Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Looking for Security Auditing solution


Looking for Security Auditing solution

Author
Message
Linda Johanning
Linda Johanning
Old Hand
Old Hand (333 reputation)Old Hand (333 reputation)Old Hand (333 reputation)Old Hand (333 reputation)Old Hand (333 reputation)Old Hand (333 reputation)Old Hand (333 reputation)Old Hand (333 reputation)

Group: General Forum Members
Points: 333 Visits: 620
I need something that doesn't add tables or triggers to the database being audited. I prefer something that doesn't use trace procedures due to performance, but would consider it. The main area of concern is auditing users connecting to databases with 'outside' applications like Access, Excel, Query Analyzer, etc. and removing certain ODBC sources is out of the question. I also need to monitor at least 10 of the SQL servers so price is also a consideration. I am currently looking at Apex SQL Log which uses live transaction logs or T-log backups, but of course the database has to be in full recovery mode--and I'm not through testing yet. Any suggestions are welcomed :-)



Curtis M
Curtis M
Grasshopper
Grasshopper (16 reputation)Grasshopper (16 reputation)Grasshopper (16 reputation)Grasshopper (16 reputation)Grasshopper (16 reputation)Grasshopper (16 reputation)Grasshopper (16 reputation)Grasshopper (16 reputation)

Group: General Forum Members
Points: 16 Visits: 3

At one point I was looking into LogPI (www.logpi.com) but they have since been bought out by a company called Goldengate. I am not getting much feedback from them. I am wondering if anyone out here has any more info on LogPI or Goldengate? Thanks.

Curtis


devereauxj
devereauxj
SSC Veteran
SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)

Group: General Forum Members
Points: 249 Visits: 140

We are looking at Lumigent. We are a utility company and have to comply with SOX. The problem we have is that we use Tivoli by IBM and a tape robot to do backups. The log files go directly to tape and we can't get them back.

Our mandate is to monitor the DBA's and other accounts with Admin and Owner rights and privleges.

Even with those aside, we have been able to get around much of the Lumigent monitoring as DBA. I am no hacker and not very good at, but was able to spoof it so those doing the queries and running report did not pick up on my changes.

Now, all mute point because of it need log backups.

Any other products that can read the log and db files live and do the same type of thing?





Peldin Fernandes
Peldin Fernandes
SSC-Enthusiastic
SSC-Enthusiastic (108 reputation)SSC-Enthusiastic (108 reputation)SSC-Enthusiastic (108 reputation)SSC-Enthusiastic (108 reputation)SSC-Enthusiastic (108 reputation)SSC-Enthusiastic (108 reputation)SSC-Enthusiastic (108 reputation)SSC-Enthusiastic (108 reputation)

Group: General Forum Members
Points: 108 Visits: 37

Check BizRights From approva Systems. www.approva.net the leading provider of enterprise controls management software. its the True Cross-Platform Continuous Controls Compliance Software. for any ERP PeopleSoft, Oracle, SAP .



Regards,
Peldin Fernandes
devereauxj
devereauxj
SSC Veteran
SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)SSC Veteran (249 reputation)

Group: General Forum Members
Points: 249 Visits: 140

My company needed a solution to watch activity and logging on SQL Server Databases and Oracle databases. Many of the items needed in Oracle were already there with a job and couple triggers along with the built in Auditing. It passes SOX scrutiny, but now SQL had to show the same. (btw: the budget for this was axed, we gave management a 165K purchased solution : current budget, my time as DBA, full salary...so it does not matter how many hours)

Anyway. I came up with a multi-part solution that has satisfied the auditors for now. Any person with real IT experience will see wholes big enought to drive a mack truck through it, but like I said, it was to suffice the auditors.

First I used created my own audit trace. I narrowed down the events to what we wanted to track and the information we wanted to store. If the sql server stops/starts it automatically starts again. The records are processsed twice a day from the flat files into a database table. From there I wrote procedures/views to process the data I need to report on. I crossed the view with a rules table to kick out records that need to be shown on the report. I then set up SSRS (sql server reporting services) 2005 to generate the report. Each morning the report is generated along with the rules, so auditors can compare the rules (ever changing) with the report. I send a copy to the server and email the affected parties, directing them to look at the report. If your name shows up, you have to initial the report, put in a comment. The report is printed by IS security, and people on the report have to initial with pen.

Lots of holes, some good infor came from it, and it got SOX auditors off our back. Until next quarter at least.

joe





calvin nguyen-255465
calvin nguyen-255465
Grasshopper
Grasshopper (11 reputation)Grasshopper (11 reputation)Grasshopper (11 reputation)Grasshopper (11 reputation)Grasshopper (11 reputation)Grasshopper (11 reputation)Grasshopper (11 reputation)Grasshopper (11 reputation)

Group: General Forum Members
Points: 11 Visits: 4
My company just went through PCI audit and we use Idera Sql Compliance, Lumigent was too expensive for us. The SQL Compliance Manager satisfied the auditors requirements which log all access to the server/databases and log all activities (select, insert, update,...) to database and it cost us $1495 for the license.
Joseph Mulhall
Joseph Mulhall
SSC Veteran
SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)

Group: General Forum Members
Points: 298 Visits: 42
Just for continuities sake, I don't see anyone here describing requirements, I see them offering solution (or solutionizing in management speak )

Most people are talking about auditing access to SQL server - how does that help if all access is through a single account? How does that help you identify unauthorised changes to your data? How does that help prevent fraud?

I put it to you that you, and in my experience the auditors as well, are assuming that by 'logging everything' you have achieved something useful and/or complian with SOX.
Joseph Mulhall
Joseph Mulhall
SSC Veteran
SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)SSC Veteran (298 reputation)

Group: General Forum Members
Points: 298 Visits: 42
"Our mandate is to monitor the DBA's and other accounts with Admin and Owner rights and privleges."

There is no native way of doing this - by nature the sysadmins can do anything they want with SQL Server, so their is little or no point in using SQL Server to monitor them.

Indeed, any system for which I have full-control requires an external factor for logging and monitoring.

The only sure fire way to control, log and audit access is by abstracting DBA work through a third-party management tool; be this an enterprise manager replacement or a remote console with keystroke logging.

Again - how does this address SOX? SOX was created to prevent fraud. Is fraud going to be committed by a sysadmin editing an entry in field in a table, or is it going to be by accountants diverting funds into a variety of accounts?

Move upwards a level - what is the application you're looking at? What does it do? How is user access *within the application* granted, logged and monitored? If the users can freely change stuff in the application, what has database security got to do with it?
roger.price-1150775
roger.price-1150775
Valued Member
Valued Member (58 reputation)Valued Member (58 reputation)Valued Member (58 reputation)Valued Member (58 reputation)Valued Member (58 reputation)Valued Member (58 reputation)Valued Member (58 reputation)Valued Member (58 reputation)

Group: General Forum Members
Points: 58 Visits: 246
Check out Teleran. They have products that can collect information by setting itself up as a proxy and sniffing requests and results. This means zero impact on the sql server being audited. It can parse the sql and give you object level information too. It can also operate as a gatekeeper and stop certain commands, users, etc... even if they are dbowners and the like.
rguier 61805
rguier 61805
Forum Newbie
Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)

Group: General Forum Members
Points: 2 Visits: 3
DIAB (DBAinABox) from diabsqlsoftware.com has built in SOX tools to alert you if permissions have been altered. it does this without using a trace or inserting any objects on the sever / database being monitored. It is not a 100% solution to your question but it will keep SOX auditors happy and is inexpensive.
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search