Carl Dudley – University of Wolverhampton

Auditing Techniques for Oracle Database 11g

Carl Dudley
University of Wolverhampton, UK
UKOUG Committee
Oracle ACE Director
[email protected]

Auditing Techniques for Oracle Database 11g

Working with Oracle since 1986

Oracle DBA - OCP Oracle7, 8, 9, 10

Oracle DBA of the Year – 2002

Oracle ACE Director

Regular Presenter at Oracle Conferences

Consultant and Trainer

Technical Editor for a number of Oracle texts

UK Oracle User Group Director

Member of IOUC

Day job – University of Wolverhampton, UK


Auditing Overview

Application Auditing

Trigger-based Auditing

Auditing the sys User

Standard Auditing

Fine-Grained Auditing

Managing the Audit Trail

Auditing Recommendations

Security – Main facets

Authentication / Identification
— Who are you

Authorisation
— What you can do/see

Auditing
— What you did
• The what, when, who, where and how

Security should be database-centric, not application-centric

There is now a focus on the database

A well known adage about software development

“You can have it done right, you can have it done fast, you can have it done cheap

Pick any two”

A possible adage about database security

“You can have high performance, high security, high usability

Pick any one”

Auditing Overview

What to audit

How to audit

How to use audit records

Handling performance issues

Auditing can also show work patterns, frequency of use etc.

Auditing allows you to know when you have been robbed and by whom
— Data can be 'stolen' without anyone knowing

Perform selective auditing
— Blanket auditing can have a negative performance effect
— Also produces massive, difficult to handle, audit trails

Last phase in security cycle – never dispense with it


Application Auditing

Programmed into an application
— Often implemented in third party applications

Often done for portability across DBMSs, or when database auditing is not well understood

All aspects can be audited
— Extremely flexible and extensible

Maintenance of the code can be onerous

Big applications are often targets for hackers

Application can be bypassed, rendering auditing useless
— It’s application centric

Application Auditing Example

Create a table (aud_emp) designed to capture audit information for the emp_under_audit table

CREATE TABLE aud_emp
  (username    VARCHAR2(30)
  ,action      VARCHAR2(12)
  ,empno       NUMBER(4)
  ,column_name VARCHAR2(255)
  ,call_stack  VARCHAR2(4000)
  ,client_id   VARCHAR2(255)
  ,old_value   VARCHAR2(25)
  ,new_value   VARCHAR2(25)
  ,action_date DATE);

CREATE TABLE emp_under_audit AS SELECT * FROM empcopy;

Application Auditing Example (continued)

Create a procedure to generate auditing information

CREATE OR REPLACE PROCEDURE proc_audit_emp
  (pi_username    IN VARCHAR2
  ,pi_action      IN VARCHAR2
  ,pi_empno       IN NUMBER
  ,pi_column_name IN VARCHAR2
  ,pi_old_value   IN VARCHAR2
  ,pi_new_value   IN VARCHAR2)
AS
BEGIN
  INSERT INTO aud_emp
    (username, action, empno, column_name, call_stack,
     client_id, old_value, new_value, action_date)
  VALUES
    (pi_username
    ,pi_action
    ,pi_empno
    ,pi_column_name
    ,dbms_utility.format_call_stack                 -- who called us, and from where
    ,sys_context('userenv','client_identifier')     -- set by the logon trigger, if any
    ,pi_old_value
    ,pi_new_value
    ,sysdate);
END;
/

Application Auditing Example (continued)

Create a procedure to show and format the auditing information

CREATE OR REPLACE PROCEDURE proc_format_aud_emp
AS
BEGIN
  FOR r IN (SELECT * FROM aud_emp ORDER BY action_date DESC) LOOP
    dbms_output.put_line('User: '||r.username);
    dbms_output.put_line('Client ID: '||r.client_id);
    dbms_output.put_line('Action: '||r.action);
    dbms_output.put_line('Empno: '||r.empno);
    dbms_output.put_line('Column: '||r.column_name);
    dbms_output.put_line('Old Value: '||r.old_value);
    dbms_output.put_line('New Value: '||r.new_value);
    dbms_output.put_line('Date: '||TO_CHAR(r.action_date,'MON-DD-YYYY HH24:MI'));
  END LOOP;
END;
/

Application Auditing Example (continued)

Create an application procedure that is audited

CREATE OR REPLACE PROCEDURE proc_update_sal
  (pi_empno  IN NUMBER
  ,pi_salary IN NUMBER)
AS
  v_old_sal VARCHAR2(25);
BEGIN
  -- lock the row and remember the old value before changing it
  SELECT sal INTO v_old_sal
  FROM   emp_under_audit
  WHERE  empno = pi_empno
  FOR UPDATE;
  UPDATE emp_under_audit
  SET    sal = pi_salary
  WHERE  empno = pi_empno;
  proc_audit_emp (pi_username    => user
                 ,pi_action      => 'UPDATE'
                 ,pi_empno       => pi_empno
                 ,pi_column_name => 'SAL'
                 ,pi_old_value   => v_old_sal
                 ,pi_new_value   => TO_CHAR(pi_salary));
END;
/

Application Auditing Example (continued)

Run the application, executing the update procedure and auditing the changes

BEGIN
  proc_update_sal(pi_empno => 7369, pi_salary => 950);
  proc_format_aud_emp;
END;
/

Show the resultant call stack

SELECT username, call_stack FROM aud_emp;

USERNAME  CALL_STACK
--------  -------------------------------------
SCOTT     ----- PL/SQL Call Stack -----
            object      line  object
            handle    number  name
          664B1434         1  anonymous block
          6A1DFC34        10  procedure SCOTT.PROC_AUDIT_EMP
          66614FA0        11  procedure SCOTT.PROC_UPDATE_SAL
          6651D620         2  anonymous block

Application Auditing Example (continued)

Show the captured audit information
— The Client ID returns the IP address if the user was remote
— Could capture much more about the user context

BEGIN
  proc_format_aud_emp;
END;
/

User: SMITH
Client ID: 127.0.0.1
Action: UPDATE
Empno: 7369
Column: SAL
Old Value: 800
New Value: 950
Date: SEP-07-2012 18:37


Trigger-based Auditing

Database centric – very popular
— Sometimes called value-based auditing

Can be used on INSERT, UPDATE, DELETE events (but not SELECTs)

Transparent to all applications

Flexible and extensible

Do not always fire
— Do not fire on TRUNCATE

Cannot receive parameters – restricted to column values

Need to be created for each and every object
— Could call common procedures

Trigger-based Auditing – Simple Example

Capture salary changes, who made the change and when, using a simple trigger

CREATE TRIGGER trg_a_idu_r_emp_sal
AFTER INSERT OR DELETE OR UPDATE OF sal ON emp
FOR EACH ROW
BEGIN
  -- only rises of more than 10% are recorded
  IF (:NEW.sal > :OLD.sal * 1.10) THEN
    INSERT INTO emp_sal_audit
    VALUES (:OLD.empno, :OLD.sal, :NEW.sal, user, sysdate);
  END IF;
END;
/

— Triggers cannot capture the triggering statement

— Cannot be used to define alert actions

— Fine-Grained auditing may be a better option

Trigger to Populate Audit Table

Trigger fires on updates of sal
— Executes proc_audit_emp to populate the pre-constructed audit table (aud_emp)

CREATE OR REPLACE TRIGGER trg_b_u_r_emp_copy_sal
BEFORE UPDATE OF sal ON emp_copy
FOR EACH ROW
BEGIN
  proc_audit_emp (pi_username    => user
                 ,pi_action      => 'UPDATE'
                 ,pi_empno       => :OLD.empno
                 ,pi_column_name => 'SAL'
                 ,pi_old_value   => TO_CHAR(:OLD.sal)
                 ,pi_new_value   => TO_CHAR(:NEW.sal));
END;
/

Firing the Audit Trigger

Smith performs an update which fires the trigger

SMITH> UPDATE scott.emp_copy
  2    SET sal = sal*1.1
  3    WHERE job = 'ANALYST';

The call stack shows the trigger firing

SCOTT> SELECT DISTINCT call_stack FROM aud_emp;

CALL_STACK
-------------------------------------------------
----- PL/SQL Call Stack -----
  object      line  object
  handle    number  name
665C3F84         1  anonymous block
6675288C        10  procedure SCOTT.PROC_AUDIT_EMP
6A297C30         3  SCOTT.TRG_B_U_R_EMP_COPY_SAL

The Triggered Audit Records

The auditing information shows two records suffering update

SCOTT> BEGIN
  2    proc_format_aud_emp;
  3  END;
  4  /

User: SMITH
Client ID:
Action: UPDATE
Empno: 7902
Column: SAL
Old Value: 3000
New Value: 3300
Date: SEP-07-2012 19:37

User: SMITH
Client ID:
Action: UPDATE
Empno: 7788
Column: SAL
Old Value: 3000
New Value: 3300
Date: SEP-07-2012 19:37

Handling Rollback – Autonomous Transactions

Scenario
— User makes an update, inspects values and then rolls back the transaction
— Records in the auditing table will also be rolled back
• Loss of auditing information

Cannot place COMMIT in the trigger
— But can use Autonomous Transactions

• Allows actions of triggers to commit independently of the triggering statement

• Preserves the auditing information on rollback

Handling Rollback – Autonomous Transactions (continued)

All updates will be audited, even if the triggering transaction is rolled back

CREATE OR REPLACE PROCEDURE proc_audit_emp
  (pi_username    IN VARCHAR2
  ,pi_action      IN VARCHAR2
  ,pi_empno       IN NUMBER
  ,pi_column_name IN VARCHAR2
  ,pi_old_value   IN VARCHAR2
  ,pi_new_value   IN VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;   -- runs in its own transaction
BEGIN
  INSERT INTO aud_emp
    (username, action, empno, column_name, call_stack,
     client_id, old_value, new_value, action_date)
  VALUES
    (pi_username
    ,pi_action
    ,pi_empno
    ,pi_column_name
    ,dbms_utility.format_call_stack
    ,sys_context('userenv','client_identifier')
    ,pi_old_value
    ,pi_new_value
    ,sysdate);
  COMMIT;   -- commits the audit row independently of the caller's transaction
END;
/


Mandatory Database Auditing

Mandatory Auditing always records
— Startup
— Shutdown
— User logins and logoffs with SYSDBA and SYSOPER privileges
• Shows if an administrator has disabled auditing (AUDIT_TRAIL = FALSE or NONE)

Records must be stored in the operating system because the database is not available on starting or stopping
— On Windows in the Event Logs
— On Linux and Unix in $ORACLE_HOME/rdbms/audit

Auditing the SYS User with AUDIT_SYS_OPERATIONS

Actions by users having SYSDBA or SYSOPER are written to OS files (XML as appropriate), not the database
— All successful sys top-level SQL actions are audited
• Can be seen in the Windows Event Viewer (not in aud$)
— These database users should not have access to the audit records

The parameter is deliberately not dynamic
— Database must be 'bounced' to change its value
— Stops the DBA from simply turning off auditing, performing a malicious action and then turning auditing back on
• Having to bounce the database captures the disabling of the auditing

ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE = SPFILE;

Example sys Audit

The following statements are issued by sys:

CONNECT / AS SYSDBA
ALTER SYSTEM FLUSH SHARED_POOL;
UPDATE scott.emp SET sal=1000 WHERE ename='SCOTT';

When sys auditing is enabled, both the ALTER SYSTEM and UPDATE statements are displayed in the OS audit file or event log:

Audit trail: LENGTH: '177' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[10] 'UNV\in8308' CLIENT TERMINAL:[14] 'WXPLT-ITR12680' STATUS:[1] '0' DBID:[10] '1318485259' .

Audit trail: LENGTH: '201' ACTION :[30] 'ALTER SYSTEM FLUSH SHARED_POOL' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[10] 'UNV\in8308' CLIENT TERMINAL:[14] 'WXPLT-ITR12680' STATUS:[1] '0' DBID:[10] '1318485259' .

Audit trail: LENGTH: '220' ACTION :[49] 'UPDATE scott.emp SET sal=1000 WHERE ename='SCOTT'' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[10] 'UNV\in8308' CLIENT TERMINAL:[14] 'WXPLT-ITR12680' STATUS:[1] '0' DBID:[10] '1318485259' .
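Each field in these records is a quoted value preceded by its length in brackets, and the UPDATE action contains quotes of its own, so a reader that scans for a closing quote mis-parses it. The Python below is an added example, not code from the slides: it parses the records by their length prefixes and picks out DML run under SYSDBA or SYSOPER for review. The three sample records are reconstructed from this slide, and the DML review rule is an assumption of the example.

```python
import re
from typing import Dict, List

# Constructed sample input: the three records shown on this slide.
SAMPLE_AUDIT_FILE = r"""
Audit trail: LENGTH: '177' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[10] 'UNV\in8308' CLIENT TERMINAL:[14] 'WXPLT-ITR12680' STATUS:[1] '0' DBID:[10] '1318485259' .
Audit trail: LENGTH: '201' ACTION :[30] 'ALTER SYSTEM FLUSH SHARED_POOL' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[10] 'UNV\in8308' CLIENT TERMINAL:[14] 'WXPLT-ITR12680' STATUS:[1] '0' DBID:[10] '1318485259' .
Audit trail: LENGTH: '220' ACTION :[49] 'UPDATE scott.emp SET sal=1000 WHERE ename='SCOTT'' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[10] 'UNV\in8308' CLIENT TERMINAL:[14] 'WXPLT-ITR12680' STATUS:[1] '0' DBID:[10] '1318485259' .
"""

RECORD_PREFIX = "Audit trail: LENGTH: '"
# A field header looks like  ACTION :[7] '  or  DATABASE USER:[1] '
FIELD_HEADER = re.compile(r"\s*([A-Z][A-Z ]*?)\s*:\[(\d+)\] '")
DML_PREFIXES = ("INSERT", "UPDATE", "DELETE", "MERGE")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one 'Audit trail:' line into {field name: value}.

    The [N] in each header is the length of the quoted value, so the value is
    sliced by length instead of scanning for a closing quote. That is what keeps
    the embedded quotes in ename='SCOTT' from truncating the ACTION field.
    """
    if not line.startswith(RECORD_PREFIX):
        raise ValueError("not an audit trail record")
    length_end = line.index("'", len(RECORD_PREFIX))
    record = {"LENGTH": line[len(RECORD_PREFIX):length_end]}
    pos = length_end + 1
    while True:
        header = FIELD_HEADER.match(line, pos)
        if header is None:
            break  # trailing " ." reached
        name, size = header.group(1), int(header.group(2))
        start = header.end()
        value = line[start:start + size]
        # The character right after the sliced value must be the closing quote;
        # anything else means the record is truncated or the prefix is wrong.
        if len(value) != size or line[start + size:start + size + 1] != "'":
            raise ValueError(f"length prefix does not match value in field {name}")
        record[name] = value
        pos = start + size + 1
    return record


def parse_audit_file(text: str) -> List[Dict[str, str]]:
    """Parse every record line in an OS audit file, ignoring other lines."""
    return [parse_record(line) for line in text.splitlines()
            if line.startswith(RECORD_PREFIX)]


def privileged_dml(records: List[Dict[str, str]]) -> List[str]:
    """Return the ACTION text of records where a SYSDBA or SYSOPER connection
    ran DML. Administrative work rarely needs row-level changes to application
    tables, so these are the records to review first (assumed review rule)."""
    flagged = []
    for record in records:
        action = record.get("ACTION", "").lstrip().upper()
        if record.get("PRIVILEGE") in ("SYSDBA", "SYSOPER") and action.startswith(DML_PREFIXES):
            flagged.append(record["ACTION"])
    return flagged


if __name__ == "__main__":
    for action in privileged_dml(parse_audit_file(SAMPLE_AUDIT_FILE)):
        print("review:", action)
```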


Values of AUDIT_TRAIL for Standard Auditing

The audit trail does not store data values

Value of AUDIT_TRAIL: FALSE (default; NONE on Oracle 10g)
— No standard auditing activity

Value of AUDIT_TRAIL: OS
— Records are written to the OS
— Do this for the same reasons as for AUDIT_SYS_OPERATIONS
— Accessible when the database is down

Value of AUDIT_TRAIL: XML (or XML,EXTENDED)
— Records written as XML
— New view (V$XML_AUDIT_TRAIL) shows these records in relational format and makes them 'queryable' via SQL
— EXTENDED causes audit of SQL text and bind variable values

Value of AUDIT_TRAIL: DB (or DB,EXTENDED)
— Records are written to a database table (sys.aud$)
— Makes it easier to run reports

Setting Standard Auditing

The parameter is deliberately not dynamic
— Database must be 'bounced' to change its value
— Set this value on database creation to avoid a database 'bounce' later

If AUDIT_FILE_DEST is not specified, the default OS location is
— Solaris: $ORACLE_BASE/admin/$DB_UNIQUE_NAME/adump
— Windows: $ORACLE_BASE\admin\$DB_UNIQUE_NAME\adump

ALTER SYSTEM SET AUDIT_TRAIL = DB,EXTENDED SCOPE = SPFILE;

Scoping Audit Activity – Standard Auditing

Specific objects

Executing procedures

Use of a system privilege

Specific users

Successful and/or unsuccessful actions

Per action or per session (per session is not a realistic option on 11g)

Allows focussing of auditing activity
— Important to fine-tune this to avoid performance and storage issues

Allows monitoring of privileged users – DBAs etc.

Auditing Connections

Need to know who and when
— Most outages are down to human activity
— Not easy for users of applications using connection pools

Generates lots of records
— Need adequate disk space and purging policy

To audit connections, two criteria must be set
— Ensure AUDIT_TRAIL = DB,EXTENDED
— When connected as the user system, issue the command

AUDIT SESSION;

— Audits connections only for scott and smith

AUDIT SESSION BY scott, smith;

Not much defence for not having this information

Auditing Connections (continued)

Script to report on audit of user logons and logoffs

BEGIN
  FOR r IN (SELECT username
                  ,action_name
                  ,TO_CHAR(timestamp, 'DD-MON HH24:MI')   logon
                  ,TO_CHAR(logoff_time, 'DD-MON HH24:MI') logoff
                  ,priv_used
                  ,comment_text
            FROM   dba_audit_trail) LOOP
    dbms_output.put_line('User: '||r.username);
    dbms_output.put_line('Action: '||r.action_name);
    dbms_output.put_line('Logon: '||r.logon);
    dbms_output.put_line('Logoff: '||r.logoff);
    dbms_output.put_line('Priv: '||r.priv_used);
    dbms_output.put_line('Comments: '||r.comment_text);
    dbms_output.put_line('-----End of audit record-----');
  END LOOP;
END;
/

Audit Report Output

User has yet to logoff

SYS> /
User: SCOTT
Action: LOGON
Logon: 12-SEP 09:24
Logoff:
Priv: CREATE SESSION
Comments: Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=169.254.207.135)(PORT=2817))
-----End of audit record-----

PL/SQL procedure successfully completed.

User scott has created a session and then exited almost immediately

SYS> /
User: SCOTT
Action: LOGOFF
Logon: 12-SEP 09:24
Logoff: 12-SEP 09:25
Priv: CREATE SESSION
Comments: Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=169.254.207.135)(PORT=2817))
-----End of audit record-----

— On Oracle 11g you may see DBSNMP and SYSMAN activity

Statement Auditing

The use of any kind of SQL statement can be audited
— Can be based on whether the statement is successful, unsuccessful or both

Examples of auditing based on statements affecting types of objects

— Audits CREATE, ALTER, DROP of any role or table

AUDIT ROLE, TABLE;

— Audits CREATE TABLE statements

AUDIT CREATE TABLE;

— Audits ALTER TABLE statements only when they are unsuccessful

AUDIT ALTER TABLE WHENEVER NOT SUCCESSFUL;

Statement Auditing (continued)

Audit all unsuccessful SELECT, INSERT, DELETE statements on all tables and any unsuccessful attempt at executing a procedure

AUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE
  BY ACCESS WHENEVER NOT SUCCESSFUL;

Can be specified on a per user basis

AUDIT DELETE TABLE BY tt BY ACCESS;

Tracking Statement Auditing

Statement level auditing is shown in dba_stmt_audit_opts

AUDIT CREATE EXTERNAL JOB BY tt;

SELECT * FROM dba_stmt_audit_opts;

USER_NAME  PROXY_NAME  AUDIT_OPTION         SUCCESS     FAILURE
---------  ----------  -------------------  ----------  ----------
    :          :              :                 :           :
                       DROP ANY TABLE       BY SESSION  BY SESSION
                       CREATE EXTERNAL JOB  BY SESSION  BY SESSION
TT                     CREATE EXTERNAL JOB  BY SESSION  BY SESSION
    :          :              :                 :           :

NOAUDIT CREATE EXTERNAL JOB;

SELECT * FROM dba_stmt_audit_opts;

USER_NAME  PROXY_NAME  AUDIT_OPTION         SUCCESS     FAILURE
---------  ----------  -------------------  ----------  ----------
    :          :              :                 :           :
                       DROP ANY TABLE       BY SESSION  BY SESSION
TT                     CREATE EXTERNAL JOB  BY SESSION  BY SESSION
    :          :              :                 :           :

— NOAUDIT without a BY clause removes only the system-wide option; the option set BY tt remains

Privilege-Based Auditing

Examples of auditing on types of privileges

— Audits any successful or unsuccessful action that depends on the DELETE ANY TABLE privilege

AUDIT DELETE ANY TABLE;

— Audits each unsuccessful use of the UPDATE ANY TABLE privilege
• Default is BY SESSION

AUDIT UPDATE ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;

The AUDIT SYSTEM privilege is required by any user that sets up system or privilege-based auditing
— This would normally be the security administrator and no-one else

Object-based Auditing

Object owners and administrators can set object-based auditing
— AUDIT ANY allows auditing to be set on any object

Examples of auditing on specific objects

— Audit successful attempts to query the emp table on a session basis

AUDIT SELECT ON emp WHENEVER SUCCESSFUL;

— Audit all unsuccessful attempts to query, insert into or delete from scott's dept table, by access

AUDIT SELECT, INSERT, DELETE ON scott.dept BY ACCESS WHENEVER NOT SUCCESSFUL;

Object-based Auditing (continued)

Object options available per object type (X = available, -- = not available)

Object Option  Table  View  Seq  Proc/Func/Pkg  Mview  Dir  Lib  Object Type  Context
ALTER          X      --    X    --             X      --   --   X            --
AUDIT          X      X     X    X              X      X    --   X            X
COMMENT        X      X     --   --             X      --   --   --           --
DELETE         X      X     --   --             X      --   --   --           --
EXECUTE        --     --    --   X              --     --   X    --           --
FLASHBACK      X      X     --   --             --     --   --   --           --
GRANT          X      X     X    X              --     X    X    X            X
INDEX          X      --    --   --             X      --   --   --           --
INSERT         X      X     --   --             X      --   --   --           --
LOCK           X      X     --   --             X      --   --   --           --
READ           --     --    --   --             --     X    --   --           --
WRI            ????
RENAME         X      X     --   --             --     --   --   --           --
REF            Obsolete, do not use
SELECT         X      X     X    --             X      --   --   --           --
UPDATE         X      X     --   --             X      --   --   --           --
CRE            ????

Object Level Auditing

AUDIT DELETE, UPDATE ON SCOTT.EMP WHENEVER NOT SUCCESSFUL;

AUDIT SELECT ON SCOTT.EMP BY ACCESS;

AUDIT INSERT ON SCOTT.EMP BY ACCESS WHENEVER SUCCESSFUL;

SELECT * FROM dba_obj_audit_opts;

OWNER  OBJECT_NAME  OBJECT_TYPE  ALT  AUD  COM  DEL  GRA  IND  INS  LOC  REN  SEL  UPD  REF  EXE  CRE  REA  WRI  FBK
-----  -----------  -----------  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---
SCOTT  EMP          TABLE        -/-  -/-  -/-  -/S  -/-  -/-  A/-  -/-  -/-  A/A  -/S  -/-  -/-  -/-  -/-  -/-  -/-

Cannot be specified on a per user basis

AUDIT ALL ON dept;
— Audits all possible options on the object

NOAUDIT ALL ON dept;
— Removes EVERY audit option on the object

BY SESSION vs BY ACCESS

Originally, BY SESSION created one audit record for statements causing the same auditing activity
— BY ACCESS creates an audit record each time an auditable statement is run

On Oracle 11g BY SESSION causes auditing as many times as BY ACCESS but records less information
— Still remains as the default

Oracle recommends using BY ACCESS
— Similar overheads but more information

Monitoring Object Auditing

Status of objects being audited

SELECT object_name, upd "Update Option"
FROM   dba_obj_audit_opts
WHERE  object_name IN ('DEPT','EMP');

OBJECT_NAME  Update Option
-----------  -------------
DEPT         A/-
EMP          S/A

First character shows if auditing is enabled for successful attempts
— S = by session
— A = by access
— - = no auditing

Character after the '/' shows if auditing is enabled for unsuccessful attempts

Object auditing in audit trail

DELETE FROM emp WHERE empno = (SELECT * FROM emp WHERE ename = 'x');
ORA-00913: too many values

DELETE FROM emp WHERE empno = (SELECT empno FROM emp WHERE ename = 'x');

SELECT ses_actions, returncode FROM dba_audit_object;

SES_ACTIONS       RETURNCODE
----------------  ----------
---------F------         913   (the subquery SELECT)
---F------------         913   (the DELETE)
---------S------           0   (the subquery SELECT)
---S------------           0   (the DELETE)
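The SES_ACTIONS and RETURNCODE columns above are compact, and so are the S/A/- cells of dba_obj_audit_opts. The Python below is an added example, not from the slides: it decodes both into readable outcomes and lists the failed actions with their ORA- error. The position-to-action mapping for SES_ACTIONS (ALTER, AUDIT, COMMENT, DELETE, GRANT, INDEX, INSERT, LOCK, RENAME, SELECT, UPDATE, REFERENCES, EXECUTE, with 14-16 reserved) is taken from the Oracle data dictionary reference for DBA_AUDIT_OBJECT and is an assumption not stated on the slide; the sample rows are the four shown above.

```python
from typing import Dict, List, Tuple

# Action covered by each position of SES_ACTIONS in DBA_AUDIT_OBJECT
# (assumed from the data dictionary reference; positions 14-16 are reserved).
SES_ACTION_NAMES = [
    "ALTER", "AUDIT", "COMMENT", "DELETE", "GRANT", "INDEX", "INSERT",
    "LOCK", "RENAME", "SELECT", "UPDATE", "REFERENCES", "EXECUTE",
]
OUTCOME = {"S": "success", "F": "failure", "B": "both"}
# Meaning of each side of a dba_obj_audit_opts cell such as 'S/A'
OPTION = {"S": "by session", "A": "by access", "-": "not audited"}

# Constructed sample: the four (SES_ACTIONS, RETURNCODE) rows from this slide.
SAMPLE_ROWS = [
    ("---------F------", 913),   # the subquery SELECT failed with ORA-00913
    ("---F------------", 913),   # so the enclosing DELETE failed too
    ("---------S------", 0),     # second attempt: SELECT succeeded
    ("---S------------", 0),     # second attempt: DELETE succeeded
]


def decode_ses_actions(ses_actions: str) -> Dict[str, str]:
    """Map a 16-character SES_ACTIONS string to {action: outcome}.
    Positions holding '-' are not returned; anything other than S, F, B or '-'
    is treated as corrupt input rather than silently ignored."""
    if len(ses_actions) != 16:
        raise ValueError("SES_ACTIONS must be 16 characters")
    decoded = {}
    for index, flag in enumerate(ses_actions[:len(SES_ACTION_NAMES)]):
        if flag in OUTCOME:
            decoded[SES_ACTION_NAMES[index]] = OUTCOME[flag]
        elif flag != "-":
            raise ValueError(f"unexpected flag {flag!r} at position {index + 1}")
    return decoded


def decode_audit_option(cell: str) -> Tuple[str, str]:
    """Decode a dba_obj_audit_opts cell such as 'S/A' into
    (option for successful attempts, option for unsuccessful attempts)."""
    success_flag, failure_flag = cell.split("/")
    return OPTION[success_flag], OPTION[failure_flag]


def explain_row(ses_actions: str, returncode: int) -> List[str]:
    """Combine SES_ACTIONS with RETURNCODE into lines such as
    'DELETE: failure (ORA-00913)'. RETURNCODE 0 is success; any other value
    is the number of the ORA- error the statement raised."""
    suffix = "" if returncode == 0 else f" (ORA-{returncode:05d})"
    return [f"{action}: {outcome}{suffix}"
            for action, outcome in decode_ses_actions(ses_actions).items()]


def failed_actions(rows: List[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Return (action, ORA-error) pairs for rows that recorded a failure;
    these are the rows a reviewer of the audit trail looks at first."""
    failures = []
    for ses_actions, returncode in rows:
        for action, outcome in decode_ses_actions(ses_actions).items():
            if outcome in ("failure", "both"):
                failures.append((action, f"ORA-{returncode:05d}"))
    return failures


if __name__ == "__main__":
    for ses_actions, returncode in SAMPLE_ROWS:
        print(ses_actions, *explain_row(ses_actions, returncode))
    print("failed:", failed_actions(SAMPLE_ROWS))
```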

Monitoring System Wide Auditing

Show auditing status of user logins with dba_stmt_audit_opts

SELECT * FROM dba_stmt_audit_opts;

USER_NAME  PROXY_NAME  AUDIT_OPTION    SUCCESS    FAILURE
---------  ----------  --------------  ---------  ---------
                       CREATE SESSION  BY ACCESS  BY ACCESS

Show auditing status of system privileges with dba_priv_audit_opts

SELECT * FROM dba_priv_audit_opts;

USER_NAME  PROXY_NAME  PRIVILEGE         SUCCESS    FAILURE
---------  ----------  ----------------  ---------  ---------
                       SELECT ANY TABLE  BY ACCESS  BY ACCESS

The dba_common_audit_trail view shows all auditing information
— Includes Fine-Grained Auditing

Auditing the Audit Trail

If ordinary users have access to sys.aud$ then that access needs to be audited

AUDIT SELECT, INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;

— Any actions performed by non-SYSDBA users will now be audited

A simple SELECT on sys.aud$ will generate an audit record in aud$
— A DELETE of this audit record will succeed, but it will generate another record of the delete operation

Any records of DML performed on aud$ cannot be deleted by regular users

Setting up this type of auditing acts as a safety feature, potentially revealing unusual or unauthorized actions

The Auditing Views

STMT_AUDIT_OPTION_MAP    Contains information about auditing option type codes. Created by the SQL.BSQ script at CREATE DATABASE time.
AUDIT_ACTIONS            Contains descriptions for audit trail action type codes
ALL_DEF_AUDIT_OPTS       Contains default object-auditing options to be applied on object creation
DBA_STMT_AUDIT_OPTS      Describes current system auditing options across the system and by user
DBA_PRIV_AUDIT_OPTS      Describes current system privileges being audited across the system and by user
DBA_OBJ_AUDIT_OPTS       Describes auditing options on all objects
USER_OBJ_AUDIT_OPTS      The USER view shows auditing options on all objects owned by the current user
DBA_AUDIT_TRAIL          Lists all audit trail entries
USER_AUDIT_TRAIL         The USER view shows audit trail entries relating to the current user
DBA_AUDIT_OBJECT         Contains audit trail records for all objects in the system
USER_AUDIT_OBJECT        The USER view lists audit trail records for statements concerning objects that are accessible to the current user
DBA_AUDIT_SESSION        Lists all audit trail records concerning CONNECT and DISCONNECT
USER_AUDIT_SESSION       The USER view lists all audit trail records concerning connections and disconnections for the current user
DBA_AUDIT_STATEMENT      Lists audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements throughout the database
USER_AUDIT_STATEMENT     The USER view lists the same kind of records for statements issued by the current user
DBA_AUDIT_EXISTS         Lists audit trail entries produced by AUDIT NOT EXISTS
DBA_AUDIT_POLICIES       Shows all the auditing policies on the system
DBA_FGA_AUDIT_TRAIL      Lists audit trail records for value-based auditing
DBA_COMMON_AUDIT_TRAIL   Combines standard and fine-grained audit log records, and includes sys and mandatory audit records written in XML format

Setting up Audit Information

Trigger sets the client identifier for each session at login time

CREATE OR REPLACE TRIGGER trg_set_client_info
AFTER LOGON ON DATABASE
DECLARE
  v_module v$session.module%TYPE;
BEGIN
  -- pick up the module name (e.g. sqlplus.exe) of the session that just logged on
  SELECT module INTO v_module
  FROM   v$process p, v$session s
  WHERE  p.addr = s.paddr
  AND    s.audsid = USERENV('sessionid');
  -- the identifier is then recorded in the client_id column of the audit trail
  dbms_session.set_identifier(sys_context('userenv','ip_address') || ' - ' || v_module);
END;
/

— Could set many other criteria such as authentication method

Page 45: Auditing Statements

Example shows three SELECT statements that will generate audit records
— The statement issued by system will generate three audit records

CONN system/manager

SELECT ename, sal
FROM   scott.emp
WHERE  sal < (SELECT sal FROM scott.emp WHERE ename = 'WARD')
AND    job = (SELECT job FROM scott.emp WHERE ename = 'WARD');

CONN scott/tiger

SELECT job FROM scott.emp;
SELECT empno FROM scott.emp;

Page 46: Correlating Audit Records

CREATE OR REPLACE PROCEDURE format_aud
AS
BEGIN
  -- One row per statement: the three records the system statement produces
  -- share a statementid, so grouping collapses them into one entry
  FOR r IN (SELECT db_user
                  ,client_id
                  ,object_schema
                  ,object_name
                  ,extended_timestamp
                  ,sql_text
                  ,statementid
            FROM   dba_common_audit_trail
            GROUP BY db_user
                    ,statementid
                    ,sql_text
                    ,object_schema
                    ,object_name
                    ,client_id
                    ,extended_timestamp
            ORDER BY extended_timestamp ASC)
  LOOP
    dbms_output.put_line('Who: '  ||r.db_user);
    dbms_output.put_line('What: ' ||r.object_schema||'.'||r.object_name);
    dbms_output.put_line('Where: '||r.client_id);
    dbms_output.put_line('When: ' ||TO_CHAR(r.extended_timestamp,'MON-DD HH24:MI'));
    dbms_output.put_line('How: '  ||r.sql_text);
    dbms_output.put_line('--------------End of audit record--------------');
  END LOOP;
END;
/

Grouping by statementid causes the system statement to show as one entry

Page 47: Correlated Output from the Audit Trail

The system record shows only once

SQLPLUS is shown as part of the identifier (set by the trigger)

Who: SYSTEM
What: SCOTT.EMP
Where: 127.0.0.1 - sqlplus.exe
When: SEP-2012 11:15
How: SELECT ename,sal FROM scott.emp WHERE sal < (SELECT sal FROM scott.emp WHERE ename = 'WARD') AND job = (SELECT job FROM scott.emp WHERE ename = 'WARD')
--------------End of audit Record--------------
Who: SCOTT
What: SCOTT.EMP
Where: 127.0.0.1 - sqlplus.exe
When: SEP-2012 11:15
How: SELECT job FROM scott.emp
--------------End of audit Record--------------
Who: SCOTT
What: SCOTT.EMP
Where: 127.0.0.1 - sqlplus.exe
When: SEP-2012 11:15
How: SELECT ename FROM scott.emp;

The SQL text of the SELECT statement is captured because AUDIT_TRAIL = DB,EXTENDED

Page 48: Performance Impact of Audit

With auditing

CREATE OR REPLACE PROCEDURE perf_test_aud
AS
BEGIN
  -- 50,000 audited SELECTs against scott.emp; the rows themselves are discarded
  FOR rec IN 1..50000 LOOP
    FOR inner_rec IN (SELECT ename FROM scott.emp) LOOP
      NULL;
    END LOOP;
  END LOOP;
END;
/

EXEC perf_test_aud

Elapsed : 39.93 seconds

Page 49: Performance Impact of Audit (continued)

Disable auditing and then re-execute

NOAUDIT SELECT ON scott.emp;

CREATE OR REPLACE PROCEDURE perf_test_aud
AS
BEGIN
  -- Same 50,000 SELECTs, now with auditing on scott.emp switched off
  FOR rec IN 1..50000 LOOP
    FOR inner_rec IN (SELECT ename FROM scott.emp) LOOP
      NULL;
    END LOOP;
  END LOOP;
END;
/

EXEC perf_test_aud

Elapsed : 12.26 seconds

Page 50: Auditing Limitations

Not able to show what data the user actually saw
— But captures SCN of the operation
— Could use Flashback based on the SCN to see the data
  • Depends on UNDO_RETENTION
— Oracle Consultancy have Selective Audit as a 'full' solution

Audit data persists after a rollback

Audit is generated even when no rows affected

Cannot audit on specific columns or conditions

Fine-grained auditing gives extra possibilities
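One way to use the SCN the audit trail captures, as an added example that is not from the presentation: it re-reads scott.emp as of each audited SELECT's SCN with Flashback Query, and handles the case where UNDO_RETENTION no longer covers that SCN. It assumes AUDIT_TRAIL = DB,EXTENDED and a session that can read dba_audit_trail and scott.emp.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- ORA-01555: the undo needed to rebuild the data at that SCN has been overwritten
  e_snapshot_too_old EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_snapshot_too_old, -1555);
  TYPE t_cur IS REF CURSOR;
  c_rows  t_cur;
  v_ename scott.emp.ename%TYPE;
  v_sal   scott.emp.sal%TYPE;
BEGIN
  -- Every audited SELECT on scott.emp, with the SCN the audit record stored
  FOR r IN (SELECT username, scn, sql_text, extended_timestamp
            FROM   dba_audit_trail
            WHERE  owner       = 'SCOTT'
            AND    obj_name    = 'EMP'
            AND    action_name = 'SELECT'
            AND    scn IS NOT NULL
            ORDER  BY extended_timestamp)
  LOOP
    dbms_output.put_line(r.username||' at '
                         ||TO_CHAR(r.extended_timestamp,'DD-MON HH24:MI')
                         ||' SCN '||r.scn);
    dbms_output.put_line('  Statement: '||r.sql_text);
    BEGIN
      -- Re-read the table as it stood at the audited SCN. This shows what was
      -- visible to the user at that moment; the audited statement itself is
      -- not re-executed, so it is an upper bound on what the user received.
      OPEN c_rows FOR
        'SELECT ename, sal FROM scott.emp AS OF SCN :s ORDER BY ename'
        USING r.scn;
      LOOP
        FETCH c_rows INTO v_ename, v_sal;
        EXIT WHEN c_rows%NOTFOUND;
        dbms_output.put_line('  '||RPAD(v_ename, 10)||v_sal);
      END LOOP;
      CLOSE c_rows;
    EXCEPTION
      WHEN e_snapshot_too_old THEN
        -- The audit record proves the statement ran, but the data it saw
        -- can no longer be reconstructed from undo
        dbms_output.put_line('  Data at SCN '||r.scn
                             ||' is no longer reconstructable (UNDO_RETENTION exceeded)');
    END;
  END LOOP;
END;
/
```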

Page 51: Auditing (agenda): Auditing Overview, Application Auditing, Trigger-based Auditing, Auditing the sys User, Standard Auditing, Fine-Grained Auditing, Managing the Audit Trail, Auditing Recommendations

Page 52: Fine-Grained Auditing (FGA) Features

1. Boolean condition check
   — Anything specified in SQL
   — Comparison of function call results

2. Column sensitivity

3. Event Handler

4. SQL capture

Conditional auditing helps to reduce unnecessary audits

Business rule
— Employees should see only their own record
  • Auditing on the table generates audit information for all SELECTs
  • Sifting through the audit is cumbersome

Page 53: Setting Up FGA

FGA does not depend on any initialisation parameters

Implement auditing for users accessing other employees' records

BEGIN
  dbms_fga.add_policy(
      object_schema   => 'SCOTT'
     ,object_name     => 'EMPTAB_FGA'
     ,policy_name     => 'fga_emp'
     -- Audit only when the row read is not the user's own
     ,audit_condition => 'ENAME != USER'
     ,audit_trail     => dbms_fga.db + dbms_fga.extended);
END;
/

audit_trail will place audit in fga_log$ (with SQL texts) (default)
— Can alternatively be specified as XML

If audit_condition is left as NULL, the audit always happens

Requires the use of the cost-based optimizer and generation of statistics

Page 54: Generating FGA records

Two statements using the emptab_fga table
— Only one entry is placed in the audit table (SMITH is not the user SCOTT)

SELECT sal,ename FROM scott.emptab_fga WHERE ename = 'SCOTT';

       SAL ENAME
---------- ----------
      3000 SCOTT

SELECT sal,ename FROM scott.emptab_fga WHERE ename = 'SMITH';

       SAL ENAME
---------- ----------
      2850 SMITH

Who: SCOTT
What: SCOTT.EMPTAB_FGA
Where: - sqlplusw.exe
When: Nov-09 12:52
How: SELECT sal,ename FROM scott.emptab_fga WHERE ename = 'SMITH'
--------------End of audit record--------------

Page 55: Fine Grained Auditing Features

When AUDIT_TRAIL = DB or DB,EXTENDED, the FGA records are stored in the fga_log$ table owned by sys by default
— Shown in dba_fga_audit_trail
— Also seen in dba_common_audit_trail with other auditing information
  • Clearing out aud$ will not remove FGA records

Fine-grained auditing goes beyond triggers
— Triggers incur a PL/SQL call for every row processed
  • Create an audit record only when a relevant column is changed by DML
— FGA is not invoked for every row - only once for every policy
  • Audit occurs when a specified column is either changed or used in selection criteria
    – Uncovers users who hope their actions will be masked because they use the sensitive columns only in the selection criteria

Page 56: Targeting Fine-Grained Auditing

Use functions to perform complex checking
— Gives flexibility to policies

CREATE OR REPLACE FUNCTION outside_hours
RETURN BINARY_INTEGER
AS
  v_return_val   NUMBER;
  v_day_of_week  VARCHAR2(3) := TO_CHAR(sysdate, 'DY');
  v_hour         NUMBER(2)   := TO_NUMBER(TO_CHAR(sysdate, 'HH24'));
BEGIN
  -- 1 = weekend or outside 08:00-17:59, 0 = normal working hours
  IF (v_day_of_week IN ('SAT', 'SUN') OR v_hour < 8 OR v_hour > 17) THEN
    v_return_val := 1;
  ELSE
    v_return_val := 0;
  END IF;
  RETURN v_return_val;
END;
/

— Checks if the time is outside of working hours

Page 57: Manipulating Auditing Policies

Auditing occurs on emptab_fga if function outside_hours returns '1'
— Outside of working hours

BEGIN
  dbms_fga.drop_policy(
      object_schema => 'SCOTT'
     ,object_name   => 'EMPTAB_FGA'
     ,policy_name   => 'fga_emp');
END;
/

BEGIN
  dbms_fga.add_policy(
      object_schema   => 'SCOTT'
     ,object_name     => 'EMPTAB_FGA'
     ,policy_name     => 'fga_emp'
     ,audit_condition => 'SECADMIN.OUTSIDE_HOURS = 1');
END;
/

Page 58: Column Sensitivity

Any employee is allowed to access other employees' records
— But must not access the sensitive sal column

This rule needs column sensitivity
— Auditing occurs only if the column is retrieved and the condition is met
— If no condition, auditing happens when the column is retrieved or manipulated

BEGIN
  dbms_fga.add_policy(
      object_schema   => 'SCOTT'
     ,object_name     => 'EMPTAB_FGA'
     ,policy_name     => 'fga_emp'
     ,audit_condition => 'ENAME != USER'
     ,audit_column    => 'SAL');
END;
/

Page 59: Options for Column Auditing

Use audit_column_opts
— Relevant only when there is a list of columns in audit_column
— Governs whether a statement is audited

Value of audit_column_opts    Auditing action
any_columns (default value)   the statement is audited if it references any column specified in the audit_column parameter
all_columns                   the statement must reference all columns listed in audit_column to be audited
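The two settings side by side, as an added example that is not from the presentation: two policies on the same table differ only in audit_column_opts, a few constructed statements are run as SCOTT, and dba_fga_audit_trail shows which policy fired for which statement. The policy names and the COMM column (present if emptab_fga is a copy of the standard emp table) are assumptions.

```sql
BEGIN
  -- Fires for any statement that references SAL or COMM (the default behaviour)
  dbms_fga.add_policy(
      object_schema     => 'SCOTT'
     ,object_name       => 'EMPTAB_FGA'
     ,policy_name       => 'fga_sal_or_comm'
     ,audit_column      => 'SAL,COMM'
     ,audit_column_opts => dbms_fga.any_columns
     ,statement_types   => 'SELECT,UPDATE');

  -- Fires only for statements that reference BOTH SAL and COMM
  dbms_fga.add_policy(
      object_schema     => 'SCOTT'
     ,object_name       => 'EMPTAB_FGA'
     ,policy_name       => 'fga_sal_and_comm'
     ,audit_column      => 'SAL,COMM'
     ,audit_column_opts => dbms_fga.all_columns
     ,statement_types   => 'SELECT,UPDATE');
END;
/

-- Constructed test statements, run as SCOTT (SMITH exists, so rows are returned)
SELECT sal FROM scott.emptab_fga WHERE ename = 'SMITH';                -- fga_sal_or_comm only
SELECT sal + NVL(comm, 0) FROM scott.emptab_fga WHERE ename = 'SMITH'; -- both policies
UPDATE scott.emptab_fga SET comm = 0 WHERE ename = 'SMITH';            -- fga_sal_or_comm only
ROLLBACK;   -- the FGA records written above survive the rollback

-- Which policy recorded which statement
SELECT policy_name, db_user, sql_text
FROM   dba_fga_audit_trail
WHERE  object_schema = 'SCOTT'
AND    object_name   = 'EMPTAB_FGA'
AND    policy_name  IN ('FGA_SAL_OR_COMM', 'FGA_SAL_AND_COMM')
ORDER  BY timestamp, policy_name;
```

Expect three rows for FGA_SAL_OR_COMM and one (the second SELECT) for FGA_SAL_AND_COMM; the column referenced in an UPDATE's SET clause counts just as a column in a SELECT list or WHERE clause does.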

Page 60: Column Sensitive Audit Test

Which of the following statements will be audited?

1. SELECT AVG(sal) FROM emptab_fga;

2. SELECT sal FROM emptab_fga WHERE ename = 'SCOTT';

3. SELECT empno,job,sal FROM emptab_fga WHERE deptno = 10;

4. SELECT empno,job FROM emptab_fga WHERE deptno = 10;

5. SELECT sal FROM emptab_fga WHERE ename = 'ZULU';

6. SELECT ename FROM emptab_fga WHERE ename = 'SMITH';

7. SELECT ename FROM emptab_fga WHERE sal > 2975;

Page 61: Audited Statements

Statements 1, 3 and 7

Who: SCOTT
What: SCOTT.EMPTAB_FGA
Where: - sqlplusw.exe
When: Nov-11 16:18
How: SELECT AVG(sal) FROM emptab_fga
--------------End of audit record--------------
Who: SCOTT
What: SCOTT.EMPTAB_FGA
Where: - sqlplusw.exe
When: Nov-11 16:18
How: SELECT empno,job,sal FROM emptab_fga WHERE deptno = 10
--------------End of audit record--------------
Who: SCOTT
What: SCOTT.EMPTAB_FGA
Where: - sqlplusw.exe
When: Nov-11 16:18
How: SELECT ename FROM emptab_fga WHERE sal > 2975
--------------End of audit record--------------

Page 62: Pushing Audit Information

There could be a delay before audit records are seen

Push alerts out to DBAs
— Use an event handler
— No need to query the audit log for information

BEGIN
  dbms_fga.add_policy(
      object_schema   => 'SCOTT'
     ,object_name     => 'EMPTAB_FGA'
     ,policy_name     => 'fga_emp'
     ,audit_condition => 'ENAME != USER'
     ,audit_column    => 'SAL'
     -- Procedure SECADMIN.FGA_ALERT is called each time the policy fires
     ,handler_schema  => 'SECADMIN'
     ,handler_module  => 'FGA_ALERT');
END;
/

Page 63: The Event Handler

CREATE OR REPLACE PROCEDURE fga_alert (pi_sch VARCHAR2
                                      ,pi_tab VARCHAR2
                                      ,pi_pol VARCHAR2)
AS
  msg VARCHAR2(20000);
BEGIN
  -- current_sql is the statement that caused the policy to fire
  msg := 'Wake up Carl - the '||pi_tab||' table owned by '||pi_sch
       ||' has been accessed with this statement : '
       ||sys_context('userenv','current_sql')
       ||'. The time is : '||TO_CHAR(SYSDATE, 'Day DD MON, YYYY HH24:MI:SS');
  UTL_MAIL.SEND (sender     => '[email protected]'
                ,recipients => '[email protected]'
                ,subject    => 'Salaries in the HR.EMPLOYEES table have been accessed'
                ,message    => msg);
END fga_alert;
/
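An alternative sink for the same handler mechanism, as an added example that is not from the presentation: the alert is written to a local table in an autonomous transaction so that it is kept even when the audited user's transaction is rolled back, and any failure in the alert path is kept out of the user's session. The table SECADMIN.FGA_ALERTS, the procedure FGA_ALERT_TAB and the policy name are assumptions.

```sql
CREATE TABLE secadmin.fga_alerts (
  alert_time   TIMESTAMP DEFAULT SYSTIMESTAMP
 ,policy_name  VARCHAR2(30)
 ,object_name  VARCHAR2(61)
 ,db_user      VARCHAR2(30)
 ,client_id    VARCHAR2(64)
 ,ip_address   VARCHAR2(45)
 ,sql_text     CLOB
);

CREATE OR REPLACE PROCEDURE secadmin.fga_alert_tab (pi_sch VARCHAR2
                                                   ,pi_tab VARCHAR2
                                                   ,pi_pol VARCHAR2)
AS
  -- The handler runs inside the audited user's transaction; commit the alert
  -- independently so a later ROLLBACK by that user cannot remove it
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO secadmin.fga_alerts
    (policy_name, object_name, db_user, client_id, ip_address, sql_text)
  VALUES
    (pi_pol
    ,pi_sch||'.'||pi_tab
    ,sys_context('userenv', 'session_user')
    ,sys_context('userenv', 'client_identifier')   -- as set by the logon trigger
    ,sys_context('userenv', 'ip_address')
    ,sys_context('userenv', 'current_sql'));
  COMMIT;
EXCEPTION
  WHEN OTHERS THEN
    -- An autonomous transaction must end with COMMIT or ROLLBACK; a problem
    -- with the alert table is not surfaced to the audited session
    ROLLBACK;
END fga_alert_tab;
/

BEGIN
  dbms_fga.add_policy(
      object_schema   => 'SCOTT'
     ,object_name     => 'EMPTAB_FGA'
     ,policy_name     => 'fga_emp_tab'
     ,audit_condition => 'ENAME != USER'
     ,audit_column    => 'SAL'
     ,handler_schema  => 'SECADMIN'
     ,handler_module  => 'FGA_ALERT_TAB');
END;
/
```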

Page 64: FGA Summary

FGA will not see modifications to queries caused by RLS

FGA does not show the data that the user received

FGA does not occur when no rows are returned or updated
— Could combine it with standard auditing

Cannot circumvent any fine-grained auditing arrangements
— Database centric

Page 65: Auditing (agenda): Auditing Overview, Application Auditing, Trigger-based Auditing, Auditing the sys User, Standard Auditing, Fine-Grained Auditing, Managing the Audit Trail, Auditing Recommendations

Page 66: Managing Auditing – the aud$ Table

When AUDIT_TRAIL is set to DB or DB,EXTENDED
— Auditing information is stored in sys.aud$ in the system tablespace
— Maximum size governed by storage parameters for system tablespace

Periodically remove data from aud$ to free up space and aid searching
— The aud$ (and fga_log$) tables are ABSOLUTELY THE ONLY dictionary tables on which direct DML can be performed
  • Do not insert, update or delete records in any other dictionary table
— Ordinarily, only sys can perform deletes on the aud$ table

Any delete on the audit trail is itself audited
— Beware sys can TRUNCATE the aud$ table

Page 67: Audit Trail – Manual Management

If the audit trail is full and CREATE SESSION is being audited
— Users cannot connect to the database
— In this case, connect as SYS and make space in the audit trail

TRUNCATE TABLE sys.aud$;

ALTER TABLE sys.aud$ SHRINK SPACE;

DELETE FROM sys.aud$;

DELETE FROM sys.aud$
WHERE  ntimestamp# > TO_TIMESTAMP('01-JAN-12 08.08.58.427000 PM', 'DD-MON-RR HH.MI.SSXFF AM')
AND    ntimestamp# < TO_TIMESTAMP('31-MAR-12 10.23.59.681000 PM', 'DD-MON-RR HH.MI.SSXFF AM');

Shrink or truncate aud$ to regain the space if required

Page 68: Audit Trail Management Settings

Values can be set using dbms_audit_mgmt
— Part of SE and EE from Oracle 11gR2
  • Previously available only through Audit Vault

SELECT * FROM dba_audit_mgmt_config_params;

PARAMETER_NAME              PARAMETER_VALUE   AUDIT_TRAIL
-------------------------   ---------------   --------------------
DB AUDIT TABLESPACE         SYSAUX            STANDARD AUDIT TRAIL
DB AUDIT TABLESPACE         SYSAUX            FGA AUDIT TRAIL
AUDIT FILE MAX SIZE         10000             OS AUDIT TRAIL
AUDIT FILE MAX SIZE         10000             XML AUDIT TRAIL
AUDIT FILE MAX AGE          5                 OS AUDIT TRAIL
AUDIT FILE MAX AGE          5                 XML AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE   10000             STANDARD AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE   10000             FGA AUDIT TRAIL
OS FILE CLEAN BATCH SIZE    1000              OS AUDIT TRAIL
OS FILE CLEAN BATCH SIZE    1000              XML AUDIT TRAIL

Page 69: Audit Trail – Automatic Management

For the database audit trail, individual audit records created before a specified timestamp can be purged using dbms_audit_mgmt

For the operating system audit trail, you purge whole audit files that were created before the timestamp
— Can take a while to complete

Preliminary steps:

1. If necessary, tune online and archive redo log sizes
   • Deleting the audit trail can generate much redo and undo
   • Could move audit trail to sysaux tablespace
     – Use dbms_audit_mgmt.set_audit_trail_location

2. Plan a timestamp and archive strategy
   • Decide how much audit to keep

3. Initialize the audit trail cleanup operation
   • Use dbms_audit_mgmt.init_cleanup

Page 70: Automatic Management using dbms_audit_mgmt

The FGA audit trail will now be in sysaux

BEGIN
  -- One-off initialisation; the interval is the default purge frequency in hours
  dbms_audit_mgmt.init_cleanup(
      audit_trail_type         => dbms_audit_mgmt.audit_trail_fga_std
     ,default_cleanup_interval => 24);
END;
/

CREATE OR REPLACE PROCEDURE sys.delete_dbfga_records
IS
BEGIN
  -- Everything older than one day becomes eligible for purging ...
  dbms_audit_mgmt.set_last_archive_timestamp(
      audit_trail_type  => dbms_audit_mgmt.audit_trail_fga_std
     ,last_archive_time => SYSTIMESTAMP - 1);
  -- ... and is removed here
  dbms_audit_mgmt.clean_audit_trail(
      audit_trail_type       => dbms_audit_mgmt.audit_trail_fga_std
     ,use_last_arch_timestamp => TRUE);
END;
/

Cleans out FGA audit records earlier than the newly set timestamp

Page 71: Create Job with Schedule to Clean the Audit Trail

Test routine cleans the audit trail every ten seconds

-- The schedule must exist before a job can refer to it
BEGIN
  dbms_scheduler.create_schedule(
      schedule_name   => 'DELETE_DBFGA_RECORDS_SCHED'
     ,repeat_interval => 'FREQ = SECONDLY; INTERVAL = 10;');
END;
/

BEGIN
  dbms_scheduler.create_job(
      job_name      => 'DELETE_DBFGA_RECORDS_JOB'
     ,job_type      => 'STORED_PROCEDURE'
     ,job_action    => 'SYS.DELETE_DBFGA_RECORDS'
     ,enabled       => TRUE
     ,auto_drop     => FALSE
     ,schedule_name => 'DELETE_DBFGA_RECORDS_SCHED');
END;
/

Page 72: dbms_audit_mgmt.create_purge_job

Automates setting up the job for purging (wrapper on dbms_scheduler)
— But cannot advance/change the timestamp
  • Still need to set up a procedure and job/schedule to do the advance
— Minimum interval is one hour

BEGIN
  dbms_audit_mgmt.create_purge_job(
      audit_trail_type           => dbms_audit_mgmt.audit_trail_fga_std
     ,audit_trail_purge_interval => 1
     ,audit_trail_purge_name     => 'HOURLY_PURGE_FGA'
     ,use_last_arch_timestamp    => TRUE);
END;
/

See the Oracle Support document— Known Issues When Using: DBMS_AUDIT_MGMT [ID 804624.1]
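The complete pattern the last three slides describe (advance the archive timestamp by a procedure and job, let create_purge_job do the deletes), as an added example that is not the presentation's code: one procedure covers both the standard (aud$) and FGA (fga_log$) trails with a retention period instead of a fixed one day. The procedure name, the 90-day retention, the job names and running as SYS are assumptions.

```sql
CREATE OR REPLACE PROCEDURE sys.advance_audit_arch_ts
  (p_retention_days IN NUMBER DEFAULT 90)
IS
  TYPE t_trails IS TABLE OF PLS_INTEGER;
  -- audit_trail_aud_std is the standard trail in aud$, audit_trail_fga_std is fga_log$
  v_trails t_trails := t_trails(dbms_audit_mgmt.audit_trail_aud_std
                               ,dbms_audit_mgmt.audit_trail_fga_std);
BEGIN
  FOR i IN 1 .. v_trails.COUNT LOOP
    -- init_cleanup is a one-off per trail (it also relocates the trail to SYSAUX)
    IF NOT dbms_audit_mgmt.is_cleanup_initialized(v_trails(i)) THEN
      dbms_audit_mgmt.init_cleanup(
          audit_trail_type         => v_trails(i)
         ,default_cleanup_interval => 24);
    END IF;
    -- Records older than "now minus retention" become eligible for purging;
    -- nothing is deleted here, the purge job does that
    dbms_audit_mgmt.set_last_archive_timestamp(
        audit_trail_type  => v_trails(i)
       ,last_archive_time => SYSTIMESTAMP - NUMTODSINTERVAL(p_retention_days, 'DAY'));
  END LOOP;
END advance_audit_arch_ts;
/

BEGIN
  -- Set the timestamps once now, so the purge job has something to honour
  sys.advance_audit_arch_ts(90);

  -- Advance them again every night at 01:00
  dbms_scheduler.create_job(
      job_name        => 'ADVANCE_AUDIT_ARCH_TS_JOB'
     ,job_type        => 'PLSQL_BLOCK'
     ,job_action      => 'BEGIN sys.advance_audit_arch_ts(90); END;'
     ,repeat_interval => 'FREQ=DAILY; BYHOUR=1'
     ,enabled         => TRUE);

  -- Purge both database trails hourly (one hour is the minimum interval),
  -- deleting only records older than the last archive timestamp
  dbms_audit_mgmt.create_purge_job(
      audit_trail_type           => dbms_audit_mgmt.audit_trail_db_std
     ,audit_trail_purge_interval => 1
     ,audit_trail_purge_name     => 'HOURLY_PURGE_DB'
     ,use_last_arch_timestamp    => TRUE);
END;
/

-- What the purge job will honour for each trail
SELECT audit_trail, last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;
```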

Page 73: Audit Trail – Automatic Management (continued)

Optionally, configure audit trail records to be deleted in batches

BEGIN
  dbms_audit_mgmt.set_audit_trail_property(
      audit_trail_type           => dbms_audit_mgmt.audit_trail_db_std
     ,audit_trail_property       => dbms_audit_mgmt.db_delete_batch_size
     ,audit_trail_property_value => 100000);
END;
/

Slide callout on audit_trail_db_std: Standard auditing

— audit_trail_type can be set to
  • audit_trail_db_std
  • audit_trail_fga_std
  • audit_trail_db_aud ??
  • audit_trail_os
  • audit_trail_xml
  • audit_trail_files
  • audit_trail_all ??

[Figure: Automatic Purging of Audit Trail. Timeline with "Start auditing" at the left, followed by 1st purge, 2nd purge, 3rd purge and 4th purge along the time axis]

Page 74: Auditing (agenda): Auditing Overview, Application Auditing, Trigger-based Auditing, Auditing the sys User, Standard Auditing, Fine-Grained Auditing, Managing the Audit Trail, Auditing Recommendations

Page 75: Auditing Recommendations

Use system level auditing

Use FGA where appropriate

Audit access and change to critical data

Analyse the audit trail and logs
— Tools can help here

Create reports

Create procedures / policies

Review report contents

Set alerts

Act on the contents

Page 76: Auditing Techniques for Oracle Database 11g (closing slide)

Carl Dudley
University of Wolverhampton, UK
UKOUG Committee, Oracle ACE Director
[email protected]