Scribd Logo
Upload

Welcome to Scribd!

  • 05 Les 04 Audit

    Uploaded by

    Ashok Thiyagarajan
    64 views22 pages
    The audit tools in Oracle Database include: - database auditing - audit privileged user operations - Fine-grained auditing (FGA) you can create custom value-based auditing. Copyright (c) 2009, Oracle. All rights reserved.

    Original Description:

    Original Title

    05_les_04_Audit

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The audit tools in Oracle Database include: - database auditing - audit privileged user operations - Fine-grained auditing (FGA) you can create custom value-based auditing. Copyright (c) 2009, Oracle. All rights reserved.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    64 views22 pages

    05 Les 04 Audit

    Uploaded by

    Ashok Thiyagarajan
    The audit tools in Oracle Database include: - database auditing - audit privileged user operations - Fine-grained auditing (FGA) you can create custom value-based auditing. Copyright (c) 2009, Oracle. All rights reserved.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 22

    Auditing Database Users, Privileges, and Objects

    Copyright 2009, Oracle. All rights reserved.

    Objectives
    After completing this lesson, you should be able to do the following: Implement basic database auditing Implement auditing of the privileged user Implement data manipulation language (DML) and data definition language (DDL) auditing Send audit records to the operating system (OS) files

    4-2

    Copyright 2009, Oracle. All rights reserved.

    Monitoring for Suspicious Activity


    Monitoring or auditing should be an integral part of your security procedures. The audit tools in Oracle Database include:
    Database auditing Audit privileged user operations Fine-grained auditing (FGA)

    You can create custom value-based auditing.

    4-3

    Copyright 2009, Oracle. All rights reserved.

    Audit Tool Comparisons

    Type of Audit

    What Is Audited?

    What Can Be in the Audit Trail?


    Fixed set of data, including the SQL statement and bind
    Fixed set of data

    Standard database auditing


    Privileged user auditing Fine-grained auditing (FGA)

    Privilege use, including object access


    Connections by default When enabled, all the statements that are issued SQL statements (INSERT, UPDATE, DELETE, and SELECT) based on content

    Fixed set of data, including the SQL statement and bind; extensible through event handlers

    4-5

    Copyright 2009, Oracle. All rights reserved.

    Standard Database Auditing


    Is enabled through the AUDIT_TRAIL parameter Can audit:
    Login events Exercise of system privileges Exercise of object privileges Use of SQL statements

    4-6

    Copyright 2009, Oracle. All rights reserved.

    Setting the AUDIT_TRAIL Parameter


    The parameter values can be: NONE: Disables collection of audit records DB: Enables auditing with records stored in the database DB,EXTENDED: Populates SQLBIND and SQLTEXT columns XML: Enables auditing with records stored in XML format OS files XML,EXTENDED: Includes SQLBIND and SQLTEXT information OS: Enables auditing with records stored in the OS audit trail

    4-7

    Copyright 2009, Oracle. All rights reserved.

    Audit Log Location Options


    Who has access? The database audit table is accessible to:
    SYSDBA The DBA role Anyone with the * ANY TABLE privileges

    Optionally, Database Vault can protect database audit tables from the privileged users. OS audit files are accessible to:
    The root user on the repository machine Any user depending on directory permissions

    Audit Vault records are accessible to:


    Configured users Records protected by Database Vault

    4-8

    Copyright 2009, Oracle. All rights reserved.

    Specifying Audit Options


    SQL statement auditing (nonfocused and focused):

    AUDIT table; AUDIT SELECT TABLE BY SCOTT BY ACCESS

    System-privilege auditing (nonfocused and focused):

    AUDIT select any table, create any trigger; AUDIT select any table BY hr BY ACCESS;

    Object-privilege auditing (nonfocused and focused):

    AUDIT ALL on hr.employees; AUDIT UPDATE,DELETE on hr.employees BY ACCESS;

    4-9

    Copyright 2009, Oracle. All rights reserved.

    Auditing Sessions
    Audit unsuccessful attempts to connect:

    AUDIT CREATE SESSION BY ACCESS WHENEVER NOT SUCCESSFUL;

    Monitor DBA_AUDIT_SESSION:
    ACTION_NAME RETURNCODE LOGOFF -------------------- ---------LOGON 1017 LOGOFF 0 0829 22:39 LOGOFF BY CLEANUP 0 0829 22:40 LOGON 0

    USERNA -----FRED FRED FRED FRED

    Check DBA_AUDIT_TRAIL.COMMENT_TEXT.

    4 - 11

    Copyright 2009, Oracle. All rights reserved.

    Viewing Auditing Options

    Data Dictionary View


    ALL_DEF_AUDIT_OPTS DBA_STMT_AUDIT_OPTS DBA_PRIV_AUDIT_OPTS DBA_OBJ_AUDIT_OPTS

    Description
    Default audit options Statement auditing options Privilege auditing options Schema object auditing options

    4 - 13

    Copyright 2009, Oracle. All rights reserved.

    Standard Database Auditing


    Enable database auditing.

    DBA

    Parameter file

    Specify audit options. Database

    User executes command.

    SYSLOG files

    Audit options

    Server process
    Generate audit trail.

    syslog

    Audit trail Review audit information.

    OS audit trail

    4 - 14

    Copyright 2009, Oracle. All rights reserved.

    Viewing Auditing Results

    Audit Trail View


    DBA_AUDIT_TRAIL DBA_AUDIT_EXISTS DBA_AUDIT_OBJECT DBA_AUDIT_SESSION DBA_AUDIT_STATEMENT

    Description
    All audit trail entries Records produced by the NOT EXISTS audit Records concerning the schema objects All connect and disconnect entries Auditing records at the statement level

    4 - 16

    Copyright 2009, Oracle. All rights reserved.

    Auditing the SYSDBA and SYSOPER Users


    Control auditing of privileged users with the following parameters: audit_sys_operations enables additional auditing of the SYSDBA or SYSOPER actions. audit_file_dest controls the location of the audit trail. The default is:
    (UNIX or Linux)

    First: $ORACLE_BASE/admin/<ORACLE_SID>/adump Second: $ORACLE_HOME/rdbms/audit

    On Windows: Windows Application Event Log

    4 - 17

    Copyright 2009, Oracle. All rights reserved.

    Viewing the SYSDBA Audit Trails

    4 - 18

    Copyright 2009, Oracle. All rights reserved.

    Audit to XML Files


    Audit records can be sent to XML format files.
    Standard audit SYS operations audit records

    Fine-grained audit (FGA) records

    XML files can be read with a variety of readers. XML files can be protected by the OS.

    4 - 20

    Copyright 2009, Oracle. All rights reserved.

    Writing Audit Records to syslog


    Audit records sent to syslog can be written to:
    Files owned by root Another machine

    Configuring syslog
    The audit_syslog_level initialization parameter sets facility.priority of the messages. The syslog.conf file determines where syslog writes the message.

    Note: syslog is available for *NIX only.

    4 - 21

    Copyright 2009, Oracle. All rights reserved.

    Configuring Auditing to syslog


    Set the parameters:
    AUDIT_TRAIL = OS AUDIT_SYSLOG_LEVEL = facility.priority
    *.AUDIT_TRAIL=OS *.AUDIT_SYSLOG_LEVEL='local1.info'

    Modify the syslog.conf file.


    Add configuration lines.

    # Capture Oracle audit records local1.info /var/log/oracle_audit.log local1.info

    @edrsr5p1

    4 - 22

    Configure the services file on remote machines.


    Copyright 2009, Oracle. All rights reserved.

    syslog Limitations
    syslog limitations: Fine-grained audit records are not captured. Oracle Label Security audit records are not captured. Oracle Database Vault audit records are not captured. Message limited to 1,024 bytes on some machines. Remote messages are sent by user datagram protocol (UDP)

    4 - 23

    Copyright 2009, Oracle. All rights reserved.

    Value-Based Auditing

    A user makes a change.

    Trigger fires.

    An audit record is created by the trigger.

    The users change is made.

    A record is inserted into an audit trail table.

    4 - 25

    Copyright 2009, Oracle. All rights reserved.

    Triggers and Autonomous Transactions


    Further enhance and protect the auditing by: Capturing DML changes to the shadow table Replicating audit records to another table Capturing attempts to change audit records

    4 - 27

    Copyright 2009, Oracle. All rights reserved.

    Practice 4 Overview: Implementing Basic Auditing


    This practice covers the following topics: Applying database auditing Enabling auditing of the SYS user Capturing audit records with syslog

    4 - 29

    Copyright 2009, Oracle. All rights reserved.

    Summary
    In this lesson, you should have learned how to: Implement basic database auditing Implement auditing of the privileged user Implement DML and DDL auditing Send audit records to the OS files

    4 - 30

    Copyright 2009, Oracle. All rights reserved.

    You might also like