
S 2.133 Checking the log files of a database system

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, auditor

The logging and auditing functions available in a database system must be used to an appropriate extent. Logging too many events impairs the performance of the database and causes the log files to grow rapidly. A balance therefore always has to be struck between the requirement to collect as much information as possible in order to ensure database security and the capability to store and, above all, analyse that information.

In this context, the following occurrences are of particular interest:

However, logging security-related events is only useful if the recorded data is actually analysed. For this reason, the log files should be checked by an auditor at regular intervals. If, for organisational or technical reasons, it is not possible to engage an independent auditor to analyse the log files, the activities of the database administrator can hardly be controlled at all, since the administrator would then be reviewing the records of his or her own actions.

The logged data must be deleted at regular intervals to prevent the log files from growing excessively. However, log files may only be deleted after they have been viewed and analysed. This can be done manually or, if suitable tools are available, automatically.

Furthermore, access to the log files must be carefully restricted. On the one hand, intruders must be prevented from concealing their activities by manipulating the log files afterwards; on the other hand, selective analysis of the log files makes it possible to compile activity profiles of individual users. Consequently, no modifications to the log files should be permitted, and read access should be granted only to the auditors, for example.

To facilitate analysis of the log files, the database administrator can make use of additional tools which perform monitoring automatically. Such products can, for example, analyse the log files of a database system against specified patterns and raise an alarm when certain conditions are met.
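The following is an added example of such pattern-based monitoring; it is not part of the BSI manual and does not describe any particular database product. It assumes a simple text audit log in which each line carries an ISO timestamp followed by key=value fields (the format, the event names such as LOGIN_FAILED and AUDIT_CONFIG, the administrator list and the thresholds are all assumptions), runs four rules over the log and returns the alarms in log order. The sample log lines are constructed for the example.

```python
"""Pattern-based review of a database audit log with alarms.

Added example; not from the BSI manual or any database vendor. The
key=value log format, the event names and the rule thresholds are all
assumptions made for illustration.
"""
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Alarm = namedtuple("Alarm", "ts rule detail")

# Tunable policy (assumed values; a real deployment takes them from the
# site's security concept).
ADMIN_ACCOUNTS = {"dbadmin"}                 # accounts allowed to grant privileges
ADMIN_EVENTS = {"PRIVILEGE_CHANGE", "AUDIT_CONFIG", "SCHEMA_CHANGE"}
MAINTENANCE_HOURS = range(7, 20)             # 07:00-19:59 local time
FAILED_LOGIN_LIMIT = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
2023-05-14T09:02:11 user=alice host=10.0.0.5 event=LOGIN_OK
2023-05-14T09:05:40 user=bob host=10.0.0.9 event=LOGIN_FAILED
2023-05-14T09:05:52 user=bob host=10.0.0.9 event=LOGIN_FAILED
2023-05-14T09:06:03 user=bob host=10.0.0.9 event=LOGIN_FAILED
2023-05-14T09:06:10 user=bob host=10.0.0.9 event=LOGIN_OK
2023-05-14T09:30:00 user=carol host=10.0.0.7 event=PRIVILEGE_CHANGE object=GRANT_DBA_TO_carol
2023-05-14T23:45:12 user=dbadmin host=10.0.0.2 event=PRIVILEGE_CHANGE object=GRANT_SELECT_ON_payroll
2023-05-14T23:46:30 user=dbadmin host=10.0.0.2 event=AUDIT_CONFIG object=AUDIT_TRAIL_OFF
"""


def parse_line(line):
    """Split '<ISO timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts_text, _, rest = line.partition(" ")
    record = dict(token.split("=", 1) for token in rest.split())
    record["ts"] = datetime.fromisoformat(ts_text)
    return record


def analyse(log_text):
    """Run the rule set over the log and return the alarms in log order."""
    alarms = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failed logins

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ts, user, event = rec["ts"], rec["user"], rec["event"]

        # Rule 1: repeated failed logins for one account inside a sliding window.
        if event == "LOGIN_FAILED":
            window = recent_failures[user]
            window.append(ts)
            while ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_LIMIT:
                alarms.append(Alarm(ts, "brute-force",
                                    f"{len(window)} failed logins for {user} "
                                    f"within {FAILED_LOGIN_WINDOW}"))
                window.clear()  # report once per burst

        # Rule 2: privilege changes by an account that is not a known administrator.
        if event == "PRIVILEGE_CHANGE" and user not in ADMIN_ACCOUNTS:
            alarms.append(Alarm(ts, "unauthorised-privilege",
                                f"{user} changed privileges: {rec.get('object', '?')}"))

        # Rule 3: administrative activity outside the maintenance window.
        if event in ADMIN_EVENTS and ts.hour not in MAINTENANCE_HOURS:
            alarms.append(Alarm(ts, "off-hours-admin",
                                f"{event} by {user} at {ts.time()}"))

        # Rule 4: any change to the audit configuration, since switching
        # auditing off is how an intruder conceals later activity.
        if event == "AUDIT_CONFIG":
            alarms.append(Alarm(ts, "audit-tampering",
                                f"{user} changed audit settings: {rec.get('object', '?')}"))

    return alarms


if __name__ == "__main__":
    for alarm in analyse(SAMPLE_LOG):
        print(f"{alarm.ts.isoformat()} [{alarm.rule}] {alarm.detail}")
```

On the constructed sample this yields five alarms: one for the burst of failed logins by bob, one for the privilege grant by the non-administrator carol, two for administrative actions by dbadmin late at night, and one for the audit trail being switched off. The last case deserves the highest priority, because it is exactly the step an intruder takes to conceal subsequent activity; the rule deliberately fires even when the account is a legitimate administrator, so that the auditor rather than the administrator decides whether the change was justified.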

Additional measures which need to be observed in this context are stated in S 2.64 Checking the log files.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999