Network Encryption Auditing | Teradata Vantage - 17.10 - Using Network Encryption Auditing - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

Network encryption auditing logs the security level that client interfaces use on the network when sending messages to the database. The messages are logged to the gateway log.

Network encryption auditing allows internal and external security auditors to know which security levels are being used on all connections and when. It allows security administrators to identify IP addresses and users not in compliance with security policy. It reports the following encryption security levels:
  • Plaintext
  • Integrity, Default
  • Integrity, Low
  • Integrity, Medium
  • Integrity, High
  • Confidentiality, Default
  • Confidentiality, Low
  • Confidentiality, Medium
  • Confidentiality, High

There are three auditing options:

  • No auditing: The feature is disabled, so nothing is logged.
  • Audit everything: Any change in the security level used by a client interface for a session is logged in the current gateway log file.
  • Audit cleartext: Logs only security level changes that result in a level that does not guarantee confidentiality, that is, Plaintext or any of the Integrity levels.

This feature is enabled from gtwcontrol; it is disabled by default. For more information about gtwcontrol, see Teradata Vantage™ - Database Utilities.

About the Gateway Log

Network encryption auditing is logged to the gateway log. Each session's gateway writes the audit entries to its current log file on its own node, interleaved with the gateway's other log entries, so the auditing information is scattered through the log file of each node rather than collected in one place.

A new log is opened when the gateway restarts or when the current log reaches a certain size. Logs older than seven days are deleted when a gateway opens a new log.

The auditing information is not entered into database tables, so it must be extracted from the logs and imported to the database to allow sophisticated analysis.

Example: Enabling Network Encryption Auditing to Log Every Change in Security

The example shows the command to enable network encryption auditing to log every change in the security level of incoming messages. Once enabled, the gateway logs the security level of the first message after each session logs on and then logs each subsequent change in that session's security level. Run:

gtwcontrol --auditnetsecurity=yes

Only sessions that log on after the flag is set will have their security level logged.

Example: Enabling Network Encryption Auditing to Log Every Cleartext Change in Security Level

The example shows how to determine which client software is not using encryption. The following command enables network encryption auditing to log all cleartext security levels, that is, any level that is not explicitly a Confidentiality level. Run:

gtwcontrol --auditnetsecurity=ct

If any sessions are not using encryption, a message similar to the following will be logged:

gtwnetio.cpp @1816 (117455456): Thu Jan  5 20:10:30 2017
        Client Security Level: Plaintext for Request 2 from HG 1, Session 1115, IPAddr 192.0.2.2, Port 50117, User "TESTUSER"
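Because the audit entries are interleaved with other gateway messages and never land in a database table, the first step of any analysis is pulling them out of the raw log. The following is an added example, not Teradata code: it parses the two-line entry format shown above (a "file @line (id): timestamp" header followed by the indented "Client Security Level" line), classifies each entry by whether its level guarantees confidentiality, and reports the sessions whose most recent logged level does not. The sample log text is constructed for the example and represents "audit everything" mode, so it also contains a Confidentiality entry; in "audit cleartext" mode only the non-confidential entries would appear. The record layout and the flat rows returned for loading are this example's own choice, not a Teradata format.

```python
"""Extract network encryption audit entries from a Teradata gateway log.

Added example, not Teradata code.  It assumes only the two-line entry
format shown on this page; every other gateway log line is skipped.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Header line: "<source file> @<line> (<id>): <ctime-style timestamp>"
HEADER_RE = re.compile(r"^(?P<src>\S+) @(?P<line>\d+) \((?P<id>\d+)\): (?P<ts>.+)$")
# Audit line that follows the header; the level is one of the nine on this page.
AUDIT_RE = re.compile(
    r'^\s*Client Security Level: (?P<level>Plaintext|Integrity, \w+|Confidentiality, \w+)'
    r' for Request (?P<request>\d+) from HG (?P<hg>\d+), Session (?P<session>\d+),'
    r' IPAddr (?P<ip>\S+), Port (?P<port>\d+), User "(?P<user>[^"]*)"$'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Jan  5 20:10:30 2017"


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    session: int
    hg: int
    request: int
    ip: str
    port: int
    user: str
    level: str

    @property
    def confidential(self) -> bool:
        # Only the Confidentiality levels encrypt the message body; Plaintext
        # and every Integrity level leave it readable on the wire.
        return self.level.startswith("Confidentiality")


def parse_gateway_log(text: str) -> list[AuditRecord]:
    """Pair each header line with the audit line directly after it."""
    records = []
    pending_ts = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending_ts = datetime.strptime(header["ts"].strip(), TS_FORMAT)
            continue
        audit = AUDIT_RE.match(line)
        if audit and pending_ts is not None:
            records.append(AuditRecord(
                ts=pending_ts, session=int(audit["session"]), hg=int(audit["hg"]),
                request=int(audit["request"]), ip=audit["ip"], port=int(audit["port"]),
                user=audit["user"], level=audit["level"]))
        pending_ts = None  # a header applies only to the line right after it
    return records


def noncompliant_sessions(records: list[AuditRecord]) -> dict[int, AuditRecord]:
    """Sessions whose latest logged level does not guarantee confidentiality."""
    latest: dict[int, AuditRecord] = {}
    for rec in sorted(records, key=lambda r: (r.ts, r.request)):
        latest[rec.session] = rec
    return {s: r for s, r in latest.items() if not r.confidential}


def as_rows(records: list[AuditRecord]) -> list[tuple]:
    """Flat rows, one per entry, ready for a bulk load into an audit table."""
    return [(r.ts.isoformat(sep=" "), r.session, r.hg, r.request, r.ip, r.port,
             r.user, r.level, int(r.confidential)) for r in records]


# Constructed sample log: one session that starts in Plaintext and switches to
# Confidentiality, High; one session that stays at Integrity, Default; and a
# constructed unrelated gateway message that must be ignored.
SAMPLE_LOG = """\
gtwnetio.cpp @1816 (117455456): Thu Jan  5 20:10:30 2017
        Client Security Level: Plaintext for Request 2 from HG 1, Session 1115, IPAddr 192.0.2.2, Port 50117, User "TESTUSER"
gtwnetio.cpp @2042 (117455456): Thu Jan  5 20:10:31 2017
        constructed unrelated gateway message for Session 1115
gtwnetio.cpp @1816 (117455456): Thu Jan  5 20:10:45 2017
        Client Security Level: Confidentiality, High for Request 7 from HG 1, Session 1115, IPAddr 192.0.2.2, Port 50117, User "TESTUSER"
gtwnetio.cpp @1816 (117455472): Thu Jan  5 20:11:02 2017
        Client Security Level: Integrity, Default for Request 1 from HG 1, Session 1116, IPAddr 192.0.2.7, Port 50120, User "ETLUSER"
"""

if __name__ == "__main__":
    recs = parse_gateway_log(SAMPLE_LOG)
    for sess, rec in noncompliant_sessions(recs).items():
        print(f"session {sess}: {rec.user} from {rec.ip} at level '{rec.level}'")
```

Run the extraction against the log of every node, not just the one you logged on through, since each gateway writes only its own sessions; and run it before the seven-day rotation removes the file.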

Example: Disable Network Encryption Auditing

The example shows the command to disable network encryption auditing. Run:

gtwcontrol --auditnetsecurity=no