I have read that Microsoft SQL Server doesn't log queries which include sp_password for security reasons. Does SQL Anywhere have a similar restriction? Do any keywords exist which prevent an SQL command from appearing in the logs?
Request level logging logs all queries and SQL statements. It does not make any attempt to determine which queries or SQL statements may contain passwords or other sensitive information.
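Because request level logging records statements as they are, password-bearing statements need masking before a log is shared. The following is an added example, not part of the original thread: a post-processing filter that masks the value of any `IDENTIFIED BY` clause (as used by GRANT CONNECT, CREATE USER and ALTER USER). The function names and the sample log prefix are assumptions made for illustration, not the real request-log layout.

```python
import re

# Match "IDENTIFIED BY <value>" and capture only the keyword part, so the
# value can be swapped for a mask. Alternatives are tried in order.
_SECRET = re.compile(
    r"""(\bIDENTIFIED\s+BY\s+)        # keyword, kept as written
        (?: '(?:[^']|'')*'(?!')       # quoted string, '' is an escaped quote
          | "(?:[^"]|"")*"(?!")       # double-quoted value
          | ['"].*                    # unterminated quote: mask to end of line
          | [^\s;,)]+ )               # bare token such as: sql
    """,
    re.IGNORECASE | re.VERBOSE,
)
MASK = "'***'"


def redact(line: str) -> str:
    """Return the line with every IDENTIFIED BY value replaced by MASK."""
    return _SECRET.sub(lambda m: m.group(1) + MASK, line)


def redact_log(lines):
    """Return a list of (redacted_line, changed) pairs, one per input line."""
    result = []
    for line in lines:
        out = redact(line)
        result.append((out, out != line))
    return result


# Constructed sample lines; the prefix layout is illustrative only.
SAMPLE = [
    "0408 065201 conn=12 STMT GRANT CONNECT TO dba IDENTIFIED BY sql",
    "0408 065202 conn=12 STMT alter user martin identified by 'it''s secret'; commit",
    "0408 065203 conn=12 STMT SELECT * FROM SYSUSER",
    "0408 065204 conn=13 STMT CREATE USER x IDENTIFIED BY 'abc def",
]

if __name__ == "__main__":
    for text, changed in redact_log(SAMPLE):
        print(("REDACTED " if changed else "         ") + text)
```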
You are referring to the transaction log? AFAIK, password-relevant commands are logged in encrypted/obfuscated form. E.g. I just changed the dba PWD in the v12 demo db back to "sql" by using GRANT CONNECT, and the log contains this:
Personally, I don't think the statement on MS SQL's behaviour is correct, as the non-logging would mean that this change would not be recoverable, and that should be a no-go. Therefore I guess any RDBMS must log these commands but should encrypt/hide them somehow. That's what SQL Anywhere seems to do, too. The same reason would make a keyword that prevents the logging of statements very risky.
I meant more the request level logging. I read that using sp_password is part of intrusion techniques for MS SQL because it hides the attempts to break into the system from any request logging. This might be outdated information; anyway, it led me to the question of whether anything similar exists for SQL Anywhere.
(08 Apr '11, 06:52)
Martin
Well, I can't tell what the request level logging does with these commands, but it should not be too hard to inspect that for yourself :) Furthermore, I really can't tell on the MS SQL side - AFAIK MS SQL has no built-in tool to translate the transaction log (like SA's DBTRAN), and I don't think the SQL Profiler will show such commands in plain text.
(08 Apr '11, 07:28)
Volker Barth