Apparatus and method for protecting against data tampering in an audit subsystem
Abstract
A data processing system and method stores a relational database in which audit records are stored without compromising the ability to detect data tampering. The technique provides for detection of unauthorized row modification, row deletion, and row insertion. Extra measures are incorporated to protect from administrator attacks. In addition, the technique enables integrity checking and audit log archiving without having to suspend or bring down the audit subsystem. These on-line capabilities are especially important in mission critical applications which must satisfy the requirement that the application be disabled if the audit subsystem is not functioning properly.
153 Citations
58 Claims
1. A method for protecting against data tampering in an audit subsystem in a data processing system, comprising:
creating an audit log data structure and a system data structure;
assigning a unique serial number to each record in the audit log data structure, the unique serial number increasing monotonically with each new audit record;
storing in the system data structure a first serial number value corresponding to the serial number of the first audit record and a next serial number value corresponding to the next serial number to be assigned in the audit log data structure;
calculating a system integrity value for the system data structure; and
storing the system integrity value in the system data structure.

creating a keystore; and
storing integrity information in the keystore.

4. The method of claim 3, wherein the keystore has associated therewith a password and the integrity information is encrypted using a key derived from the password.

5. The method of claim 3, wherein the integrity information includes a key.

6. The method of claim 5, further comprising:
wherein the system integrity value for the system data structure is calculated using the key.

7. The method of claim 6, wherein the step of storing integrity information in the keystore comprises storing the system integrity value in the keystore.

8. The method of claim 6, wherein the system integrity value comprises a system message authentication code computed for at least one other data item in the system data structure.

9. The method of claim 5, further comprising:
computing for each record in the audit data structure an audit record integrity value using the key.

10. The method of claim 9, wherein the audit record integrity value comprises an audit record message authentication code computed for at least one other data item in the audit record.

11. The method of claim 3, wherein the integrity information includes the first serial number value and the next serial number value.

12. The method of claim 3, wherein the audit log structure and the system data structure are stored as tables in an audit database.

13. The method of claim 12, wherein the integrity information includes database credentials for the audit database.

14. The method of claim 3, wherein the keystore determines whether calling code is trusted code.

15. The method of claim 14, wherein the keystore allows access to the contents of the keystore in response to a determination that the calling code is trusted code.

16. The method of claim 1, further comprising:
computing for each record in the audit log data structure an audit record integrity value; and
storing each audit record integrity value in the corresponding audit record.

17. The method of claim 16, wherein the audit record integrity value comprises an audit record message authentication code computed for at least one other data item in the audit record.

18. The method of claim 1, wherein the audit log data structure and the system data structure are stored as tables in an audit database.

19. The method of claim 18, wherein the audit database is a relational database.

20. The method of claim 18, wherein the audit database further comprises at least one auxiliary table and the system table stores an integrity value for each of the at least one auxiliary table.
21. A method for creating an event record in an audit subsystem in a data processing system, comprising:
creating a new record in an audit log data structure;
receiving a next serial number value from a system data structure;
storing the next serial number value in the new record of the audit log data structure;
incrementing the next serial number value in the system data structure;
calculating an integrity value for the new record of the audit data structure; and
storing the integrity value in the new record of the audit log data structure;
calculating a system integrity value for the system data structure; and
storing the system integrity value in the system data structure.

25. A method for performing an on-line integrity check of an audit subsystem in a data processing system, comprising:
logging into a keystore;
receiving database credentials from the keystore;
accessing an audit database using the database credentials, wherein the audit database includes an audit log table;
querying the audit log table for a range of serial numbers;
receiving a results table of audit records in response to the query; and
performing an integrity check on the audit records in the results table.

receiving an integrity value for the audit record;
recomputing the integrity value; and
comparing the received integrity value and the recomputed integrity value.

28. The method of claim 25, wherein the step of performing an integrity check on the results table comprises determining whether an audit record has been deleted.

29. The method of claim 28, wherein the step of determining whether an audit record has been deleted comprises:
examining the serial numbers of the audit records in the results table; and
identifying a pair of successive audit records that do not have monotonically increasing serial numbers.

30. The method of claim 28, wherein the step of determining whether an audit record has been deleted comprises:
determining whether an audit record is missing at the end of the audit log table.

31. The method of claim 25, wherein the step of querying the audit log table for a range of serial numbers comprises querying the audit log table for records outside the range and wherein the step of performing an integrity check on the results table comprises identifying each record in the results table as an extraneous record.

32. The method of claim 25, wherein the audit database includes a system table that stores integrity information for the audit log table, the method further comprising determining whether the system table has been modified.

33. The method of claim 32, wherein the step of determining whether the system table has been modified comprises:
receiving an integrity value for the system table;
recomputing the integrity value; and
comparing the received integrity value and the recomputed integrity value.

34. The method of claim 32, wherein the integrity information includes an integrity value for the system table and the integrity information is stored in the keystore, the step of determining whether the system table has been modified comprises:
receiving the integrity information from the keystore;
receiving the integrity information from the system table; and
comparing the integrity information received from the keystore with the integrity information received from the system table.

35. The method of claim 25, wherein a system table stores integrity information for an auxiliary table, the method further comprising determining whether the auxiliary table has been modified.

36. The method of claim 35, wherein the step of determining whether the auxiliary table has been modified comprises:
receiving an integrity value for the auxiliary table from the system table;
recomputing the integrity value; and
comparing the received integrity value and the recomputed integrity value.
37. An apparatus for protecting against data tampering in an audit subsystem in a data processing system, comprising:
means for creating an audit log data structure and a system data structure;
means for assigning a unique serial number to each record in the audit log data structure, the unique serial number increasing monotonically with each new audit record; and
means for storing in the system data structure the first serial number and the next serial number to be assigned;
means for calculating a system integrity value for the system data structure; and
means for storing the system integrity value in the system data structure.

means for creating a keystore; and
means for storing integrity information in the keystore.

39. The method of claim 38, wherein the integrity information includes the system integrity value.

40. The method of claim 38, wherein the system integrity value comprises a system message authentication code computed for at least one other data item in the system data structure.

41. The method of claim 37, further comprising:
means for computing for each record in the audit log data structure an audit record integrity value; and
means for storing each audit record integrity value in the corresponding audit record.

42. The method of claim 41, wherein the audit record integrity value comprises an audit record message authentication code computed for at least one other data item in the audit record.

43. The method of claim 37, wherein the audit log data structure and the system data structure are stored as tables in an audit database.

44. The method of claim 43, wherein the audit database is a relational database.

45. The apparatus of claim 43, wherein the audit database further comprises at least one auxiliary table and the system table stores an integrity value for each of the at least one auxiliary table.

46. An apparatus comprising:
a processor; and
a memory electrically connected to the processor, the memory having stored therein a program to be executed on the processor for performing the following steps:
creating a new record in an audit log data structure;
receiving a next serial number value from a system data structure;
storing the next serial number value in the new record of the audit log data structure;
increasing the next serial number value in the system data structure;
calculating an integrity value for the new record of the audit log data structure;
storing the integrity value in the new record of the audit data structure;
calculating a system integrity value for the system data structure; and
storing the system integrity value in the system data structure.
47. An apparatus comprising:
a processor; and
a memory electrically connected to the processor, the memory having stored therein a program to be executed on the processor for performing the following steps:
logging into a keystore;
receiving database credentials from the keystore;
accessing an audit database using the database credentials, wherein the audit database includes an audit log table;
querying the audit log table for a range of serial numbers;
receiving a results table of audit records in response to the query; and
performing an integrity check on the audit records in the results table.

receiving an integrity value for the audit record;
recomputing the integrity value; and
comparing the received integrity value and the recomputed integrity value.

50. The apparatus of claim 47, wherein the step of performing an integrity check on the results table comprises determining whether an audit record has been deleted.

51. The apparatus of claim 50, wherein the step of determining whether an audit record has been deleted comprises:
examining the serial numbers of the audit records in the results table; and
identifying a pair of successive audit records that do not have monotonically increasing serial numbers.

52. The apparatus of claim 47, wherein the step of querying the audit log table for a range of serial numbers comprises querying the audit log table for records outside the range and wherein the step of performing an integrity check on the results table comprises identifying each record in the results table as an extraneous record.

53. An audit system comprising:
an audit client; and
an audit server for receiving audit events from the audit client, the audit server having an audit database, wherein the audit database includes an audit log table for storing an audit event record for each received audit event and a system table for storing integrity information for the audit database, and a keystore, wherein the keystore stores database credentials for the audit database.

54. A data structure embodied on a computer readable medium comprising:
an audit database comprising an audit log table for storing audit event records, at least one auxiliary table, and a system table for storing integrity information for the audit database; and
a keystore for storing integrity information for the system table, wherein the keystore includes application program interface logic for accessing the keystore.

57. A computer program in a computer readable medium for creating an event record in an audit subsystem in a data processing system, comprising:
instructions for creating a new record in an audit data structure;
instructions for receiving a next serial number value from a system data structure;
instructions for storing the next serial number value in the new record of the audit log data structure;
instructions for incrementing the next serial number value in the system data structure;
instructions for calculating an integrity value for the new record of the audit log data structure;
instructions for storing the integrity value in the new record of the audit log data structure;
instructions for calculating a system integrity value for the system data structure; and
instructions for storing the system integrity value in the system data structure.

58. A computer program product in a computer readable medium for creating an on-line integrity check of an audit subsystem in a data processing system, comprising:
instructions for logging into a keystore;
instructions for receiving database credentials from the keystore;
instructions for accessing an audit database using the database credentials, wherein the audit database includes an audit log table;
instructions for querying the audit log table for a range of serial numbers;
instructions for receiving a results table of audit records in response to the query; and
instructions for performing an integrity check on the audit records in the results table.
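The scheme the claims describe (claims 1, 21 and 25 through 36), worked as an added example that is not code from the patent: an in-memory SQLite database stands in for the relational audit database, HMAC-SHA256 for the message authentication codes, and a constant key for the key the claims keep in the keystore. The on-line check reports modified rows, deleted rows (gaps and a truncated tail), inserted rows outside the valid serial range, and a tampered system table.

```python
import hashlib, hmac, sqlite3
KEY = b"constructed-demo-key"  # assumption: stands in for the key the claims keep in the keystore

def mac(*fields):  # message authentication code over a record's other data items
    return hmac.new(KEY, "\x1f".join(map(str, fields)).encode(), hashlib.sha256).hexdigest()

def create_audit_db():
    """Claim 1: audit log table plus a system table holding first/next serial and its MAC."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit_log (serial INTEGER PRIMARY KEY, event TEXT, mac TEXT)")
    db.execute("CREATE TABLE system (first_serial INTEGER, next_serial INTEGER, mac TEXT)")
    db.execute("INSERT INTO system VALUES (1, 1, ?)", (mac(1, 1),))
    return db

def add_event(db, event):
    """Claim 21: take the next serial, write the record with its MAC, bump and re-MAC the system row."""
    first, nxt = db.execute("SELECT first_serial, next_serial FROM system").fetchone()
    db.execute("INSERT INTO audit_log VALUES (?, ?, ?)", (nxt, event, mac(nxt, event)))
    db.execute("UPDATE system SET next_serial = ?, mac = ?", (nxt + 1, mac(first, nxt + 1)))
    return nxt

def integrity_check(db, lo, hi):
    """Claims 25-36: on-line check of serial range [lo, hi]; returns a list of findings, [] if clean."""
    findings = []
    first, nxt, sys_mac = db.execute("SELECT * FROM system").fetchone()
    if sys_mac != mac(first, nxt):  # claim 33: recompute the system table's integrity value
        findings.append("system table modified")
    rows = db.execute("SELECT serial, event, mac FROM audit_log WHERE serial BETWEEN ? AND ? "
                      "ORDER BY serial", (lo, hi)).fetchall()
    expected = lo
    for serial, event, rec_mac in rows:
        if serial != expected:  # claim 29: successive serials are not consecutive, so rows were deleted
            findings.append(f"records {expected}-{serial - 1} deleted")
        if rec_mac != mac(serial, event):  # per-record check: recomputed MAC disagrees, row modified
            findings.append(f"record {serial} modified")
        expected = serial + 1
    if expected <= min(hi, nxt - 1):  # claim 30: log ends before the system table says it should
        findings.append(f"records {expected}-{min(hi, nxt - 1)} deleted at end")
    extra = db.execute("SELECT serial FROM audit_log WHERE serial < ? OR serial >= ?",
                       (first, nxt)).fetchall()  # claim 31: serials outside [first, next) are extraneous
    findings += [f"record {s} extraneous" for (s,) in extra]
    return findings

def demo():  # constructed scenario: clean log, then one modified, one deleted and one inserted row
    db = create_audit_db()
    for e in ("login alice", "read file", "logout alice", "login bob"): add_event(db, e)
    clean = integrity_check(db, 1, 4)
    db.execute("UPDATE audit_log SET event = 'read nothing' WHERE serial = 2")  # row modification
    db.execute("DELETE FROM audit_log WHERE serial = 3")                        # row deletion
    db.execute("INSERT INTO audit_log VALUES (9, 'forged', 'x')")               # row insertion
    return clean, integrity_check(db, 1, 4)
```

An attacker who also rewrites next_serial to hide a truncated tail is caught by the system table MAC, which is why the claims additionally keep a copy of that integrity information in the keystore (claim 34).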
Specification