如何实现基于上下文的数据库审计?
我当前有一个数据库驱动的应用程序,它有多种访问数据的方法。
- Web 应用程序
- 直接 SQL 访问用户(我正在尝试删除这些)
- 客户端 服务器应用程序
- 批量输入和输出
我需要实现基于上下文的审核,因为当前的数据审核不足以回顾性识别导致数据更改的进程。
我目前正在考虑将数据模型隐藏在 XAPI(事务 API)后面,数据模型上的每个操作都必须提供某种形式的识别关联操作或数据更改原因的形式,这些操作或数据更改将与审核数据本身一起存储。
谁能为我提供一种更好的方法来实现基于上下文的审计,涵盖对数据库的所有访问? 或者甚至指出我目前的方法中我遗漏的任何明显缺陷?
提前致谢。
I have a current DB driven application which has several methods for accessing data.
- Web Application
- Direct SQL Access users (I'm trying to remove these)
- Client Server application
- Batch inputs and outputs
I need to implement context based auditing as the current data auditing is not enough for retrospective identification of what processes caused the data changes.
I am currently thinking of hiding the data model behind XAPIs (Transactional APIs) and each action on the data model will have to supply some form of identifying associated action or reason for the data change which will be stored alongside the audited data itself.
Can anyone offer me a better method for achieving context based auditing that will cover all access into the database?
Or even point out any obvious flaws in my current approach that I have missed?
Thanks in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
这是一篇较旧的帖子,但我仍然想提供一个解决方案,可能对某人有用。
Oracle 为每个会话提供“上下文”变量。在使用连接池连接数据库的应用程序中,Oracle提供了一个名为“CLIENTCONTEXT”的默认命名空间。在该命名空间中,您可以创建诸如 USER ID 之类的变量,并确保在将连接移交给服务器 Web 请求时设置此变量。这样,在数据库内,您可以识别数据库内正在处理哪个“Web 用户”(或称应用程序用户)请求。
例如
dbms_session.set_context('CLIENTCONTEXT',user_id, );
希望有帮助。
This is an older post, but I still want to provide a solution, may be it will be useful for someone.
Oracle provides "context" variables for each session. In an application that uses connection pool to connect to the database, Oracle provides a default namespace called "CLIENTCONTEXT". With in that namespace you can create variables such as USER ID and make sure this variable is set when a connection is handed off to server web requests. This way, inside the database you can identify which "web user" (or app user per say) request is being handled inside the database.
e.g.
dbms_session.set_context('CLIENTCONTEXT',user_id, );
Hope it helps.
我们有一个项目,要求我们提供有关更改内容、更改时间和更改者的详细审核信息。
在我们的例子中,我们所做的是改进我们的 MVC 解决方案,以便在事情发生变化时保留审计跟踪。在这种情况下,我们能够存储辅助信息,例如 Web 用户、IP 等。
此外,我们还启用了 mysql 二进制日志记录,因此我们可以在必要时回滚完整历史记录,并存储有关访问的附加日志以区分来源的变化。
在您的情况下,如果数据库和实际数据库访问之间没有任何层,那么这会有点棘手。因此,我建议创建用于数据操作的 api,它将作为中间层,并为您提供所需的所有控制。
这将为您提供入门指导。
we had a project where we were required to have detailed audit information on what was changed, when and by whom.
in our case, what we did, is improved our MVC solution, to keep audit trail when things were changed. in that situation, we were able to store auxiliary information, such as web user, ip, etc.
additionally we had mysql binary logging enabled, thus we could roll back full history if necessary and given the additional logs stored about accesses to distinguish the source of change.
in your case it would be somewhat trickier, if you don't have any layer between database and actual database accesses. so, I would suggest creating api for operations with data which would work as intermediary layer and would give you all the control you are looking for.
this should give you directions to get started with.
编辑将答案的上下文特定部分添加到底部
上述问题唯一变得棘手的地方是网络应用程序。
这里有一些 T-SQL说明
上下文约束可以直接在审计触发器中实现。
这可能有点油嘴滑舌,但是......
EDIT added context specific portion of answer to bottom
The only place where the above becomes tricky is for the web app.
Here's some T-SQL to illustrate
Context constraints can be achieved directly in the audit triggers.
This may be a little glib but...