forensic audit logging for postgresql
play

Forensic Audit Logging for PostgreSQL Moshe Jacobson - PowerPoint PPT Presentation

Dec 20, 2023 •364 likes •977 views

Forensic Audit Logging for PostgreSQL Moshe Jacobson http://cyanaudit.neadwerx.com The Situation Data is mysteriously wrong/missing Legal is asking for records Who, when, how? How to respond? CYA with proof! Application-Level

  1. Forensic Audit Logging for PostgreSQL Moshe Jacobson http://cyanaudit.neadwerx.com

  2. The Situation • Data is mysteriously wrong/missing • Legal is asking for records • Who, when, how? • How to respond? • CYA with proof!

  3. Application-Level Logging • Explicit • Tedious • Easy to miss something • Not always consistent • Increases development time • Better alternative?

  4. Database-Level Logging • pg_audit https://github.com/jcasanov/pg_audit • pgtrail http://code.google.com/p/pgtrail/ • tablelog http://pgfoundry.org/projects/tablelog/ • Audit trigger 91plus http://wiki.postgresql.org/wiki/Audit_trigger_91plus • Half-baked home-grown solutions? • I wanted something better.

  5. Our Application • 80,000 users • 1TB database • 450 tables, 3200 columns • 14 million daily page requests • 8.5 million daily database updates • 99.999% uptime SLA

  6. Wishlist • Extension-based • Space-efficient, organized logging • Per-column control of logging • Attach descriptions to events • Scalability to years’ worth of logs • Export / import between log & files • Automated log maintenance • Easy recovery from mistakes

  7. Cyan Audit - Logged Data • Timestamp • Name of table & column modified • Integer PK of row modified • You do have integer surrogate PKs, right?? • Application-level userid of responsible user • Transaction ID • Application-supplied description • Operation type ('I', 'U', 'D') • Old and new values (stored as text)

  8. Installation – Part I • Unpack extension tarball, “make install” • Configure custom_variable_classes in postgresql.conf (9.1 only): custom_variable_classes = 'cyanaudit' • Create extension db=# create schema cyanaudit; db=# create extension cyanaudit schema cyanaudit; • Set up logging triggers db=# select cyanaudit.fn_update_audit_fields(); • Now you’re logging!

  9. Installation – Part II • Install cron jobs to rotate and archive logs • Set your database-specific settings alter database mydb set cyanaudit.archive_tablespace = 'big_slow_drive'; ... set cyanaudit.user_table = 'users'; ... set cyanaudit.user_table_uid_col = 'entity'; ... set cyanaudit.user_table_username_col = 'username'; ... set cyanaudit.user_table_email_col = 'email_address'; • Add cyanaudit schema to database search path alter database mydb set search_path = public, cyanaudit;

  10. Post-installation

  11. Post-installation

  12. Selecting what to log • Upon installation, all fields are enabled • Consider high traffic fields • tb_audit_field has one row per table/column • " active " boolean controls logging for a column • select fn_update_audit_fields() reindexes fields after DDL • Disable logging for a session: set cyanaudit.enabled = 0

  13. Selecting what to log

  14. Selecting what to log

  15. Selecting what to log

  16. Selecting what to log

  17. Selecting what to log

  18. Selecting what to log

  19. Querying the audit log View: vw_audit_log • Columns: recorded | uid | user_email | txid | description | table_name | column_name | pk_val | op | old_value | new_value • Millions of rows accumulate quickly • E specially when you’re doing admin work and forget to turn off logging… • Use indexed columns when querying: recorded, table_name + column_name, txid

  20. Example

  21. Example

  22. Example

  23. Reconstructing Queries View: vw_audit_transaction_statement Reconstructs queries effectively equivalent to original DML Columns: txid | recorded | email | description | query

  24. Reconstructing Queries

  25. Reconstructing Queries

  26. When You F*** Up… • We can reconstruct queries… Why not reverse them? • fn_undo_transaction(txid) Undoes recorded changes for txid • fn_get_last_audit_txid() Gives txid of last logged transaction • select fn_undo_last_transaction() Combines two functions above.

  27. When You F*** Up

  28. When You F*** Up

  29. Application Integration How DBAs see application code:

  30. Application Integration • Don't want to? Don't have to! • Two modifications if you want: • Attach UIDs to transactions • Attach descriptions to transactions

  31. Attaching UIDs to DML • fn_set_audit_uid(uid) • Match current_user to user_table_username_col • Otherwise, assume 0

  32. Attaching UIDs to DML

  33. Attaching UIDs to DML

  34. Attaching UIDs to DML

  35. Attaching UIDs to DML

  36. Attaching UIDs to DML

  37. Attaching UIDs to DML

  38. Attaching UIDs to DML

  39. Attaching UIDs to DML

  40. Attaching UIDs to DML

  41. Attaching UIDs to DML

  42. Attaching UIDs to DML

  43. Labeling transactions • Not everyone understands the schema. • Let's help them out. • Two functions for labeling transactions: fn_label_audit_transaction(label, txid) fn_label_last_audit_transaction(label)

  44. Labeling transactions

  45. Labeling transactions

  46. Log Rotation/Archival • You’re gonna run out of space eventually. • What is the solution?

  47. Log Rotation/Archival

  48. Log Rotation/Archival

  49. Log Rotation/Archival

  50. Log Rotation/Archival

  51. Log Rotation/Archival

  52. Log Rotation/Archival

  53. Log Rotation/Archival

  54. Log Rotation/Archival

  55. Log Rotation/Archival

  56. Log Rotation/Archival

  57. Log Rotation/Archival • cyanaudit_log_rotate.pl Log entries since last rotation become a new child partition of parent table tb_audit_event. • cyanaudit_dump.pl Back up audit data, remove old tables. • cyanaudit_restore.pl Restore dumps created with cyanaudit_dump.pl

  58. Wishlist – Nailed it! • Extension-based • Space-efficient, organized logging • Per-column control of logging • Attach descriptions to events • Scalability to years’ worth of logs • Export / import between log & files • Automated log maintenance • Easy recovery from mistakes • Plus: Released under PostgreSQL license

  59. Cyan Audit Caveats • PostgreSQL version compatibility: • >= 9.3.3: All features supported • < 9.3.3: No DDL triggers. After any DDL you must select fn_update_audit_fields() • < 9.2.0: Must modify postgresql.conf with custom_variable_classes = cyanaudit • < 9.1.7: Not supported • Logs only tables with integer PK. • Logs only public schema. • Truncates are not logged. • Does not store original SQL.

  60. Cyan Audit Challenges • Proper behavior with pg_dump/pg_restore • Log tables using OID as PK • Log tables in other schemas than public • Amazon RDB – non-extension version? • Automatic testing • Leverage 9.4’s logical replication • Wide use, inclusion with PostgreSQL core! YEAAH!

  61. Questions? Comments? Moshe Jacobson moshe@neadwerx.com Download: http://cyanaudit.neadwerx.com Thanks to Nead Werx, my employer, for sponsoring the development of Cyan Audit.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays

GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays

GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays Entity Thursday, October 27, 2016 PRESENTER : COLLIN A. A. GREENLAND, Forensic Accountant, MBA, FJIM, CFE, CFSA, CFC. 1 To Sensitize /

1.12k views • 88 slides
Secure Audit Logging Systems Secure Audit Logging Systems Richard Kramer, Member IEEE Oregon

Secure Audit Logging Systems Secure Audit Logging Systems Richard Kramer, Member IEEE Oregon

Secure Audit Logging Systems Secure Audit Logging Systems Richard Kramer, Member IEEE Oregon State University 1 How does someone know they have been HACKED!? and WHO did it!? HACKED!? and WHO did it!? 2 Audit Logs in the News!

701 views • 51 slides
Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant chores facing information security professionals. Chapter 11 tedious, time-consuming, boring Lecturer: Pei-yih Ting 1 Overview Configuring Logging

401 views • 7 slides
Electronic Logging Devices (ELDs) Reviewing the capabilities of an ELD for use during an audit

Electronic Logging Devices (ELDs) Reviewing the capabilities of an ELD for use during an audit

Electronic Logging Devices (ELDs) Reviewing the capabilities of an ELD for use during an audit Presenter: Soona Lee What well cover today 1. A quick recap on the ELD mandate 2. The key differences between ELD and IFTA record keeping

413 views • 16 slides
Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows Shiqing Ma , Kyu

Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows Shiqing Ma , Kyu

Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows Shiqing Ma , Kyu Hyung Lee, Chung Hwan Kim, Junghwan Rhee, Xiangyu Zhang, Dongyan Xu Advanced Cyber Attacks (e.g. APTs): What can we do? Defense! Firewall

257 views • 21 slides
Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows Shiqing Ma, Kyu

Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows Shiqing Ma, Kyu

Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows Shiqing Ma, Kyu Hyung Lee, Chung Hwan Kim, Junghwan Rhee, Xiangyu Zhang, Dongyan Xu (ACSAC 15) Presented by Noor Michael CS 563 (Fall 2018) Motivation

399 views • 19 slides
PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core

PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core

PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core team: https://www.postgresql.org/community/contributors/ Large Users: https://www.postgresql.org/about/users/ Case Studies:

517 views • 7 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
PostgreSQL SQL-MED Ibrar Ahmed Senior Software Engineer @ Percona PostgreSQL Consultant What?

PostgreSQL SQL-MED Ibrar Ahmed Senior Software Engineer @ Percona PostgreSQL Consultant What?

PostgreSQL SQL-MED Ibrar Ahmed Senior Software Engineer @ Percona PostgreSQL Consultant What? Is an relational database Licence PostgreSQL: Released under the PostgreSQL management system (RDBMS) License. (Similar to the BSD or MIT)

232 views • 10 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business, one of the things that you have to do is to learn about heavy equipment. Robert VanNatta, Logging History of Columbia County Database Management

534 views • 26 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
City of Claremont WHAT ARE FORENSIC AUDITS? PRESENTED BY New VACHON, CLUKAY &amp; COMPANY PC

City of Claremont WHAT ARE FORENSIC AUDITS? PRESENTED BY New VACHON, CLUKAY &amp; COMPANY PC

City of Claremont WHAT ARE FORENSIC AUDITS? PRESENTED BY New VACHON, CLUKAY &amp; COMPANY PC Hampshire Presented August 14, 2019 What is a Financial Audit? A financial audit is an independent objective evaluation of the Citys

489 views • 9 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
How to FAIL at Agiel Lee Elliott We are agile, we stand up! Let me check my notes Here are

How to FAIL at Agiel Lee Elliott We are agile, we stand up! Let me check my notes Here are

How to FAIL at Agiel Lee Elliott We are agile, we stand up! Let me check my notes Here are the issues I found and we will discuss during this retrospective. Time to retro, sit down, shut up and write some notes We are too busy to have

401 views • 14 slides
SO SOMEDANISH PERSPEC ECTIVES ES Report for the Villum founda tion on the sta tus on the Da

SO SOMEDANISH PERSPEC ECTIVES ES Report for the Villum founda tion on the sta tus on the Da

SO SOMEDANISH PERSPEC ECTIVES ES Report for the Villum founda tion on the sta tus on the Da nish Ma rine Wa ters, including the use Some exa mples AARHUS A U UNIVERSITET INSTITUT FOR MILJVIDENSKAB 1 Fish landings, Denmark AARHUS A U

618 views • 17 slides
&quot;Lessons from Busting Organizational Silos&quot; Presented by: Tricia Broderick Santeon

&quot;Lessons from Busting Organizational Silos&quot; Presented by: Tricia Broderick Santeon

AT9 Concurrent Session 11/14/2013 3:45 PM &quot;Lessons from Busting Organizational Silos&quot; Presented by: Tricia Broderick Santeon Group Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 888 268 8770 904

575 views • 22 slides
AGRICHEMICAL AGRICHEMICAL RELEASE REPORTING RELEASE REPORTING Susan Parker Susan Parker

AGRICHEMICAL AGRICHEMICAL RELEASE REPORTING RELEASE REPORTING Susan Parker Susan Parker

Agrichemical Release Reporting AGRICHEMICAL AGRICHEMICAL RELEASE REPORTING RELEASE REPORTING Susan Parker Susan Parker Michigan Michigan SARA Title III SARA Title III Program Program January 2010 January 2010 1 1 WHAT IS A

500 views • 19 slides
Leadership Workshop Dale MacPhee, General Manager, Waldorf Astoria Edinburgh The Caledonian

Leadership Workshop Dale MacPhee, General Manager, Waldorf Astoria Edinburgh The Caledonian

Leadership Workshop Dale MacPhee, General Manager, Waldorf Astoria Edinburgh The Caledonian Valerie Lederer, Marketing Executive, Criton Presentation Topics &amp; Discussions Manager or Leader What Makes a Great Leader? Leadership

404 views • 26 slides
Spurring Change Driving NPC Process Improvement Against the Odds Amy H. Kimball | CEO, BVARI

Spurring Change Driving NPC Process Improvement Against the Odds Amy H. Kimball | CEO, BVARI

Spurring Change Driving NPC Process Improvement Against the Odds Amy H. Kimball | CEO, BVARI Daniel Norton | Entrepreneur &amp; Startup Advisor NAVREF Annual Meeting 2019 Image Source: https://images.app.goo.gl/fiFKn2JhEwiXpSVP9 Background

628 views • 41 slides
GENERAL SERVICES DEPARTMENT FY17 APPROPRIATION REQUEST Edwynn Burckle, Cabinet Secretary GSD

GENERAL SERVICES DEPARTMENT FY17 APPROPRIATION REQUEST Edwynn Burckle, Cabinet Secretary GSD

GENERAL SERVICES DEPARTMENT FY17 APPROPRIATION REQUEST Edwynn Burckle, Cabinet Secretary GSD Budget Bureau December 7, 2015 2 GSD Vision To be a national leader in strategic public sector support services. Mission To deliver innovative,

618 views • 17 slides
Health Poverty Action Experiences and Achievements in Malaria Control in Communities (January to

Health Poverty Action Experiences and Achievements in Malaria Control in Communities (January to

Health Poverty Action Experiences and Achievements in Malaria Control in Communities (January to December 2012) Coverage Areas: Preah Vihea and Ratanakiri Provinces) Date: 21-22 March 201 3 Agendas Introduction Main Activities

191 views • 17 slides

More recommend