0

How do you configure MySQL users and logging to satisfy SOX auditors?

For example, if you need to log queries and the source of the query for later review by an internal SOX controls group.

Is there an easy way to distinguish queries generated by an application versus those generated by a (potentially malicious) user "logging directly into the database" ?

Are there any 3rd party tools or scripts you've found helpful?

Kieran Tully
  • 143
  • 1
  • 7

1 Answers1

1

Configuration

  • Separate application users from manual human users
  • Use a separate user for each application
  • Whitelist the hosts all users can connect from to the minimum necessary. An application user should only connect from the servers for that application. Manual users should only connect from a limited set of servers which are NOT the application servers.
  • Restrict the privileges of all users to the minimum required, down to the table level
  • Enable the MySQL general query log.
    • This may have a performance impact. If you are already doing replication, the binary log already contains all queries that modify data, which may be sufficient (not sure if the binary log contains the source IP address / user though).
    • If you are in a PCI environment query logs need to be on an encrypted volume or in an encrypted table. Beware that plaintext passed to mysql encryption functions will be logged as part of query!

Tools

  • Lumigent Audit DB
  • SoftTree DB Audit

Links

Kieran Tully
  • 143
  • 1
  • 7