
Oracle Auditing Natalka Roshak Presented to ABCD-Oracle 4 March 2004


  • Slide 1
  • Oracle Auditing Natalka Roshak Presented to ABCD-Oracle 4 March 2004
  • Slide 2
  • Oracle Auditing - Natalka Roshak - http://rdbms-insight.com
    About me
    - Oracle and Sybase Database Administrator, Analyst and Architect
    - Experienced database programmer
    - Oracle Certified Professional (OCP)
    - Regular columnist for Oracle trade magazine, orafaq.com, and other trade publications
    - Oracle consultant, serving customers across North America
    - Available for consulting engagements: http://rdbms-insight.com
  • Slide 3
  • About this presentation
    Presented to the Oracle users group at Harvard University, ABCD-Oracle, 4 March 2004
  • Slide 4
  • Auditing
    Two main types of auditing:
    - Oracle-supplied auditing using AUD$
    - Trigger-based DML auditing
  • Slide 5
  • Oracle vs. Trigger-based Auditing
    Different scope and application:
    - AUD$ does not record any of the data values involved in a DML change; trigger-based auditing is needed to capture this information
    - Obviously, Oracle auditing allows auditing of non-DML statements, e.g. ALTER ROLE
  • Slide 6
  • Oracle Auditing
    I.   Overview of Oracle Auditing
    II.  Fun with AUDIT SESSION
    III. Security considerations & AUD$ size
  • Slide 7
  • I. Overview of Oracle Auditing
  • Slide 8
  • Enabling Oracle Auditing
    First step: set the static initialization parameter AUDIT_TRAIL in INIT.ORA
    Values:
    - DB / TRUE
    - OS
    - NONE / FALSE
  • Slide 9
  • OS Audit Trail
    Even if the OS audit trail is not enabled, Oracle still writes these default actions to the OS audit trail:
    - instance startup
    - instance shutdown
    - connections to the database as SYSOPER or SYSDBA
  • Slide 10
  • OS Audit Trail
  • Slide 11
  • DB trail
    - Writes all audit information to SYS.AUD$
    - AUD$ is installed by catalog.sql
    - Create the auditing data dictionary views by running $oracle_home\rdbms\admin\cataudit.sql
    - Remove these views using catnoaud.sql
  • Slide 12
  • SYS.AUD$
        SQL> desc aud$
         Name                                      Null?    Type
         ----------------------------------------- -------- --------------
         SESSIONID                                 NOT NULL NUMBER
         ENTRYID                                   NOT NULL NUMBER
         STATEMENT                                 NOT NULL NUMBER
         TIMESTAMP#                                NOT NULL DATE
         USERID                                             VARCHAR2(30)
         USERHOST                                           VARCHAR2(128)
         TERMINAL                                           VARCHAR2(255)
         ACTION#                                   NOT NULL NUMBER
         RETURNCODE                                NOT NULL NUMBER
         OBJ$CREATOR                                        VARCHAR2(30)
         OBJ$NAME                                           VARCHAR2(128)
         AUTH$PRIVILEGES                                    VARCHAR2(16)
         AUTH$GRANTEE                                       VARCHAR2(30)
         NEW$OWNER                                          VARCHAR2(30)
         NEW$NAME                                           VARCHAR2(128)
         SES$ACTIONS                                        VARCHAR2(19)
         SES$TID                                            NUMBER
         LOGOFF$LREAD                                       NUMBER
         LOGOFF$PREAD                                       NUMBER
         LOGOFF$LWRITE                                      NUMBER
         LOGOFF$DEAD                                        NUMBER
         LOGOFF$TIME                                        DATE
         COMMENT$TEXT                                       VARCHAR2(4000)
         SPARE1                                             VARCHAR2(255)
         SPARE2                                             NUMBER
         OBJ$LABEL                                          RAW(255)
         SES$LABEL                                          RAW(255)
         PRIV$USED                                          NUMBER
  • Slide 13
  • Audit Views
    - STMT_AUDIT_OPTION_MAP: contains information about auditing option type codes.
    - AUDIT_ACTIONS: contains descriptions for audit trail action type codes.
    - ALL_DEF_AUDIT_OPTS: contains default object-auditing options that will be applied when objects are created.
    - DBA_STMT_AUDIT_OPTS: describes current system auditing options across the system and by user.
    - DBA_PRIV_AUDIT_OPTS: describes current system privileges being audited across the system and by user.
    - DBA_OBJ_AUDIT_OPTS, USER_OBJ_AUDIT_OPTS: describes auditing options on all objects. The USER view describes auditing options on all objects owned by the current user.
    - DBA_AUDIT_TRAIL, USER_AUDIT_TRAIL: lists all audit trail entries. The USER view shows audit trail entries relating to the current user.
    - DBA_AUDIT_OBJECT, USER_AUDIT_OBJECT: contains audit trail records for all objects in the system. The USER view lists audit trail records for statements concerning objects that are accessible to the current user.
    - DBA_AUDIT_SESSION, USER_AUDIT_SESSION: lists all audit trail records concerning CONNECT and DISCONNECT. The USER view lists all audit trail records concerning connections and disconnections for the current user.
    - DBA_AUDIT_STATEMENT, USER_AUDIT_STATEMENT: lists audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements throughout the database, or, for the USER view, issued by the user.
    - DBA_AUDIT_EXISTS: lists audit trail entries produced by AUDIT EXISTS and AUDIT NOT EXISTS.
  • Slide 14
  • 3 levels of audit options
    - Statement: audits on the type of SQL statement used, such as any SQL statement on a table (which records each CREATE, TRUNCATE, and DROP TABLE statement)
    - Object: audits specific statements on specific objects, such as ALTER TABLE on the EMP table
    - Privilege: audits use of a particular system privilege, such as CREATE TABLE
  • Slide 15
  • Statement Auditing
    E.g. AUDIT SELECT BY SCOTT audits all select statements performed by SCOTT
        AUDIT SELECT TABLE, UPDATE TABLE BY SCOTT, BLAKE;
  • Slide 16
  • Object Auditing
    E.g.
        AUDIT SELECT ON scott.emp;
        AUDIT SELECT ON scott.emp WHENEVER NOT SUCCESSFUL;
        AUDIT SELECT ON scott.emp WHENEVER SUCCESSFUL;
        AUDIT ALL ON scott.emp;
  • Slide 17
  • Privilege Auditing
    E.g. AUDIT GRANT SEQUENCE audits any statements of the type:
        GRANT privilege ON sequence;
        REVOKE privilege ON sequence;
    AUDIT EXECUTE PROCEDURE audits CALL of any procedure
    AUDIT SELECT TABLE audits SELECT FROM table/view/materialized view
  • Slide 18
  • Privilege auditing, cont.
    AUDIT INDEX audits any statements of the type:
        CREATE INDEX
        ALTER INDEX
        DROP INDEX
    AUDIT NOT EXISTS audits all SQL statements that fail because an object doesn't exist
    AUDIT SYSTEM AUDIT audits all AUDIT/NOAUDIT statements
    *AUDIT SESSION audits logon/logoff
  • Slide 19
  • BY SESSION / BY ACCESS
    - BY SESSION: one audit record is inserted per session, regardless of the number of times the statement is executed
    - BY ACCESS: one audit record is inserted each time the statement is executed
    Default is BY SESSION
  • Slide 20
  • Further examples
        AUDIT SESSION BY JOHN, ALEX WHENEVER NOT SUCCESSFUL;
        AUDIT UPDATE, DELETE ON scott.emp BY ACCESS;
        NOAUDIT UPDATE, DELETE ON scott.emp;
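As an added example (not part of the original slides), the statement, object and privilege options from slides 14 to 20 enabled together and then confirmed through the DBA_*_AUDIT_OPTS views from slide 13. It assumes AUDIT_TRAIL=DB is already set (slide 8) and that the session holds the AUDIT SYSTEM privilege; the SCOTT/BLAKE accounts and scott.emp are the slides' own sample names.

```sql
-- Added example, not from the slides: enable the three audit levels
-- from slides 14-20, then verify what is active via the slide 13 views.
-- Assumes AUDIT_TRAIL=DB (slide 8) and the AUDIT SYSTEM privilege.

-- 0. Sanity check: nothing below is recorded unless AUDIT_TRAIL is on.
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';

-- 1. Statement level: every logon/logoff (slide 18), and every
--    CREATE/ALTER/DROP/SET ROLE (the ALTER ROLE case from slide 5).
AUDIT SESSION;
AUDIT ROLE;
--    EXECUTE PROCEDURE (slide 17), limited to two accounts.
AUDIT EXECUTE PROCEDURE BY scott, blake;

-- 2. Object level: changes to scott.emp as one row per execution, and
--    failed SELECTs against it (default BY SESSION: one row per session).
AUDIT UPDATE, DELETE ON scott.emp BY ACCESS;
AUDIT SELECT ON scott.emp WHENEVER NOT SUCCESSFUL;

-- 3. Privilege level: use of the CREATE TABLE system privilege (slide 14)
--    by the same two accounts.
AUDIT CREATE TABLE BY scott, blake;

-- Verify statement options (CREATE SESSION, ROLE, EXECUTE PROCEDURE).
-- A NULL user_name means the option applies to all users.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY audit_option, user_name;

-- Verify system-privilege options (CREATE TABLE for SCOTT and BLAKE).
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY privilege, user_name;

-- Verify object options. Each column reads success/failure with
-- '-' = off, 'S' = by session, 'A' = by access.
-- Expected for EMP: SEL = '-/S', UPD = 'A/A', DEL = 'A/A'.
SELECT owner, object_name, sel, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'SCOTT' AND object_name = 'EMP';

-- To back out the object-level options later (slide 20):
-- NOAUDIT UPDATE, DELETE ON scott.emp;
-- NOAUDIT SELECT ON scott.emp;
```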
  • Slide 21
  • II. Fun with AUDIT SESSION
  • Slide 22
  • Fun with AUDIT SESSION
    Underappreciated fact: AUD$ records the client IP when session auditing is enabled
        SQL> select timestamp#, userid, machine, action#, returncode, logoff$time, comment$text
               from aud$ where action# in (100,101);

        TIMESTAMP USERID    MACHINE  ACTION# RETURNCODE LOGOFF$TI COMMENT$TEXT
        --------- --------- -------- ------- ---------- --------- ------------------------------------------------
        02-FEB-04 EREQ_USER GYPSY        101          0 02-FEB-04 Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=140.247.232.23)(PORT=3406))
        02-FEB-04 EREQ_USER GYPSY        100          0           Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=140.247.232.23)(PORT=3427))
        02-FEB-04 EREQ_USER GYPSY        101          0 02-FEB-04 Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=140.247.232.23)(PORT=3432))
        02-FEB-04 BULKLOAD  SHALLOT      100          0           Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=140.247.164.242)(PORT=2544))
  • Slide 23
  • AUD$ fields
    For 100/101 events (ACTION# IN (100,101)):
    - col SPARE1 = OS username
    - col RETURNCODE = ORA-xxxx return code
    - col TERMINAL = terminal name (e.g. ttyp3 in UNIX, machine name in Windows)
    - col COMMENT$TEXT = IP and port of client -- very useful!
  • Slide 24
  • Extracting the IP
        select userid, terminal, spare1,
               substr(s1, 1, instr(s1, ')') - 1) IP,
               returncode, timestamp#
          from (select a.*,
                       substr(comment$text, instr(comment$text, 'HOST=') + 5, 100) s1
                  from aud$ a
                 where action# in (100,101))
         order by IP;
  • Slide 25
  • Sample output
        USERID    TERMINAL  SPARE1      IP              RETURNCODE TIMESTAMP#
        --------- --------- ----------- --------------- ---------- ----------------------
        HERS      MARS      apacheco    128.103.231.86           0 02/24/2004 3:08:36 PM
        HERS                oracle      128.103.231.86           0 01/25/2004 11:14:11 AM
        EREQ_USER MRUTENBUR mrutenburg  140.247.10.130           0 01/30/2004 4:42:52 PM
        BULKLOAD  CJTRU     cjtru       140.247.10.132           0 02/05/2004 4:26:41 PM
        BULKLOAD  ttyp3     oracle      140.247.10.132           0 02/09/2004 10:42:13 AM
        SYS       ttyp3     oracle      140.247.10.132           0 02/09/2004 11:55:56 AM
        BULKLOAD  ROBIN     michael     140.247.10.135           0 01/29/2004 7:59:49 AM
        SYSTEM    JB        Jen?Braster 140.247.10.135           0 01/28/2004 8:34:31 PM
        EREQ_USER JB        Jen?Braster 140.247.10.135           0 01/28/2004 8:39:07 PM
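Added example, not from the slides: the HOST= parsing from slide 24 turned into a failed-logon report per client IP and account, using the slide 23 fields (SPARE1, RETURNCODE, COMMENT$TEXT). It assumes AUDIT SESSION is on so that ACTION# 100 rows exist; 1017 is the return code of ORA-01017 (invalid username/password), and the threshold of 5 attempts is an arbitrary constructed cutoff.

```sql
-- Added example, not from the slides: which client IPs are failing to
-- log on, to which accounts, and how often.  Builds on the slide 24
-- extraction; RETURNCODE 0 is a successful logon, anything else is the
-- ORA error number (slide 26).  1017 = ORA-01017 invalid username/password.
WITH logons AS (
  SELECT userid,
         spare1      AS os_user,            -- OS username (slide 23)
         terminal,
         returncode,
         timestamp#  AS logon_time,
         -- text between 'HOST=' and the next ')' in COMMENT$TEXT
         SUBSTR(comment$text,
                INSTR(comment$text, 'HOST=') + 5,
                INSTR(comment$text, ')', INSTR(comment$text, 'HOST=') + 5)
                  - INSTR(comment$text, 'HOST=') - 5) AS client_ip
    FROM sys.aud$
   WHERE action# = 100                      -- LOGON rows only (101 = LOGOFF)
     AND comment$text LIKE '%HOST=%'        -- skip rows with no client address
)
SELECT client_ip,
       userid,
       COUNT(*)                                            AS failed_attempts,
       SUM(CASE WHEN returncode = 1017 THEN 1 ELSE 0 END)  AS bad_password,
       MIN(logon_time)                                     AS first_failure,
       MAX(logon_time)                                     AS last_failure
  FROM logons
 WHERE returncode <> 0                      -- failed logons only
 GROUP BY client_ip, userid
HAVING COUNT(*) >= 5                        -- constructed threshold; tune per site
 ORDER BY failed_attempts DESC, last_failure DESC;
```

Dropping the HAVING clause and the RETURNCODE filter gives the full per-IP logon picture, which is also the quickest way to spot an account connecting from a host it has never used before.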
  • Slide 26
  • Returncodes
    Indicates ORA-XXXX if logon failed C
