Understanding Oracle Auditing 106607


Copyright SANS Institute. Author Retains Full Rights. This paper is from the SANS Penetration Testing site. Reposting is not permitted without express written permission.


Understanding Oracle Auditing

GIAC Security Essentials Certification (GSEC) Practical Assignment Version 1.4b

Option 1 - Research on Topics in Information Security

Location: SANS Baltimore, 2004

Sep 21, 2004

Submitted by: Wayne Reeser

SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.

Wayne Reeser

Table of Contents

Abstract
Introduction
Requirement for Auditing
Where to start?
  Where is the audit trail?
  DB audit trail
  OS audit trail
  How to choose between audit trail locations
  Mandatory OS auditing
  A first audit
The Basics (SQL AUDIT command)
  Audit options relevant to all auditing
  AUDIT option BY SESSION
  AUDIT option BY ACCESS
  AUDIT WHENEVER SUCCESSFUL or NOT SUCCESSFUL
  Privilege Auditing
  Statement and Object Auditing
  Default Auditing
Tips and Lessons Learned
  Common mistakes when testing
  Auditing Create Session
  Auditing SYSDBA
  Protecting the audit trail
  Managing the audit trail for performance
  Object Auditing tips
  What if the desired audit option does not exist?
  AUDIT NOT EXISTS
  Issues when modifying existing auditing
  Audit return codes
  Removing the ANY CLIENT audit option
Other Auditing Options
  Auditing and Oracle Label Security
  Oracle Fine-Grained Auditing
  Selective Audit tool
  N-tier
  Auditing Enhancements in 10G
  What Should be Audited?
Conclusions
References
Appendix A: Miscellaneous Figures
  Figure A-1 DBA_AUDIT_TRAIL table definition
  Figure A-2 DBA_AUDIT_TRAIL example of a LOGON record
  Figure A-3 DBA_AUDIT_TRAIL example, part 2
Appendix B: Useful Auditing Scripts
  Figure B-1 Privileges needed to run audit scripts
  Figure B-2 audopts.sql: a script to show enabled standard auditing
  Figure B-3 noaudits.sql: A script to remove most audits
  Figure B-4 audtr.sql: Audit trail quick look


GSEC 1.4B Practical

Abstract

Understanding Oracle Auditing is critical for comprehensive application security, but it is perceived as difficult and complex. While the typical DBA can probably configure and enable auditing, especially given recommended auditing options by the latest DB security scanner, it is unlikely that the auditing design will be as efficient and effective as it could be. This paper will address basic Oracle auditing and will explain some of the common features of audit which can confuse or mystify even experienced DBAs. A strong grasp of the basics will provide a good foundation for later forays into advanced auditing and understanding of the results generated by enabling the auditing options required by Oracle security guides.

Introduction

Requirement for Auditing

Auditing serves as a deterrent to misuse, a tool for detection and damage assessment after an incident, and an option for accepting risk if a cost-effective safeguard is not available. Kewley and Lowry (2001) documented a DARPA study to determine if additional layers of security always resulted in greater overall security. They found that depending upon the objective of the attacker, additional layers sometimes added no additional security, and often made it easier to complete the attack. The more complex the system, the more likely that vulnerabilities will exist. Despite Defense in Depth, most internet connected

All examples have been worked in Oracle version 9.2. While most of the examples will work in earlier as well as later versions, results may vary.


The first auditing question asked of DBAs is usually "How much will auditing hurt performance?" This is an incomplete question that can't be answered effectively without a lot more information. Appropriate information includes the requirements for auditing and consideration of the role auditing will play in the overall security architecture. An effective audit strategy aims to collect the minimum amount that is necessary to meet requirements, and may be dynamic in that certain incidents trigger increased levels of auditing. Maximum value auditing is thus achieved with minimum impact. This can best be accomplished when auditing is approached as a system design problem and consideration is given to the best audit methods. Standard Oracle auditing is complex, but with the right foundation, it is possible to approach it with confidence. Once standard audit is u