The Challenge Often with sensitive information, you need to have an audit log. Not just that a table had a select run, but that specific cells within the table were accessed. Frequently data such as this will contain a classification level as part of the row, defining policies for how it is handled, audited, etc.… Facebook Twitter LinkedIn
10 Older Entries »
Use MySQL Enterprise Audut plugin to track data changes on specific tables.Scripts and documentation on github: https://github.com/wwwted/Database-change-trackingTracked data (audit logs) can then be inserted into reporting db using parser scripts.Limitations:
- Changing tracking rules stopps all tracking for existing connections until the reconnect. This is a limitation in MySQL EE Audit filter handling.
- No filtering for different users, easy to implement if needed in change_tracking.sql SP (START/STOP).
- Only tracking INSERT/UPDATE/DELETE statements. Easy to modify if needed.
As a spin-off from the previous post, https://mysqlmed.wordpress.com/2018/08/23/get-the-auditors-in/, I thought that it would be good to see how well the Audit plugin upgrades to MySQL 8. The big change in auditing is that the tables change from MyISAM to InnoDB, so keep your eyes open.
I’m using the previously used instance in version 5.7.18.
Before we do anything, let’s make sure auditing will be in place when we restart the instance with 8.0.12:
Uncomment the plugin-load & audit-log params we had originally commented out. After all, this is something we should have done in the last post (apologies!):
vi my_audit.cnf: .. [mysqld] plugin-load =audit_log.so audit-log =FORCE_PLUS_PERMANENT ..
Restart the 5.7 instance so we upgrade from a rebooted / ‘as real as can be …[Read more]
Here I have been looking into using the MySQL Enterprise Edition Audit Log plugin for 5.7. We have many options to audit (filters, encryption, compression, Workbench, rotation & purging, viewing the log, etc.) and it’s quite clear cut on what we’re auditing and not when active.
If you’re looking to go deep into the Audit Plugin, as part of the Enterprise Edition, you’ll want to look at the following Support note:
And if you’re looking for other Audit Plugin examples, I’d recommend Tony Darnell’s blog post:
Oracle has done a great technical work with MySQL. Specifically a nice job has been done around security. There is one useful feature that exists in Oracle MySQL and that currently does not exist in MariaDB. Oracle MySQL offers the possibility from within the server to generate asymetric key pairs. It is then possible use ...continue reading "Porting this Oracle MySQL feature to MariaDB would be great ;-)"
In order to spot database misuse and/or to prove compliance to popular regulations including GDPR, PCI DSS, HIPAA, ... database administrators can be required to record and audit database activities. In this fifth episode of the MySQL Security series, we will see what MySQL Enterprise Audit provide to help organizations implement stronger security controls and satisfy regulatory compliance.
In 2017 we have welcomed many new customers into the Percona fold. It’s always interesting to find out what challenges the Percona team helped them to address and how they chose their relationship with Percona. As unbiased champions of open source database software, our consultancy, support and managed services staff apply their expertise across a wide range of technologies. Here are just a few stories from the past year.
Scaling applications on Amazon RDS the right way
Specializing in on-demand transportation services, Grab needed a high-availability, high performing database engine to serve their rapidly growing application. Grab operates in over 30 densely populated …[Read more]
Running out of disk space is something which, of course, should
never happen as we all setup monitoring and alerting and only run
well behaved applications. But when it does happen we want things
to fail gracefully.
So what happens when mysqld runs out of disk space?
The answer is: It depends
- It might start to wait until disk space becomes available.
- It might crash intentionally after a 'long semaphore wait'
- It might return an error to the client (e.g. 'table full')
- It might skip writing to the binlog (see
What actually happens might depend on the filesystem and
Fixing the disk space issue can be done by adding more space or cleaning up some space. The later can often be …
Security auditing plays important role in the process of securing a database system. Thanks to the MySQL Enterprise Audit extension, we can record all activities, such as client connections and execution of queries into a single log file, for later inspection.…
Knowing which privileges a given account has is easy – just issue SHOW GRANTS FOR user@host. But what about when you need visibility into privileges from the other direction – which accounts can access specific data? If you’re a DBA – or perform DBA duties, regardless of your title – you may have been asked this question. It’s an important question to ask in an audit or compliance review – but it can be a difficult question to answer. This post will walk through how to assess this, but if you’re impatient and need answers to this question immediately, jump to the end – there’s a simple shortcut.
Things to consider
There are a few things you’ll want to consider about the implementation of the MySQL privilege system as you try to sort out who has access to certain data.
MySQL can restrict privileges based on operations – somebody who has …[Read more]
10 Older Entries »