Integirgy IOUG 2009 Real World Database Auditing

8/14/2019 Integirgy IOUG 2009 Real World Database Auditing

1/33

StephenKost

IntegrigyCorporation

Session# 602

RealWorldDatabaseAuditing


2/33

Introduction

Stephen

Kost

ChiefTechnologyOfficerofIntegrigyCorporation

14yearsexperiencewithOracletechnologyas

databaseadministrator,

architect,

and

application

administrator

Foundmorethan40securitybugsfixedinCPUs


DedicatedtoOracleSecurity

Services OracleSecurityAssessments

Products AppSentryandAppDefend


3/33

Agenda

Overview Managing

Protecting Spoofing

Thirdparty

Tools


4/33

Some

auditing is

alwaysbetterthannone


5/33

Designedauditing is

always

better

than

some

auditing


6/33

thatIcancatchsomeonedoingsomethingbad

Reasonable Assurance


7/33

Effort

5%

Designing5%

Enabling

10% Archiving&

Purging

80%

Monitoring,Alerting,

Reporting,

Reviewing

Task


8/33

Inside

Native

Finegrained

Triggers

Outside

Networkbased

Agentbased

Logbased

Native

Protective


9/33

ALWAYS* enablenativeauditing

AUDIT_TRAILinitialization parameter

os db db_extended

xml xml_extended

*Noperformanceimpactifjustenabled


10/33

Managing


11/33

MovingSYS.AUD$

Supported

by

Oracle?

Recommended?

MetalinkNoteID72460.1

NotSupported,

but

heres

how

BackupsandUpgrades

Movingmaycauseproblems

11.1Security

Guide

Considermovingit

9.2.0.8AdminGuide

Shouldnotbemoved


12/33

WhyMove

SYS.AUD$?

Iftheaudittrailbecomescompletelyfullandnomoreauditrecordscanbeinserted,auditedstatementscannotbesuccessfullyexecuteduntiltheaudittrailispurged.Warningsarereturnedtoallusersthatissueauditedstatements.

Abletocauseadenialofserviceifcanfillup

theaudit

trail


13/33

IntroducingDBMS_AUDIT_MGMT

10.2.0.3,

10.2.0.4,

11.1.0.x

support

for

movingAUD$andFGA_LOG$tonewtablespace

Only

currently

available

for

most

popular

platforms

GrantedtoEXECUTE_CATALOG_ROLE

SeeAuditVaultdocumentationformostdetailedinformation

SeeMetalink

Note

ID

731908.1


14/33

DBMS_AUDIT_MGMT

SET_AUDIT_TRAIL_LOCATION MoveAUD$/FGA_LOG$toanewtablespace

SQL> begin

2 DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(

3 audit_trail_type =>

DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,4 audit_trail_location_value => 'AUDIT_TS');

5 end;

6 /


15/33

DBMS_AUDIT_MGMT

CLEAN_AUDIT_TRAIL Manuallypurgeaudittrail

SQL> begin DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(

2 AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_AUD,

3 USE_LAST_ARCH_TIMESTAMP => TRUE );4 end;

5 /


16/33

DBMS_AUDIT_MGMT

PurgeJobs

Schedulejobstopurgeaudittablesusing

INIT_CLEANUP,

CREATE_PURGE_JOB,

SET_PURGE_JOB_STATUS

ManageOSAuditingFiles

CancontrolsizeorageofOSlevelaudittrail

files


17/33

Protecting


18/33

AuditTrail

Destination

Options

OracleVersion AUDIT_TRAIL SYSDBA FGA

8.0.x OS/DB

8.1.xOS/DB

9.0.x OS/DB DB

9.2.xOS/DB

OS DB

10.1.x OS/DB OS DB

10.2.xOS/DB/XML/

SYSLOGOS/XML DB/XML

11.1.xOS/DB/XML/

SYSLOGOS/XML DB/XML


19/33

AuditTrail

Destination

Database

AUD$and

FGA_LOG$

Checkprivilegesonthesetablesandany

views

such

as

DBA_AUDIT_*

and

DBA_FGA_AUDIT_TRAIL

DefaultprivilegeisDELETEfor

DELETE_CATALOG_ROLE

DatabaseVaultcanbeused


20/33

AuditTrail

Destination

OS

Files

must

be

owned

by

Oracle

owner

AnyOracleprocessstillcanaccessthefiles,includingUTL_FILE

Alwaysset

AUDIT_FILE_DEST

Otherwisefilesgoto

$ORACLE_HOME/rdbms/audit CheckpermissionsonAUDIT_FILE_DEST

Check

privileges

on

V$XML_AUDIT_TRAIL


21/33

AuditTrail

Destination

SYSLOG

AUDIT_SYSLOG_LEVEL=facility.priority Availablein10.2and11.1

SetAUDIT_TRAIL=OS

Audit

trail

and

SYS

audit

trail

written

to

standardUnix/LinuxSyslog

Can

only

be

modified

by

root

and

completely

protectedfromDBA,exceptdisablingauditing

Canbesenttoexternalloggingsystem

Does

not

include

database

SID


22/33

Spoofing


23/33

SessionValue V$SESSION

ViewSYS_CONTEXT

FunctionSYS.AUD$

DBA_AUDIT_*FGA_LOG$

AUDIT_TRAILAuditVault

DBUserName

SchemaName

OSUserName

Machine

Terminal

Program

IPAddress

ClientProcessID

Module

Action

ClientInfo

ClientID


24/33

AuditingSession

Data

DatabaseUserName

OSUser

Name Schema

Name

IPAddress

Machine/

Userhost Terminal

Program Client

Process

ID Module

Action ClientInfo ClientID


25/33

AuditingSession

Data

Spoofable

DatabaseUserName

OSUser

Name Schema

Name

IPAddress

Machine/

Userhost Terminal

Program Client

Process

ID Module

Action ClientInfo ClientID


26/33

SpoofingAudit

Session

Data

Easyto

spoof

client

supplied

session

valuesusingacustomprogram

Java/JDBC

is

easiest,

but

possible

using

any

Oracleclient

Onlytimestamp,IPaddress,DBuser

name,andSQLarereliable

LookatV$SESSION oftengrantedtoPUBLIC


27/33

JavaCode

to

Spoof

Session

Values

java.util.Properties info = new java.util.Properties();

info.put("v$session.osuser", "dummy-osuser");

info.put("v$session.terminal", "dummy-terminal");

info.put("v$session.machine

", "dummy-machine");

info.put("v$session.program", "dummy-program");

info.put("v$session.process", "123456");

info.put("v$session.module", "dummy-module");

conn.setClientIdentifier("dummy-clientidentifier");

java.sql.Connection conn =

(new oracle.jdbc.OracleDriver()).connect(url,info);


28/33

Thirdparty

AuditingSolutions


29/33

ThirdParty

Auditing

Solutions

Defineyour

STRATEGY first

Databasesecurityandauditingstrategyis

critical

to

successful

implementation DefineresponsibilitiesforDBsecurityand

auditing difficultinmostorganizations

Thestrategywilldrivetherequirements


30/33

ThirdParty

Auditing

Solutions

Application Security

AppRadar

Embarcadero

DSAuditor

Guardium

SQLGuard

ImpervaDB Monitoring

Fortinet*IPLocks

LumignetAudit DB

NitroSecurity

NitroGuard DBM

Secerno

DataWall

Sentrigo

Hedgehog

Symantec

DatabaseSecurity Tizor*Mantra OracleAuditVault

Therearefundamental differencesamongthevendors

Database

activity

capture

vs.

intrusion

detection

DataCaptureTechniques=network,agent,log,native

Architecture=appliancevs.software

Bellsandwhistles =connectionpooling,blocking,assessment,etc.


31/33

MyOther

Sessions

IOUGCriticalPatchUpdates:InsightandUnderstanding Database

Wednesday,8:30amto9:30am

Room222B

OAUG

CriticalPatch

Updates

Unwrapped

Oracle

EBusiness

Suite

Wednesday,9:45amto9:30am

Room

304G


32/33

Questions?


33/33

Copyright 2009 Integrigy Corporation All rights reserved

ContactInformation

www.integrigy.com

Forinformationon

Oracle

Database

Security OracleEBusinessSuiteSecurity

OracleCriticalPatchUpdates

OracleSecurityBlog

StephenKost

ChiefTechnologyOfficer


email:[email protected]

blog:integrigy.com/oraclesecurityblog

Integirgy IOUG 2009 Real World Database Auditing

Documents

Transcript of Integirgy IOUG 2009 Real World Database Auditing