Auditing DB Activity in IRI Chakra Max

by Donna Davis

One of the most important, and powerful, features of the IRI Chakra Max database firewall is its ability to audit access and activity from all types of connections. Chakra Max supports real-time monitoring and searching in, and subsequent reporting from, these logging categories:

✔ Database – including all SQL activity, plus their origin and graphical trend analyses
✔ System – to review login attempts and terminal commands
✔ FTP – for file transfers to/from the DB
✔ Alert – showing policy-defined alerts and blocks
✔ Approval – to reveal ‘safe SQL’ and other activity requests and their outcome
✔ Statistics – to review defined policies, their status, and enforcement
✔ Client – for DB activity transacted through the Chakra Max client app
✔ Work History – tasks the security administrator configured, performed, or changed
✔ RDP – Windows Terminal Service activity

Chakra Max also provides DBAs, data governance officers, and security teams with valuable information about changes to conditions and data in the databases, as well as what data was actually seen.

Ad Hoc Log Queries

Information in the Chakra Max logs can be queried very granularly in the Search windows. For example, SQL activity revealing user requests, or updates to the database, can be reviewed:

auditing db activity chakra max screenshot 1

Similarly, work history (like the assignment of database users), will show before and after states:

auditing db activity chakra max screenshot 2

auditing db activity chakra max screenshot 3

Similar information can also be reviewed and shared through a number of predefined, or custom-defined, report formats.

auditing db activity chakra max screenshot 4

Chakra Max audit logs also reveal the state of data in the database before and after changes were made, if the policy is set to record it. That same policy can also be configured to issue an alert in the event of a change, and warn a user that their change(s) will be recorded:

auditing db activity chakra max screenshot 5

Once the changes are made, they are accessible in the audit log in summary and detail form:

auditing db activity chakra max screenshot 6

Chakra Max also allows auditors to see the first 64KB of data that a query user (or hacker) saw:

auditing db activity chakra max screenshot 7

The Chakra Max audit log is powered by a columnar, multi-core database called PetaSQL. Managers can fully administer this encrypted database, which is also secure from deletion.

If you have any questions about these and other DB auditing facilities in IRI Chakra Max, please email chakramax@iri.com.