Database audit trail

  • Hi,

    My app has a couple of database tables that contain credit card cardholder data and we are under PCI audit. One of the tasks I need to complete is to create a database audit trail of who, what and when for anyone performing an action on these tables (like dumping cardholder data to steal it, inserting, deleting or updating any row, or dropping the whole table). Is there any tool that you could recommend for this? Thanks

  • Use DDL and DML triggers to log these actions.

  • You can use a trigger to log inserts, updates and deletes. There's no way to audit selects though, not within SQL directly. Books Online gives a good overview of trigger creation. Just note that it will slow down inserts, updates and deletes a little.

    If you have SQL 2005, you can use a DDL trigger to prevent or log table alterations, but those aren't available in SQL 2000. Best suggestion there is to lock your security down so that only a very few (DBAs) have access to modify tables.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Thanks for all your answers. I know triggers can log inserts, updates and deletes, but we are required to log selects as well. I searched and found there is AuditDB from Lumigent, but it costs $10K. Just wondering if anyone else knows a cheaper solution.

  • I would recommend strongly that nobody has direct access to these tables. If all access is through stored procedures, you have full security control and can implement whatever logging you want. ... and nobody can implement an injection attack to do something like SELECT * FROM dbo.CreditCardData !!
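The two approaches suggested in this thread (a DML trigger for writes, and stored-procedure-only access so that reads can be logged too), sketched as an added T-SQL example for SQL Server 2005 or later. It is not code from any of the posters; apart from dbo.CreditCardData, every table, column, procedure and role name is an assumption, and CardId is assumed to be a primary key that is never updated.

```sql
-- Constructed example schema: column, audit table, procedure and role names are assumptions.
CREATE TABLE dbo.CreditCardData (
    CardId         INT           PRIMARY KEY,
    CardholderName NVARCHAR(100) NOT NULL,
    PanLast4       CHAR(4)       NOT NULL
);
CREATE TABLE dbo.CardDataAudit (
    AuditId    INT IDENTITY(1,1) PRIMARY KEY,
    EventTime  DATETIME      NOT NULL DEFAULT GETDATE(),      -- when
    LoginName  NVARCHAR(128) NOT NULL DEFAULT SUSER_SNAME(),  -- who (caller's login)
    HostName   NVARCHAR(128) NULL     DEFAULT HOST_NAME(),    -- client-reported, can be spoofed
    ActionType VARCHAR(10)   NOT NULL,                        -- what: SELECT/INSERT/UPDATE/DELETE
    CardId     INT           NULL
);
GO

-- Writes: one audit row per affected row, whichever statement touched the table.
CREATE TRIGGER dbo.trg_CreditCardData_Audit
ON dbo.CreditCardData
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.CardDataAudit (ActionType, CardId)
    SELECT CASE WHEN d.CardId IS NULL THEN 'INSERT'
                WHEN i.CardId IS NULL THEN 'DELETE'
                ELSE 'UPDATE' END,
           COALESCE(i.CardId, d.CardId)
    FROM inserted i
    FULL OUTER JOIN deleted d ON d.CardId = i.CardId;
END;
GO

-- Reads: the only path to the data is a procedure that logs before it returns rows.
CREATE PROCEDURE dbo.usp_GetCard @CardId INT
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.CardDataAudit (ActionType, CardId) VALUES ('SELECT', @CardId);
    SELECT CardId, CardholderName, PanLast4
    FROM dbo.CreditCardData
    WHERE CardId = @CardId;
END;
GO

-- The application role gets EXECUTE only; no permission on either table is granted to it.
CREATE ROLE CardAppRole;
GRANT EXECUTE ON dbo.usp_GetCard TO CardAppRole;
```

Audit rows written by the trigger are part of the caller's transaction, so they roll back with it. Members of sysadmin or db_owner can still read the table directly or disable the trigger, so this covers application accounts rather than DBAs.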

  • When you HAVE to audit selects: there are cheaper solutions for DDL auditing, but we looked around and only Lumigent AuditDB offered the right technology approach and could also audit SELECTs for PCI compliance. Their partner in the UK is SolutionData Ltd; they provide all UK support and offered a discount on our licence purchase. The new V5 platform is much improved on V2.x.
