IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.133 Checking the log files of a database system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator, auditor
The logging and auditing functions available in a database system must be
utilised to an appropriate extent. Logging too many events will impair the
performance of a database and cause log files to accumulate rapidly. A
balance always needs to be struck between the requirement to collect as much
information as possible in order to ensure database security, and the capability
to store and analyse this information.
In this context, the following occurrences are of particular interest:
- Times and duration of user logins
- Number of database connections
- Failed or rejected attempts to establish connections
- Occurrence of deadlocks within the database system
- I/O statistics for every user
- Access to system tables (refer to S 4.69 Regular checks of database
security)
- Generation of new database objects
- Data modifications (if required, together with the date, time and user)
However, the logging of security-related events only proves useful if the
recorded data can also be analysed. For this reason, the log files should be
checked by an auditor at regular intervals. If, for organisational or technical
reasons, it is not possible to engage an independent auditor for the purpose of
analysing the log files, it will be very difficult to control the activities of the
database administrator.
The logged data must be deleted at regular intervals in order to prevent the log
files from growing excessively. However, the log files must only be deleted
after they have been viewed and analysed. This can be done manually or
automatically, if appropriate tools are available.
Furthermore, access to the log files must be carefully restricted. On one hand,
intruders must be prevented from concealing their activities through a later
manipulation of log files; on the other hand, a selective analysis of the log
files allows profiles of users to be generated. Consequently, no modifications
should be permitted and read-access should only be granted to the auditors, for
example.
To facilitate analysis of the log files, the database administrator can make use
of additional tools which automatically perform monitoring. Such products
can, for example, analyse the log files of a database system in accordance with
specified patterns and output an alarm under certain conditions.
Additional measures which need to be observed in this context are stated in S
2.64 Checking the log files.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000