Sister CISA CISSP

Sep 8 2008   1:52PM GMT

Auditing Databases – Part II

Arian Eigen Heald Arian Eigen Heald Profile: Arian Eigen Heald

Thanks to marketing, we have a confusing jumble of terms when thinking about databases. For instance, Microsoft’s database product, SQL Server, isn’t really a “server.” It has to run on a Microsoft Windows Server 200x operating system. It’s a database system, that can hold many databases inside of it.

Another example would be Oracle databases.Oracle can run on any version of *NIX, and Windows, too (but ooohhh so slowly, since the two don’t get along). But since Oracle sells its database product by the CPU, one database is almost always set up to have multiple “schemas,” and those are actually databases inside the database.

Sybase is very similar to MS SQL (after all, M$ bought it from them!), and DB2 can run on an IBM-based system, like the iSeries, or AIX, or even Windows (good luck there!).

So each database product has a slightly different structure, which means we have to have an understanding of each structure in order to audit who, what and when.

All the products install “pieces” of themselves on top of a server structure, whether it’s Windows, *NIX, or AS 400. They all install a database user ID, usually with administrative rights. They all install files and services that open listening ports so that users or applications can connect to those ports. MS SQL uses 1443 and Oracle uses multiple ports, but principally 1521. It’s important to know those ports, and what connects to them.

Using those ports, someone with an ID and password can connect to your database directly, using any database-aware application to pull data out. Microsoft has an ODBC software client that connects using this port. Many DBA’s and software developers connect directly to databases this way. You will want to monitor any connections to your databases using this access.

A DBA should be able to identify who has direct access and set up a custom procedure to write a report on access via ODBC, or any direct Oracle access. Given that this connection can be unencrypted (by default), any user ID and password could be captured. Another reason to monitor!

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: