1. Field
The present disclosure relates to database auditing. More specifically, the present disclosure relates to a method for non-deterministic audit log protection.
2. Related Art
Database auditing allows a database to monitor actions of database users for security purposes. Typically, database auditing involves creating an audit log file to record various database operations. However, protecting database audit logs is difficult. Audit logs can be modified or deleted by both malicious attackers and accidental mistakes from users.
One way to prevent tampering with audit logs is to apply access control to an audit log file. The database system checks an access control list to determine whether a user has proper privilege to access the audit log. Another way to protect audit logs is to digitally sign the audit log with a private key from time to time. Hence, the signed audit log cannot be altered without the proper private key. The digital signatures of the audit log can also be secured. This way, the audit logs can be read-only and no one should be able to meaningfully modify them.
However, these solutions have a common problem—there is often a “vulnerability window” of opportunity to attack prior to an audit log being signed or protected by access controls (and complete access controls may not be possible). During the vulnerability window, collected audit information is recorded in the audit log, but the audit log is not protected by access control or digital signatures. Thus, during the vulnerability window, an attacker can access and alter the audit log without proper privilege or private key. To solve the “vulnerable window” problem, some systems choose to sign the audit log as soon as the audit information is recorded in the audit logs. Nevertheless, such practice compromises the database system's performance.