2.18.1 Overview of the audit trail facility
Information about activity by HADB users, such as database access and command execution, is recorded and output to a file called an audit trail file. The facility that outputs this information is called the audit trail facility. The records of access and operation output by this facility are called an audit trail.

For example, when an HADB user accesses a table, information about the operations they perform is output as an operation record (audit trail). This might include the time at which the user accessed the table, their authorization identifier, the operations they performed, and the schema object on which they performed the operations. By viewing the output audit trail, an auditor can find out information such as who accessed what schema object at what time, and what operations they performed.

The following are examples of the ways in which audit trails might be used:
- When auditing database usage, audit trails can be used to investigate the operations performed by a specific database user.
- When a security incident occurs, audit trails can be used to investigate the cause, or find out what data might have been divulged.
The following figure provides an overview of the audit trail facility.
Explanation
- An operation record is output to an audit trail file when an HADB user performs an operation such as searching or updating a table, or executing a command.
- When auditing database usage, the person performing the audit (the auditor) can use the audit trail information as part of their investigation. An audit trail can also be used as a resource when looking into the cause of a security incident.
When using a database system, you need to conduct regular audits to ensure that no unauthorized use of the database is taking place, and that the security policy is being followed. Audit trails serve as evidentiary material for auditors conducting such regular audits.
Note
- The audit trail facility is not a facility that directly enhances security. Its purpose is to help assess whether the database is being used appropriately and in keeping with the security policy. Use of the audit trail facility does not necessarily prevent database users from engaging in unauthorized activity. However, simply knowing that auditors are using the audit trail facility to monitor database usage could be enough to discourage users with malicious intent. Therefore, the audit trail facility can be seen to have a role in enhancing overall security.