Primavera Database Auditing

Page 1: Primavera Database Auditing

Controlling Security II Module (P) Page 1 of 49

Copyright 2001 © Douglas Wentz, Inc.

Controlling Security

Module Overview This module introduces advanced concepts of controlling security in the Oracle 9i database. Additional security features, including enhanced password security and the assignment of profiles to users, will be presented. The concepts of auditing will also be presented within this module. This module should be taken directly after the Controlling Security I module of the Oracle 9i Database Administration I class.

Completion Time Estimated time to complete this module is one hour for presentation and one hour for the lab exercises.

Location of Presentations, Labs, & Examples

All presentations, labs, and examples are located on the Oracle Database Administration Certified Professional Training CD in the following directories and files.

DBAOCP\LABS\ControlSecurityII.txt – Labs
DBAOCP\PPTS\ControlSecurityII.ppt – PowerPoint presentations
DBAOCP\EXAMPLES\ControlSecurityII.txt – Presentation examples
DBA_OCP\DOCS\ControlSecurityII.doc – This documentation
DBA_OCP\Install\DBAOCPInstall.txt – Script to create the schema for this course

Scripts to create the schema required for the labs in this module and prior modules are found on the Database Administration Certified Professional training CD in the file DBAOCP\Install\DBAOCPInstall.txt. These scripts should have been executed during the lab after completing the SQL Query Fundamentals module.

Copyright 2002 © Douglas Wentz, Inc.


Objectives

Administration of passwords for users: password expiration, account locking and unlocking
Creating operating system authenticated users
Assigning users to tablespaces and quotas
Creating profiles and assigning them to users
Auditing

• Introduce the advanced password features of:

o Password Expiration

o Account Locking and Unlocking

• Present the basics of operating system authentication of users.

• Identify how to assign users to tablespaces and quotas.

• Present the concept of profiles and how to assign profiles to users.

• Learn how to audit database activity.

Administration of Passwords

Overview of creating an Oracle user (slide diagram): the Marketing user asks the DBA to create an Oracle user, and the database administrator creates a named user in the Oracle database.

• The concepts of Users and Schemas were presented in the module Relational Database Concepts in the Introduction to Oracle 9i SQL class.

• The terms User and Schema are used interchangeably. A Schema is owned by the database User and has the same name as the User. Each user owns a single User Account / Schema.

• A Schema is a named collection of objects, such as tables, views, clusters, procedures, and packages. A Schema is created automatically whenever the database administrator creates a new user. That new user can create objects in their Schema.

• The database administrator is usually responsible for creating new users. When the database administrator creates a User Account a Schema is created automatically with the same name as the User Account.

• The database administrator will usually grant new users certain privileges, sometimes with the option (WITH ADMIN OPTION for system privileges, WITH GRANT OPTION for object privileges) that lets the new user pass those privileges on to others.

• Whenever objects are created under a certain User Account / Schema that User Account / Schema owns those objects created. Those objects and associated privileges may be granted by the owner to others if desired.

• In this class, we have already created a user named Sales.

Administration of Passwords: Creating a New User

The CREATE USER statement creates a new user.

Example of creating a new user:

CREATE USER Marketing IDENTIFIED BY ITSOK;

• CREATE USER is a system privilege, and the CREATE USER statement creates a new Oracle user. The user issuing the statement must hold the CREATE USER privilege. Generally, a new user is created by the database administrator.

• The CREATE USER statement only creates the user. The new user cannot connect to the Oracle database until it has also been granted the CREATE SESSION privilege, directly or through a role.

• The maximum user name length is 30 bytes. Unquoted user names are not case sensitive; Oracle stores them in upper case. A name enclosed in double quotes is stored exactly as typed and must then be quoted the same way whenever it is used.

• Whenever a new user is created, an initial password must be assigned. The maximum password length is 30 bytes. Passwords are not case sensitive in Oracle 9i; later releases (11g onward) can enforce case-sensitive passwords, so a password policy should not rely on this behaviour.

• The new user's name must be unique among the user names and role names within the Oracle database.

• The database administrator who creates a new user has many other options that can be assigned to the new user. These options are addressed in detail in this module and include the following:

o What tablespace the data should be stored in if the user creates tables (the Default tablespace).

o What tablespace should be used for temporary sorts (the Temporary tablespace).

o Quota limits on space usage in tablespaces.

o Whether the user should be assigned a profile.

o Whether to leave the account locked or unlocked.

o Whether to force the user to change their password at first login.

• At this point a new user is created, and a new schema is created at the same time for that user.

Example of creating a new user

Example of creating a new user with other options

Note: Remember from the Controlling Security I module that the database administrator must grant additional privileges to the newly created user. Many times the roles CONNECT or RESOURCE are granted to the new user. Be aware that in Oracle 9i the CONNECT role carries far more than CREATE SESSION (it also includes CREATE TABLE, CREATE VIEW, CREATE SEQUENCE, CREATE DATABASE LINK and other privileges), and that granting RESOURCE also grants the UNLIMITED TABLESPACE system privilege, which bypasses every tablespace quota. Granting only the specific privileges a user needs is the safer practice.

Administration of Passwords: Password Expiration and Locking

Passwords can be expired and accounts can be locked.

CREATE USER Marketing IDENTIFIED BY ITSOK
PASSWORD EXPIRE ACCOUNT UNLOCK;

• Specify the PASSWORD EXPIRE clause whenever creating a new user to force the new user to change their password when connecting for the first time.

• PASSWORD EXPIRE adds a level of protection: the initial password is known to the database administrator (and to anyone who saw it being communicated), but because the user must replace it at first login, nobody other than the user knows the password that is actually in use.

• If the PASSWORD EXPIRE option is not used when creating the new user, that user will not be prompted for a new password and keeps the initial password until it is changed.

• Specify the ACCOUNT LOCK option to lock the user's account so that the user cannot connect to the database.

• Use the ACCOUNT UNLOCK option to allow the user to connect to the database using their user ID and password. The default is unlocked whenever a new user is created.

Example of using the Password Expire option and Account Unlock option
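The following is an added example (not part of the original course material) that puts the options from the last three pages into one CREATE USER statement and then exercises the lock, unlock and expire clauses with ALTER USER. It assumes tablespaces named Users and Temp exist and that the profile Support_Only, which is created later in this module, already exists; adjust those names to your database.

```sql
-- Added example, not from the original course. Assumes the tablespaces Users
-- and Temp and the profile Support_Only exist (all three are assumptions).

-- Create the user with every option the module lists: storage, quota,
-- profile, a forced password change at first login, and an unlocked account.
CREATE USER Marketing IDENTIFIED BY ITSOK
  DEFAULT TABLESPACE Users
  TEMPORARY TABLESPACE Temp
  QUOTA 50M ON Users
  PROFILE Support_Only
  PASSWORD EXPIRE
  ACCOUNT UNLOCK;

-- CREATE USER alone is not enough to connect. Grant the minimum instead of
-- the CONNECT/RESOURCE roles: RESOURCE would add UNLIMITED TABLESPACE and
-- silently bypass the 50M quota.
GRANT CREATE SESSION, CREATE TABLE TO Marketing;

-- Verify the account. ACCOUNT_STATUS is EXPIRED because of PASSWORD EXPIRE;
-- the user is prompted for a new password at the first login.
SELECT username, account_status, default_tablespace,
       temporary_tablespace, profile
  FROM dba_users
 WHERE username = 'MARKETING';

-- Lock the account while the user is on leave, then unlock it again.
ALTER USER Marketing ACCOUNT LOCK;
ALTER USER Marketing ACCOUNT UNLOCK;

-- Force a password change later (for example after a suspected disclosure)
-- without anyone having to know or transmit a new password.
ALTER USER Marketing PASSWORD EXPIRE;
```

Unquoted names are stored in upper case, which is why the DBA_USERS query compares against 'MARKETING' even though the user was created as Marketing.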

Administration of Passwords: Operating System Authentication

Users can be authenticated using three methods: by Oracle (the database), by the operating system, or by a remote (directory) service.

• An Oracle user can be authenticated in the following three ways.

o By Oracle authentication, where the password is verified against the Oracle data dictionary. This option was presented in the PowerPoint presentation slides 4 and 5 and is the most common method of authentication.

o By operating system authentication, where Oracle trusts the operating system login: the operating system user name, with the OS_AUTHENT_PREFIX prefix added, is taken as the Oracle user name, and Oracle performs no password check of its own. Such a user is created with the IDENTIFIED EXTERNALLY clause instead of a password.

o Steps for operating system authentication.

Set the initialization parameter OS_AUTHENT_PREFIX to the prefix to be added to the operating system user name. In prior versions of Oracle this was always OPS$; in Oracle 9i the default is still OPS$, but it can be set to a null string so that the Oracle user name is identical to the operating system user name.

Leave the initialization parameter REMOTE_OS_AUTHENT at its default of FALSE. It only needs to be TRUE when operating system authentication should also be accepted from remote clients over the network, and in that case the database trusts whatever user name the client machine claims, which anyone who controls a client can forge.

o Whenever implementing operating system authentication be extremely cautious, since this method trusts the operating system (and, with REMOTE_OS_AUTHENT, the network client) completely and contains many loopholes.

o By remote service authentication. With this option the user is authenticated by an enterprise directory service, and the IDENTIFIED GLOBALLY clause is used when creating the user. This option is beyond the scope of this class.
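The following is an added example (not part of the original course) of creating an operating system authenticated user and checking the two parameters that govern it. It assumes OS_AUTHENT_PREFIX is at its Oracle 9i default of OPS$ and that the operating system account is called jsmith; both are assumptions made for illustration.

```sql
-- Added example, not from the original course. Assumes OS_AUTHENT_PREFIX =
-- OPS$ (the 9i default) and an operating system account named jsmith.
--
-- Initialization parameters involved (init.ora / spfile), for reference:
--   OS_AUTHENT_PREFIX = OPS$      prefix added to the OS user name
--   REMOTE_OS_AUTHENT = FALSE     keep FALSE: TRUE makes the database accept
--                                 user names claimed by remote clients, which
--                                 it has no way to verify

-- Check the values in effect before creating the user.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- Oracle stores unquoted names in upper case, so the user is OPS$JSMITH.
-- IDENTIFIED EXTERNALLY means no database password exists for this account.
CREATE USER OPS$JSMITH IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE Users
  TEMPORARY TABLESPACE Temp
  QUOTA 10M ON Users;

-- Still required, otherwise the user cannot connect at all.
GRANT CREATE SESSION TO OPS$JSMITH;

-- Confirm how the account authenticates: in 9i, DBA_USERS.PASSWORD shows
-- EXTERNAL for externally identified users instead of a password hash.
SELECT username, password, account_status
  FROM dba_users
 WHERE username = 'OPS$JSMITH';

-- The OS user jsmith, logged in on the database server, then connects
-- without supplying a password, e.g. in SQL*Plus:   CONNECT /
```

With REMOTE_OS_AUTHENT left at FALSE, the CONNECT / form only works for a client on the database host itself; that restriction is the whole protection, since nothing else authenticates the user.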

Assign Users to Tablespaces

Users are assigned DEFAULT and TEMPORARY tablespaces. (Slide diagram: the database is made up of data files, redo logs and control files; within the data files are tablespaces such as the Users tablespace, the System tablespace and the Temp tablespace.)

• New users should be assigned a Default tablespace and a Temporary tablespace. Following are the characteristics of each tablespace assignment.

o Whenever a user is assigned a Default tablespace, all objects that the user creates will go into that Default tablespace.

If a user specifies a tablespace name when creating a new object, that choice overrides the Default tablespace (provided the user has a quota on the named tablespace).

If no Default tablespace is assigned to a user, the objects created by that user will go into the System tablespace. Letting user objects land in the System tablespace should not be an option, for obvious reasons: they compete with the data dictionary for space and can fill the one tablespace the instance cannot run without.

A user's Default tablespace can be changed to a new Default tablespace by issuing the statement "ALTER USER UserName DEFAULT TABLESPACE TablespaceName". Examples will follow. Objects created in the old tablespace will not be moved. Only new objects will go into the newly assigned tablespace.

o Whenever a user is assigned a Temporary tablespace, that tablespace will be used for the temporary space required by that user's transactions. The most common usage of a Temporary tablespace is for sorts, as we learned previously.

A Temporary tablespace only needs to be specified for a user if no default temporary tablespace exists for the database, or if the database administrator wants to assign that user to a different temporary tablespace.

A user's Temporary tablespace can be changed to a new Temporary tablespace by issuing the statement "ALTER USER UserName TEMPORARY TABLESPACE TablespaceName". Examples will follow.

• New users can be assigned a quota on a tablespace, including the Default tablespace or any other permanent tablespace the user may be assigned to.

o Quotas are specified on tablespaces to prevent users from using excessive space.

o Specifying a quota of 0 on a tablespace will not allow the user to create any new object, or extend an existing one, in that tablespace.

o Only users holding the ALTER USER privilege (normally the database administrators) can change a user's quota.

o Quotas do not apply to Temporary tablespaces: temporary segments are managed by the system rather than owned by the user, and later Oracle releases reject an attempt to grant a quota on a temporary tablespace. A runaway query's consumption of temporary space is bounded by the size of the Temporary tablespace itself and by profile resource limits, not by quotas.

Example of assigning a user to a tablespace and quota whenever creating the user

Example of changing a user's assigned default tablespace

Note: A user has no quota by default on any tablespace, including their own Default tablespace, until one is granted, and an attempt to create an object there fails with ORA-01950 (no privileges on tablespace). A user holding the UNLIMITED TABLESPACE system privilege (which granting the RESOURCE role also grants) bypasses quotas on every tablespace, so that privilege should be given sparingly.
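The following is an added example (not part of the original course) of changing a user's tablespace assignments and quotas with ALTER USER and then verifying the result in the data dictionary, including a check for the one privilege that silently defeats quotas. It assumes the user Marketing from the earlier pages and tablespaces named Users, Data and Temp; those names are assumptions.

```sql
-- Added example, not from the original course. Assumes the user Marketing
-- and tablespaces named Users, Data and Temp exist (assumptions).

-- Send future object creation to the Data tablespace. Existing objects in
-- Users stay where they are.
ALTER USER Marketing DEFAULT TABLESPACE Data;

-- Give space in the new tablespace and shrink the old one to 0, so the user
-- can no longer create objects or extend existing ones in Users.
ALTER USER Marketing
  QUOTA 100M ON Data
  QUOTA 0 ON Users;

-- Point the user at a different temporary tablespace. No quota is involved.
ALTER USER Marketing TEMPORARY TABLESPACE Temp;

-- Check the result. BYTES is current usage, MAX_BYTES the quota;
-- MAX_BYTES = -1 means UNLIMITED.
SELECT tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'MARKETING'
 ORDER BY tablespace_name;

-- Quotas are bypassed by the UNLIMITED TABLESPACE privilege, which comes
-- along with the RESOURCE role. List everyone who holds it so that quotas
-- do not give a false sense of security.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE'
 ORDER BY grantee;

-- If the privilege has crept in, revoke it and the quotas above apply.
-- (The statement fails with ORA-01952 if the user does not hold it.)
-- REVOKE UNLIMITED TABLESPACE FROM Marketing;
```

DBA_TS_QUOTAS only lists users who have been granted a quota; a user who is absent from it for a tablespace has no space there at all unless they hold UNLIMITED TABLESPACE.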

Creating Profiles

Users require certain resource privileges. The database administrator creates a profile and assigns it to users; users are assigned to PROFILES.

• Profiles control the use of system resources by the users of the Oracle 9i database. An example of a system resource would be the number of sessions a user is permitted. A session is one connection to the Oracle database.

• The database administrator creates profiles and assigns a profile to a user or users.

• Every user is assigned to the DEFAULT profile if the database administrator does not assign that user to a profile. The DEFAULT profile has unlimited resources unless it has been changed by the database administrator.

• A user can have only one profile in effect at a given time.

• The resource limits in profiles are enforced only after they are enabled at the database level (RESOURCE_LIMIT = TRUE) for all users. The password limits described later in this module are always enforced, whether or not RESOURCE_LIMIT is set.

• Profiles can be created, altered, dropped, and assigned to users.

• Profiles are assigned resource limits that control the use of system resources by the user.

• Not only can individual resource limits of system resources be assigned, composite resource limits can be assigned as well. A composite limit is a weighted combination of several resource limits that reflects a total resource threshold.

Creating Profiles: Resource Limits

Available resource limits:

Session level – Sessions_Per_User, CPU_Per_Session, Logical_Reads_Per_Session, Idle_Time, Connect_Time, Private_SGA

Call level – CPU_Per_Call, Logical_Reads_Per_Call

• Following are the resource limits that can be assigned to profiles.

o Individual resource limits at the session level.

o Sessions_Per_User – The number of concurrent sessions that a given user can open.

o CPU_Per_Session – Maximum permitted CPU time, in hundredths of a second, that a user can consume in one session.

o Logical_Reads_Per_Session – Maximum number of data blocks read in one session, counting reads satisfied from the buffer cache as well as reads from disk.

o Idle_Time – The number of minutes a session may remain without issuing any command before the user is automatically disconnected. A session running a long query is not idle.

o Connect_Time – The maximum number of minutes that a user can remain connected to the database before being automatically disconnected.

o Private_SGA – The amount of private space in the SGA that a session may allocate, specified in bytes (a K or M suffix is allowed). This only applies to Shared Server connections.

o Individual resource limits at the call level.

Logical_Reads_Per_Call – The maximum number of data blocks that can be read by any single call (parse, execute or fetch) within a session.

CPU_Per_Call – The maximum CPU time, in hundredths of a second, that a single call within a session may consume.

• Composite limits can be included in profiles. A composite limit restricts database use by specifying how much of the host machine's resources can be used per session, expressed as a total number of service units.

o The Composite_Limit resource is set to a value just as any other resource limit is. The service units are computed as a weighted sum of the session's CPU_Per_Session, Connect_Time, Logical_Reads_Per_Session and Private_SGA usage, with the weight of each resource set by the ALTER RESOURCE COST statement. Please see the Oracle 9i Database Administration documentation for exact details of setting composite limits.

o Once the user reaches the Composite_Limit the session is terminated.

• Users are assigned to the DEFAULT profile if they are not assigned to any other profile. The DEFAULT profile has all resource limits set to UNLIMITED, as illustrated below in the data dictionary query on DBA_PROFILES.

Example of the DEFAULT profile and its values

Creating Profiles

Create a profile.

Example of creating a profile:

CREATE PROFILE Support_Only LIMIT
  Sessions_Per_User 3
  Idle_Time 60
  Connect_Time 600;

• The first step in assigning users to profiles is to create the profile with its associated resource limits. The second step is to assign the user to the profile, as illustrated on the next slide.

Example of creating the profile Support_Only

Note: If a resource limit is not included in the creation or modification of a profile, its value is DEFAULT, meaning the limit takes whatever value the DEFAULT profile specifies for that resource. Note: At this point only the profile has been created. No users have been assigned to the profile.

Creating Profiles: Assigning to Users

Assign the user to the profile.

ALTER USER Support PROFILE Support_Only;

• After the profile has been created then users can be assigned the profile.

• Multiple users can be assigned a profile.

• A given user can only have one profile at a given point in time.

• If a profile is taken away from a user, that user reverts to the DEFAULT profile unless assigned another profile.

• Creating profiles, assigning users to profiles and removing profiles from user accounts require the CREATE PROFILE and ALTER USER system privileges, which normally only database administrators hold.

Example of assigning a profile to a user

Note: Profiles can be assigned to users whenever the Oracle user account is created. Please refer to the Oracle 9i Database Administration documentation for details.

Creating Profiles: Altering Profiles

Profiles can be altered.

ALTER PROFILE Support_Only LIMIT
  Sessions_Per_User 30;

• Profiles can be altered.

• If a profile is altered, the changed resource limits are not applied to sessions already connected to the database. After the user disconnects and reconnects, the altered resource limit is in effect.

Example of altering the profile Support_Only

Note: The resource limit Sessions_Per_User is used frequently to prevent users from connecting multiple times to the Oracle database. Multiple sessions are often used in development environments; in production environments, however, the number of sessions per user should be limited.

Creating Profiles: Dropping Profiles

Profiles can be dropped.

DROP PROFILE Support_Only CASCADE;

• Profiles can be dropped.

• If users have been assigned to that profile the CASCADE option must be specified whenever dropping the profile. If no users have been assigned to the profile the CASCADE option is not required.

• Whenever dropping a profile any users assigned to that profile will default to the DEFAULT profile.

Example of dropping a profile

Note: Remember that the DEFAULT profile has all resource limits set to UNLIMITED unless it has been changed. Dropping a profile therefore removes every limit from the users who were on it, which could be dangerous in some Oracle environments.

Creating Profiles: Enabling Profiles

Profiles must be enabled database wide.

ALTER SYSTEM SET Resource_Limit = True;

• The resource limits in profiles must be activated database wide before they are enforced for the users assigned to profiles. (Password limits need no activation and are always enforced.)

• Resource limits can be activated using the following methods.

o As a database administrator, issue the command "ALTER SYSTEM SET RESOURCE_LIMIT = TRUE". Users who are already connected may have to disconnect and reconnect to the Oracle database before the limits are applied to their sessions. If the instance uses a server parameter file, add SCOPE = BOTH so that the setting also survives a restart.

o Set RESOURCE_LIMIT = TRUE in the Initialization Parameter File. The database must then be shut down and restarted.

Example of activating resource limits
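The following is an added example (not part of the original course) that runs through the whole profile life cycle described on the last five pages: create, assign, enable enforcement, verify, alter and drop. It assumes a user named Support exists and that the instance uses a server parameter file (so SCOPE = BOTH is accepted); the extra call-level limits and their values are illustrative choices.

```sql
-- Added example, not from the original course. Assumes the user Support
-- exists and that the instance runs from a server parameter file.

-- 1. Create the profile. Omitted limits take DEFAULT, i.e. whatever the
--    DEFAULT profile says (UNLIMITED unless it was changed). The two
--    call-level limits catch a single runaway statement: 3000 hundredths
--    of a second is 30 s of CPU per call.
CREATE PROFILE Support_Only LIMIT
  Sessions_Per_User       3
  Idle_Time               60
  Connect_Time            600
  CPU_Per_Call            3000
  Logical_Reads_Per_Call  100000;

-- 2. Assign it. A user has exactly one profile at a time.
ALTER USER Support PROFILE Support_Only;

-- 3. Turn on enforcement of resource limits (password limits are enforced
--    regardless). SCOPE = BOTH also writes the value to the spfile; with a
--    plain init.ora, set RESOURCE_LIMIT = TRUE there and restart instead.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- 4. Confirm the parameter and the limits in effect. RESOURCE_TYPE is
--    KERNEL for resource limits and PASSWORD for password limits.
SELECT value FROM v$parameter WHERE name = 'resource_limit';

SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'SUPPORT_ONLY'
   AND resource_type = 'KERNEL'
 ORDER BY resource_name;

-- 5. Loosen a limit later. Sessions already connected keep the old value
--    until they reconnect.
ALTER PROFILE Support_Only LIMIT Sessions_Per_User 30;

-- 6. Drop it. CASCADE is required while users are assigned; they fall back
--    to DEFAULT, so check that DEFAULT is not still UNLIMITED everywhere.
DROP PROFILE Support_Only CASCADE;
```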

Creating Profiles: Account Management

Account management security can be increased with PROFILES: Failed_Login_Attempts, Password_Life_Time, Password_Reuse_Time, Password_Reuse_Max, Password_Lock_Time, Password_Grace_Time, Password_Verify_Function.

• Advanced password management can be implemented using profiles. These features allow greater security and make it much harder for unauthorized users to guess their way into the Oracle database. Unlike the resource limits above, these password limits are enforced whether or not RESOURCE_LIMIT is set. The following additional password account management options are provided.

o Failed_Login_Attempts – The number of consecutive unsuccessful login attempts allowed before the account is locked.

o Password_Life_Time – The number of days a password remains usable before the user must change it.

o Password_Reuse_Time – The number of days that must pass before a password can be reused.

o Password_Reuse_Max – The number of password changes required before a password can be reused. The two reuse limits are evaluated together; consult the Oracle 9i documentation for the exact behaviour when only one of them is set.

o Password_Lock_Time – The number of days after which Oracle automatically unlocks an account that was locked because Failed_Login_Attempts was exceeded. UNLIMITED means the account stays locked until a database administrator unlocks it.

o Password_Grace_Time – The number of days after the password has expired during which the user may still log in, receives a warning, and must change the password. Once the grace period ends the password is expired and the user cannot log in until it is changed; the account itself is not locked.

o Password_Verify_Function – The PL/SQL function, owned by SYS, that is called to verify password complexity whenever a password is set or changed.

Creating Profiles: Account Management

Account management limits are set with ALTER PROFILE:

ALTER PROFILE Support_Only LIMIT
  Failed_Login_Attempts 10
  Password_Life_Time 365;

• Above is an example of assigning advanced password management to an existing profile. Advanced password management options can also be assigned to profiles whenever they are initially created.

Example of assigning advanced password options to an existing profile.

Note: The script utlpwdmg.sql in $ORACLE_HOME/rdbms/admin can be executed as SYS to support the additional functionality of password management. It creates the password complexity function VERIFY_FUNCTION and alters the DEFAULT profile to use it together with a set of password limits. Once it has been executed, all enhanced password management options defined in the DEFAULT profile are enforced for every user on that profile. Note: The values of the DEFAULT profile can be changed by the database administrator just as the values of other profiles can be changed. This applies to all options, including the enhanced password features.
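The following is an added example (not part of the original course, and not Oracle's utlpwdmg.sql) showing what a password verify function looks like, how it is attached to a profile together with lockout and expiry limits, and how a locked account is found and released. It is meant to be run as SYS; the function name Verify_Password_Policy and all the numbers are illustrative choices.

```sql
-- Added example, not from the original course and not utlpwdmg.sql.
-- Run as SYS. Function name and limit values are illustrative.

-- A password verify function must have exactly this signature and return
-- BOOLEAN. Oracle calls it whenever a password is set or changed for a user
-- whose profile names it; raising an error rejects the new password.
CREATE OR REPLACE FUNCTION Verify_Password_Policy (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN IS
  has_digit  BOOLEAN := FALSE;
  has_letter BOOLEAN := FALSE;
  c          VARCHAR2(1);
  diff       PLS_INTEGER := 0;
BEGIN
  -- Minimum length.
  IF LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;

  -- Must not contain the user name. 9i passwords are case-insensitive, so
  -- compare in upper case.
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the user name');
  END IF;

  -- Must mix letters and digits.
  FOR i IN 1 .. LENGTH(password) LOOP
    c := SUBSTR(password, i, 1);
    IF c BETWEEN '0' AND '9' THEN
      has_digit := TRUE;
    ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN
      has_letter := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_digit AND has_letter) THEN
    raise_application_error(-20003, 'Password must contain letters and digits');
  END IF;

  -- Must differ from the old password in at least three positions.
  -- old_password is NULL when a DBA resets the password, so skip it then.
  IF old_password IS NOT NULL THEN
    FOR i IN 1 .. GREATEST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) IS NULL
         OR SUBSTR(old_password, i, 1) IS NULL
         OR SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        diff := diff + 1;
      END IF;
    END LOOP;
    IF diff < 3 THEN
      raise_application_error(-20004,
        'Password must differ from the old one in at least 3 characters');
    END IF;
  END IF;

  RETURN TRUE;
END;
/

-- Attach the function and the lockout/expiry settings to the profile.
-- Password_Lock_Time is in days; 1/24 is one hour, enough to stop guessing
-- without leaving the account locked until somebody notices.
ALTER PROFILE Support_Only LIMIT
  Failed_Login_Attempts    5
  Password_Lock_Time       1/24
  Password_Life_Time       90
  Password_Grace_Time      7
  Password_Reuse_Time      365
  Password_Reuse_Max       10
  Password_Verify_Function Verify_Password_Policy;

-- Find accounts locked by failed logins; check why before unlocking one.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%';

ALTER USER Support ACCOUNT UNLOCK;
```

Because password limits are enforced regardless of RESOURCE_LIMIT, the lockout takes effect as soon as the ALTER PROFILE completes; only the resource limits discussed earlier need the parameter.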

Using the Data Dictionary to See Profiles and Resources

Data dictionary views and profiles:

DBA_USERS – Shows the profile assigned to a user.
USER_RESOURCE_LIMITS – Shows the system resource limits in effect for the current user.
RESOURCE_COST – Identifies resources in the database and their cost.
DBA_PROFILES – Shows resource settings for profiles.

• Oracle provides a set of data dictionary views to query information about profiles and resources, including the following.

o DBA_PROFILES – Shows resource settings for all profiles.

o RESOURCE_COST – Identifies resources in the database and their cost.

o USER_RESOURCE_LIMITS – Shows the system resource limits in effect for the current user.

o DBA_USERS – Shows the profile assigned to each user. A user can query the data dictionary view USER_USERS to see the profile that they are assigned to.

Note: For additional information about users and profiles examine the data dictionary view USER_PASSWORD_LIMITS, which shows the password limits of the current user's profile. Note: A set of data dictionary views beginning with USER_ is also available in most cases.

Using the Data Dictionary to See Profiles and Resources

The data dictionary view DBA_PROFILES shows profiles and their resource limits.

SELECT Profile, Resource_Name, Resource_Type, Limit
  FROM DBA_PROFILES
 ORDER BY Profile;

• The data dictionary view DBA_PROFILES shows the profiles and the resource limits assigned to each profile; RESOURCE_TYPE distinguishes resource (KERNEL) limits from PASSWORD limits.

Example of querying DBA_Profiles

Using the Data Dictionary to See Profiles and Resources

The data dictionary view RESOURCE_COST identifies resources and their costs.

SELECT Resource_Name, Unit_Cost
  FROM RESOURCE_COST;

• The data dictionary view RESOURCE_COST identifies the resources that can contribute to a composite limit and their associated costs. The costs are non-zero only if they have been assigned with the ALTER RESOURCE COST statement.

Example of querying the Data Dictionary View Resource_Costs

Note: In our example above no resource costs have been assigned.

Using the Data Dictionary to See Profiles and Resources

The data dictionary view USER_RESOURCE_LIMITS identifies the resource limits in effect for the current user.

SELECT Resource_Name, Limit
  FROM USER_RESOURCE_LIMITS;

• The data dictionary view USER_RESOURCE_LIMITS shows the resource limits (not costs) that apply to the currently connected user, resolved through that user's profile.

Example of performing a query on the Data Dictionary View User_Resource_Limits

Using the Data Dictionary to See Profiles and Resources

The data dictionary view DBA_USERS shows users and their assigned profiles.

SELECT UserName, Profile
  FROM DBA_USERS
 WHERE UserName = 'SUPPORT';

• The data dictionary view DBA_USERS shows which profile each user is assigned to. Remember that the data dictionary view USER_USERS shows the profile of the currently connected user.

Example of performing a query on the Data Dictionary View DBA_Users
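The following is an added example (not part of the original course) that combines the views from the last five pages into the question a reviewer actually asks: which users are on a profile whose important limits are still UNLIMITED, or have no password verify function? A limit of DEFAULT in a user's profile means "take the DEFAULT profile's value", so the DEFAULT profile is joined a second time to resolve it. The list of resource names checked is an illustrative choice.

```sql
-- Added example, not from the original course. Resolves DEFAULT limits
-- against the DEFAULT profile and reports users whose effective limit is
-- still UNLIMITED (or NULL, which is how an unset verify function shows).
SELECT u.username,
       u.profile,
       u.account_status,
       p.resource_name,
       CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
  JOIN dba_profiles d ON d.profile = 'DEFAULT'
                     AND d.resource_name = p.resource_name
 WHERE p.resource_name IN ('SESSIONS_PER_USER',
                           'IDLE_TIME',
                           'FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_LIFE_TIME',
                           'PASSWORD_VERIFY_FUNCTION')
   AND CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
       IN ('UNLIMITED', 'NULL')
   AND u.username NOT IN ('SYS', 'SYSTEM')
 ORDER BY u.username, p.resource_name;

-- Resource limits (but not password limits) are enforced only when this is TRUE.
SELECT name, value
  FROM v$parameter
 WHERE name = 'resource_limit';

-- The same information for the connected user only; no DBA privilege needed.
SELECT resource_name, limit FROM user_resource_limits
UNION ALL
SELECT resource_name, limit FROM user_password_limits;
```

An empty result from the first query, together with RESOURCE_LIMIT = TRUE, is the state a production database should be in before the end of this module.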

Oracle Enterprise Manager & Profiles

Oracle Enterprise Manager can be used to manage profiles.

• Oracle Enterprise Manager can be used to manage profiles. The above illustrates the first screen in managing profiles and shows the profiles.

• The following screen illustrates assigning values to profiles.

Auditing: Database vs. Value Based

Auditing can be classified as database auditing and value based auditing. (Slide diagram: the Oracle database with its auditing, and the alert log.)

• Auditing is the monitoring and recording of selected user database actions and may be used for the following.

o Investigating suspicious activity.

o Monitoring and gathering data about specific database activities.

• Two types of auditing are available on the Oracle 9i server, including the following.

o Database auditing pertains to audits of session activity by a user, object access by a user, and certain database functions such as startup and shutdown of the database. We will learn how to perform database auditing in this module.

o Value based auditing pertains strictly to the modification of application data in the Oracle 9i database: it records the old and new values of the rows that were changed. Value based auditing must be implemented by writing triggers and PL/SQL and will not be addressed in this module or class.

• Certain database administration events are always audited, whether or not auditing has been enabled. These records go to the operating system audit trail (the directory named by AUDIT_FILE_DEST on Unix, the Event Log on Windows); startup and shutdown are also recorded in the alert log for the database. These events include the following.

o Shutdown and startup of the Oracle database.

o Connections by users with database administration privileges (SYSDBA and SYSOPER).

Auditing: Classification of Operations

Auditing can also be classified as statement, privilege and object auditing. (Slide examples: statement auditing covers performing DDL / DML; object auditing covers accessing tables with inserts, updates and deletes.)

• Database auditing can be classified into three areas.

o Statement auditing is the selective auditing of SQL statements with respect to the type of statement, not the specific schema objects on which it operates. For example, AUDIT TABLE audits every CREATE TABLE, DROP TABLE and TRUNCATE TABLE statement in the database, whoever issues it and whatever table it touches.

o Privilege auditing is the selective auditing of the use of system privileges to perform corresponding actions, such as CREATE INDEX or CREATE TABLE. Privilege auditing is more focused than statement auditing because it audits only the use of the targeted privilege.

o Object auditing is the selective auditing of specific statements on a particular schema object, such as AUDIT SELECT ON EMP. Schema object auditing is very focused, auditing only a specific statement on a specific schema object. Oracle allows audit options to be very focused or very broad.


Slide: Auditing By Focus

Auditing can be focused By User, By Session, By Access, By Statement, Whenever Successful, or Whenever Not Successful.

• Auditing options can be focused or very broad, including the following.

o Statement – Names the SQL statement(s) to be audited.

o User – Limits auditing of SQL statements to the named user(s).

o Session – Limits auditing by writing one audit record for the SQL statement per session. It does not matter how many of the same SQL statements are processed.

o Access – Records audit information each and every time the SQL statement is processed.

o Whenever Successful – Records only attempts at the action that succeed.

o Whenever Not Successful – Records only attempts at the action that fail.


Slide: Auditing - Enabling / Disabling

Auditing must be enabled / disabled. Step 1: run the script @C:\oracle\ora90\rdbms\admin\cataudit. Step 2: add Audit_Trail to the Initialization Parameter File.

• Auditing is not automatically enabled in the Oracle database. The following actions must be performed by the database administrator to start the auditing process.

o The script CatAudit.sql must be executed as the SYS owner to create the tables required for auditing. The script CatNoAudit.sql should be executed after auditing is completed to remove the auditing tables.

o The Audit_Trail parameter in the Initialization Parameter File must be set to one of the following values.

OS – Enables audit records to be written out to operating system files. The Initialization Parameter File parameter AUDIT_FILE_DEST must also be set to specify where the auditing files should be stored.

DB / TRUE – Enables audit records to be written out to the SYS.AUD$ table. This table was created when the CatAudit.sql script was executed.

NONE / FALSE – Audit records are not written.

Note: Whenever the auditing setting in the Initialization Parameter File is changed, the Oracle database must be shut down and restarted. The parameter is not dynamic.
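The enabling steps above carried out and then verified from SQL*Plus, as an added example that is not part of the course notes. The script path is the course's ORACLE_HOME; the AUDIT_FILE_DEST path in the comment is a constructed placeholder.

```sql
-- Added example (not from the course notes): enable auditing and then
-- confirm that the database really is writing an audit trail.
CONNECT / AS SYSDBA

-- Step 1: create SYS.AUD$ and the DBA_AUDIT_* views (run once, as SYS).
@C:\oracle\ora90\rdbms\admin\cataudit.sql

-- Step 2 is done in the Initialization Parameter File, for example:
--   audit_trail = DB                        (records go to SYS.AUD$)
-- or
--   audit_trail = OS
--   audit_file_dest = C:\oracle\admin\orcl\adump   (constructed path)
-- followed by SHUTDOWN and STARTUP, because the parameter is not dynamic.

-- After the restart, check the value the instance actually started with.
-- If AUDIT_TRAIL still reads NONE, every AUDIT statement issued later
-- is accepted but records nothing.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_file_dest');

-- Confirm the trail table exists. A count of 0 is expected right after
-- cataudit.sql; it only grows once AUDIT options have been set.
SELECT COUNT(*) AS audit_rows
  FROM sys.aud$;
```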


Slide: Enabling Auditing Examples

Audit Alter Any Table By Sales By Access Whenever Successful;

• The above example audits successful attempts by the user Sales to alter any table.

Note: Some additional auditing options include the following.

Audit Alter On Sales.Companies By Access Whenever Successful;

Audit Alter On Sales.Companies By Session Whenever Not Successful;

Audit Alter On Sales.Companies By Session Whenever Successful;


Slide: Enabling Auditing Examples

Audit Connect By Sales Whenever Not Successful;

• The above example audits unsuccessful attempts by the user Sales to connect to the Oracle database.

Note: Some additional auditing options include the following.

Audit Connect Whenever Not Successful;

Audit Connect Whenever Successful;


Slide: Enabling Auditing Examples

Audit Update, Delete On Sales.Companies By Access Whenever Successful;

• Example of auditing all successful updates and deletes on the Sales.Companies table. Many audit records can be written out for each session since the audit is by access.


Slide: Disabling Auditing Examples

NoAudit Alter Any Table By Sales Whenever Successful;

• The above example disables the auditing of successful attempts by the user Sales to alter any table.


Slide: Disabling Auditing Examples

NoAudit Connect By Sales Whenever Not Successful;

• The above example disables the auditing of unsuccessful connections by the user Sales.


Slide: Disabling Auditing Examples

NoAudit Update, Delete On Sales.Companies;

• The above example disables auditing of updates and deletes on the Sales.Companies table.


Slide: Managing Audit Results

The Aud$ table must be managed.

Create Table Audit_Temp As Select * From Sys.Aud$ Where TimeStamp# < SysDate - 30;

Delete From Sys.Aud$ Where TimeStamp# < SysDate - 30;

• Auditing records are placed in the Aud$ table in the SYS account. This table has the possibility of becoming quite large depending on the auditing activity initiated. Additionally, the Aud$ table will probably be located in the System Tablespace, which may cause additional storage issues.

• The database administrator must periodically archive / delete records in the Aud$ table.

• The following steps offer one method of managing the Aud$ table.

o Connect to the Oracle database as SYS. This should be one of the few circumstances in which the database administrator connects to the SYS account.

o Create another table with the records from the Aud$ table. The new table should go into a different tablespace if possible.

o Delete the original records in the Aud$ table.

• Another method of managing the Aud$ table would be to Export the table and then delete the rows in the Aud$ table. The Export / Import utility will be presented in the Oracle 9i Database Administration II class.

• Records can be deleted from the audit trail by the user SYS or any user with the DELETE ANY TABLE privilege.

Note: If user connections are being audited and the Aud$ table causes the System Tablespace to fill, additional users connecting to the database may not be able to connect. The database administrator will probably have to add additional space to the tablespace and clear the Aud$ table.
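The archive / purge steps above, as an added example that is not part of the course notes, with the archive placed outside the System tablespace and the purge limited to exactly the rows that were copied. It assumes a tablespace named AUDIT_ARCH already exists; the archive table name AUD_ARCHIVE is the example's own.

```sql
-- Added example (not from the course notes): archive and purge SYS.AUD$.
-- Assumes a tablespace AUDIT_ARCH exists; AUD_ARCHIVE is a name chosen here.
CONNECT / AS SYSDBA

-- How much space the audit trail takes, and in which tablespace it sits.
SELECT tablespace_name, ROUND(SUM(bytes) / 1024 / 1024, 1) AS mb
  FROM dba_segments
 WHERE owner = 'SYS' AND segment_name = 'AUD$'
 GROUP BY tablespace_name;

-- Copy records older than 30 days into a table outside SYSTEM.
-- AUD$ keeps the audit time in TIMESTAMP#; SESSIONID plus ENTRYID
-- identify each record.
CREATE TABLE aud_archive
  TABLESPACE audit_arch
  AS SELECT *
       FROM sys.aud$
      WHERE timestamp# < SYSDATE - 30;

-- Delete only what was copied, so a record written between the two
-- statements cannot be lost, then make the purge permanent.
DELETE FROM sys.aud$ a
 WHERE EXISTS (SELECT 1
                 FROM aud_archive b
                WHERE b.sessionid = a.sessionid
                  AND b.entryid   = a.entryid);
COMMIT;

-- The archive is audit data too: it should carry no grants to other users.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'AUD_ARCHIVE';
```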


Slide: Viewing Enabled Auditing Options

Enabled auditing options can be viewed through the following views: All_Def_Audit_Opts (default options for auditing objects), DBA_Stmt_Audit_Opts (auditing options for all statements), DBA_Priv_Audit_Opts (auditing options for all privileges), DBA_Obj_Audit_Opts (auditing options for database objects).

• Enabled auditing options can be viewed by utilizing several Data Dictionary Views, including the following.

o DBA_Obj_Audit_Opts – Shows auditing options enabled for database objects such as indexes and tables.

o DBA_Priv_Audit_Opts – Shows auditing options enabled for all privileges.

o DBA_Stmt_Audit_Opts – Shows auditing options enabled for all statements.

o All_Def_Audit_Opts – Shows default options for auditing objects.


Slide: Viewing Enabled Auditing Options

Select Owner, Object_Name, Object_Type From DBA_Obj_Audit_Opts Where Owner = 'SALES';

• The Data Dictionary View DBA_Obj_Audit_Opts shows auditing options enabled for database objects such as indexes and tables. The above is an example of performing a query on the Data Dictionary View DBA_Obj_Audit_Opts.

Note: It is recommended to perform queries on the other Data Dictionary Views that show auditing options.
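The three AUDIT statements used earlier in this module each land in a different options view; the following added example, not part of the course notes, issues them and then reads each view back so the success / failure columns can be compared.

```sql
-- Added example (not from the course notes): how the module's three kinds
-- of audit option appear in the DBA_*_AUDIT_OPTS views. Run as SYS.
AUDIT CONNECT BY sales WHENEVER NOT SUCCESSFUL;
AUDIT ALTER ANY TABLE BY sales BY ACCESS WHENEVER SUCCESSFUL;
AUDIT UPDATE, DELETE ON sales.companies BY ACCESS WHENEVER SUCCESSFUL;

-- Statement auditing. CONNECT is a shortcut, so it is listed under the
-- statement option it stands for (CREATE SESSION). SUCCESS and FAILURE
-- each hold BY ACCESS, BY SESSION or NOT SET.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name = 'SALES';

-- Privilege auditing: same SUCCESS / FAILURE layout, keyed by privilege.
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE user_name = 'SALES';

-- Object auditing: one column per statement type (UPD, DEL, SEL, ALT, ...),
-- each holding "success/failure" as A (by access), S (by session) or
-- - (not audited).
SELECT owner, object_name, upd, del, sel, alt
  FROM dba_obj_audit_opts
 WHERE owner = 'SALES' AND object_name = 'COMPANIES';
```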


Slide: Viewing Enabled Auditing Results

Auditing results can be viewed through the following views: DBA_Audit_Trail (all entries in the Aud$ table), DBA_Audit_Statement (audit entries generated by statement options), DBA_Audit_Session (audit entries by session connects and disconnects), DBA_Audit_Object (audit entries for object audits), DBA_Audit_Exists (audit entries by the exists option).

• The following Data Dictionary Views can be used to view auditing results.

o DBA_Audit_Exists – Audit entries by the exists option.

o DBA_Audit_Object – Audit entries for object audits such as tables and indexes.

o DBA_Audit_Session – Audit entries by session connects and disconnects.

o DBA_Audit_Statement – Audit entries generated by statement options.

o DBA_Audit_Trail – All entries in the Aud$ table.


Slide: Viewing Enabled Auditing Results

Select UserName, Obj_Name, Action_Name, ReturnCode From DBA_Audit_Object;

• The Data Dictionary View DBA_Audit_Object shows audit entries for object audits such as tables and indexes. The above is an example of querying the Data Dictionary View DBA_Audit_Object.

Note: It is recommended to perform queries on the other Data Dictionary Views that show audit entries.
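Two queries a database administrator would run over the results views once the connect and object audits from this module are active, as an added example that is not part of the course notes. The thresholds (last day, five attempts, last seven days) are the example's own choices.

```sql
-- Added example (not from the course notes): reading audit results the
-- way a DBA reviews them. Run as SYS or a user with SELECT on the views.

-- Repeated failed logons per user and host. RETURNCODE is the ORA- error
-- number of the failed statement, 0 for success; 1017 is ORA-01017
-- (invalid username/password).
SELECT username, userhost, returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY username, userhost, returncode
HAVING COUNT(*) >= 5
 ORDER BY attempts DESC;

-- Who changed SALES.COMPANIES, from which OS account and host, in the
-- last seven days. With the BY ACCESS option from this module there is
-- one row per UPDATE or DELETE statement.
SELECT timestamp, username, os_username, userhost, action_name, returncode
  FROM dba_audit_object
 WHERE owner = 'SALES'
   AND obj_name = 'COMPANIES'
   AND action_name IN ('UPDATE', 'DELETE')
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp;
```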


Slide: Auditing Guidelines

Adhere to auditing recommendations: evaluate the purpose for auditing; audit very conservatively; only set specific actions to audit; protect the audit trail; archive and purge the audit trail.

• The following auditing guidelines should be followed.

o Evaluate the purpose for auditing. Do not audit unless it is absolutely necessary. Auditing causes additional overhead on the Oracle database and additional work load for database administrators.

o Audit very conservatively. Do not audit just for the sake of auditing.

o Only set specific actions to audit. Do not produce information overload in the Aud$ table. Too much auditing defeats the purpose of auditing.

o Protect the audit trail. If writing audit files to the operating system, be sure to protect the audit file. If auditing information is going to the Aud$ table, it should be protected since it is in the SYS account. If copying the Aud$ table to a different table, be sure to protect that table.

o Archive and purge the audit trail. The Aud$ table has the potential of becoming very large. Always purge the audit trail on a regular basis.
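Checks for the "protect the audit trail" guideline when records go to the Aud$ table, as an added example that is not part of the course notes. It ties the guideline to the earlier point that SYS or any holder of DELETE ANY TABLE can delete audit records.

```sql
-- Added example (not from the course notes): find out who could erase the
-- audit trail, then audit the trail itself. Run as SYS.
CONNECT / AS SYSDBA

-- Anyone holding DELETE ANY TABLE can purge SYS.AUD$ (see Managing Audit
-- Results). This list should be short and every grantee justified.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'DELETE ANY TABLE'
 ORDER BY grantee;

-- Direct object grants on AUD$ should not exist at all.
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'AUD$';

-- Audit the audit trail: each DELETE against AUD$ and each use of the
-- DELETE ANY TABLE privilege gets its own record, whether it succeeds or
-- fails (no WHENEVER clause, so both are recorded).
AUDIT DELETE ON sys.aud$ BY ACCESS;
AUDIT DELETE ANY TABLE BY ACCESS;

-- Confirm the object option is in place; the DEL column shows the
-- success/failure setting for AUD$.
SELECT owner, object_name, del
  FROM dba_obj_audit_opts
 WHERE owner = 'SYS' AND object_name = 'AUD$';
```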


Oracle Certified Professional Test Questions

1. As a database administrator you just changed a resource limit that was assigned to a profile named Sales_Reps. This profile was assigned to the Oracle user account Dwentz. What should the database administrator do so the new resource limit for the changed profile Sales_Reps is reflected for the user Dwentz?

a. Shutdown and restart the Oracle database.
b. Have the user Dwentz disconnect and reconnect.
c. Do nothing since the new resource limit will be immediately reflected for the user account Dwentz.
d. The user account Dwentz will revert to the DEFAULT profile until the user Dwentz disconnects and reconnects to the database.

2. If a user is not assigned a profile right after the user account was created, what will the value of the resource limit Sessions_Per_User be?

a. Unlimited
b. 99999999
c. The user will not be able to connect since the user account has not been assigned a profile.
d. 1

3. Which of the following is not a valid resource limit whenever creating profiles?

a. Sessions_Per_User
b. CPU_Per_Session
c. Logical_Reads_Per_Session
d. Password_Timeout
e. Private_SGA

4. As a database administrator you wish to prevent a user from accessing their Oracle user account. What would be the best method of preventing a user from accessing their user account?

a. Limit the number of times the user can connect to Oracle by assigning them to a profile that has Sessions_Per_User set to 0.
b. Remove the user's account completely.
c. Lock the user's account.
d. Assign the user to the DEFAULT profile.

5. To limit the total resource costs of a user session, what resource limit should be assigned to the profile that the user has been assigned to?

a. Composite_Limit
b. CPU_Per_Session
c. CPU_Per_Call
d. Logical_Reads_Per_Session
e. Logical_Reads_Per_Call

6. As a database administrator you want to find out what profile each user is assigned to. What Data Dictionary view would you perform a query on?

a. User_Users
b. DBA_Profiles
c. DBA_Users
d. User_Profiles

7. To see only what roles are assigned to other roles, what data dictionary view would be utilized?

a. USER_ROLE_PRIVS
b. ROLE_SYS_PRIVS
c. ROLE_TAB_PRIVS
d. ROLE_ROLE_PRIVS
e. Cannot be accomplished using the data dictionary.

8. As a database administrator you are receiving calls that users are hanging whenever attempting to connect to the database. Auditing for successful and unsuccessful connections for all users is currently active. Which of the following is a likely reason for the users' problem whenever attempting to connect to the database?

a. The user has issued the incorrect userid and password.
b. The user's account has been locked.
c. The Temp tablespace has become full.
d. The Aud$ table has caused the System tablespace to become full.

9. To enable auditing to the Aud$ table, the Audit_Trail Initialization Parameter must be set to?

a. DB
b. FALSE
c. OS
d. NONE

10. Which of the following is not a good reason to audit whenever implementing the Aud$ table method?

a. You wish to audit every unsuccessful login attempt.
b. You wish to know whenever the Oracle database was shutdown and restarted.
c. You wish to know whenever a particular table in a certain schema was dropped.
d. You wish to know whenever a user grants a table to another user.


Lab Exercises

1. Create a new user and force that new user to change their password when connecting for the first time. Be sure to grant the new user appropriate privileges so they can connect to the database.

2. Set the user created in Lab Exercise # 1 to the following tablespaces and quotas:

Default Tablespace Users Quota 5m
Temporary Tablespace Temp Quota 2m

3. Create a profile named Sales_Reps and assign the profile to the user created in Lab Exercise # 1. The profile should have the following resource limits:

Sessions_Per_User 1
Connect_Time 60
Password_Reuse_Time 90

Remember that resource limits must be enabled for them to work. Attempt to connect to the user account created in Lab Exercise # 1 more than one time. What happened and why?

4. Enable auditing and audit the user created in Lab Exercise # 1 for the following:

Every time the user successfully connects to the database.
The first time in each session that the user attempts to create a new table.

Verify that audit records were written to the Aud$ table. Be sure to disable auditing; however, do not remove the Aud$ table.

5. Drop the profile Sales_Reps created in Lab Exercise # 3 above.

6. Drop the user created in Lab Exercise # 1 above.

7. Remove the Aud$ table and disable auditing.

Oracle Certified Professional Test Questions – Answers

1. b
2. a
3. d
4. c
5. a
6. c
7. d
8. d
9. a
10. b


Lab Exercise - Answers

Lab exercise 1

Lab exercise 2


Lab exercise 3

You should only be able to connect one time since the Sessions_Per_User was set to one.

Lab exercise 4

You must shut down the Oracle database and place Audit_Trail = OS in the Initialization Parameter File. The script CatAudit.sql must be executed as SYS. This is not illustrated.

Attempt to connect as the user created in Lab Exercise # 1 above several times.

Lab Exercise 5


Lab Exercise 6

Lab Exercise 7

Run the script CatNoAudit.sql to remove the Aud$ table. Remove the Audit_Trail entry in the Initialization Parameter File or set it to NONE. Shut down and restart the database.