IBM Informix
Security functional overview

Luxembourg, October 2012

Eric Vercelletto, Begooden-IT Consulting

Agenda
   Informix security: OS perspective         (overview)
   Informix security: database perspective   (overview)
   Roles: configuration and separation       (detail)
   Administration/Roles                      (detail)
   Auditing                                  (detail)
   Performance considerations                (overview)

OS security/1
   Informix can authenticate users through
    ◦ OS authentication: the user must have a login on the system
    ◦ Trusted user: uses the OS trust capability when the database server
      and the application server are different systems
    ◦ PAM (pluggable authentication module): Informix supports the PAM
      framework, which can be used to implement company standards for
      authentication
    ◦ Lightweight Directory Access Protocol (LDAP): Informix also supports
      LDAP as an authentication method, only for Windows clients
   Informix and user permissions
    ◦ Informix uses OS permissions to protect the Informix utilities
    ◦ By default, user informix is the super user, BUT
    ◦ the DBSA, DBSSO, AAO and informix roles can be separated using
      OS built-in capabilities

OS security/2
   Informix uses standard network security capabilities
    ◦ ssh can be used to run Informix utilities in a secure way
    ◦ The Informix database server instance can (and must) be placed
      behind a firewall to protect it from malicious external attacks

SQL security/1
Informix can secure data through SQL commands in two ways
 DAC: discretionary access control
  Use of GRANT and REVOKE statements applied to users and
  roles, taking effect on databases, tables, views, fragments,
  routines, UDTs, etc.
  The permissions granted can be connect, resource, dba,
  create, alter, select, insert, update, delete, usage,
  execute, etc., according to the type of object concerned

SQL security/2
Informix can also secure data through SQL commands using
 LBAC: label-based access control
     ◦ Security can be defined at the row level or at the column level
 Tables are protected by security POLICIES
 Rows and columns are protected by LABELS
 Policies and labels are granted to users by the database
  security administrator
 Label components can be defined like this
     ◦   CREATE SECURITY LABEL COMPONENT classification ARRAY ['Top-Secret', 'Secret', 'Confidential', 'Unclassified'];
     ◦   CREATE SECURITY LABEL COMPONENT org_position ARRAY ['CEO', 'VP', 'Director', 'Manager', 'Staff'];
     ◦   CREATE SECURITY LABEL COMPONENT region TREE ('HeadQuarters' ROOT, 'East' UNDER 'HeadQuarters',
         'West' UNDER 'HeadQuarters', 'North' UNDER 'HeadQuarters', 'South' UNDER 'HeadQuarters',
         'Georgia' UNDER 'East', 'Florida' UNDER 'East', 'Atlanta' UNDER 'Georgia', 'Texas' UNDER 'South',
         'Dallas' UNDER 'Texas', 'Houston' UNDER 'Texas');
     ◦   Custom labels can then be created from these components
   Policies can look like this
     ◦   CREATE SECURITY POLICY sales_plcy COMPONENTS org_position, region;
   Policies and labels are granted to users like this:
     ◦   GRANT SECURITY LABEL sales_plcy.sales_rep TO "usr3" FOR WRITE ACCESS;
     ◦   GRANT SECURITY LABEL sales_plcy.sales_rep_mgr TO "usr3" FOR READ ACCESS;

Roles separation
Informix IDS considers 7 distinct roles

   The DBSA (database system administrator) is in charge of
    configuring, tuning and maintaining the IDS instances. Tasks
    include instance startup and shutdown, disk space management,
    performance tuning, etc.
   The DBSSO (database system security officer) is in charge of
    defining audit masks over a wide range of possible audit targets
   The AAO (audit analysis officer) configures, runs and analyzes
    the audit trail
   The DBA (database administrator) manages databases (not
    necessarily instances)
   The OSA (operating system administrator) handles user accounts
    and groups, sets permissions and manages system resources
   The user runs database applications
   The privileged users « root » and « informix » are the default
    privileged users defined by IDS

Roles separation:
             When and how?
 The company can decide whether to use role separation or not
 If it is not applied, the informix user holds all the roles
 At IDS install time, you must decide whether to use it or not
     ◦ You will be asked to enter the unix group names for the DBSSO, AAO and
       « regular » users.
   To apply separation after installation, you must change the
    group ownership of $INFORMIXDIR/dbssodir and
    $INFORMIXDIR/aaodir
     ◦ You then bounce the IDS instance to enable role separation
     ◦ You can switch back to no role separation by changing the group ownership of
       those directories back to informix, and bouncing again
   Security rules can then be set in a more detailed manner by
    editing the $INFORMIXDIR/dbssodir/seccfg file

IDS Audit

Configure IDS audit
   The general configuration of auditing is done in the
    $INFORMIXDIR/aaodir/adtcfg file

ADTMODE          0                      #   Auditing mode
ADTPATH          /usr/informix/aaodir   #   Directory where audit trails will be written by IDS
ADTSIZE          50000                  #   Maximum size of any single audit trail file
ADTERR           0                      #   Error handling mode

   Possible ADTMODE values are
    ◦   0        audit off
    ◦   1        audit on
    ◦   3        audit dbsso operations
    ◦   5        audit dbsso and dbsa operations
    ◦   7        audit dbsso, dbsa and normal user operations
   Bounce the instance to make the configuration effective, or use the
    onaudit command to set the configuration dynamically

audit events
 After the general configuration is set, the audit policy is configured by
  specifying audit events
 Audit events are instance and database operations identified by
  an audit mnemonic such as CRTB, CRIX, DLRW, RDRW, etc.
 You can request a specific status for each event: 'S' for successful, 'F'
  for failed
 If neither 'S' nor 'F' is specified, all occurrences of the event are audited
  Ex: SCRTB will audit only successful table creations
       FDLRW will audit only failed row deletes
       CRVW will audit all view creations

audit events
ACTB  Access Table
ADCK  Chunk, Add
ADLG  Transaction Log, Add
ALFR  Alter Fragment
ALIX  Index, Alter
ALLC  Security Label Component, Alter
ALME  Access Method, Alter
ALOC  Operator Class, Alter
ALOP  Optical Cluster, Alter
ALSQ  Sequence, Alter
ALTB  Table, Alter
BGTX  Transaction, Begin
CLDB  Database, Close
CMTX  Transaction, Commit
CRAG  Aggregate, Create
CRAM  Audit Mask, Create
CRBS  Storage Space, Create
CRBT  Opaque Type, Create
CRCT  Cast, Create
CRDB  Database, Create
CRDM  Domain, Create
CRDS  Dbspace, Create
CRDT  Distinct Type, Create
CRIX  Index, Create
CRLB  Security Label, Create
CRLC  Security Label Component, Create
CROC  Operator Class, Create
CROP  Optical Cluster, Create
CRPL  Security Policy, Create
CRPT  Encryption/Decryption
CRRL  Create Role
CRRT  Named Row Type, Create
CRSN  Synonym, Create
CRSP  SPL Routine, Create
CRSQ  Sequence, Create
CRTB  Table, Create
CRTR  Trigger, Create
CRVW  View, Create
DLRW  Row, Delete
DNCK  Chunk, Bring Off-line
DNDM  Disk Mirroring, Disable
DRAM  Audit Mask, Delete
DRBS  Storage Space, Drop
DRCK  Chunk, Drop
DRDB  Database, Drop

audit events (continued)
GRTB  Grant Table Access
GRXM  Grant Exemption
INRW  Row, Insert
LGDB  Database Log Mode, Change
LKTB  Table, Lock
LSAM  Audit Masks, List
LSDB  Databases, List
MDLG  Modify Transaction Logging
ONAU  onaudit
ONBR  onbar
ONCH  oncheck
ONIN  oninit
ONLG  onlog
ONLO  onload
ONMN  onmonitor
ONMO  onmode
ONPA  onparams
ONPL  onpload
ONSP  onspaces
RNIX  Rename Index
RNLB  Security Label, Rename
RNLC  Security Label Component, Rename
RNPL  Security Policy, Rename
RNTC  Table/Column, Rename
RSOP  Optical Cluster, Reserve
RVDB  Revoke Database Access
RVDR  Revoke Default Role
RVFR  Revoke Fragment Access
RVLB  Revoke Security Label
RVRL  Revoke Role
RVSA  Revoke DBSECADM
RVSS  Revoke SETSESSIONAUTH
RVTB  Revoke Table Access
RVXM  Revoke Exemption
SCSP  SPL Routine, System Command
STCO  Collation, Set
STCN  Constraint, Set
STDF  Set Debug File
STDP  Set Database Password
STDS  Set Dataskip

audit masks
 The audit masks contain the list of event mnemonics to
  be audited
 Events can easily be added or removed without
  affecting the ongoing configuration
 Events can be included in or excluded from auditing
 There are 5 types of masks
     ◦ Template masks are self explanatory. Their names must begin with
       a '_' character
     ◦ User masks define the event list for a specific user. Their names
       are the audited user ID. They are generally derived from
       template masks.
     ◦ The _default mask contains the default list of events to be audited,
       generally for all users
     ◦ The _require mask contains the list of events that must always be audited.
     ◦ The _exclude mask contains the list of events that must not be audited
     ◦ The order of precedence is: user masks, _default mask, _require mask and
       finally _exclude mask.
   The masks are created using the onaudit command

The onaudit command
   The onaudit command is multipurpose:
    ◦ To set up and configure auditing
      Ex: onaudit -l 3
          onaudit -s 10000000
    ◦ To manipulate/change audit masks
      Ex: onaudit -a -u _user1 -e +CRTB,INRW
          onaudit -a -u _user1 -e -CRTB
          onaudit -f <audit mask file>
 It is used only by the dbsso and the aao if roles are
  separated; otherwise it can also be used by the informix user
 To stop auditing:
  onaudit -l 0
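The S/F status prefix on event mnemonics, the mask precedence (user mask, _default, _require, _exclude) and the "-e +EVT,EVT" / "-e -EVT" edit syntax from the three previous slides, modelled in an added Python example; this is not code from the presentation or from Informix, it assumes that the _default mask only backs users that have no mask of their own, and the mask contents it builds are constructed.

```python
"""Model of Informix audit masks: S/F status prefixes, onaudit-style mask
edits, and the order in which user, _default, _require and _exclude masks
decide whether one event is written to the audit trail.

Added illustration, not Informix code. Assumption: _default is consulted
only for users without a mask of their own; _exclude is applied last and wins."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EventSpec:
    """One mask entry: a 4-letter mnemonic plus an optional status filter."""
    mnemonic: str
    status: Optional[str] = None   # "S" = successful only, "F" = failed only, None = both

    def matches(self, mnemonic: str, succeeded: bool) -> bool:
        if self.mnemonic != mnemonic:
            return False
        return self.status is None or self.status == ("S" if succeeded else "F")


def parse_spec(token: str) -> EventSpec:
    """'CRTB' -> both outcomes, 'SCRTB' -> successful only, 'FDLRW' -> failed only."""
    token = token.strip().upper()
    if len(token) == 5 and token[0] in "SF":
        return EventSpec(token[1:], token[0])
    if len(token) == 4 and token.isalpha():
        return EventSpec(token)
    raise ValueError(f"malformed audit event spec: {token!r}")


def edit_mask(masks: dict[str, set[EventSpec]], name: str, edit: str) -> set[EventSpec]:
    """Apply an onaudit '-e' argument such as '+CRTB,INRW' or '-CRTB' to mask `name`."""
    if not name.strip("_"):
        raise ValueError("mask name must be a '_template' name or a user ID")
    if not edit or edit[0] not in "+-":
        raise ValueError("edit must start with '+' (add events) or '-' (remove events)")
    specs = {parse_spec(t) for t in edit[1:].split(",") if t}
    mask = masks.setdefault(name, set())
    if edit[0] == "+":
        mask |= specs
    else:
        mask -= specs
    return mask


def derive_user_mask(masks: dict[str, set[EventSpec]], template: str, user: str) -> set[EventSpec]:
    """Create a user mask (named after the user ID) as a copy of a template mask."""
    if not template.startswith("_"):
        raise ValueError("template mask names must begin with '_'")
    masks[user] = set(masks[template])
    return masks[user]


def is_audited(masks: dict[str, set[EventSpec]], user: str, mnemonic: str, succeeded: bool) -> bool:
    """Decide whether one event of `user` is written to the audit trail.

    Order: the user's own mask (else _default), plus _require, minus _exclude.
    """
    base = masks.get(user)
    if base is None:                      # assumption: _default only backs users without a mask
        base = masks.get("_default", set())
    wanted = base | masks.get("_require", set())
    if any(s.matches(mnemonic, succeeded) for s in masks.get("_exclude", set())):
        return False                      # _exclude is applied last and wins
    return any(s.matches(mnemonic, succeeded) for s in wanted)


def build_example_masks() -> dict[str, set[EventSpec]]:
    """Constructed configuration mirroring the onaudit calls shown on the slide."""
    masks: dict[str, set[EventSpec]] = {}
    edit_mask(masks, "_default", "+CRTB,DLRW")   # everyone: table creates and row deletes
    edit_mask(masks, "_require", "+FRDRW")       # always: failed row reads
    edit_mask(masks, "_exclude", "+SDLRW")       # never: successful row deletes
    edit_mask(masks, "_user1", "+CRTB,INRW")     # onaudit -a -u _user1 -e +CRTB,INRW
    edit_mask(masks, "_user1", "-CRTB")          # onaudit -a -u _user1 -e -CRTB
    derive_user_mask(masks, "_user1", "usr3")    # usr3 inherits INRW only from the template
    return masks


if __name__ == "__main__":
    example = build_example_masks()
    for who, mn, ok in [("usr3", "INRW", True), ("usr3", "CRTB", True),
                        ("bob", "DLRW", True), ("bob", "DLRW", False)]:
        print(who, mn, "success" if ok else "failure", "->", is_audited(example, who, mn, ok))
```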




The audit log file
   The audit log files are generated in the directory
    specified by the ADTPATH configuration parameter in the
    $INFORMIXDIR/aaodir/adtcfg file
   The log file names are built this way: <value of the
    onconfig DBSERVERNAME parameter>.<sequence number>.
    Ex: bcv_boc9.1
   The log file size is limited by the adtcfg ADTSIZE
    parameter. Once this size is reached, a new file is
    created, with an incremented sequence number.
   The audit trail can grow considerably depending on
    which events are audited. It is recommended to put a
    regular archiving procedure in place.
   Compression can also be applied

The audit log file format
   The audit log file looks like this
The audit log file output
 The first columns are self explanatory
 The event specific column is made of the following fields, separated by ':'
     ◦   Error code
     ◦   Event mnemonic
     ◦   Database name
     ◦   Event specific fields, which can be user name, table name, rowid, etc., i.e. all
         the relevant information used for auditing
 This file is an ASCII delimited file, readable as is by any
  tool that can read this type of file
 Results can also be loaded into a database
 Formatted / structured output is provided by the
  onshowaudit command
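The event specific column described above, parsed and triaged in an added Python example (not code from the presentation or from IBM): it splits the last pipe-separated field into error code, mnemonic, database name and event specific fields, then counts failed operations per user. The layout of the leading columns (record tag, timestamp, host, process id, server name, user) is an assumption, and the sample records are constructed.

```python
"""Parser and quick triage for Informix audit-trail records.

Added illustration, not code from the presentation or from IBM. The
event-specific column (last field) follows the layout given on the slide:
error code, event mnemonic, database name, then event-specific fields,
separated by ':'. The leading '|'-separated columns are assumed here to be
record tag, timestamp, host, process id, server name and user."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AuditRecord:
    timestamp: str
    server: str
    user: str
    error_code: int
    mnemonic: str
    database: str
    details: list[str] = field(default_factory=list)

    @property
    def failed(self) -> bool:
        """A non-zero error code means the audited operation failed."""
        return self.error_code != 0


# Constructed sample trail: one successful table creation, a refused row
# delete, two refused row reads by the same user, and an onmode call.
SAMPLE_TRAIL = """\
ONLN|2012-10-03 09:12:41.000|dbhost1|4711|bcv_boc9|usr3|0:CRTB:stores:customer
ONLN|2012-10-03 09:13:02.000|dbhost1|4711|bcv_boc9|usr3|-274:DLRW:stores:orders:512
ONLN|2012-10-03 09:15:27.000|dbhost1|4720|bcv_boc9|guest|-272:RDRW:stores:customer:7
ONLN|2012-10-03 09:15:31.000|dbhost1|4720|bcv_boc9|guest|-272:RDRW:stores:customer:8
ONLN|2012-10-03 09:20:05.000|dbhost1|4731|bcv_boc9|informix|0:ONMO::-ky
"""


def parse_record(line: str) -> AuditRecord:
    """Split one audit record; raises ValueError on a malformed line."""
    cols = line.rstrip("\n").split("|")
    if len(cols) < 7:
        raise ValueError(f"expected at least 7 '|' columns: {line!r}")
    event = cols[-1].split(":")          # the event-specific column
    if len(event) < 3:
        raise ValueError(f"event column needs errcode:mnemonic:dbname: {cols[-1]!r}")
    errcode, mnemonic, database, *details = event
    if len(mnemonic) != 4 or not mnemonic.isalpha():
        raise ValueError(f"bad audit mnemonic: {mnemonic!r}")
    return AuditRecord(
        timestamp=cols[1], server=cols[4], user=cols[5],
        error_code=int(errcode), mnemonic=mnemonic.upper(),
        database=database, details=details,
    )


def parse_trail(text: str) -> list[AuditRecord]:
    """Parse a whole trail file, skipping blank lines."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def failed_by_user(records: list[AuditRecord]) -> dict[str, Counter]:
    """Count failed events per user and mnemonic: the first thing an AAO looks at."""
    out: dict[str, Counter] = {}
    for rec in records:
        if rec.failed:
            out.setdefault(rec.user, Counter())[rec.mnemonic] += 1
    return out


def repeated_failures(records: list[AuditRecord], threshold: int = 2) -> list[tuple[str, int]]:
    """Users whose failed-event count reaches the threshold, most failures first."""
    totals = Counter(rec.user for rec in records if rec.failed)
    hits = [(user, n) for user, n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    for user, counts in failed_by_user(trail).items():
        print(user, dict(counts))
    print("repeated failures:", repeated_failures(trail))
```

The same functions apply to a real trail read from ADTPATH, since only the last column's ':' layout is taken from the slide.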




The onshowaudit command

 The onshowaudit command reads and formats the
  audit trail files in a structured, readable way; it is read-only
 A number of options allow the aao to filter the records
  by different criteria
 onshowaudit can also be used to generate a file to be
  loaded into a database for further SQL analysis
 Some scripts are provided to do so

Performance considerations

 Activating auditing will never improve Informix
  performance
 It consists of Informix server threads that write to system
  files, not directly to IFMX buffers and tables
 Important questions are:
     ◦   Which events are audited
     ◦   How many events are audited
     ◦   What the Informix performance is before auditing
     ◦   How many transactions are effectively audited
   To be considered:
     ◦ Some events will generate a huge amount of data (row read, etc.)
     ◦ Define an archiving procedure, which may also filter out irrelevant
       data

Appendix
We recommend reading the following documentation
 The IBM Informix Security Guide, chapters
  7, 8, 9, 10, 11, 12 & 13, accessible on the Web:
  http://publib.boulder.ibm.com/infocenter/idshelp/v117/index.jsp?topic=%2Fcom.ibm.sec.doc%2Fids_sec_019.htm
 The "Security and Compliance Solutions for IBM
  Informix Dynamic Server" Redbook:
  http://www.redbooks.ibm.com/abstracts/sg247556.html
More Related Content

What's hot

VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 

What's hot (20)

Spring Security
Spring SecuritySpring Security
Spring Security
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
 
Tutorial: Cross-compiling Linux Kernels on x86_64
Tutorial: Cross-compiling Linux Kernels on x86_64Tutorial: Cross-compiling Linux Kernels on x86_64
Tutorial: Cross-compiling Linux Kernels on x86_64
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OS
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
 
Android Security Internals
Android Security InternalsAndroid Security Internals
Android Security Internals
 
Finding Evil In DNS Traffic
Finding  Evil In DNS TrafficFinding  Evil In DNS Traffic
Finding Evil In DNS Traffic
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System Server
 
Whats New in Integration What's New in IBM Integration Bus and IIB on Cloud
Whats New in Integration What's New in IBM Integration Bus and IIB on Cloud Whats New in Integration What's New in IBM Integration Bus and IIB on Cloud
Whats New in Integration What's New in IBM Integration Bus and IIB on Cloud
 
Mqtt overview (iot)
Mqtt overview (iot)Mqtt overview (iot)
Mqtt overview (iot)
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Kafka as an Event Store - is it Good Enough?
Kafka as an Event Store - is it Good Enough?Kafka as an Event Store - is it Good Enough?
Kafka as an Event Store - is it Good Enough?
 
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
JMS - Java Messaging Service
JMS - Java Messaging ServiceJMS - Java Messaging Service
JMS - Java Messaging Service
 
The Linux Scheduler: a Decade of Wasted Cores
The Linux Scheduler: a Decade of Wasted CoresThe Linux Scheduler: a Decade of Wasted Cores
The Linux Scheduler: a Decade of Wasted Cores
 
IBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep DiveIBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep Dive
 

Similar to Ibm informix security functionality overview

how to protect your sensitive data using oracle database vault
how to protect your sensitive data using oracle database vaulthow to protect your sensitive data using oracle database vault
how to protect your sensitive data using oracle database vault
Anar Godjaev
 
Windows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory ComponentsWindows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory Components
André Braga
 

Similar to Ibm informix security functionality overview (20)

Security best practices for informix
Security best practices for informixSecurity best practices for informix
Security best practices for informix
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous Database
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
2) security
2) security2) security
2) security
 
Windows server Interview question and answers
Windows server Interview question and answersWindows server Interview question and answers
Windows server Interview question and answers
 
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Presentation deploying oracle database 11g securely on oracle solaris
Presentation    deploying oracle database 11g securely on oracle solarisPresentation    deploying oracle database 11g securely on oracle solaris
Presentation deploying oracle database 11g securely on oracle solaris
 
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
 
29041329 interview-questions-for-server-2003
29041329 interview-questions-for-server-200329041329 interview-questions-for-server-2003
29041329 interview-questions-for-server-2003
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectIntroduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS Project
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demo
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
Drupal Security Seminar
Drupal Security SeminarDrupal Security Seminar
Drupal Security Seminar
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Ingres For Oracle Users
Ingres For Oracle UsersIngres For Oracle Users
Ingres For Oracle Users
 
how to protect your sensitive data using oracle database vault
how to protect your sensitive data using oracle database vaulthow to protect your sensitive data using oracle database vault
how to protect your sensitive data using oracle database vault
 
Windows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory ComponentsWindows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory Components
 

More from BeGooden-IT Consulting

More from BeGooden-IT Consulting (8)

Querix lycia presentation v1.2 fr
Querix lycia presentation v1.2 frQuerix lycia presentation v1.2 fr
Querix lycia presentation v1.2 fr
 
Querix 4 gl app analyzer 2016 journey to the center of your 4gl application
Querix 4 gl app analyzer 2016 journey to the center of your 4gl applicationQuerix 4 gl app analyzer 2016 journey to the center of your 4gl application
Querix 4 gl app analyzer 2016 journey to the center of your 4gl application
 
Querix Lycia: 4GL is modern!
Querix Lycia: 4GL is modern!Querix Lycia: 4GL is modern!
Querix Lycia: 4GL is modern!
 
A15 ibm informix on power8 power linux
A15 ibm informix on power8  power linuxA15 ibm informix on power8  power linux
A15 ibm informix on power8 power linux
 
IBM informix: compared performance efficiency between physical server and Vir...
IBM informix: compared performance efficiency between physical server and Vir...IBM informix: compared performance efficiency between physical server and Vir...
IBM informix: compared performance efficiency between physical server and Vir...
 
A12 vercelletto indexing_techniques
A12 vercelletto indexing_techniquesA12 vercelletto indexing_techniques
A12 vercelletto indexing_techniques
 
Informix4gl status
Informix4gl statusInformix4gl status
Informix4gl status
 
F12 vercelletto innovator-c_tpc_benchmark
F12 vercelletto innovator-c_tpc_benchmarkF12 vercelletto innovator-c_tpc_benchmark
F12 vercelletto innovator-c_tpc_benchmark
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Recently uploaded (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts

IBM Informix security functionality overview

  • 1. IBM Informix Security functional overview
     Luxembourg, October 2012
     Eric Vercelletto, Begooden-IT Consulting
  • 2. Agenda
      Informix security: OS perspective (overview)
      Informix security: database perspective (overview)
      Roles: configuration and separation (detail)
      Administration/Roles (detail)
      Auditing (detail)
      Performance considerations (overview)
  • 3. OS security/1
      Informix can authenticate users through
       ◦ OS authentication: the user must have a login on the system
       ◦ Trusted user: use the OS trust capability if the dbserver and the application server are different systems
       ◦ PAM (pluggable authentication module): Informix supports the PAM framework, which can be used to implement company standards for authentication
       ◦ Lightweight Directory Access Protocol (LDAP): Informix also supports LDAP as an authentication method, only on Windows clients
      Informix and user permissions
       ◦ Informix uses OS permissions to protect the Informix utilities
       ◦ By default, user informix is the super user, BUT
       ◦ the DBSA, DBSSO, AAO and informix roles can be separated using OS built-in capabilities
  • 4. OS security/2
      Informix uses standard network security capabilities
       ◦ ssh can be used to run Informix utilities in a secure way
       ◦ The Informix database server instance can (must) be placed behind a firewall to protect it from malicious external attacks
  • 5. SQL security/1
     Informix can secure data through SQL commands in 2 ways
      DAC: discretionary access control
       ◦ Use of GRANT and REVOKE statements applied to users and roles, having effect on databases, tables, views, fragments, routines, UDTs, etc.
       ◦ The permission granted can be connect, resource, dba, create, alter, select, insert, update, delete, usage, execute, etc., according to the type of object impacted
  • 6. SQL security/2
     Informix can also secure data through SQL commands using
      LBAC: label-based access control
       ◦ Security can be defined at the row level or at the column level
      Tables are protected by security POLICIES
      Rows and columns are protected by LABELS
      Policies and labels are granted to users by the database security administrator
      Label components and labels can look like
       ◦ CREATE SECURITY LABEL COMPONENT classification ARRAY ['Top-Secret', 'Secret', 'Confidential', 'Unclassified'];
       ◦ CREATE SECURITY LABEL COMPONENT org_position ARRAY ['CEO', 'VP', 'Director', 'Manager', 'Staff'];
       ◦ CREATE SECURITY LABEL COMPONENT region TREE ('HeadQuarters' ROOT, 'East' UNDER 'HeadQuarters', 'West' UNDER 'HeadQuarters', 'North' UNDER 'HeadQuarters', 'South' UNDER 'HeadQuarters', 'Georgia' UNDER 'East', 'Florida' UNDER 'East', 'Atlanta' UNDER 'Georgia', 'Texas' UNDER 'South', 'Dallas' UNDER 'Texas', 'Houston' UNDER 'Texas');
       ◦ Custom labels can be created
      Policies can look like
       ◦ CREATE SECURITY POLICY sales_plcy COMPONENTS org_position, region;
      Policies and labels are granted to users like this:
       ◦ GRANT SECURITY LABEL sales_plcy.sales_rep TO "usr3" FOR WRITE ACCESS;
       ◦ GRANT SECURITY LABEL sales_plcy.sales_rep_mgr TO "usr3" FOR READ
  • 7. Roles separation
     Informix IDS considers 7 distinct roles
      The DBSA (database system administrator) is in charge of configuring, tuning and maintaining the IDS instances. Tasks include instance startup and shutdown, disk space management, performance tuning, etc.
      The DBSSO (database system security officer) is in charge of defining audit masks over a large possible range of audit targets
      The AAO (audit analysis officer) configures, runs and analyzes the audit trail
      The DBA (database administrator) manages databases (not necessarily instances)
      The OSA (operating system administrator) handles user accounts and groups, sets permissions and handles system resources
      The user runs database applications
      The privileged users « root » and « informix » are the default privileged users defined by IDS
  • 8. Roles separation: when and how?
      The company can decide whether to use role separation or not
      If it is not applied, the informix user has all the roles
      At IDS install time, you must decide whether to use it or not
       ◦ You will be asked to enter the Unix group names of the DBSSO, AAO and « regular » users
      To apply separation after installation, you must change the group ownership of $INFORMIXDIR/dbssodir and $INFORMIXDIR/aaodir
       ◦ You will rebounce the IDS instance to enable role separation
       ◦ You can switch back to no role separation by changing the group ownership of those directories back to informix, and rebouncing again
      Security rules can then be set in a more detailed manner by editing the $INFORMIXDIR/dbssodir/seccfg file
  • 9. IDS Audit
  • 10. Configure IDS audit
      The general configuration of audit is done in the $INFORMIXDIR/aaodir/adtcfg file
        ADTMODE 0                    # Auditing mode
        ADTPATH /usr/informix/aaodir # Directory where audit trails will be written by IDS
        ADTSIZE 50000                # Maximum size of any single audit trail file
        ADTERR 0                     # Error handling mode
      Possible modes are
       ◦ 0 audit off
       ◦ 1 audit on
       ◦ 3 audit dbsso operations
       ◦ 5 audit dbsso and dbsa operations
       ◦ 7 audit dbsso, dbsa operations and normal user operations
      Rebounce the instance to validate the configuration, or use the onaudit command to set the configuration dynamically
  • 11. Audit events
      After the general configuration is set, the audit policy is configured by specifying audit events
      Audit events are instance and database operations identified by an audit mnemonic like CRTB, CRIX, DLRW, RDRW, etc.
      You can request a specific status for each event: ‘S’ for successful, ‘F’ for failed
      If ‘S’ or ‘F’ is not specified, all the events will be audited
     Ex:
        SCRTB will audit only successful table creations
        FDLRW will audit only failed row deletes
        CRVW will audit all the view creations
  • 12. Audit events
        ACTB  Access Table
        ADCK  Chunk, Add
        ADLG  Transaction Log, Add
        ALFR  Alter Fragment
        ALIX  Index, Alter
        ALLC  Security Label Component, Alter
        ALME  Access Method, Alter
        ALOC  Operator Class, Alter
        ALOP  Optical Cluster, Alter
        ALSQ  Sequence, Alter
        ALTB  Table, Alter
        BGTX  Transaction, Begin
        CLDB  Database, Close
        CMTX  Transaction, Commit
        CRAG  Aggregate, Create
        CRAM  Audit Mask, Create
        CRBS  Storage Space, Create
        CRBT  Opaque Type, Create
        CRCT  Cast, Create
        CRDB  Database, Create
        CRDM  Domain, Create
        CRDS  Dbspace, Create
        CRDT  Distinct Type, Create
        CRIX  Index, Create
        CRLB  Security Label, Create
        CRLC  Security Label Component, Create
        CROC  Operator Class, Create
        CROP  Optical Cluster, Create
        CRPL  Security Policy, Create
        CRPT  Encryption/Decryption
        CRRL  Create Role
        CRRT  Named Row Type, Create
        CRSN  Synonym, Create
        CRSP  SPL Routine, Create
        CRSQ  Sequence, Create
        CRTB  Table, Create
        CRTR  Trigger, Create
        CRVW  View, Create
        DLRW  Row, Delete
        DNCK  Chunk, Bring Off-line
        DNDM  Disk Mirroring, Disable
        DRAM  Audit Mask, Delete
        DRBS  Storage Space, Drop
        DRCK  Chunk, Drop
        DRDB  Database, Drop
  • 14. Audit events
        GRTB  Grant Table Access
        GRXM  Grant Exemption
        INRW  Row, Insert
        LGDB  Database Log Mode, Change
        LKTB  Table, Lock
        LSAM  Audit Masks, List
        LSDB  Databases, List
        MDLG  Modify Transaction Logging
        ONAU  onaudit
        ONBR  onbar
        ONCH  oncheck
        ONIN  oninit
        ONLG  onlog
        ONLO  onload
        ONMN  onmonitor
        ONMO  onmode
        ONPA  onparams
        ONPL  onpload
        ONSP  onspaces
        RNIX  Rename Index
        RNLB  Security Label, Rename
        RNLC  Security Label Component, Rename
        RNPL  Security Policy, Rename
        RNTC  Table/Column, Rename
        RSOP  Optical Cluster, Reserve
        RVDB  Revoke Database Access
        RVDR  Revoke Default Role
        RVFR  Revoke Fragment Access
        RVLB  Revoke Security Label
        RVRL  Revoke Role
        RVSA  Revoke DBSECADM
        RVSS  Revoke SETSESSIONAUTH
        RVTB  Revoke Table Access
        RVXM  Revoke Exemption
        SCSP  SPL Routine, System Command
        STCO  Collation, Set
        STCN  Constraint, Set
        STDF  Set Debug File
        STDP  Set Database Password
        STDS  Set Dataskip
  • 15. Audit masks
      The audit masks contain a list of event mnemonics to be audited
      Events can easily be added or removed without affecting the ongoing configuration
      Events can be included in or excluded from auditing
      There are 5 types of masks
       ◦ Template masks are self explanatory. Their names must begin with a ‘_’ character
       ◦ User masks define an event list for a specific user. Their names are made of the audited user ID. They are generally derived from template masks
       ◦ The _default mask contains the default list of events to be audited, generally for all the users
       ◦ The _require mask contains the list of events that must be audited
       ◦ The _exclude mask contains the list of events that must not be audited
       ◦ The order rule is: user masks, _default mask, _require mask and finally _exclude mask
      The masks are created using the onaudit command
  • 16. The onaudit command
      The onaudit command is multipurpose:
       ◦ To set up and configure auditing
         Ex: onaudit -l 3
             onaudit -s 10000000
       ◦ To manipulate/change audit masks
         Ex: onaudit -a -u _user1 -e +CRTB,INRW
             onaudit -a -u _user1 -e -CRTB
             onaudit -f audit_file
      It is used only by the dbsso and the aao if roles are separated; otherwise it can also be used by the informix user
      To stop auditing: onaudit -l 0
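The mask precedence of slide 15, the S/F status prefixes of slide 11 and the +/- event edits that onaudit -e takes on slide 16, modelled in a small Python example added here (not code from the deck or from IBM). The mask contents are constructed, and the combination rule (user mask, else _default; _require added; _exclude removed) is an assumption drawn from the order the slide gives.

```python
"""Model of Informix audit-mask resolution (added example, not IBM code).

Assumed rule, taken from the ordering on slide 15: a user's own mask, or the
_default mask when there is none, plus the _require events, minus the
_exclude events.  Entries may carry the S/F prefix of slide 11.
"""

# Constructed masks: template names start with '_', user masks carry the user ID.
MASKS = {
    "_default": {"CRTB", "DRTB"},
    "_require": {"FDLRW", "GRTB", "RVTB"},   # always audited, whatever the user mask
    "_exclude": {"RDRW"},                    # never audited, even if a user mask lists it
    "usr3": {"SCRTB", "INRW", "RDRW"},       # user mask for usr3
}

def apply_edit(mask, edit):
    """Apply an onaudit-style event edit such as '+CRTB,INRW' or '-CRTB'."""
    sign, names = edit[0], set(edit[1:].split(","))
    if sign == "+":
        return mask | names
    if sign == "-":
        return mask - names
    raise ValueError("edit list must start with + or -: %r" % edit)

def _matches(entry, event, status):
    """'CRTB' matches both outcomes; 'SCRTB' only successes, 'FCRTB' only failures."""
    if entry == event:
        return True
    return len(entry) == len(event) + 1 and entry[0] == status and entry[1:] == event

def is_audited(masks, user, event, status):
    """Decide whether an event with status 'S' (successful) or 'F' (failed)
    performed by `user` is written to the audit trail under these masks."""
    base = masks.get(user) or masks.get("_default", set())
    included = base | masks.get("_require", set())
    excluded = masks.get("_exclude", set())
    hit = lambda mask: any(_matches(e, event, status) for e in mask)
    return hit(included) and not hit(excluded)

if __name__ == "__main__":
    for user, event, status in [("usr3", "CRTB", "S"), ("usr3", "CRTB", "F"),
                                ("usr3", "RDRW", "S"), ("alice", "DLRW", "F")]:
        verdict = "audited" if is_audited(MASKS, user, event, status) else "not audited"
        print(user, event, status, verdict)
```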
  • 17. The audit log file
      The audit log files are generated in the directory specified by the ADTPATH config parameter in the $INFORMIXDIR/aaodir/adtcfg file
      The log file names are built this way: <value of the onconfig DBSERVERNAME parameter>.<sequence number>. Ex: bcv_boc9.1
      The log file size is limited by the adtcfg ADTSIZE parameter. Once this size is reached, a new file is created, with an incremented sequence number
      The audit trail can grow considerably according to which events are audited. It is recommended to put a regular archiving procedure in place
      Compression can also be applied
  • 18. The audit log file format
      The audit log file looks like this
  • 19. The audit log file output
      The first columns are self explanatory
      The event specific column is made of, separated by ‘:’
       ◦ Error code
       ◦ Event mnemonic
       ◦ Database name
       ◦ Event specific fields, which can be user name, table name, rowid, etc., i.e. all the relevant information used for auditing
      This file is an ASCII separated file, readable as is by any tool that can read this type of file
      Results can also be loaded into a database
      Formatted / structured output is provided by the onshowaudit command
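A parser for the event-specific column described on slide 19, as an added Python example (not code from the deck or from IBM, and not a substitute for onshowaudit). Only the ':'-separated structure of the event column comes from the slide; the '|'-separated leading columns, with the user name just before the event column, and the sample records themselves are assumptions constructed for the example.

```python
"""Parse Informix audit trail records (added example, layout partly assumed).

From slide 19: the event column is ':'-separated as error code, event
mnemonic, database name, then event-specific fields.  The leading columns are
assumed to be '|'-separated with the user name right before the event column.
"""
from collections import Counter

# Constructed sample trail (assumed layout: tag|timestamp|host|pid|server|user|event column).
SAMPLE_TRAIL = """\
ONLN|2012-10-08 09:12:01.000|dbhost|4021|bcv_boc9|usr3|0:CRTB:stores_demo:usr3:orders
ONLN|2012-10-08 09:12:05.000|dbhost|4021|bcv_boc9|usr3|-272:DLRW:stores_demo:usr3:customer:1034
ONLN|2012-10-08 09:13:10.000|dbhost|4100|bcv_boc9|alice|0:INRW:stores_demo:alice:orders:2001
ONLN|2012-10-08 09:13:12.000|dbhost|4100|bcv_boc9|alice|-272:DLRW:stores_demo:alice:customer:1035
ONLN|2012-10-08 09:13:15.000|dbhost|4100|bcv_boc9|alice|-272:DLRW:stores_demo:alice:customer:1036
"""

def parse_record(line):
    """Split one audit record into its user and the parts of the event column."""
    cols = line.rstrip("\n").split("|")
    if len(cols) < 2:
        raise ValueError("malformed audit record: %r" % line)
    parts = cols[-1].split(":")
    if len(parts) < 3:
        raise ValueError("event column needs error code, mnemonic and database: %r" % cols[-1])
    return {
        "user": cols[-2],
        "errcode": int(parts[0]),   # 0 = successful event, non-zero = failed event
        "event": parts[1],          # audit mnemonic, e.g. CRTB or DLRW
        "database": parts[2],
        "fields": parts[3:],        # owner, table name, rowid, ... as the event defines
    }

def failed_events_by_user(trail):
    """Count failed events per (user, mnemonic): a first triage an AAO can run
    over the raw trail before loading it into a database for SQL analysis."""
    counts = Counter()
    for line in trail.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["errcode"] != 0:
            counts[(rec["user"], rec["event"])] += 1
    return counts

if __name__ == "__main__":
    for (user, event), n in sorted(failed_events_by_user(SAMPLE_TRAIL).items()):
        print("%-8s %s failed %d time(s)" % (user, event, n))
```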
  • 20. The onshowaudit command
      The onshowaudit command reads and formats the audit trail files in a structured, readable way, read-only
      A number of options allow the aao to filter the records by different criteria
      onshowaudit can also be used to generate a file to be loaded into a database for further SQL analysis
      Some scripts are provided to do so
  • 21. Performance considerations
      Activating the audit will never enhance Informix performance
      It consists of Informix server threads that write system files, not directly IFMX buffers and tables
      Important questions are:
       ◦ What events are audited
       ◦ How many events are audited
       ◦ How is Informix performance before auditing
       ◦ How many transactions are effectively audited
      To be considered:
       ◦ Some events will generate huge amounts of data (row read, etc.)
       ◦ Define an archiving procedure, which may also filter out irrelevant data
  • 22. Appendix
     We recommend reading these documentations
      The IBM Informix Security Guide, chapters 7, 8, 9, 10, 11, 12 & 13, accessible on the Web: http://publib.boulder.ibm.com/infocenter/idshelp/v117/index.jsp?topic=%2Fcom.ibm.sec.doc%2Fids_sec_019.htm
      The Security and Compliance Solutions for IBM Informix Dynamic Server Redbook: http://www.redbooks.ibm.com/abstracts/sg247556.html