Security-relevant events for databases are centrally logged, including:
• access or modification of particularly important content
• addition of new users, especially privileged users
• changes to user roles or privileges
• attempts to elevate user privileges
• queries containing comments
• queries containing multiple embedded queries
• database and query alerts or failures
• database structure changes
• database administrator actions
• use of executable commands
• database logons and logoffs.
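As an added example (not part of the ISM control text or any ASD tooling), the following Python script applies the query-level criteria in the control to a constructed sample of audit records and reports which records should be forwarded to the central log. The `user|database|event|sql` line format, the `ADMIN_USERS` set and the sample records are assumptions made for illustration; a real deployment would first parse the native audit output of the DBMS (for example pgaudit or the MySQL audit plugin) into this shape.

```python
import re

# Constructed sample of a normalised database audit stream, one event per line
# in the hypothetical form  user|database|event|sql  (this is not the native
# format of any DBMS; a pgaudit or MySQL audit log would be parsed into it first).
SAMPLE_LOG = """\
alice|sales|QUERY|SELECT name, email FROM customers WHERE id = 42
bob|sales|QUERY|SELECT * FROM users WHERE name = 'x' OR 1=1 -- ' AND pw = 'y'
bob|sales|QUERY|SELECT 1; DROP TABLE audit_trail;
carol|hr|QUERY|GRANT ALL PRIVILEGES ON hr.* TO 'bob'@'%'
dba|hr|QUERY|CREATE USER 'svc_backup' IDENTIFIED BY 'changeme'
dba|hr|QUERY|ALTER TABLE salaries ADD COLUMN bonus INT
mallory|sales|QUERY|EXEC xp_cmdshell 'whoami'
alice|sales|QUERY|SELECT /* pagination */ id FROM orders LIMIT 10 OFFSET 20
bob|hr|ERROR|permission denied for table salaries
alice|sales|LOGIN|
alice|sales|LOGOFF|
"""

# Assumed set of database administrator accounts; in practice this would come
# from the DBMS role catalogue rather than a hard-coded list.
ADMIN_USERS = {"dba"}

# Patterns for the query-level events the control names. They are deliberately
# broad: the control asks that these events be logged, not blocked, so false
# positives are triaged on the central log rather than filtered out here.
COMMENT_RE = re.compile(r"--|/\*")
NEW_USER_RE = re.compile(r"\bCREATE\s+(USER|ROLE|LOGIN)\b", re.I)
PRIVILEGE_RE = re.compile(r"\b(GRANT|REVOKE)\b|\bALTER\s+(ROLE|USER|LOGIN)\b", re.I)
STRUCTURE_RE = re.compile(
    r"\b(CREATE|ALTER|DROP|TRUNCATE)\s+"
    r"(TABLE|INDEX|VIEW|SCHEMA|DATABASE|TRIGGER|FUNCTION|PROCEDURE)\b", re.I)
EXECUTABLE_RE = re.compile(
    r"\b(xp_cmdshell|sp_oacreate|sp_oamethod)\b"
    r"|\bCOPY\b.*\bPROGRAM\b"
    r"|\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)
# Non-query audit events map directly onto control items.
EVENT_TAGS = {"LOGIN": "logon", "LOGOFF": "logoff", "ERROR": "failure"}


def strip_literals(sql):
    """Blank out single-quoted string literals (with '' escapes) so that a
    ';' or '--' inside a legitimate string is not mistaken for SQL syntax."""
    return re.sub(r"'(?:[^']|'')*'", "''", sql)


def is_stacked(sql):
    """True when more than one statement is present. A single trailing ';'
    does not count, since many clients append one."""
    statements = [s for s in strip_literals(sql).split(";") if s.strip()]
    return len(statements) > 1


def classify(user, event, sql):
    """Return the list of control events a single audit record matches."""
    tags = []
    if event in EVENT_TAGS:
        tags.append(EVENT_TAGS[event])
    body = strip_literals(sql)
    if COMMENT_RE.search(body):
        tags.append("comment")
    if is_stacked(sql):
        tags.append("stacked")
    if NEW_USER_RE.search(body):
        tags.append("new_user")
    if PRIVILEGE_RE.search(body):
        tags.append("privilege_change")
    if STRUCTURE_RE.search(body):
        tags.append("structure_change")
    if EXECUTABLE_RE.search(body):
        tags.append("executable")
    # Every action by an administrator account is reportable, whatever it is.
    if user in ADMIN_USERS:
        tags.append("admin_action")
    return tags


def scan(log_text):
    """Parse the user|database|event|sql stream and return one
    (user, database, tags) tuple per record that should be forwarded
    to the central log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, database, event, sql = line.split("|", 3)
        tags = classify(user, event, sql)
        if tags:
            findings.append((user, database, tags))
    return findings


if __name__ == "__main__":
    for user, database, tags in scan(SAMPLE_LOG):
        print(f"{user}@{database}: {', '.join(tags)}")
```

Note that the comment check flags the legitimate `/* pagination */` query as well as the `-- ` injection payload, and the stacked-query check flags `SELECT 1; DROP TABLE audit_trail;` while ignoring a lone trailing semicolon. That is the intended behaviour under this control: the events are logged centrally and triaged there, not suppressed at the source. String literals are blanked before matching so that a `;` or `--` inside a legitimate value does not generate noise.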
Topic: Database event logging
Applicable to: all
Priority: Should
History:
Sep 2024
Security-relevant events for databases are centrally logged, including:
• access or modification of particularly important content
• addition of new users, especially privileged users
• changes to user roles or privileges
• attempts to elevate user privileges
• queries containing comments
• queries containing multiple embedded queries
• database and query alerts or failures
• database structure changes
• database administrator actions
• use of executable commands
• database logons and logoffs.
The existing control recommending specific events for databases be centrally logged was slightly reworded for consistency with similar controls.
Dec 2023
The following events are centrally logged for databases:
• access or modification of particularly important content
• addition of new users, especially privileged users
• changes to user roles or privileges
• attempts to elevate user privileges
• queries containing comments
• queries containing multiple embedded queries
• database and query alerts or failures
• database structure changes
• database administrator actions
• use of executable commands
• database logons and logoffs.
The existing control relating to the centralised storage of database event logs was merged into the existing control relating to collecting database event logs. [ISM-1537, ISM-1758]
Jun 2022
The following events are logged for databases:
• access or modification of particularly important content
• addition of new users, especially privileged users
• changes to user roles or privileges
• attempts to elevate user privileges
• queries containing comments
• queries containing multiple embedded queries
• database and query alerts or failures
• database structure changes
• database administrator actions
• use of executable commands
• database logons and logoffs.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content. This included the adoption of ‘control’ terminology, in preference to ‘security control’ terminology, to allow for the capture of other types of controls in the future, such as privacy controls, in addition to security controls.
In addition, formatting changes were made to the system security plan annex template and the cloud controls matrix template to increase their alignment, such as the inclusion of an ‘implementation status’ column within the system security plan annex template. Furthermore, a new ‘responsible entity’ column was added to both templates to record the system (in the case of inherited controls) or vendor (in the case of multi-vendor systems) responsible for the implementation of controls. This column can also be used to record the teams or individuals responsible for implementing controls, if desired.
Mar 2022
The following events are logged for databases:
• access or modification of particularly important content
• addition of new users, especially privileged users
• changes to user roles or database permissions
• attempts to elevate privileges
• any query containing comments
• any query containing multiple embedded queries
• any query or database alerts or failures
• changes to the database structure
• database administrator actions
• use of executable commands
• database logons and logoffs.
The approach to the management of event logs has been standardised to align with the Essential Eight Maturity Model. Furthermore, specific events to be logged, such as those related to databases, operating systems and web applications, have been moved to relevant guidelines.
Nov 2018
The following events are logged for databases:
• access to particularly important information
• addition of new users, especially privileged users
• any query containing comments
• any query containing multiple embedded queries
• any query or database alerts or failures
• attempts to elevate privileges
• attempted access that is successful or unsuccessful
• changes to the database structure
• changes to user roles or database permissions
• database administrator actions
• database logons and logoffs
• modifications to data
• use of executable commands.
Added as a result of a split of security control 0987.