Logging SQL using InfoSphere Guardium

IBM® InfoSphere® Guardium® provides a suite of products designed to enhance the security of databases. One component of this product line is the ability to audit and report all database access.

The InfoSphere Guardium application is able to intercept SQL streams before they reach the DBMS and it records them along with the database connection information in its own repository. This connection information includes the following data:

  • The database account that was used to log into the DBMS
  • The IP address of the client machine accessing the DBMS
  • The application that was used to access the DBMS

In addition, the InfoSphere Guardium application records normal audit values such as the timestamp that the SQL statement was received.

By itself, the InfoSphere Guardium application can be installed and can monitor all database traffic on InfoSphere MDM databases without InfoSphere MDM being aware that it is there, recording the traffic. However, InfoSphere Guardium also provides a straightforward API that allows applications to record additional contextual information that can’t be recorded by simply examining the SQL or the database connection properties. In the case of InfoSphere MDM, such contextual information could be any of the following items:

  • The requester ID
  • The transaction name (such as Add Contract, Update Person, and so on)
  • The client system name
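The following is an added example, not code from InfoSphere MDM or Guardium, of how an application can pass that context to the interceptor: the marker syntax (GuardAppEvent:Start / GuardAppEvent:Released) and the convention of wrapping it in a trivial SELECT are assumptions to check against your Guardium release's API documentation, and the sqlite3 database is a constructed stand-in. The point it makes is that context values supplied by callers must be whitelisted, otherwise a crafted requester ID could forge extra fields in the audit record.

```python
import re
import sqlite3

# Assumed Guardium application-event marker syntax (check your release's
# API documentation); the DBMS never interprets it, it only has to cross
# the wire where the Guardium interceptor can read it:
#   GuardAppEvent:Start;GuardAppEventType:<txn>;GuardAppEventUserName:<user>;
#   GuardAppEventStrValue:<text>  ...  GuardAppEvent:Released
RELEASE_MARKER = "GuardAppEvent:Released"
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9 _.@-]{1,64}$")

def is_safe_value(value):
    """Whitelist a context value: no ';', ':' or quotes, so caller-supplied
    data (a requester ID, a client system name) cannot forge extra fields
    such as a different GuardAppEventUserName in the audit trail."""
    return bool(_SAFE_VALUE.match(value))

def build_app_event(transaction, requester_id, client_system):
    """Build the marker carrying the MDM context Guardium cannot infer."""
    fields = {"GuardAppEventType": transaction,
              "GuardAppEventUserName": requester_id,
              "GuardAppEventStrValue": client_system}
    for name, value in fields.items():
        if not is_safe_value(value):
            raise ValueError(f"unsafe audit context for {name}: {value!r}")
    return "GuardAppEvent:Start;" + ";".join(f"{n}:{v}" for n, v in fields.items())

def run_with_context(conn, transaction, requester_id, client_system, sql, params=()):
    """Send the marker, the business SQL and the release marker on the same
    connection; Guardium attaches the context to that session's traffic."""
    marker = build_app_event(transaction, requester_id, client_system)
    cur = conn.cursor()
    # Assumption: a string literal in a trivial SELECT is accepted by any DBMS
    # and appears in the statement text; it is inlined rather than bound
    # because the interceptor parses the SQL text, and the whitelist above
    # is what makes inlining safe.
    cur.execute(f"SELECT '{marker}'")
    try:
        cur.execute(sql, params)
        return cur.fetchall()
    finally:
        cur.execute(f"SELECT '{RELEASE_MARKER}'")

def demo():
    """Constructed in-memory stand-in for an MDM database (sqlite3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO person VALUES (1, 'Ann')")
    return run_with_context(conn, "Update Person", "mdmuser", "CRM",
                            "SELECT name FROM person WHERE id = ?", (1,))
```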

Customers who choose to employ Guardium’s audit and reporting capabilities do so because it gives them the ability to centralize their audit and reporting facilities in a single repository. Instead of using Application X’s audit and reporting capabilities to review database activities in Application X, and Application Y’s audit and reporting capabilities to review database activities in Application Y, customers can examine all database activity in all applications in a single repository.

Furthermore, the InfoSphere Guardium repository is hosted on a hardened Linux kernel, which makes tampering with the audit history far more difficult than tampering with audit logs stored in normal database tables.