Integrigy IOUG 2009 Real World Database Auditing
TRANSCRIPT
-
8/14/2019 Integrigy IOUG 2009 Real World Database Auditing
1/33
Stephen Kost
Integrigy Corporation
Session #602
Real World Database Auditing
-
Introduction

Stephen Kost
  - Chief Technology Officer of Integrigy Corporation
  - 14 years experience with Oracle technology as database administrator, architect, and application administrator
  - Found more than 40 security bugs fixed in CPUs (Critical Patch Updates)

Integrigy Corporation
  - Dedicated to Oracle Security
  - Services: Oracle Security Assessments
  - Products: AppSentry and AppDefend
-
Agenda
  - Overview
  - Managing
  - Protecting
  - Spoofing
  - Third-party Tools
-
Some auditing is always better than none
-
Designed auditing is always better than some auditing
-
Reasonable Assurance ... that I can catch someone doing something bad
-
Effort by Task (chart)
  - Designing: 5%
  - Enabling: 5%
  - Archiving & Purging: 10%
  - Monitoring, Alerting, Reporting, Reviewing: 80%
-
Inside
  - Native
  - Fine-grained
  - Triggers
Outside
  - Network-based
  - Agent-based
  - Log-based
  - Native
  - Protective
-
ALWAYS* enable native auditing
  - AUDIT_TRAIL initialization parameter: os, db, db_extended, xml, xml_extended
  * No performance impact if just enabled
-
Managing
-
Moving SYS.AUD$
  Supported by Oracle? Recommended?
  - Metalink Note ID 72460.1: Not supported, but here's how
  - Backups and Upgrades: Moving may cause problems
  - 11.1 Security Guide: Consider moving it
  - 9.2.0.8 Admin Guide: Should not be moved
-
Why Move SYS.AUD$?
  If the audit trail becomes completely full and no more audit records can be inserted, audited statements cannot be successfully executed until the audit trail is purged. Warnings are returned to all users that issue audited statements.
  - Anyone who can fill up the audit trail is able to cause a denial of service
-
Introducing DBMS_AUDIT_MGMT
  - 10.2.0.3, 10.2.0.4, 11.1.0.x support for moving AUD$ and FGA_LOG$ to a new tablespace
  - Only currently available for the most popular platforms
  - Granted to EXECUTE_CATALOG_ROLE
  - See the Audit Vault documentation for the most detailed information
  - See Metalink Note ID 731908.1
-
DBMS_AUDIT_MGMT
  SET_AUDIT_TRAIL_LOCATION: Move AUD$/FGA_LOG$ to a new tablespace

    begin
      -- AUDIT_TRAIL_DB_STD covers both AUD$ and FGA_LOG$;
      -- the target tablespace (here AUDIT_TS) must already exist
      DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
        audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
        audit_trail_location_value => 'AUDIT_TS');
    end;
    /
-
DBMS_AUDIT_MGMT
  CLEAN_AUDIT_TRAIL: Manually purge the audit trail

    begin
      DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
        -- standard audit trail (AUD$) only; the package defines
        -- AUDIT_TRAIL_AUD_STD, there is no AUDIT_TRAIL_DB_AUD constant
        audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
        -- TRUE deletes only records older than the timestamp set earlier
        -- with SET_LAST_ARCHIVE_TIMESTAMP; FALSE would delete everything
        use_last_arch_timestamp => TRUE );
    end;
    /
-
DBMS_AUDIT_MGMT
  Purge Jobs
  - Schedule jobs to purge the audit tables using INIT_CLEANUP, CREATE_PURGE_JOB, SET_PURGE_JOB_STATUS
  Manage OS Auditing Files
  - Can control the size or age of OS-level audit trail files
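The purge procedure the slide lists, written out end to end as an added example (this is not code from the deck). The job name, the 90-day online retention, the 24-hour intervals and the OS file limits are assumed values; SET_LAST_ARCHIVE_TIMESTAMP is not on the slide but is what makes use_last_arch_timestamp meaningful.

```sql
-- Assumptions (not from the slides): 90-day retention in AUD$, a purge job
-- every 24 hours, and a separate archival process that exports records.
DECLARE
  c_trail CONSTANT PLS_INTEGER := DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD; -- AUD$ only
BEGIN
  -- 1. One-time initialisation. Also relocates AUD$ from SYSTEM to SYSAUX
  --    unless SET_AUDIT_TRAIL_LOCATION already moved it; interval is in hours.
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(c_trail) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => c_trail,
      default_cleanup_interval => 24);
  END IF;

  -- 2. High-water mark of what has been archived (UTC timestamp). Only records
  --    older than this are purged when use_last_arch_timestamp => TRUE, so the
  --    archival job should advance it after every successful export.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => c_trail,
    last_archive_time => SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '90' DAY);

  -- 3. Scheduled purge. use_last_arch_timestamp defaults to FALSE, which would
  --    delete every record on each run; TRUE honours the mark set above.
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => c_trail,
    audit_trail_purge_interval => 24,                  -- hours
    audit_trail_purge_name     => 'AUD_STD_PURGE_JOB', -- assumed job name
    use_last_arch_timestamp    => TRUE);

  -- 4. OS audit files: roll a file at 10 MB (value is in KB) and delete
  --    files older than 30 days.
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
    audit_trail_property       => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
    audit_trail_property_value => 10240);
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
    audit_trail_property       => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE,
    audit_trail_property_value => 30);
END;
/

-- Pause the job during a tablespace move or upgrade without dropping it:
EXEC DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS('AUD_STD_PURGE_JOB', DBMS_AUDIT_MGMT.PURGE_JOB_DISABLE);
```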
-
Protecting
-
Audit Trail Destination Options

  Oracle Version   AUDIT_TRAIL          SYSDBA    FGA
  8.0.x            OS/DB                -         -
  8.1.x            OS/DB                -         -
  9.0.x            OS/DB                -         DB
  9.2.x            OS/DB                OS        DB
  10.1.x           OS/DB                OS        DB
  10.2.x           OS/DB/XML/SYSLOG     OS/XML    DB/XML
  11.1.x           OS/DB/XML/SYSLOG     OS/XML    DB/XML
-
Audit Trail Destination: Database
  - AUD$ and FGA_LOG$
  - Check privileges on these tables and any views such as DBA_AUDIT_* and DBA_FGA_AUDIT_TRAIL
  - Default privilege is DELETE for DELETE_CATALOG_ROLE
  - Database Vault can be used
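The privilege check the slide asks for, as an added example (not code from the deck): the first query lists every grant on the audit tables and the DBA_AUDIT_* / DBA_FGA_AUDIT_TRAIL views, the second resolves nested roles so that users who reach DELETE_CATALOG_ROLE indirectly (for instance through DBA) are also reported.

```sql
-- Every object grant on the audit tables and their dictionary views.
-- Expect few rows; each should be justified, and a DELETE granted to
-- anything other than DELETE_CATALOG_ROLE deserves a closer look.
SELECT p.grantee,
       CASE WHEN r.role IS NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type,
       p.table_name                                        AS object_name,
       p.privilege,
       p.grantable
  FROM dba_tab_privs p
  LEFT JOIN dba_roles r ON r.role = p.grantee
 WHERE p.owner = 'SYS'
   AND (   p.table_name IN ('AUD$', 'FGA_LOG$', 'DBA_FGA_AUDIT_TRAIL')
        OR p.table_name LIKE 'DBA\_AUDIT\_%' ESCAPE '\')
 ORDER BY p.table_name, p.grantee;

-- Users who hold DELETE_CATALOG_ROLE (and with it DELETE on AUD$ and
-- FGA_LOG$) through any chain of nested roles. The hierarchy is built
-- first and filtered to real users afterwards, so intermediate roles
-- in the chain are not lost.
SELECT DISTINCT grantee AS user_name, role_path
  FROM (SELECT rp.grantee,
               SYS_CONNECT_BY_PATH(rp.granted_role, '/') AS role_path
          FROM dba_role_privs rp
         START WITH rp.granted_role = 'DELETE_CATALOG_ROLE'
       CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role)
 WHERE grantee IN (SELECT username FROM dba_users)
 ORDER BY user_name;
```

A row such as SYSTEM with path /DELETE_CATALOG_ROLE/DBA means SYSTEM can purge the audit trail because DBA contains DELETE_CATALOG_ROLE.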
-
Audit Trail Destination: OS
  - Files must be owned by the Oracle owner
  - Any Oracle process can still access the files, including UTL_FILE
  - Always set AUDIT_FILE_DEST; otherwise files go to $ORACLE_HOME/rdbms/audit
  - Check permissions on AUDIT_FILE_DEST
  - Check privileges on V$XML_AUDIT_TRAIL
-
Audit Trail Destination: SYSLOG
  - AUDIT_SYSLOG_LEVEL=facility.priority; available in 10.2 and 11.1
  - Set AUDIT_TRAIL=OS
  - Audit trail and SYS audit trail written to standard Unix/Linux syslog
  - Can only be modified by root; completely protected from the DBA, except for disabling auditing
  - Can be sent to an external logging system
  - Does not include the database SID
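The SYSLOG destination as a configuration change, added here as an example rather than taken from the deck. The facility/priority pair LOCAL1.WARNING is an assumed choice, and AUDIT_SYS_OPERATIONS is the parameter (not named on the slide) that sends the SYS audit trail along with the standard one.

```sql
-- Weak: records stay in AUD$ (AUDIT_TRAIL=DB), where DELETE_CATALOG_ROLE
-- holders can purge them, and statements issued as SYSDBA are not recorded.
--   audit_trail          = DB
--   audit_sys_operations = FALSE

-- Hardened: both audit trails go to syslog, which only root can alter.
-- LOCAL1.WARNING is an assumed facility.priority. Because syslog records
-- carry no database SID, give each instance on a shared host its own
-- facility so the records can be told apart downstream.
ALTER SYSTEM SET audit_trail          = OS               SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level   = 'LOCAL1.WARNING' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE             SCOPE = SPFILE;

-- All three are static parameters: restart the instance, then confirm.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_syslog_level',
                'audit_sys_operations', 'audit_file_dest')
 ORDER BY name;
```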
-
Spoofing
-
Session values and where they are exposed (table)
  Columns: Session Value | V$SESSION View | SYS_CONTEXT Function | SYS.AUD$ / DBA_AUDIT_* | FGA_LOG$ | AUDIT_TRAIL | Audit Vault
  Rows: DB User Name, Schema Name, OS User Name, Machine, Terminal, Program, IP Address, Client Process ID, Module, Action, Client Info, Client ID
-
Auditing Session Data
  - Database User Name
  - OS User Name
  - Schema Name
  - IP Address
  - Machine / Userhost
  - Terminal
  - Program
  - Client Process ID
  - Module
  - Action
  - Client Info
  - Client ID
-
Auditing Session Data: Spoofable
  - Database User Name
  - OS User Name
  - Schema Name
  - IP Address
  - Machine / Userhost
  - Terminal
  - Program
  - Client Process ID
  - Module
  - Action
  - Client Info
  - Client ID
-
Spoofing Audit Session Data
  - Easy to spoof client-supplied session values using a custom program
  - Java/JDBC is easiest, but possible using any Oracle client
  - Only timestamp, IP address, DB user name, and SQL are reliable
  - Look at V$SESSION (often granted to PUBLIC)
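Two defender-side checks built on the slide's point, added here as an example (not code from the deck): whether V$SESSION is readable by everyone, and a report over the audit trail that keys only on the fields the slide calls reliable (DB user, client IP, timestamp) and flags logons whose client-supplied attributes contradict each other. It assumes AUDIT_TRAIL=DB (or DB_EXTENDED) with AUDIT SESSION enabled, and that LOGON records carry the server-recorded client address in COMMENT_TEXT in the form (ADDRESS=(PROTOCOL=tcp)(HOST=...)(PORT=...)).

```sql
-- 1. Can every account see what is recorded about sessions?
--    V$SESSION is a public synonym for SYS.V_$SESSION; a PUBLIC grantee here
--    means any user can read the values the audit trail will capture.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'V_$SESSION';

-- 2. Group logons by the reliable key (DB user, client IP, day) and report
--    keys whose spoofable attributes vary. One account from one address
--    presenting several OS users, hosts or terminals in a day is either a
--    shared account or someone supplying fabricated session values.
WITH logons AS (
  SELECT username,
         -- HOST=... inside the client address; NULL for local (beq) logons
         REGEXP_REPLACE(REGEXP_SUBSTR(comment_text, 'HOST=[^)]+'),
                        '^HOST=', '')           AS client_ip,
         TRUNC(timestamp)                       AS logon_day,
         os_username, userhost, terminal
    FROM dba_audit_trail
   WHERE action_name = 'LOGON'
     AND comment_text LIKE '%Client address:%'
)
SELECT username, client_ip, logon_day,
       COUNT(*)                    AS logons,
       COUNT(DISTINCT os_username) AS os_users,
       COUNT(DISTINCT userhost)    AS userhosts,
       COUNT(DISTINCT terminal)    AS terminals
  FROM logons
 GROUP BY username, client_ip, logon_day
HAVING COUNT(DISTINCT os_username) > 1
    OR COUNT(DISTINCT userhost)    > 1
    OR COUNT(DISTINCT terminal)    > 1
 ORDER BY logon_day DESC, username, client_ip;
```

The report is a triage list, not proof of spoofing; the reliable fields are what to correlate against network or host logs when a row needs explaining.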
-
Java Code to Spoof Session Values

    java.util.Properties info = new java.util.Properties();
    // client-supplied values that the server copies into V$SESSION and the audit trail
    info.put("v$session.osuser", "dummy-osuser");
    info.put("v$session.terminal", "dummy-terminal");
    info.put("v$session.machine", "dummy-machine");
    info.put("v$session.program", "dummy-program");
    info.put("v$session.process", "123456");
    info.put("v$session.module", "dummy-module");
    java.sql.Connection conn =
        (new oracle.jdbc.OracleDriver()).connect(url, info);
    // the client identifier is set on the open connection (an OracleConnection method)
    ((oracle.jdbc.OracleConnection) conn).setClientIdentifier("dummy-clientidentifier");
-
Third-party Auditing Solutions
-
Third Party Auditing Solutions
  Define your STRATEGY first
  - Database security and auditing strategy is critical to successful implementation
  - Define responsibilities for DB security and auditing (difficult in most organizations)
  - The strategy will drive the requirements
-
Third Party Auditing Solutions
  - Application Security AppRadar
  - Embarcadero DSAuditor
  - Guardium SQLGuard
  - Imperva DB Monitoring
  - Fortinet* IPLocks
  - Lumigent Audit DB
  - NitroSecurity NitroGuard DBM
  - Secerno DataWall
  - Sentrigo Hedgehog
  - Symantec Database Security
  - Tizor* Mantra
  - Oracle Audit Vault

  There are fundamental differences among the vendors
  - Database activity capture vs. intrusion detection
  - Data capture techniques = network, agent, log, native
  - Architecture = appliance vs. software
  - Bells and whistles = connection pooling, blocking, assessment, etc.
-
My Other Sessions
  IOUG: Critical Patch Updates: Insight and Understanding (Database)
    Wednesday, 8:30am to 9:30am, Room 222B
  OAUG: Critical Patch Updates Unwrapped (Oracle E-Business Suite)
    Wednesday, 9:45am to 9:30am, Room 304G
-
Questions?
-
Copyright 2009 Integrigy Corporation. All rights reserved.
Contact Information
  www.integrigy.com
  For information on: Oracle Database Security, Oracle E-Business Suite Security, Oracle Critical Patch Updates, Oracle Security Blog
  Stephen Kost, Chief Technology Officer, Integrigy Corporation
  email: [email protected]
  blog: integrigy.com/oraclesecurityblog