Oracle Auditing Nroshak

Oracle Auditing
Natalka Roshak
Presented to ABCD-Oracle
4 March 2004
About me
• Oracle and Sybase Database Administrator,
Analyst and Architect
• Experienced database programmer
• Oracle Certified Professional (OCP)
• Regular columnist for Oracle trade magazine,
orafaq.com, and other trade publications
• Oracle consultant, serving customers across
North America
• Available for consulting engagements
• http://rdbms-insight.com
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

About this presentation
• Presentedto Oracle users’ group at
Harvard University, ABCD-Oracle
• 4 March 2004

Auditing
2 main types of auditing:

• Oracle-supplied auditing using AUD$
• Trigger-based DML auditing

Oracle vs. Trigger-based Auditing
Different scope & application:

• AUD$ does not record any of the data values
involved in a DML change; need to use trigger-
based auditing to capture this info
• Obviously, Oracle auditing allows auditing of
non-DML statements, eg. ALTER ROLE

Oracle Auditing
I. Overview of Oracle Auditing

II. Fun with AUDIT SESSION
III. Security considerations & AUD$ size

I. Overview of Oracle Auditing
Enabling Oracle Auditing
First step: set static initialization parameter

AUDIT_TRAIL in INIT.ORA
Values:
• DB/TRUE
• OS
• NONE/FALSE
OS Audit Trail
Even if OS audit trail is not enabled, Oracle

will still write default actions to OS audit
trail:
• instance startup
• instance shutdown
• connections to the database as SYSOPER
or SYSDBA

OS Audit Trail

DB trail
• Writes all audit information to

SYS.AUD$
• AUD$ installed by catalog.sql
• Create auditing data dictionary views by
running
$oracle_home\rdbms\admin\cataudit.sql
• Remove these views using catnoaud.sql

•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
SQL> desc aud$
Name
-----------------------------------------
SESSIONID
ENTRYID
STATEMENT
TIMESTAMP#
USERID
USERHOST
TERMINAL
ACTION#
RETURNCODE
OBJ$CREATOR
OBJ$NAME
AUTH$PRIVILEGES
AUTH$GRANTEE
Null? Type
-------- --------------
NOT NULL NUMBER
NOT NULL NUMBER
NOT NULL NUMBER
NOT NULL DATE
VARCHAR2(30)
VARCHAR2(128)
VARCHAR2(255)
NOT NULL NUMBER
NOT NULL NUMBER
VARCHAR2(30)
VARCHAR2(128)
VARCHAR2(16)
VARCHAR2(30)
SYS.AUD$
• NEW$OWNER VARCHAR2(30)
• NEW$NAME VARCHAR2(128)
• SES$ACTIONS VARCHAR2(19)
• SES$TID NUMBER
• LOGOFF$LREAD NUMBER
• LOGOFF$PREAD NUMBER
• LOGOFF$LWRITE NUMBER
• LOGOFF$DEAD NUMBER
• LOGOFF$TIME DATE
• COMMENT$TEXT VARCHAR2(4000)
• SPARE1 VARCHAR2(255)
• SPARE2 NUMBER
• OBJ$LABEL RAW(255)
• SES$LABEL RAW(255)
• PRIV$USED NUMBER

Audit Views
STMT_AUDIT_OPTION_MAP
Contains information about auditing option type codes.
AUDIT_ACTIONS
Contains descriptions for audit trail action type codes.
ALL_DEF_AUDIT_OPTS
Contains default object-auditing options that will be applied when objects are created.
DBA_STMT_AUDIT_OPTS
Describes current system auditing options across the system and by user.
DBA_PRIV_AUDIT_OPTS
Describes current system privileges being audited across the system and by user.
DBA_OBJ_AUDIT_OPTS, USER_OBJ_AUDIT_OPTS
Describes auditing options on all objects. USER view describes auditing options on all objects owned by the current user.
DBA_AUDIT_TRAIL, USER_AUDIT_TRAIL
Lists all audit trail entries. USER view shows audit trail entries relating to current user.
DBA_AUDIT_OBJECT,USER_AUDIT_OBJECT
Contains audit trail records for all objects in the system. USER view lists audit trail records for statements concerning objects that are
accessible to the current user.
DBA_AUDIT_SESSION, USER_AUDIT_SESSION
Lists all audit trail records concerning CONNECT and DISCONNECT. USER view lists all audit trail records concerning connections and
disconnections for the current user.
DBA_AUDIT_STATEMENT, USER_AUDIT_STATEMENT
Lists audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements throughout the database, or for the
USER view, issued by the user.
DBA_AUDIT_EXISTS
Lists audit trail entries produced by AUDIT EXISTS and AUDIT NOT EXISTS.

3 levels of audit options
Statement
• Audits on the type of SQL statement used, such as any
SQL statement on a table (which records each
CREATE, TRUNCATE, and DROP TABLE statement)
Object
• Audits specific statements on specific objects, such as
ALTER TABLE on the EMP table
Privilege
• Audits use of a particular system privilege, such as
CREATE TABLE

Statement Auditing
• Eg. AUDIT SELECT BY SCOTT

audits all select statements performed by
SCOTT
• AUDIT SELECT TABLE, UPDATE
TABLE BY SCOTT, BLAKE;

Object Auditing
• Eg. AUDIT SELECT ON scott.emp;

• AUDIT SELECT ON scott.emp WHENEVER
NOT SUCCESSFUL;
• AUDIT SELECT ON scott.emp WHENEVER
SUCCESSFUL;
• AUDIT ALL ON scott.emp ;

Privilege Auditing
eg. AUDIT GRANT SEQUENCE audits any

statements of the type:
• GRANT privilege ON sequence ;
• REVOKE privilege ON sequence ;
AUDIT EXECUTE PROCEDURE audits
• CALL of any procedure
AUDIT SELECT TABLE audits
• SELECT FROM table/view/materialized view;

Privilege auditing, con’t
AUDIT INDEX audits any statements of the type:

• CREATE INDEX
• ALTER INDEX
• DROP INDEX
AUDIT NOT EXISTS audits all SQL stmts that fail
because an object doesn’t exist
AUDIT SYSTEM AUDIT audits all
AUDIT/NOAUDIT statments
*AUDIT SESSION audits logon/logoff

BY SESSION/ACCESS
• BY SESSION: One audit record is inserted for

one session, regardless of the number of times
the statement is executed
• BY ACCESS: One audit record is inserted
each time the statement is executed
• Default is BY SESSION

Further examples
• AUDIT SESSION BY JOHN, ALEX

WHENEVER NOT SUCCESSFUL;
• AUDIT UPDATE, DELETE ON
scott.emp BY ACCESS;
• NOAUDIT UPDATE, DELETE ON
scott.emp;

II. Fun with AUDIT SESSION
Fun with AUDIT SESSION
• Underappreciated fact: AUD$ records IP when
session auditing is enabled
• SQL> select timestamp#, userid, machine, action#, returncode, logoff$time, comment$text from
aud$ where action# in (100,101);
• TIMESTAMP USERID MACHINE ACTION# RETURNCODE LOGOFF$TI
COMMENT$TEXT
• --------- ---------- --------------- ------- ---------- -------
• 02-FEB-04 EREQ_USER GYPSY 101 0 02-FEB-04 Authenticated by: DATABASE;
Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=140.247.232.23)(PORT=3406))
• 02-FEB-04 EREQ_USER GYPSY 100 0 Authenticated by: DATABASE;
Client address:
• (ADDRESS=(PROTOCOL=tcp)(HOST=140.247.232.23)(PORT=3427))
• 02-FEB-04 EREQ_USER GYPSY 101 0 02-FEB-04 Authenticated by: DATABASE;
• 02-FEB-04 BULKLOAD SHALLOT 100 0 Authenticated by: DATABASE;

AUD$ fields
For 100/101 events (ACTION# IN (100,101)):

• col SPARE1 = OS username
• col RETURNCODE = ora-xxxx returncode
• col TERMINAL = terminal name (eg. ttyp3 in
UNIX, machine name in Windows)
• col COMMENT$TEXT = IP and port of client
-- very useful!

Extracting the IP
select userid, terminal, spare1, substr(s1,1,instr(s1,')')-1)

IP,
returncode, timestamp#
from
(select A.*,
substr(comment$text,instr(comment$text,'HOST=')
+5,100) s1
from aud$ a where action# in (100,101) )
order by IP;

Sample output
USERID TERMINAL SPARE1 IP RETURNCODE TIMESTAMP#
-------------------------------------------------------------------------------------------
HERS MARS apacheco 128.103.231.86 0 02/24/2004 3:08:36 PM
HERS oracle 128.103.231.86 0 01/25/2004 11:14:11 AM
EREQ_USER MRUTENBUR mrutenburg 140.247.10.130 0 01/30/2004 4:42:52 PM
BULKLOAD CJTRU cjtru 140.247.10.132 0 02/05/2004 4:26:41 PM
BULKLOAD ttyp3 oracle 140.247.10.132 0 02/09/2004 10:42:13 AM
SYS ttyp3 oracle 140.247.10.132 0 02/09/2004 11:55:56 AM
BULKLOAD ROBIN michael 140.247.10.135 0 01/29/2004 7:59:49 AM
SYSTEM JB Jen?Braster 140.247.10.135 0 01/28/2004 8:34:31 PM
EREQ_USER JB Jen?Braster 140.247.10.135 0 01/28/2004 8:39:07 PM

Returncodes
• Indicates ora-XXXX if logon failed

• Common returncodes:
• 0 – successful
• 1017 – invalid username/password
• 1005 – null password given
• 1035 – RESTRICTED SESSION enabled
• Eg. Add “where” clause to query to filter on
ora-1017s
Other possibilities
• Create table of known IPs expected to connect,

query for other IPs
• Alert when there’s a connection attempt from a
new or non-Harvard IP
• Create table of known terminals expected to
connect over VPN (140.247.10/11.0/255),
query for other terminals (or terminal &
username combo) connecting over VPN

Filtering on known IPs/terminals
select * from (
select userid, terminal, spare1, substr(s1,1,instr(s1,')')-1) IP,
k.hostname, str.returncode, count(*) from
(select A.*, substr(comment$text,instr(comment$text,'HOST=')+5,100) s1
from aud$ a
) str, system.known_ips k
where 1=1
and (substr(s1,1,instr(s1,')')-1) not in (select ip from system.known_ips)
and NOT ( (substr(s1,1,instr(s1,')')-1) like '140.247.10%'
OR substr(s1,1,instr(s1,')')-1) like '140.247.11%' )
AND str.terminal in (select terminal from system.known_terminals)
)
)
and str.terminal NOT in (select terminal from system.known_terminals)
and substr(s1,1,instr(s1,')')-1)=k.ip(+)
and timestamp# > sysdate-20
group by userid, terminal, spare1, substr(s1,1,instr(s1,')')-1), hostname, returncode
) where IP not like '140.247.164.%' and IP not in ('140.247.232.22','140.247.232.23')
order by IP

Filtering on known IPs/terminals
USERID TERMINAL SPARE1 IP RETURNCOD COUNT(*)

------------------------------------------------------------------------------
SYS unknown n_user 140.247.10.149 0 1
UTILITY LOKI dfaux 140.247.10.150 0 1
BULKLOAD CLIENT1 kyu 140.247.11.20 0 3
SYS ttyp2 oracle 140.247.11.20 0 1
SYS ttyp2 oracle 140.247.11.20 1017 1
ASPERIN CLIENT1 kyu 140.247.11.9 0 5
HR_DATA CLIENT1 kyu 140.247.11.9 0 8
FIN_OFFIC UHALL-TEMP5 hadass 140.247.70.24 0 7
FIN_OFFIC IBM-5F0826A1BDE nasson 140.247.70.28 0 5
FIN_OFFIC IBM-5F0826A1BDE nasson 140.247.70.28 1017 4

III. Security Considerations
Too Much AUD$
• Problem: AUD$ is located in SYSTEM

tablespace
• If AUDIT SESSION is enabled, DOS attack
can fill up SYSTEM tablespace, bringing
database to a complete halt
• An untended AUD$ can do the same thing over
time
• Solution: Monitor size of AUD$
MANAGE_AUD$ package
• Job to check size of AUD$ and move rows out

of SYS tablespace if AUD$ too large
• Write to alert log if AUD$ has to be cleaned
out
• Procedures for quarterly log rotation

Create tables to archive AUD$
• SYSTEM.AUD$_BU
• SYSTEM.AUD$_PREV_QUARTER
drop table system.aud$_bu;
create table system.aud$_bu

tablespace tools
as (select * from sys.aud$ where 1=2);
drop table system.aud$_prev_quarter;
create table system.aud$_prev_quarter

tablespace tools
as (select * from sys.aud$ where 1=2);

Rotate AUD$ quarterly
procedure quarterly_rotation
is
/* Procedure quarterly_rotation
* Cleans out table system.aud$_prev_quarter
* and repopulates it with the previous quarter's worth of audit info
* Should be scheduled to run every quarter
*/
begin
commit;
set transaction use rollback segment rbs_bulk;
delete from system.aud$_prev_quarter;
insert into system.aud$_prev_quarter
( select * from sys.aud$ au
where au.timestamp# < trunc(sysdate,'Q'));
delete from sys.aud$ where timestamp# < trunc(sysdate,'Q') ;
commit;
end quarterly_rotation;

Use dbms_system.kdswrt() to log
…
delete from sys.aud$ where timestamp# < trunc(sysdate,'Q') ;
commit;
sys.dbms_system.ksdwrt(3,'ORA-AUDIT
TRAIL: Quarterly rotation COMPLETE');
sys.dbms_system.ksdwrt(3,'ORA-AUDIT
TRAIL: This message brought to you by
sys.manage_aud$');
end quarterly_rotation ;

Check AUD$ size
procedure
keep_size_in_check
is
rowCount number;
begin
select count(*) into rowCount from sys.aud$ ;
if rowCount > 50000
then
commit;
set transaction use rollback segment rbs_bulk;
insert into system.aud$_bu (select * from sys.aud$);
delete from sys.aud$ ;
commit;
sys.dbms_system.ksdwrt (3,'ORA-AUDIT TRAIL: POSSIBLE DOS
ATTACK!!!! AUD$ rows moved to AUD$_BU');
end if;
end keep_size_in_check;

Poll AUD$ table regularly
declare
myjob number;
begin
dbms_job.submit(myjob,
what => ‘manage_aud$.keep_size_in_check;’,
interval => ‘trunc(sysdate)+1/96’);
End;

Summary
• Oracle Auditing is good for auditing non-DDL

events, and auditing DDL where a record of the
data changed is not important
• AUDIT SESSION lets you track connections
by IP, OS username, & terminal
• If DB audit trail is enabled, the size of AUD$
must be managed

Natalka Roshak
Oracle and Sybase Database
Administrator, Architect and Analyst
http://rdbms-insight.com
http://toolkit.rdbms-insight.com

Oracle Auditing Nroshak

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Oracle Auditing Nroshak

Uploaded by

Copyright:

Available Formats

Oracle Auditing

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

2 main types of auditing:

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Different scope & application:

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

I. Overview of Oracle Auditing

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

First step: set static initialization parameter

Even if OS audit trail is not enabled, Oracle

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

• Writes all audit information to

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

• Eg. AUDIT SELECT BY SCOTT

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

• Eg. AUDIT SELECT ON scott.emp;

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

eg. AUDIT GRANT SEQUENCE audits any

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

AUDIT INDEX audits any statements of the type:

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

• BY SESSION: One audit record is inserted for

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

• AUDIT SESSION BY JOHN, ALEX

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

For 100/101 events (ACTION# IN (100,101)):

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

select userid, terminal, spare1, substr(s1,1,instr(s1,')')-1)

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

• Indicates ora-XXXX if logon failed

• Create table of known IPs expected to connect,

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

USERID TERMINAL SPARE1 IP RETURNCOD COUNT(*)

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

• Problem: AUD$ is located in SYSTEM

• Job to check size of AUD$ and move rows out

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

drop table system.aud$_bu;

create table system.aud$_bu

drop table system.aud$_prev_quarter;

create table system.aud$_prev_quarter

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

• Oracle Auditing is good for auditing non-DDL

Oracle Auditing - Natalka Roshak - http://rdbms-insight.com

You might also like