. • Requires server running as root. • Audit logging can use Informix audit facilities. • Available on all platforms. • Available when running the server as informix. • Generally the better choice. Informix User Forum 2006 | Auditing With IDS

  22. Roles: DBSSO versus AAO • DBSSO controls what is audited. • Which users are audited. • Which operations are audited for each user. • Uses ON-Audit command. • Setting auditing masks. • AAO controls whether auditing is active or not. • Uses ON-Audit command. • AAO monitors the results of auditing. • Uses ON-ShowAudit command. • DBSA runs the server. • Should not subvert the auditing set up by DBSSO and AAO. Informix User Forum 2006 | Auditing With IDS

  23. Using ON-Audit as DBSSO • Define which events are audited for specific users. • Various aids: • _default – events audited if no other list specified for a user. • _required – events always audited, even if not listed. • _excluded – events always excluded, even if listed. • _templates – lists of events defined by the DBSSO. • Basic usages: • onaudit -a -u gandalf -r _guest -e –CRDB • onaudit -m -u _default -e +UPAM,DRAM • onaudit –d –u gandalf • onaudit –o –y • onaudit –o –u gandalf Informix User Forum 2006 | Auditing With IDS

  24. Audit Masks • Set the _require mask to the Informix recommended events: • onaudit -a -u _require –e +OPDB,GRDB,RVDB,GRTB,RVTB • onaudit –m –u _require –e +CRRL,STRL,STSA,STOM • onaudit –m –u _require –e +GRRL,RVRL,GRFR,RVFR • Add the main DDL operations: • onaudit –m –u _require –e +CRDB,DRDB,CRTB,DRTB,ALTB • onaudit –m –u _require –e +CRIX,DRIX,ALIX,CRSN,DRSN • onaudit –m –u _require –e +CRSP,DRSP,CRTR,DRTR • onaudit –m –u _require –e +CRVW,DRVW • Add the utilities: • onaudit –m –u _require –e +ONAU,ONBR,ONCH,ONIN • onaudit –m –u _require –e +ONLG,ONLO,ONMN,ONMO,ONPA • onaudit –m –u _require –e +ONPL,ONSP,ONST,ONTP,ONUL Informix User Forum 2006 | Auditing With IDS

  25. Audit Masks • The high-intensity audit events are candidates for _exclude mask: • ACTB – Access table • INRW – Insert row • UPRW – Update row • DLRW – Delete row • RDRW – Read row Informix User Forum 2006 | Auditing With IDS

  26. Using ON-Audit as AAO • Defines whether auditing occurs, and auditing behaviour. • Auditing mode • 0 – Auditing is turned off. • 1,3,5,7 • Increasingly complete auditing of users, including DBSSO and DBSA. • Using server-managed auditing. • Add 1 on Unix to have operating system managed auditing. • Auditing error action • When an audit message cannot be written • 0 continue • 1 suspend server until audit message can be written • 3 halt server because audit message cannot be written Informix User Forum 2006 | Auditing With IDS

  27. Using ON-Audit as AAO • Auditing directory • Default is /tmp – which is awful and should never be used. • Make sure that the directory is: • Owned by user informix • Belongs to the AAO group • No public access (no write access) – 770 permissions. • Audit file size • How big audit files get before switching to a new one. • Basic usages: • onaudit –c • onaudit –l mode –e errmode –p path –s size • onaudit -n Informix User Forum 2006 | Auditing With IDS

  28. Audit Information Stored in SysMaster • The sysadtinfo table reflects the configuration in adtcfg. • One row of data. • Five columns. • The sysaudit table contains encoded audit masks. • Bit-encoded numeric values spread across two sets of four columns. • One set for failed operations. • One set for successful operations. • But there’s no documented way to set these differently. • Access to these tables is restricted. Informix User Forum 2006 | Auditing With IDS

  29. Contents of Audit Log Files • All audit records have a common structure: • 7 pipe-separated fields • Last field contains variable colon-separated fields • Common preamble is: • ONLN • To distinguish IDS (OnLine) records from other systems • Timestamp to milliseconds (USEOSTIME=1) • Host name • Session ID • IDS server name • User name • ONLN|2006-11-10 00:08:22.829|anubis|9556|anubis_17|jleffler Informix User Forum 2006 | Auditing With IDS

  30. Contents of Audit Log Files • Last field contains: • Error code • Operation mnemonic • Auxilliary information for operation • Varies by mnemonic • 9305|anubis_17|jleffler|0:OPDB:stores:0:- • 9305|anubis_17|jleffler|0:STSN • 9305|anubis_17|jleffler|0:ACTB:stores:informix:sysprocedures:16 • 9305|anubis_17|jleffler|0:RDRW:stores:16:1049029:2310 • 9305|anubis_17|jleffler|0:RDRW:stores:16:1049029:2561 • … • 9305|anubis_17|jleffler|0:RDRW:stores:16:1049029:2566 • 9305|anubis_17|jleffler|0:RDRW:stores:16:1049029:2817 database owner table name tabid rowid partnum Informix User Forum 2006 | Auditing With IDS

  31. Contents of Audit Log Files – Example Errors • -239:CRAM:_exclude • -26008:CRPT:stores:select decrypt_char(v, 'XXXXXXX') from t; • -8301:CRSQ:stores:0:jleffler:s9:0:- • -511:ALIX:stores:17:informix:procbody:1 • -212:CRIX:stores:1990:c1:jleffler:1:dbspace_16 • -19803:GRRL:stores:root :extend:jleffler • -218:DRSN:stores:0:-:dbd_ix_public01 • -9628:DRTY:stores: - :dbd_ix_distofi8 • -350:CRIX:new_stores:108:idxmsgs_frfr:jleffler:1:rootdbs • -1:ONSP:-c -d nfs_disk -p /nfs/anubis_17.nfs_disk.c0 -s 10240 -o 0 • -705:DRSP:stores:1237:-:^Ly☼~T • -661:EXSP:stores:1242 • -1:ONTP:-s -L 0 • -388:CRSP:stores:0:username:exitfail Fixed bug Informix User Forum 2006 | Auditing With IDS

  32. Example Trace • sqlcmd –d stores –e ‘update elements set atomic_number = atomic_number + 0’ • 0:OPDB:stores:0:- • 0:STSN • 0:ACTB:stores:jleffler:elements:101 • 0:RDRW:stores:101:1049066:257 • 0:UPRW:stores:101:1049066:257:1049066:257 • 0:RDRW:stores:101:1049066:258 • 0:UPRW:stores:101:1049066:258:1049066:258 • … • Even for small tables, output is voluminous • And tedious Informix User Forum 2006 | Auditing With IDS

  33. Audit Log File Management • Use a different audit log directory for each server • Based on server name or number • E.g. $INFORMIXDIR/tmp/anubis_17 • Backup and compress logs • Compression ratio 25:1 possible • Into sub-sub-directory: • $INFORMIXDIR/tmp/anubis_17/backup • $INFORMIXDIR/tmp/anubis_17/00000-00999 • $INFORMIXDIR/tmp/anubis_17/01000-01999 • Leave empty files to avoid reuse • Otherwise, IDS reuses log files when restarting Informix User Forum 2006 | Auditing With IDS

  34. Weirdnesses Associated with Auditing • All servers use same adtcfg file • Hard to have different servers auditing to different directories • Changes to audit configuration written to private adtcfg • adtcfg.NN for server NN • But file is not used at start-up! • Servers should keep track of last audit log file used Informix User Forum 2006 | Auditing With IDS

  35. Using ON-ShowAudit • ON-ShowAudit command selects data from audit logs. • On Unix, you specify where to pull the audit data from: • The operating system managed audit log, or • The database server managed audit log. • You can specify which user to select the information for: • Default – all users. • You can specify which database server to select the information for: • Default – all servers. • It shows you all the data for all users and all servers • Using the information indicated by the adtcfg file. Informix User Forum 2006 | Auditing With IDS

  36. Managing Auditing • Beware of the non-technical requirements! • Publish security policies documenting that actions are audited. • Document that activities may be recorded and analyzed. • Auditing is pointless unless you analyze the logs. • It reduces the performance of the system • How much depends on what you audit. • You need two sorts of analysis • Post-incident forensic analysis • Something went wrong; who, what, when, how? • Routine usage pattern tracking • Fred’s on a hiking vacation in the Sierras • Why was he logged in at 03:00 on Sunday morning? Informix User Forum 2006 | Auditing With IDS

  37. Forensic Auditing • More typically, audit logs are used forensically. • To analyze, after the event, who did it, and when. • Since it may be a while before stolen data is noticed, • It is important to keep (compressed) audit logs. • And to monitor all the relevant events. • Note that you can audit every row that is read. • But the volume of data will be enormous. • Although you may know the user ID that did it, • It is hard to prove that the bona fide owner of that user ID did it. Informix User Forum 2006 | Auditing With IDS

  38. Encrypted Communications for IDS • Available in IDS 9.40 and later • Encrypts communications between client and server • Using standard encryption techniques to establish session keys • Also used for distributed database access – I-Star • ER (Enterprise Replication) can be encrypted • Often replicating over WAN • With effect from Cheetah • HDR (Heterogeneous Data Replication) will support encryption • Previously assumed HDR only over LAN Informix User Forum 2006 | Auditing With IDS

  39. Encrypted Communications • Applications communicate with IDS unencrypted • This is safe enough for local connections • Shared memory – usually OK – just about • IPC Streams or equivalent – OK • Loopback connection – OK (does not hit network) • This may be safe enough on intranet • But it may allow too many people to snoop • Consider all PCs as potential problems • Do not expose your IDS server on the internet! • See session 1716 Encrypted Communications in IDS 10 • From IBM Information on Demand 2006 conference Informix User Forum 2006 | Auditing With IDS

  40. Column-Level Encryption • Available in IDS 10 • Permits encryption of data in selected fields in tables • But requires schema changes • And modifications to applications • Unless you use INSTEAD OF triggers on views • Uses AES 128-bit encryption • Or Triple-DES • See session M08 Column-Level Encryption in IDS • From IDUG North America 2006 Informix User Forum 2006 | Auditing With IDS

  41. Vormetric CoreGuard – Disk Encryption • Available 2007Q2 for IDS and DB2 • http://www.vormetric.com/ • Works with any version of IDS • Works with dbspaces in cooked files • Access controlled by PEM • Privacy Enforcement Module • Linked into operating system kernel • Mediates all access to disk • Decrypts or encrypts data for authorized uses • Encryption is transparent to IDS • IDS only sees unencrypted data Informix User Forum 2006 | Auditing With IDS

  42. Authenticated Users Software Policy Enforcement Modules (PEM) • File Encryption / Access Control • Host Protection • Control System Administrators Applications DBMS PEM File System 1 – N Gigabit Ethernet Volume Manager DAS/ ETC. SAN/ NAS Policy Enforcement Modules CoreGuard Security Servers • Central Point of Management • Rules-Based Policy Authoring • FIPS Validated • Separation of Duties • High Availability Informix User Forum 2006 | Auditing With IDS

  43. Label-Based Access Control • Major feature in Cheetah release • Parallel to, and based upon, DB2 Viper implementation • Complex structure • But achieves complex result • CREATE SECURITY LABEL COMPONENTS • Defines things like ‘top secret’, ‘secret’ etc. • CREATE SECURITY POLICY • Uses one or more security label components • CREATE SECURITY LABEL • Specifies one set of values for a security policy Informix User Forum 2006 | Auditing With IDS

  44. Label-Based Access Control • Users are granted certain labels for each policy • This controls which rows they can read and write • Other rows are simply not shown to the unprivileged user • Users can be granted exemptions to policy • But this should happen rarely • And under extreme supervision • New database role – DBSECADM • Responsible for LBAC administration • Creating security policies and assigning labels Informix User Forum 2006 | Auditing With IDS

  45. Fine-Grained Auditing • Existing auditing facilities do not record SQL statements • Cheetah can log all SQL statements • Originally for performance analysis • Extended for auditing too • Fine-grained auditing to provide selective recording • Some databases • Some users • Some statements – probably • Some tables – probably Informix User Forum 2006 | Auditing With IDS

  46. External Auditing of IDS • Guardium • Monitors Informix SQL traffic on the network • Can be used to detect unauthorized activity • http://www.guardium.com/ • Princeton Softech • http://www.princetonsoftech.com/ • sudo + sudosh • Controls over who has access to user informix • Logs all activity • http://www.courtesan.com/sudo/ • http://sudosh.sourceforge.net/ Informix User Forum 2006 | Auditing With IDS

  47. Other Possible Future Features • Server-managed table- or column-level encryption • IDS consciously in charge of encryption • Leads to key management issues • Key management is where encryption usually breaks down • Encrypted back-ups • Shipping back-ups off-site unencrypted leads to embarrassment • Key management is the crucial issue • As ever with encryption Informix User Forum 2006 | Auditing With IDS

  48. http://www.ibm.com/software/data/informix http://www.iiug.org/ Informix User Forum 2006 | Auditing With IDS

  49. http://www.ibm.com/software/data/informix http://www.iiug.org/ Informix User Forum 2006 | Auditing With IDS

More Related