
A method of identifying the real end user for database server's local access

IP.com Disclosure Number: IPCOM000235959D
Publication Date: 2014-Apr-01
Document File: 4 page(s) / 69K

Publishing Venue

The IP.com Prior Art Database

Abstract

According to the latest data breach report, most data breaches are caused by employees. An internal employee might log on to the database server as one user and then change to one or more other users before accessing the database to query sensitive data. Existing database security products can capture not only the SQL queries executed by the internal employee but also the chain of user changes made before the database was accessed. These products have two limitations in capturing that chain of user changes. The first is that when the initial logon to the database server is made from the local machine and the logon account is shared, or has been stolen by an unauthorized user, the product cannot identify the real end user. The second is that the chain of user changes cannot be captured at all if the database session is very short. This disclosure presents methods for identifying the real end user of a database access.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.

Page 01 of 4


Existing database security products can capture not only SQL traffic but also database connection information and the user-id change chain that precedes the connection to the database. For example, before connecting to the database as user 'dbuser1', the user may have changed identity several times: first logging on to the database machine as 'root', then switching to user 'testuser', and finally switching to 'dbuser1'. The user-id change chain is then captured as shown below (Pic 1), as a sequence of (pid, user, command) entries running from the initial logon process down to the database client process.

If the user 'dbuser1' then accesses sensitive information, the uid chain makes it easy to find the real end user who took the information. But if the 'root' account is shared by several administrators, or the root password has been compromised by a malicious user, it is hard to find the real end user when a data breach happens. If more logon information about the original user is recorded alongside the chain, finding the real end user after a breach becomes easier.

The user's logon information, such as the source IP address and the logon timestamp, is stored in the user logon history file (e.g. /var/log/wtmp on Linux), so the logon IP and timestamp can be obtained by reading that file or with a system command, as below. Here the entry is selected by the PID of the initial logon process in the chain (11373 in Pic 1); the columns of `who -u` are user, terminal line, logon time, idle time, PID and the source host in parentheses.

[root@guardrhel12 11475]# who -u |grep 11373
root     pts/2        2014-01-15 11:18   00:23       11373 (9.125.29.3)

Combining the logon IP address with the existing user chain further helps security staff investigate who the real end user is and where that user came from. The improved user-id change chain looks like the one below.

Pic 1 shows the flow chart for obtaining the improved user-id change chain.

Original user-id change chain, as captured by the existing product:

(11373,root,/etc/init)->(3866854,root,/usr/sbin/srcmstr)->(4915264,root,/usr/sbin/sshd)->(26083448,root,sshd: testuser [priv])->(17957046,testuser,sshd: testuser@pts/3)->(11206658,testuser,-ksh)->(21758026,dbuser1,-ksh)->(41287830,dbuser1,dbname)

Improved user-id change chain, with the logon timestamp and logon IP address from the logon history prepended to the initial logon entry:

(2014-01-15 11:18,9.125.29.3,11373,root,/etc/init)->(3866854,root,/usr/sbin/srcmstr)->(4915264,root,/usr/sbin/sshd)->(26083448,root,sshd: testuser [priv])->(17957046,testuser,sshd: testuser@pts/3)->(11206658,testuser,-ksh)->(21758026,dbuser1,-ksh)->(41287830,dbuser1,dbname)

...
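The following is an added worked example of the improved chain described above; it is not code from the disclosure or from any product it mentions. It walks a process table from the database client process up to init to produce the (pid,user,cmd) chain, parses wtmp records to find the logon that owns the session, and prepends that logon's timestamp and source host to the matching chain entry. Everything it reads is constructed inline: the process table (pid -> ppid, user, command) stands in for /proc, and the wtmp bytes are packed in the 384-byte glibc struct utmp layout used on x86_64 Linux. The choice of which PID the login record carries (the login shell, 11206658, rather than 11373 as in the disclosure's own `who -u` example) is an assumption of this sample data.

```python
"""Build the improved user-id change chain: walk the process tree from the
database client process up to init, then attach the logon timestamp and
source host from wtmp to the process that owns the login session."""
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86_64 Linux (384 bytes): ut_type, 2 pad bytes, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv.tv_sec, ut_tv.tv_usec, ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7   # ut_type of a login record
DEAD_PROCESS = 8   # ut_type of the matching logout record


def _cstr(raw):
    """Decode a NUL-padded fixed-width utmp string field."""
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def parse_wtmp(data):
    """Return {ut_pid: login record} for every USER_PROCESS entry in raw wtmp
    bytes. Logout (DEAD_PROCESS) entries are skipped: wtmp is append-only,
    so the login record survives even when the session itself was short."""
    logins = {}
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _id, user, host, _term, _exit, _sess, sec, _usec = fields[:11]
        if ut_type != USER_PROCESS:
            continue
        logins[pid] = {
            "user": _cstr(user),
            "line": _cstr(line),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(sec, timezone.utc),
        }
    return logins


def process_chain(procs, pid):
    """Follow ppid links from `pid` towards init and return
    [(pid, user, cmd), ...] ordered from the root process down to `pid`."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # `seen` guards against ppid loops in bad data
        seen.add(pid)
        ppid, user, cmd = procs[pid]
        chain.append((pid, user, cmd))
        pid = ppid
    chain.reverse()
    return chain


def improved_chain(procs, logins, pid):
    """Render the chain in the disclosure's (pid,user,cmd)->... notation.
    The ancestor nearest init whose pid has a wtmp login record is rendered
    as (timestamp,host,pid,user,cmd); a record with an empty host (console
    logon) is shown as 'local'. Returns (chain_text, login_found)."""
    nodes, tagged = [], False
    for cpid, user, cmd in process_chain(procs, pid):
        rec = logins.get(cpid)
        if rec is not None and not tagged:
            stamp = rec["time"].strftime("%Y-%m-%d %H:%M")
            nodes.append(f"({stamp},{rec['host'] or 'local'},{cpid},{user},{cmd})")
            tagged = True
        else:
            nodes.append(f"({cpid},{user},{cmd})")
    return "->".join(nodes), tagged


def make_utmp_record(ut_type, pid, line, user, host, sec):
    """Pack one struct utmp record (used only to construct sample wtmp bytes)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


# Constructed process table modelled on the chain in the disclosure:
# pid -> (ppid, user, command). A live tool would read /proc/<pid>/status.
PROCS = {
    11373:    (0,        "root",     "/etc/init"),
    3866854:  (11373,    "root",     "/usr/sbin/srcmstr"),
    4915264:  (3866854,  "root",     "/usr/sbin/sshd"),
    26083448: (4915264,  "root",     "sshd: testuser [priv]"),
    17957046: (26083448, "testuser", "sshd: testuser@pts/3"),
    11206658: (17957046, "testuser", "-ksh"),
    21758026: (11206658, "dbuser1",  "-ksh"),
    41287830: (21758026, "dbuser1",  "dbname"),
}

# Constructed wtmp: one ssh login followed by its logout 23 minutes later.
# Host and time follow the who -u output quoted above; attaching the record
# to the login shell's pid (11206658) is an assumption of this sample data.
LOGIN_TIME = int(datetime(2014, 1, 15, 11, 18, tzinfo=timezone.utc).timestamp())
WTMP = (make_utmp_record(USER_PROCESS, 11206658, "pts/3", "testuser", "9.125.29.3", LOGIN_TIME)
        + make_utmp_record(DEAD_PROCESS, 11206658, "pts/3", "", "", LOGIN_TIME + 23 * 60))

if __name__ == "__main__":
    text, found = improved_chain(PROCS, parse_wtmp(WTMP), 41287830)
    print(text if found else "no login record found: " + text)
```

`who -u` reads the same utmp records, so the parser and the command give the same PID, host and time. Because the login record persists in wtmp after logout, the logon side of the improved chain can still be recovered for a session that has already ended; the (pid,user,cmd) part must still be collected while the processes exist, so the short-session limitation from the abstract is only partly addressed by this file.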