Auditing Database Users, Privileges, and Objects

Copyright 2009, Oracle. All rights reserved.

Objectives
After completing this lesson, you should be able to do the following:
- Implement basic database auditing
- Implement auditing of the privileged user
- Implement data manipulation language (DML) and data definition language (DDL) auditing
- Send audit records to the operating system (OS) files

Monitoring for Suspicious Activity

Monitoring or auditing should be an integral part of your security procedures. The audit tools in Oracle Database include:
- Database auditing
- Auditing of privileged user operations
- Fine-grained auditing (FGA)

You can also create custom value-based auditing.

Audit Tool Comparisons

Type of Audit                 | What Is Audited?                                              | What Can Be in the Audit Trail?
------------------------------|---------------------------------------------------------------|--------------------------------------------------------------------------
Standard database auditing    | Privilege use, including object access                        | Fixed set of data, including the SQL statement and bind
Privileged user auditing      | Connections by default; when enabled, all statements issued   | Fixed set of data
Fine-grained auditing (FGA)   | SQL statements (INSERT, UPDATE, DELETE, SELECT) based on content | Fixed set of data, including the SQL statement and bind; extensible through event handlers

Standard Database Auditing

Standard database auditing:
- Is enabled through the AUDIT_TRAIL parameter
- Can audit:
  - Login events
  - Exercise of system privileges
  - Exercise of object privileges
  - Use of SQL statements

Setting the AUDIT_TRAIL Parameter

The parameter values can be:
- NONE: Disables collection of audit records
- DB: Enables auditing with records stored in the database
- DB,EXTENDED: Also populates the SQLBIND and SQLTEXT columns
- XML: Enables auditing with records stored in XML-format OS files
- XML,EXTENDED: Also includes SQLBIND and SQLTEXT information
- OS: Enables auditing with records stored in the OS audit trail

Audit Log Location Options

Who has access?

The database audit table is accessible to:
- SYSDBA
- The DBA role
- Anyone with the * ANY TABLE privileges

Optionally, Database Vault can protect database audit tables from the privileged users.

OS audit files are accessible to:
- The root user on the repository machine
- Any user, depending on directory permissions

Audit Vault records are accessible to:
- Configured users
- Records are protected by Database Vault

Specifying Audit Options

SQL statement auditing (nonfocused and focused):

AUDIT TABLE;
AUDIT SELECT TABLE BY scott BY ACCESS;

System-privilege auditing (nonfocused and focused):

AUDIT SELECT ANY TABLE, CREATE ANY TRIGGER;
AUDIT SELECT ANY TABLE BY hr BY ACCESS;

Object-privilege auditing (nonfocused and focused):

AUDIT ALL ON hr.employees;
AUDIT UPDATE, DELETE ON hr.employees BY ACCESS;

Auditing Sessions
Audit unsuccessful attempts to connect:

AUDIT CREATE SESSION BY ACCESS WHENEVER NOT SUCCESSFUL;

Monitor DBA_AUDIT_SESSION:

USERNAME  ACTION_NAME          RETURNCODE  LOGOFF
--------  -------------------  ----------  ----------
FRED      LOGON                      1017
FRED      LOGOFF                        0  0829 22:39
FRED      LOGOFF BY CLEANUP             0  0829 22:40
FRED      LOGON                         0

Check DBA_AUDIT_TRAIL.COMMENT_TEXT.
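An added example (not part of the course material): queries against DBA_AUDIT_SESSION that reproduce the listing above for one user and then summarize failed logons per user and host, which is the view a defender watches for password-guessing against a single account. RETURNCODE 1017 is ORA-01017 (invalid username/password); the 24-hour window and the threshold of five failures are assumed values.

```sql
-- Session history for one account, in the shape of the listing above
SELECT username,
       action_name,
       returncode,
       TO_CHAR(timestamp, 'MMDD HH24:MI')   AS logon_time,
       TO_CHAR(logoff_time, 'MMDD HH24:MI') AS logoff
  FROM dba_audit_session
 WHERE username = 'FRED'
 ORDER BY timestamp;

-- Failed logon attempts (non-zero return code) grouped by account and
-- client host over the last 24 hours; 1017 = ORA-01017 bad credentials.
-- The threshold of 5 is an assumed tuning value, not from the course.
SELECT username,
       userhost,
       os_username,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_failure,
       MAX(timestamp) AS last_failure
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY username, userhost, os_username
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;
```

Run as a user with SELECT on the DBA views (for example, through the DBA role); the second query only returns rows once AUDIT CREATE SESSION has been active long enough to collect failures.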

Viewing Auditing Options

Data Dictionary View   | Description
-----------------------|---------------------------------
ALL_DEF_AUDIT_OPTS     | Default audit options
DBA_STMT_AUDIT_OPTS    | Statement auditing options
DBA_PRIV_AUDIT_OPTS    | Privilege auditing options
DBA_OBJ_AUDIT_OPTS     | Schema object auditing options

Standard Database Auditing

[Figure: standard database auditing flow]
1. DBA enables database auditing (parameter file).
2. DBA specifies audit options (stored in the database).
3. User executes a command; the server process consults the audit options.
4. Server process generates the audit trail: database audit trail, OS audit trail, or syslog files.
5. DBA reviews the audit information.

Viewing Auditing Results

Audit Trail View      | Description
----------------------|-------------------------------------------
DBA_AUDIT_TRAIL       | All audit trail entries
DBA_AUDIT_EXISTS      | Records produced by the NOT EXISTS audit
DBA_AUDIT_OBJECT      | Records concerning the schema objects
DBA_AUDIT_SESSION     | All connect and disconnect entries
DBA_AUDIT_STATEMENT   | Auditing records at the statement level

Auditing the SYSDBA and SYSOPER Users

Control auditing of privileged users with the following parameters:
- audit_sys_operations enables additional auditing of SYSDBA or SYSOPER actions.
- audit_file_dest controls the location of the audit trail. The default is:
  - On UNIX or Linux:
    First: $ORACLE_BASE/admin/<ORACLE_SID>/adump
    Second: $ORACLE_HOME/rdbms/audit
  - On Windows: the Windows Application Event Log

Viewing the SYSDBA Audit Trails

Audit to XML Files

Audit records can be sent to XML-format files:
- Standard audit records
- SYS operations audit records
- Fine-grained audit (FGA) records

XML files can be read with a variety of readers. XML files can be protected by the OS.

Writing Audit Records to syslog

Audit records sent to syslog can be written to:
- Files owned by root
- Another machine

Configuring syslog:
- The audit_syslog_level initialization parameter sets the facility.priority of the messages.
- The syslog.conf file determines where syslog writes the message.

Note: syslog is available for *NIX only.

Configuring Auditing to syslog

Set the parameters:

AUDIT_TRAIL = OS
AUDIT_SYSLOG_LEVEL = facility.priority

For example, in the parameter file:

*.AUDIT_TRAIL=OS
*.AUDIT_SYSLOG_LEVEL='local1.info'

Modify the syslog.conf file and add configuration lines (the second line forwards the records to the remote host edrsr5p1):

# Capture Oracle audit records
local1.info    /var/log/oracle_audit.log
local1.info    @edrsr5p1

Configure the services file on remote machines.

syslog Limitations
syslog limitations:
- Fine-grained audit records are not captured.
- Oracle Label Security audit records are not captured.
- Oracle Database Vault audit records are not captured.
- Messages are limited to 1,024 bytes on some machines.
- Remote messages are sent by User Datagram Protocol (UDP).

Value-Based Auditing

[Figure: value-based auditing flow]
1. A user makes a change.
2. A trigger fires.
3. An audit record is created by the trigger.
4. The user's change is made.
5. A record is inserted into an audit trail table.

Triggers and Autonomous Transactions

Further enhance and protect the auditing by:
- Capturing DML changes to the shadow table
- Replicating audit records to another table
- Capturing attempts to change audit records
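An added example (not from the course) that implements the value-based auditing flow and the protections listed in the two preceding slides in PL/SQL: a trigger on hr.employees (the course's sample schema) records salary changes in a shadow table through an autonomous transaction, and a guard trigger on that shadow table logs and then rejects any attempt to update or delete audit rows. The sequence, table and trigger names are assumed.

```sql
CREATE SEQUENCE hr.emp_salary_audit_seq;
-- Shadow table: one row per salary change on hr.employees (assumed name)
CREATE TABLE hr.emp_salary_audit (
  audit_id    NUMBER       PRIMARY KEY,
  employee_id NUMBER       NOT NULL,
  old_salary  NUMBER(8,2),
  new_salary  NUMBER(8,2),
  changed_by  VARCHAR2(30) NOT NULL,
  os_user     VARCHAR2(30),
  changed_at  TIMESTAMP    DEFAULT SYSTIMESTAMP NOT NULL
);
-- Tamper log: every attempt to update or delete audit rows (assumed name)
CREATE TABLE hr.emp_salary_audit_tamper (
  attempted_by VARCHAR2(30) NOT NULL,
  operation    VARCHAR2(6)  NOT NULL,
  attempted_at TIMESTAMP    DEFAULT SYSTIMESTAMP NOT NULL
);
-- Value-based audit trigger. The autonomous transaction commits the audit
-- row on its own, so it survives even if the user's change is rolled back.
CREATE OR REPLACE TRIGGER hr.employees_salary_aud
  AFTER UPDATE OF salary ON hr.employees
  FOR EACH ROW
  WHEN (NEW.salary <> OLD.salary)
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO hr.emp_salary_audit
    (audit_id, employee_id, old_salary, new_salary, changed_by, os_user)
  VALUES
    (hr.emp_salary_audit_seq.NEXTVAL, :NEW.employee_id, :OLD.salary, :NEW.salary,
     SYS_CONTEXT('USERENV', 'SESSION_USER'), SYS_CONTEXT('USERENV', 'OS_USER'));
  COMMIT;
END;
/
-- Guard trigger: log the attempt in its own autonomous transaction, then
-- abort the statement so the audit trail stays append-only.
CREATE OR REPLACE TRIGGER hr.emp_salary_audit_guard
  BEFORE UPDATE OR DELETE ON hr.emp_salary_audit
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;
  l_op VARCHAR2(6) := CASE WHEN UPDATING THEN 'UPDATE' ELSE 'DELETE' END;
BEGIN
  INSERT INTO hr.emp_salary_audit_tamper (attempted_by, operation)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), l_op);
  COMMIT;
  RAISE_APPLICATION_ERROR(-20001, 'Audit records are read-only');
END;
/
```

Because the guard trigger commits its tamper row before raising the error, the attempt is recorded even though the offending UPDATE or DELETE fails; the audit objects should still live in a schema that ordinary users cannot alter, since a user with DROP or ALTER on them can bypass the trigger.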

Practice 4 Overview: Implementing Basic Auditing

This practice covers the following topics:
- Applying database auditing
- Enabling auditing of the SYS user
- Capturing audit records with syslog

Summary
In this lesson, you should have learned how to:
- Implement basic database auditing
- Implement auditing of the privileged user
- Implement DML and DDL auditing
- Send audit records to the OS files
