> Performance reasons might be of the past.
> There are non-intrusive DB auditing solutions out there that
> are very low on maintenance and have zero impact on performance.
> These solutions do not work off of the DB server. Instead, they
> monitor the network traffic directed to and from the DB server
> and they sit on an appliance of their own.

In every DB audit/monitoring case I have participated in or had extensive discussions about, everyone wanted to monitor local admin activity. This is a key issue for audit controls, and since all DB auditing, I believe, is always compliance driven, if you can't cover on-the-box admin access, it's not worth implementing one of these in-line app layer appliances.

The in-line solutions also typically only cover SQL traffic they can see. There is a lot that goes on with a DB, as you know, including stored procedures, triggers, job automation, etc. The in-line appliances have a variety of ways to address this, but their solutions are never complete and always intrusive (e.g. they need to log into the DB). If you cannot be 100% passive and you lack coverage, I haven't seen a customer yet adopt the in-line solution for DB auditing. The only reason I've seen in-line SQL monitoring is for SQL injection coverage for very large web server farms (an IDS role rather than compliance).

Performance usually is not a problem once you intelligently identify the compliance controls. Each auditor has different requirements (which makes life hard for log analysis), but in no case have I had an auditor tell us "monitor everything". Usually the "performance issue" is first raised by the DBAs at project introduction. Once they accept the compliance mandate and realize we only have to monitor a subset of transactions, it doesn't become as much of an issue.

What I'm suggesting to answer Anton's original question is that DB auditing is not "hot" because it won't be championed by internal users. DBAs implement it reluctantly. It requires a compliance mandate and even then encounters various levels of resistance. When you look at other log analysis projects (such as security event monitoring or log aggregation), you'll find other internal champions where none exists for DB auditing.

YMMV.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Wed Mar 21 2007 - 10:23:36 PST