Improving Audit and Accountability in Firebird [CORE5786]

[firebird-automations]

Submitted by: Tony Whyman (twhyman)

Votes: 1

Audit and Accountability are important for some users where there is a need to monitor access and/or modification of data. It is understood that the current Firebird implementation does allow the creation of triggers that can monitor and record various events in a user database or even a security database. However, there are many security related events that cannot be logged using triggers and which may, nevertheless, be important to some users.

These events include:

Failed Login attempts
Database Creation and Deletion
Database Encryption/Decryption
Operations performed through the Services API.
Creation/Deletion of metadata objects
Activation/Deactivation of metadata objects where applicable.

It is proposed that Firebird should be enhanced such that a logging mechanism is provided to permit such events to be logged and that the use of such a logging mechanism should be configurable on a global or per database basis.

[firebird-automations]

Commented by: @hvlad

Audit and Trace services allows to log every item at the list above.
And Audit feature is specially designed for such needs.
There is some issues with logging of failed login attempts (due to changes in authentication in fb3), though.

DDL triggers allows to log most list items, i believe, namely:
- Database Encryption/Decryption
- Creation/Deletion of metadata objects
- Activation/Deactivation of metadata objects where applicable.

[firebird-automations]

Commented by: Sean Leyne (seanleyne)

Vlad,

How can triggers on metadata be created? User triggers on system tables (where the metadata is stored) are not allowed.

[firebird-automations]

Commented by: @hvlad

Sean,

i speak about DDL triggers, already implemented in Firebird 3

https://www.firebirdsql.org/file/documentation/release_notes/html/en/3_0/rnfb30-psql-ddltriggers.html