防止审计表篡改 [英] Prevent audit table tampering

问题描述

我们的数据库中有审计表.此表的记录是使用触发器完成的.

We have audit table in our database. Records to this table are done using triggers.

目前，没有什么可以阻止用户登录数据库服务器、从管理工作室打开表和更改审计表中的数据.

Currently, there is nothing that prevents user to log on to database server, open table from management studio and change data in audit table.

有哪些可能的机制可以防止(或至少检测)审计数据篡改案例?

What are possible mechanisms that can prevent (or at least detect) cases of audit data tampering?

我正在考虑在审计表中添加一列，该列应包含一些基于该行中输入的值计算的哈希值.但是，由于审计是使用触发器完成的，恶意用户可以打开任何触发器并查看计算此哈希值的逻辑.

I'm thinking of adding one column in audit table which should contain some hash calculated based on values that are entered in that row. However, since audit is done using trigger, malicious user could open any trigger and see the logic by which this hash is calculated.

我不够清楚.应用程序用户无权访问数据库.我指的是像数据库管理员这样的用户，对数据库有适当的权限.尽管如此，如果这个数据库管理员登录并有权修改审计表，我希望至少有一些机制来检测这种篡改.

I was not clear enough. Application user does not have access to database. I was referring to some user like DB admin, with appropriate rights on database. Still, if this DB admin logins and has rights to temper with audit table, I would like to have some mechanism to detect this tampering at least.

推荐答案

没有什么可以阻止通过 SQL 管理器访问您的数据库的人更改内容.不过，您可以将其篡改明显.

Nothing can prevent someone accessing your database via SQL manager from changing the contents. You can make it tamper evident though.

基本上你需要使用 HMACs，它们是键控哈希.不幸的是，这导致您需要密钥管理以确保密钥保密，而这在触发器中可能是不可能的.我们使用加密服务来提供密钥管理，但这是通过代码访问的.

Basically you need to use HMACs which are keyed hashes. Unfortunately this leads you to requiring key management to ensure the key stays secret which may not be possible in triggers. We use a cryptographic service to provide the key management but this is accessed from code.

您还需要考虑用户删除记录而不是更改其内容的能力.我们最终得到了两个 HMAC，一个使用记录的内容计算(以对记录进行明显的更改)，第二个使用当前记录 HMAC 和前一行的 HMAC 来使任何行删除篡改明显.

You also need to think about a users ability to delete a record rather than change its contents. We ended up with two HMACs, one calculated using the contents of the record (to make changes to a record evident), the second using the current records HMAC and the HMAC from the previous line to make any line deletion tamper evident.

那么你需要担心删除第一个或最后的x条记录.为此，我们使用始终具有相同内容的尾部和标题记录，如果它们不存在，则表的顶部或底部已被删除.头的组合 HMAC 使用它之后的记录而不是之前的记录(因为之前没有记录).

Then you need to worry about deleting the first or last x records. For this we use a trailer and header record which always have the same contents, if those aren't present then the top or the bottom of the table has been deleted. The combined HMAC of the header uses the record after it rather than the record before (as there is no record before).

当然，如果您要删除旧记录来管理您存储的数据量，则需要一种机制来在删除后添加新的标题记录.

And, of course, if you are going to be deleting old records to manage the amount of data you store you'll need a mechanism to add a new header record after the deletion.

这篇关于防止审计表篡改的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！