department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

[RDS/IAM] DDL and DML against databases by principals shall be auditable, audited, and preserved #34617

Open rbeckwith-oddball opened 2 years ago

rbeckwith-oddball commented 2 years ago

As a security engineer, I need to have the ability to audit any and all queries performed against any database by a principal that's been granted temporary read-access.

Scenario

1. Developer DEV does not have access to talk to the database DB directly.
2. DEV requests access to DB in environment E and sufficiently justifies the access request.
3. Access is discussed and the Security Team is looped in to evaluate.
4. DEV is given an equivalent to the 'sudo lecture' (*) and explicitly confirms understanding of and adherence to the lecture's intent and spirit.
5. Minimally sufficient access is granted.
6. DEV performs commands against the DB and completes their tasks.
7. DEV signals the end of their need for elevated privileges.
8. Access is revoked; DEV is back in the initial state.
9. The full listing of executed commands is timestamped and preserved in a secure location for at least 90 days; the listing is spot-checked for any outlier commands.

Requirements

As a security engineer, I need a full and complete listing of any and every command issued by DEV against any database they connected to; this is (among other things) for non-repudiation reasons. I need to know any and every DML or DDL statement executed by this principal during their session(s), including any attempts at running a pg_dump or equivalent. I want to be able to replay the entire session of principal DEV, ideally including the output. This will enhance our non-repudiation abilities when it comes to DB access as well as help with individuals trying to lift data from a database onto an unauthorized system.

Sudo lecture

(*) The default sudo lecture is:

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
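As an added example (not code from this issue or the va.gov-team repository), the following turns pgaudit-style session log lines into the per-principal, timestamped listing the requirements above describe and spot-checks it for the two outliers the issue names: DDL under a read-only grant and bulk exports of the kind pg_dump produces. The pgaudit SESSION format, the `log_line_prefix` layout, and the sample log lines are all assumptions constructed for the example.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample lines in pgaudit's SESSION format; the prefix assumes
# log_line_prefix = '%m [%p] %u@%d ' (an assumption, not taken from the issue).
SAMPLE_LOG = """\
2024-03-01 14:02:11.120 UTC [4101] dev_tmp@vets_api LOG:  AUDIT: SESSION,1,1,READ,SELECT,,,"SELECT id, status FROM claims WHERE id = 42",<not logged>
2024-03-01 14:03:40.551 UTC [4101] dev_tmp@vets_api LOG:  AUDIT: SESSION,2,1,DDL,ALTER TABLE,TABLE,public.claims,"ALTER TABLE claims ADD COLUMN note text",<not logged>
2024-03-01 14:05:02.009 UTC [4101] dev_tmp@vets_api LOG:  AUDIT: SESSION,3,1,READ,COPY,,,"COPY public.claims TO STDOUT",<not logged>
2024-03-01 14:05:30.777 UTC [4188] app_svc@vets_api LOG:  AUDIT: SESSION,1,1,WRITE,UPDATE,,,"UPDATE claims SET status = 'closed' WHERE id = 42",<not logged>
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@\S+ "
                     r"LOG:\s+AUDIT: (?P<payload>.+)$")
# pg_dump and ad-hoc table exports both surface as COPY <relation|query> TO ...
BULK_EXPORT_RE = re.compile(r"^\s*COPY\b.*\bTO\b", re.IGNORECASE | re.DOTALL)

@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    pid: str        # backend pid, used here as the session identifier
    principal: str
    statement_class: str  # pgaudit class: READ, WRITE, DDL, ROLE, ...
    command: str
    statement: str

def parse_audit_log(text: str) -> list[AuditRecord]:
    """Turn pgaudit SESSION lines into timestamped, principal-attributed records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an audit line (or another prefix): skip rather than guess
        # CSV payload: AUDIT_TYPE,STMT_ID,SUBSTMT_ID,CLASS,COMMAND,OBJ_TYPE,OBJ_NAME,STATEMENT,PARAM
        f = next(csv.reader(io.StringIO(m["payload"])))
        records.append(AuditRecord(m["ts"], m["pid"], m["user"], f[3], f[4], f[7]))
    return records
def session_listing(records: list[AuditRecord], principal: str) -> list[AuditRecord]:
    """The ordered, complete listing of one principal's statements (the non-repudiation record)."""
    return [r for r in records if r.principal == principal]
def flag_outliers(records: list[AuditRecord]) -> list[tuple[AuditRecord, str]]:
    """Spot-check a listing: DDL under a read-only grant, or a bulk export, gets a second look."""
    flagged = []
    for r in records:
        if r.statement_class == "DDL":
            flagged.append((r, "DDL issued under a temporary read-only grant"))
        elif BULK_EXPORT_RE.match(r.statement):
            flagged.append((r, "bulk export (COPY ... TO, what pg_dump emits)"))
    return flagged
```

The listing itself is the record to preserve; `flag_outliers` only selects what a reviewer should look at first, so a clean result does not mean the session needs no review.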

jhouse-solvd commented 2 years ago

@td-usds or @troymosher

Wondering if either of you has any background on the origin of this request?

It would be good to know if there are any external requirements or dependencies. If there are epics or initiatives that this work relates to, that would also be very helpful.

Thank you!

cc: @mchelen-gov @ph-One