[logs] Re: on database logging

Tina Bird tbird at precision-guesswork.com
Wed Mar 28 21:47:01 PDT 2007


 
> I would prefer if application programmers would map the users at the
> application layer of a web application to a database user. I would
> prefer if the RBAC groups implemented in that application were
> manifested in the database as well. Finally I would prefer if the groups
> of logical operations that the groups of users were mapped back into the
> database also.
>
> With phpBB, all application users connect to the backend database as
> user phpbbuser (or whatever I happen to configure). That "phpbbuser"
> will have the superset of database access privileges that admins,
> moderators, validated users, unvalidated users, suspended users require.
>
> This application cannot do fine-grained access control at the
> database layer. The control objectives I see in ISO 17799 and other
> standards assume that it can.

And HIPAA. Don't forget HIPAA. I have been blithely making statements along
the lines of "medical applications need to be able to record every write,
change, read or delete to an electronic medical record at a per-user level"
for years, until it finally sank in (a year or so ago) that the vast
majority of DB applications -- including those with Web front ends -- did
generic authentication "to the database." No hope of individual
accountability.

This discussion brings me back to one of my persistent chants, when it comes
to logging -- the end users (in this case, the sys admins and auditors who
must demonstrate compliance to laws) have *got* to provide the technical
requirements to the developers for more detailed auditing; systems have to
be architected and maintained to support the additional strain created by
the logging.

Does anyone have any numbers on the additional CPU load (or performance hit)
created by this level of auditing in a high-load DB environment? And then,
of course, we can worry about how much worse the performance gets if we
insist that user credentials and authorization tokens are suitably
encrypted...

cheers -- tbird

p.s. Wynn, I am still laughing about your last posting:

"IT systems often do not fit into simple little boxes and
that is part of the problem. We build cloverleafs at dirt-road
intersections to avoid teaching people about the 4-way stop."

What a *perfect* description.


