Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensic Audit Logging for PostgreSQL

Published byEthan Pearson Modified over 9 years ago

Similar presentations

Presentation on theme: "Forensic Audit Logging for PostgreSQL"— Presentation transcript:

1 Forensic Audit Logging for PostgreSQL
Moshe Jacobson

2 The Situation Data is mysteriously wrong/missing
Legal is asking for records Who, when, how? How to respond? CYA with proof! Data wrong due to: race conditions; uncaught error conditions; unpredictable customers; heisenbugs Customer/boss looking for scapegoat Data went missing and you have no proof it was there? Restore a backup to find it? Forgetaboutit Is it a bug? Stories?

3 Application-Level Logging
Explicit Tedious Easy to miss something Not always consistent Increases development time Better alternative? Do you add logging as you go? Or afterward? Tell about event tables, meta fields. Different places logging same event differently!

4 Database-Level Logging
pg_audit pgtrail tablelog Audit trigger 91plus Half-baked home-grown solutions? I wanted something better. Note last updated timestamps here.

5 Our Application 80,000 users 1TB database 450 tables, 3200 columns
14 million daily page requests 8.5 million daily database updates 99.999% uptime SLA

6 Wishlist Extension-based Space-efficient, organized logging
Per-column control of logging Attach descriptions to events Scalability to years’ worth of logs Export / import between log & files Automated log maintenance Easy recovery from mistakes

7 Cyan Audit - Logged Data
Timestamp Name of table & column modified Integer PK of row modified You do have integer surrogate PKs, right?? Application-level userid of responsible user Transaction ID Application-supplied description Operation type ('I', 'U', 'D') Old and new values (stored as text)

8 Installation – Part I Unpack extension tarball, “make install”
Configure custom_variable_classes in postgresql.conf (9.1 only): custom_variable_classes = 'cyanaudit' Create extension db=# create schema cyanaudit; db=# create extension cyanaudit schema cyanaudit; Set up logging triggers db=# select cyanaudit.fn_update_audit_fields(); Now you’re logging! Mention two letter prefixes such as fn_ At end, summarize mandatory vs. optional steps

9 Installation – Part II Install cron jobs to rotate and archive logs
Set your database-specific settings alter database mydb set cyanaudit.archive_tablespace = 'big_slow_drive'; ... set cyanaudit.user_table = 'users'; ... set cyanaudit.user_table_uid_col = 'entity'; ... set cyanaudit.user_table_username_col = 'username'; ... set cyanaudit.user_table_ _col = ' _address'; Add cyanaudit schema to database search path alter database mydb set search_path = public, cyanaudit; Mention two letter prefixes such as fn_ At end, summarize mandatory vs. optional steps

10 Post-installation

11 Post-installation

12 Selecting what to log Upon installation, all fields are enabled
Consider high traffic fields tb_audit_field has one row per table/column "active" boolean controls logging for a column select fn_update_audit_fields() reindexes fields after DDL Disable logging for a session: set cyanaudit.enabled = 0

13 Selecting what to log Mention naming scheme of triggers and that they are created automatically

14 Selecting what to log

15 Selecting what to log

16 Selecting what to log

17 Selecting what to log

18 Selecting what to log

19 Querying the audit log View: vw_audit_log
Columns: recorded | uid | user_ | txid | description | table_name | column_name | pk_val | op | old_value | new_value Millions of rows accumulate quickly Especially when you’re doing admin work and forget to turn off logging… Use indexed columns when querying: recorded, table_name + column_name, txid

20 Example

21 Example

22 Example Extended format not typical!

23 Reconstructing Queries
View: vw_audit_transaction_statement Reconstructs queries effectively equivalent to original DML Columns: txid | recorded | | description | query

24 Reconstructing Queries

25 Reconstructing Queries

26 When You F*** Up… We can reconstruct queries… Why not reverse them?
fn_undo_transaction(txid) Undoes recorded changes for txid fn_get_last_audit_txid() Gives txid of last logged transaction select fn_undo_last_transaction() Combines two functions above. Story of working 3 days straight to fix data error. Can only undo recorded DML Undo not accurate if on out of order

27 When You F*** Up

28 When You F*** Up

29 Application Integration
How DBAs see application code: Scary middleware code!

30 Application Integration
Don't want to? Don't have to! Two modifications if you want: Attach UIDs to transactions Attach descriptions to transactions Scary middleware code!

31 Attaching UIDs to DML fn_set_audit_uid(uid)
Match current_user to user_table_username_col Otherwise, assume 0

32 Attaching UIDs to DML

33 Attaching UIDs to DML

34 Attaching UIDs to DML

35 Attaching UIDs to DML

36 Attaching UIDs to DML

37 Attaching UIDs to DML

38 Attaching UIDs to DML

39 Attaching UIDs to DML

40 Attaching UIDs to DML

41 Attaching UIDs to DML

42 Attaching UIDs to DML

43 Labeling transactions
Not everyone understands the schema. Let's help them out. Two functions for labeling transactions: fn_label_audit_transaction(label, txid) fn_label_last_audit_transaction(label)

44 Labeling transactions

45 Labeling transactions

46 Log Rotation/Archival
You’re gonna run out of space eventually. What is the solution?

47 Log Rotation/Archival

48 Log Rotation/Archival

49 Log Rotation/Archival

50 Log Rotation/Archival

51 Log Rotation/Archival

52 Log Rotation/Archival

53 Log Rotation/Archival

54 Log Rotation/Archival

55 Log Rotation/Archival

56 Log Rotation/Archival

57 Log Rotation/Archival
cyanaudit_log_rotate.pl Log entries since last rotation become a new child partition of parent table tb_audit_event. cyanaudit_dump.pl Back up audit data, remove old tables. cyanaudit_restore.pl Restore dumps created with cyanaudit_dump.pl

58 Wishlist – Nailed it! Extension-based
Space-efficient, organized logging Per-column control of logging Attach descriptions to events Scalability to years’ worth of logs Export / import between log & files Automated log maintenance Easy recovery from mistakes Plus: Released under PostgreSQL license

59 Cyan Audit Caveats PostgreSQL version compatibility:
>= 9.3.3: All features supported < 9.3.3: No DDL triggers. After any DDL you must select fn_update_audit_fields() < 9.2.0: Must modify postgresql.conf with custom_variable_classes = cyanaudit < 9.1.7: Not supported Logs only tables with integer PK. Logs only public schema. Truncates are not logged. Does not store original SQL. Mention bug in – Extension’s sequences not correctly saved in dump/restore Mention bug in Extension’s event triggers not correctly saved in dump/restore

60 Cyan Audit Challenges Proper behavior with pg_dump/pg_restore
Log tables using OID as PK Log tables in other schemas than public Amazon RDB – non-extension version? Automatic testing Leverage 9.4’s logical replication Wide use, inclusion with PostgreSQL core! YEAAH! Mention bug in – Extension’s sequences not correctly saved in dump/restore Mention bug in Extension’s event triggers not correctly saved in dump/restore

61 Questions? Comments? Moshe Jacobson moshe@neadwerx.com
Download: Thanks to Nead Werx, my employer, for sponsoring the development of Cyan Audit.

Download ppt "Forensic Audit Logging for PostgreSQL"

Similar presentations

Yukon – What is New Rajesh Gala. Yukon – What is new.NET Framework Programming Data Types Exception Handling Batches Databases Database Engine Administration.

Yukon – What is New Rajesh Gala. Yukon – What is new.NET Framework Programming Data Types Exception Handling Batches Databases Database Engine Administration.
BY LECTURER/ AISHA DAWOOD DW Lab # 3 Overview of Extraction, Transformation, and Loading.

BY LECTURER/ AISHA DAWOOD DW Lab # 3 Overview of Extraction, Transformation, and Loading.
1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.

1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.

Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
The Audit System for TWS z/OS

The Audit System for TWS z/OS
Introduction to Databases CIS 5.2. Where would you find info about yourself stored in a computer? College Physician’s office Library Grocery Store Dentist’s.

Introduction to Databases CIS 5.2. Where would you find info about yourself stored in a computer? College Physician’s office Library Grocery Store Dentist’s.
Chapter 3: Using SQL Queries to Insert, Update, Delete, and View Data

Chapter 3: Using SQL Queries to Insert, Update, Delete, and View Data
A Guide to Oracle9i1 Advanced SQL And PL/SQL Topics Chapter 9.

A Guide to Oracle9i1 Advanced SQL And PL/SQL Topics Chapter 9.
Using SQL Queries to Insert, Update, Delete, and View Data © Abdou Illia MIS 4200 - Spring 2015 Wednesday 1/28/2015 Chapter 3A.

Using SQL Queries to Insert, Update, Delete, and View Data © Abdou Illia MIS Spring 2015 Wednesday 1/28/2015 Chapter 3A.
Kirkwood Center for Continuing Education Introduction to PHP and MySQL By Fred McClurg, Copyright © 2010 All Rights Reserved. 1.

Kirkwood Center for Continuing Education Introduction to PHP and MySQL By Fred McClurg, Copyright © 2010 All Rights Reserved. 1.
DB Audit Expert v1.1 for Oracle Copyright © 1999-2002 SoftTree Technologies, Inc. This presentation is for DB Audit Expert for Oracle version 1.1 which.

DB Audit Expert v1.1 for Oracle Copyright © SoftTree Technologies, Inc. This presentation is for DB Audit Expert for Oracle version 1.1 which.
Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.

Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.
Linux Operations and Administration

Linux Operations and Administration
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
FireRMS SQL Audit, Archiving & Purging Presented by Laura Small FireRMS Quality Assurance.

FireRMS SQL Audit, Archiving & Purging Presented by Laura Small FireRMS Quality Assurance.
How a little code can help with support.. Chris Barba – Developer at Cimarex Energy Blog:

How a little code can help with support.. Chris Barba – Developer at Cimarex Energy Blog:
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.
Chapter 101. 2 Oracle Server An Oracle Server consists of an Oracle database (stored data, control and log files.) The Server will support SQL to define.

Chapter Oracle Server An Oracle Server consists of an Oracle database (stored data, control and log files.) The Server will support SQL to define.
1. Automate a Secure Historical Data Store with Oracle Total Recall Venky RadhakrishnanKevin Jernigan Database DeveloperSenior Director Product Management.

1. Automate a Secure Historical Data Store with Oracle Total Recall Venky RadhakrishnanKevin Jernigan Database DeveloperSenior Director Product Management.
Sofia, Bulgaria | 9-10 October SQL Server 2005 High Availability for developers Vladimir Tchalkov Crossroad Ltd. Vladimir Tchalkov Crossroad Ltd.

Sofia, Bulgaria | 9-10 October SQL Server 2005 High Availability for developers Vladimir Tchalkov Crossroad Ltd. Vladimir Tchalkov Crossroad Ltd.

Similar presentations

Ads by Google