$ whoami. Oracle Audit. Agenda. Learning objectives. Overview of Oracle Architecture Oracle audit types Operating system audit Database audit

Transcription

1 $ whoami Oracle Audit ISACA Charlotte 2019 Currently - Audit Analytics Leader - Wells Fargo Formerly - Information Security Officer/ Security Engineer, DBA, software engineer Ethical hacker Python hacker 1 2 Agenda Overview of Oracle Architecture Oracle audit types Operating system audit Database audit Learning objectives Oracle architecture Oracle operating system audit Inventory Installation Permissions Networking Grid infrastructure fundamentals Oracle database audit Accounts System privileges Roles Data access Initialization parameters Audit logging 3 4

2 Oracle audits Aren t necessarily easy Technical in nature Need for a common way of speaking Need to understand architecture Caveats Always get permission to run any scripts in your environment Always test scripts in a non-production environment before using them in production Vet the scripts with your IT DBA and/or risk team The testing methodology is my own The scripts used in the presentation are working in a test environment (I have used them in my previous positions to execute audit testing) 5 6 My testing environment Red Hat Enterprise Linux 7.2 Oracle 12c (12.1.0) VirtualBox Pre-built virtual machines server.111/b28310/ ds_admin005.htm#admin Oracle Architecture 7 8

3 Oracle is Oracle database is not just a data store Job schedulers Kernel interrupts and instrumentation Structured and unstructured data Shared memory and memory pools Interprocess communication (IPC) and threading Large object storage and processing Encryption support at the data storage and network layers (strong algorithms, SSL support) Multiple authentication methods (database, Kerberos, LDAP, etc.) Complex system - like an operating system Networking services (FIFO pipes, etc.) and support for many protocols (TCP, etc.) File subsystem (space allocation, deletion, reuse, recovery, corruption detection, etc.) 9 10 Data flow in an Oracle database instance Data flow in an Oracle database instance Data is not static within an Oracle database instance The data dictionary is composed of Fixed tables Dynamic views These structures expose data at all points throughout the system 11 Copyright 2014, Ron Reidy 12 Copyright 2014, Ron Reidy

4 Data flow Data flow User Application Application Server User Application Application Server User enters data User enters data User data turned into SQL statements The User Enters some data in an application interface The data is turned into SQL statements 13 Copyright 2014, Ron Reidy 14 Copyright 2014, Ron Reidy Data flow Data flow User Application Application Server Database Server User Application Application Server Database Server User enters data User data turned into SQL statements Table Index User enters data User data turned into SQL statements Table Index The data is inserted into the database table; indexes can be also updated Is the data just in the table? (CREDIT_CARD in this case) 15 Copyright 2014, Ron Reidy 16 Copyright 2014, Ron Reidy

5 Data flow Data flow User Application Application Server Database Server User Application Application Server Database Server User enters data User data turned into SQL statements Table Index User enters data User data turned into SQL statements Table Index SGA No! The SQL Statement is The data parsed blocks and required the SQL are and written the to shared data memory bound pools to the (either statement fetched for reads are written or created into the for shared writes if necessary) memory 17 Copyright 2014, Ron Reidy 18 Copyright 2014, Ron Reidy Data flow Data flow User Application Application Server Database Server User Application Application Server Database Server User enters data User data turned into SQL statements Table Index User enters data User data turned into SQL statements Table Index Datafiles SGA PGA SGA PGA The data is in the PGA if sorts are in memory (sometimes in the SGA) The data is also held on disk in files (use strings (UNIX) or hex dumps to read) table data and index data; also internal dumps 19 Copyright 2014, Ron Reidy 20 Copyright 2014, Ron Reidy

6 Data flow Data flow User Application Application Server Database Server User Application Application Server Database Server User enters data User data turned into SQL statements Table Index Datafiles REDO User enters data User data turned into SQL statements Table Index Datafiles REDO SGA PGA SGA PGA Archivelogs Redo is generated in memory on disk Archivelogs are generated in memory on disk 21 Copyright 2014, Ron Reidy 22 Copyright 2014, Ron Reidy Data flow Data flow User Application Application Server Database Server User Application Application Server Database Server User enters data User data turned into SQL statements Table Index Datafiles REDO User enters data User data turned into SQL statements Table Index Datafiles REDO SGA PGA Archivelogs UNDO SGA PGA Archivelogs UNDO Temp Undo segments are generated in memory on disk Temporary tablespaces can also contain the data 23 Copyright 2014, Ron Reidy 24 Copyright 2014, Ron Reidy

7 Data flow Data flow User Application Application Server Database Server User Application Application Server Database Server User enters data User data turned into SQL statements Table Index Datafiles REDO User enters data User data turned into SQL statements Table Index Datafiles REDO SGA PGA Archivelogs UNDO SGA PGA Archivelogs UNDO Temp Temp Flashback Flashback Audit Flash back contains the data in memory on disk Audit trails can contain the data (because these can be written as SQL all of the above are duplicated!!) 25 Copyright 2014, Ron Reidy 26 Copyright 2014, Ron Reidy Data flow Data flow User Application Application Server Database Server User Application Application Server Database Server User enters data User data turned into SQL statements Table Index Datafiles REDO User enters data User data turned into SQL statements Table Index Datafiles REDO SGA PGA Archivelogs UNDO SGA PGA Archivelogs UNDO Temp Temp Flashback Flashback Audit Audit Logs Logs Log files generated by the database server can contain data Oracle allows a huge amount of trace to be generated 10046, 10053, 10925, dumps, events Trace 27 Copyright 2014, Ron Reidy 28 Copyright 2014, Ron Reidy

8 Data flow Data flow User Application Application Server Database Server User Application Application Server Database Server User enters data User data turned into SQL statements Table Index Datafiles REDO User enters data User data turned into SQL statements Table Index Datafiles REDO SGA PGA Archivelogs UNDO SGA PGA Archivelogs UNDO Temp Temp At all stages inside the database, the data is exposed Flashback Audit Logs Trace Backups remove data from the database to tape to disk Flashback Audit Logs Trace Backups, exports, dumps, traces, etc. 29 Copyright 2014, Ron Reidy 30 Copyright 2014, Ron Reidy Data flow Data flow User Application Application Server Database Server User Application Application Server Database Server User enters data User data turned into SQL statements Table Index Datafiles REDO User enters data User data turned into SQL statements Table Index Datafiles REDO SGA PGA Archivelogs UNDO SGA PGA Archivelogs UNDO Data sent in real / semi-real time to standby Disaster recovery Temp Flashback Audit Logs Trace At all stages outside the database, the data is exposed - on the network, operating system, or backup devices. Disaster recovery Temp Flashback Audit Logs Trace Backups, exports, dumps, traces, etc. Backups, exports, dumps, traces, etc. 31 Copyright 2014, Ron Reidy 32 Copyright 2014, Ron Reidy

9 Data dictionary The Oracle data dictionary Everything we need to discover is within the data dictionary Where is the meta data stored How is the meta data exposed The DBA_% views provide this information 33 Copyright 2014, Ron Reidy 34 Copyright 2014, Ron Reidy Data dictionary composition Built in layers Physical data Tables that expose C language data structures X$ tables (usually) Views built on the physical model DBA_% ALL_% USER_% Dynamic data mapping V_$% GV_$% (RAC) Base dictionary tables USER_% views ALL_% views $ tables Shared memory DBA_% views X$ fixed tables V_$ views GV_$ views 35 Copyright 2014, Ron Reidy 36 Copyright 2014, Ron Reidy

10 Source code Code stored in the database PL/SQL Java (if the JVM is installed) Dictionary sources SYS.SOURCE$, DBA_SOURCE, ALL_SOURCE, USER_SOURCE SYS.VIEW$, DBA_VIEWS, ALL_VIEWS, USER_VIEWS SYS.TRIGGER$, DBA_TRIGGERS, ALL_TRIGGERS, USER_TRIGGERS DBA_JAVA_CLASSES, etc. PUBLIC 37 Copyright 2014, Ron Reidy 38 Copyright 2014, Ron Reidy What is it? A role that every DB account assumes Anything granted to PUBLIC is granted to all accounts PUBLIC access growth Access to objects by the PUBLIC role gets bigger 9iR2 12,132 10gR2 21, % 11gR1 27,461 11gR2 28,160 12cR1-36,866 increase over 9iR2 27.5% increase over 10gR2 1% increase over 11gR1 24% increase over 11gR2 39 Copyright 2014, Ron Reidy 40 Copyright 2014, Ron Reidy

11 PUBLIC growth Importance PUBLIC grants 40,000 30,000 20,000 10,000 Pay attention to anything granted to PUBLIC Object access (especially application objects) System privileges Roles (especially application roles!) 0 9i 10g 11gR1 11gR2 12cR1 Database version 41 Copyright 2014, Ron Reidy 42 Copyright 2014, Ron Reidy System privileges granted to PUBLIC Built-in roles granted to PUBLIC Database External OS LDAP Network Authentication methods 43 44

12 Database authentication Username and password stored in the database SYS.USER$ (username exposed in many views; password hash not exposed) Prior to Oracle 11g, password hash was displayed in the view DBA_USERS.PASSWORD SYS.USER_HISTORY$ - password change history The $ tables cannot be audited easily (and usually are not) No accounts or roles aside from DBA should have access to any password hashes External authentication Authenticated from external source OS authentication Implied trust because of operating system authentication OS password controls are important Network authentication SSL Kerberos Directory services PKI SSL authentication Client-server authentication (server to server) Kerberos authentication Assumes 3rd party is secure Uses Kerberos authentication server to provide Single sign-on Centralized password storage Database link authentication 47 48

13 Directory services authentication Central directory to authenticate Oracle internet directory LDAP protocol Enterprise use details Oracle Enterprise Security Manager Centralized privilege management Store and retrieve roles from Oracle Internet Directory PKI authentication Digital certificates to user clients Authenticate directly to servers Clusters Database links Database triggers Dimensions External procedure libraries Indexes and index types Java classes, Java resources, and Java sources Views Schema Collection of logical data structures Materialized views and materialized view logs Object tables, object types, and object views Operators Sequences Stored functions, procedures, and packages Synonyms Tables and index-organized tables Owned by a database account Each account owns a single schema Schema usage Applications are contained within schemas Permissions are granted to objects within the schema by the schema owner (or SYS or DBA role holders) Stored code (procedures, functions, packages) can execute within the context of the schema owner - permissions - more later 51 52

14 Grid infrastructure Provides system support for an Oracle database including Volume management File system Automatic restart capabilities When using Grid infrastructure Listener is started from the software installation Listener and connections made using configuraton files in this software installation Oracle audit types Operating system audit Database audit Operating system audit File system permissions on installation directory and data file locations, audit trail Compiled operating system groups External procedures Cryptography configuration Networking configuration DB patches root group membership Database datafiles Grid infrastructure audit File system audit 55 56

15 User mask Default file permissions mask All files created will have these default permissions (unless modified before files are created) Locations of software Oracle central inventory Location (Linux) specified in /etc/orainst.loc Value Example inventory file ORACLE_BASE permissions Root of the Oracle software installation directory tree Get permissions of all files in each HOME Identify any files or directories with UNIX others write access (there shouldn t be any!) 59 60

16 ORACLE_HOME permissions Location of instance-specific operating system executable, library, etc. files A server can host multiple ORACLE_HOMES Each ORACLE_HOME runs one or more database instances Managed by the Oracle Universal Installer (OUI) File permissions Get a listing of each ORACLE_HOME Identify any files or directories with UNIX others write access ORACLE_HOME/lib permissions Shared libraries for the database instance Directories Oracle exposes default directories on the file system to use within the database These can be used for reading or writing No files should be group or world writable Dangerous! Invalid path Symbolic linked files are OK Demos 63 64

17 Compiled operating system groups Special UNIX groups specified before software installation OUI prompts for the names of these groups Typically "dba", "oper", asm, bkp, dgd, kmt During the install process, a configuration file (config.c) is created Used during the link phase during install and patching activities Identify groups Linux defines the groups in config.c Any operating system accounts assigned to these groups are administrative accounts to the database Identify all accounts in groups Look in the UNIX /etc/group file Find accounts in /etc/passwd with group number These accounts are administrators of the database Controls Identify ownership of these accounts service accounts) Identify who has access to these accounts (if Identify the business need for any account which is not the Oracle software owner to be in these groups Identify operating system password policy implementation for these accounts Identify operating system logging and monitoring controls for these accounts 67 68

18 External procedures Shared library or operating system commands that can be executed from within the database Must be executable by the account that starts the database (file system permissions) Executes under the permissions of this account Access to run these commands is controlled by the database listener Configuration External procedure listener is defined in the listener.ora file Default location: $ORACLE_HOME/network/admin Can be overridden by using an environment variable $TNS_ADMIN Can be a hidden file in any account s $HOME directory - /u01/rreidy/.listener.ora Example extproc configuration Cryptography configuration Cryptography is configured in the sqlnet.ora file Default server location: $ORACLE_HOME/network/admin Can be overridden by using a server environment variable $TNS_ADMIN Can be a hidden file in the account s $HOME directory - /u01/rreidy/.sqlnet.ora 71 72

19 Example sqlnet.ora file Wallets Used to store PKI keys If wallets are used Get permissions of the directory (ls -ld) If any account but the oracle software owner has access, identify why the access is needed Document in the security plan Ensure they are part of the backups with the database Ensure they are part of the DR plan Ensure they are not duplicated to non-production environments Other networking configuration tests Required to connect to a database Account name Password Network path to the listener Controlled by the tnsnames.ora file File is located on the server and any client needing to connect to the database tnsnames.ora file Default location: $ORACLE_HOME/network/admin Can be overridden by using an environment variable $TNS_ADMIN Can be a hidden file in the account s $HOME directory - /u01/rreidy/.tnsnames.ora 75 76

20 Example tnsnames.ora The HOST parameter should be an IP address The service name is the database service Only databases in production environment should be specified in the tnsnames.ora file Default listener port Finding the database instance Use the tnsping command Database links How they work A database link is a schema object in one database that enables you to access objects on another (remote) database The address of the database link is resolved in the tnsnames.ora file; network path resolved through listener.ora DB links can be private to a schema or PUBLIC (available to all database accounts) 79 80

21 Controls DB patches Ensure all DB links resolve to production databases Ensure DB links respect system security levels (no write up) Ensure all PUBLIC DB links are identified in the system security plan Database patches are applied to each ORACLE_HOME List patches applied to each ORACLE_HOME Check the latest patch applied is the last patch issued by Oracle Corp. Check the date of patch application was applied per your policies root group membership The oracle software owner should not be a member of the root group The root account should not be a member of the dba group Escalation of privileges for anyone connecting to the database Who else has root? Any UNIX account which is in the root group or can become root, can also become oracle Ensure all accounts that are in the root group or can become root are documented in the security plan Ensure the access of these accounts is certified periodically Ensure use of these accounts is logged and monitored 83 84

22 Database datafiles Get a listing of the permissions of all database datafiles Locations found in data dictionary UNIX group ownership should only be r (or less); others should have no permissions Grid infrastructure The grid infrastructure is used when Oracle Real Application Clustering (RAC) is used on the server Disk storage administration - volume management Network administration All configuration files used by this installation Location is specified in the inventory file Database audit Account management Roles System privileges Database job schedulers Defaults Audit trail Account management Account analysis Identify accounts and account types Identify system privileges and roles Identify access Password policy Database audit 87 88

23 All database accounts List all database accounts Identify built-in accounts Identify service accounts Identify power users Built-in database accounts There are many built in accounts in Oracle Administrative - 18 Non-administrative - 6 Used to implement database features and options Very powerful (usually) Best practice - start with nothing installed Only install options if a documented need Demo accounts - 9 Should never be installed in any database with production or sensitive data All other accounts need to be investigated Copyright 2014, Ron Reidy Administrative accounts 18 accounts Not all of them will be present Verify the need and use of these accounts Verify ownership Built-in administrators Two built in administrator accounts SYS Owns the internal data dictionary Analogous to the root account on UNIX Can bypass all controls; modify audit trail, etc. SYSTEM Can perform all administrative functions EXCEPT Backup and recovery Database upgrade Accounts are owned by Oracle Corp. Use should be restricted All use documented in the system security plan All use logged and monitored 91 92

24 Non-administrative accounts 9 accounts Not all will be installed Demo accounts 7 accounts Should not be installed in any database with production data Verify the need and use of these accounts Verify ownership Anything left is End user accounts Application service accounts Identify ownership and purpose of all accounts Get listing of all system privileges, roles, and object access for each of these accounts Application service accounts Establish ownership Identify powerful privileges Account should be locked Privileges should be only what is necessary to operations 95 96

25 End user accounts Identify privileges Identify need of access Identify logging and monitoring controls Identify account certification Other administrators Identify the administrative accounts Schema owners Application administrators Ask the business partner Identify them in the security plan Identify account certification cadence Identify ownership of the account and use Logging and monitoring of account use Other administrators Access control issues Accounts with the DBA role (discussed later) Other system privileges CREATE USER ALTER USER Create/alter objects Schema owners can Create objects (with CREATE privileges) Alter objects they own SYS has access to the database audit trail and all data in all schemas Accounts with DBA role have access to the audit trail Accounts with DBA can access all data in all schemas SYS cannot be audited using the database audit trail The oracle install account has access to the file system-based audit trail Accounts with DELETE_CATALOG_ROLE can delete most internal audit trail records Accounts with DELETE on SYS.AUD$ can delete most internal audit trail records

26 Controls Identify ownership of these accounts Identify job duties Title Job description Identify certification cadence Identify password policies for these accounts Identify monitoring controls for these accounts Account analysis Database accounts High risk system privileges Database role analysis Finding accounts with the DBA role Copyright 2014, Ron Reidy

27 Identify power users Users with detailed in-depth knowledge of the application Can act as administrators DBA-like privileges CREATE/ALTER USER CREATE ANY (TABLE, VIEW, TRIGGER, etc.) SELECT/UPDATE/INSERT/DELETE ANY EXECUTE ANY Example Accounts with all system privileges Beware of any accounts with all system privileges 237 system privileges (12cR1) Password controls All database-authenticated accounts are assigned to a resource profile when created Password parameters DEFAULT profile

28 Default passwords Identify accounts with default passwords No accounts should have default passwords Profiles Profiles are used to implement Password controls Resource limits DEFAULT profile Created when the database instance is created Password control parameters Every account has a database profile An account can have only one database profile If no profile is specified when account created, the DEFAULT profile is used Parameter Default Setting Description FAILED_LOGIN_ATTEMPTS 10 Sets the maximum times a user try to log in and to fail before locking the account. PASSWORD_GRACE_TIME 7 Sets the number of days that a user has to change his or her password before it expires. PASSWORD_LIFE_TIME 180 Sets the number of days the user can use his or her current password. The DEFAULT profile is not suitable for use in production systems PASSWORD_LOCK_TIME 1 Sets the number of days an account will be locked after the specified number of consecutive failed login attempts. After the time passes, then the account becomes unlocked. PASSWORD_REUSE_MAX UNLIMITED Sets the number of password changes required before the current password can be reused. PASSWORD_REUSE_TIME UNLIMITED Sets the number of days before which a password cannot be reused. Not secure in any way! Copyright 2014, Ron Reidy

29 Database profiles List all profiles and their password settings We are interested in the PASSWORD settings (resource_type = PASSWORD ) List all accounts and Password profile settings 113 Copyright 2014, Ron Reidy 114 Copyright 2014, Ron Reidy Special profile values UNLIMITED No value set for the parameter DEFAULT If a resource_name is omitted from the profile, the value from the DEFAULT profile is used Default settings Password control parameters can reference the DEFAULT profile Check all password parameters implement password policy The DEFAULT profile must always be the most restrictive profile 115 Copyright 2014, Ron Reidy 116

30 Who can change password controls Many accounts can change password controls SYS SYSTEM Accounts with CREATE PROFILE Accounts with ALTER PROFILE Accounts with DROP PROFILE Accounts with CREATE/ALTER USER Accounts with DBA role Testing High risk system privileges Administrative privileges Privileges with the modifier ANY GRANT ANY PRIVILEGE/ROLE Some others Privilege model Privileges can be granted to Directly to an account To roles (roles granted to accounts) Object privileges SELECT UPDATE DELETE ALTER EXECUTE COMPILE

31 Administrative privileges Oracle 12cR1 237 system privileges All are needed for operation of the database Connect to the database Create, alter, drop, and access objects Manage transactions ADMINISTER ANY SQL TUNING SET ADMINISTER DATABASE TRIGGER (database level trigger) ADMINISTER RESOURCE MANAGER ADMINISTER SQL MANAGEMENT OBJECT ADMINISTER SQL TUNING SET FLASHBACK ARCHIVE ADMINISTRATOR GRANT ANY OBJECT PRIVILEGE GRANT ANY PRIVILEGE GRANT ANY ROLE MANAGE SCHEDULER MANAGE TABLESPACE Many others Testing Identify all accounts with these privileges Ensure the privilege is authorized for the accounts Privileges with the ANY modifier Holders can impersonate any schema (account) in the database 145 privileges Testing Identify all accounts with these privileges Ensure the privilege is authorized for use by the account Privileges can be granted to both accounts and roles

32 GRANT ANY PRIVILEGE/ROLE Very powerful privileges in the database No one except DBAs should have this privilege BECOME USER Used by built-in database roles Undocumented

33 UNLIMITED TABLESPACE Bypasses storage space quotas on all tablespaces Including the SYSTEM tablespace Can cause a DoS of the database Tablespace fills up and does not/cannot extend Testing All accounts should be assigned a space quote for each tablespace Application schemas should never share tablespaces No schemas (except builtins) should ever have any access to the SYSTEM or SYSAUD tablespaces Table access Sweeping data access SELECT ANY TABLE UPDATE ANY TABLE DELETE ANY TABLE INSERT ANY TABLE EXECUTE ANY PROCEDURE

34 Definer vs. Invoker rights There are two modes for stored procedures (packages, functions, procedures) execution Definer rights Default method Executes within the same permissions content as the owner of the code Invoker rights Requires the invoker of the code have explicit permissions granted to all objects referenced within the code

35 EXECUTE ANY PROCEDURE Administrative roles SYSDBA SYSOPER SYSASM - only present in ASM controlled databases SYSBACKUP SYSDG SYSKM DBA Roles with all system privileges/roles SYSDBA, SYSOPER, SYSASM Identifiable in the database password file These accounts are administrators to the database For RAC instances use V$GVPWFILE_USERS SYSDBA Any account with SYSDBA becomes SYS when logging into the database Permissions Perform STARTUP and SHUTDOWN operations ALTER DATABASE: open, mount, back up, or change character set CREATE DATABASE DROP DATABASE CREATE SPFILE ALTER DATABASE ARCHIVELOG ALTER DATABASE RECOVER CREATE/ALTER/DROP USER CREATE/ALTER/DROP ROLE Includes the RESTRICTED SESSION privilege Access to all data in all schemas

36 SYSOPER Any account with SYSOPER becomes PUBLIC when logging into the database SYSASM Used to administer the ASM database ASM database does not contain application data, EVER Permissions Perform STARTUP and SHUTDOWN operations CREATE SPFILE ALTER DATABASE OPEN/MOUNT/BACKUP ALTER DATABASE ARCHIVELOG ALTER DATABASE RECOVER (Complete recovery only. Any form of incomplete recovery, such as UNTIL TIME CHANGE CANCEL CONTROLFILE requires connecting as SYSDBA.) Includes the RESTRICTED SESSION privilege This privilege allows a user to perform basic operational tasks, but without the ability to look at user data DBA Built-in role Granted all system privileges WITH ADMIN OPTION Granted 8 system privileges WITH GRANT OPTION Granted 23 built-in roles Includes the system privilege GRANT ANY ROLE Access to many tables in the data dictionary through roles (owned by SYS) Roles with all system privileges/roles

37 Built-in roles Application roles Role analysis Role basics Roles are containers representing access System privileges Object privileges Roles Built-in roles Predefined and installed in every database High risk roles Catalog roles Import/export roles Provide sweeping access

38 Catalog roles Give access to the data dictionary SELECT_CATALOG_ROLE Provides READ access to objects in the data dictionary objects (MDSYS, OLAPSYS, OUTLN, SYS, WMSYS) Grants the role HS_ADMIN_SELECT_ROLE SELECT to 14 heterogeneous tables (SYS) EXECUTE_CATALOG_ROLE EXECUTE access to on objects in the data dictionary - 97 PL/SQL packages owned by SYS Grants the role HS_ADMIN_SELECT_ROLE EXECUTE to 1 PL/SQL package owned by SYS DELETE_CATALOG_ROLE DELETE access to 2 tables owned by SYS AUD$ Internal database audit FGA_LOG$ trails

39 Import role IMP_FULL_DATABASE Perform full database imports SELECT and EXECUTE catalog roles EXECUTE on 116 objects (SYS, WMSYS) READ and WRITE to file system directories Import role DATAPUMP_IMP_FULL_DATABASE Perform full database imports EXP_FULL_DATABASE IMP_FULL_DATABASE EXECUTE on 229 PL/SQL packages (SYS, WMSYS) READ and WRITE to file system directories Export role EXP_FULL_DATABASE Perform full database export EXECUTE on 111 PL/SQL objects owned by SYS SELECT and EXECUTE catalog roles READ and WRITE to file system directories Export role DATAPUMP_EXP_FULL_DATABASE Perform full database export EXP_FULL_DATABASE SELECT and EXECUTE catalog roles READ and WRITE to file system directories EXECUTE on 111 PL/SQL objects owned by SYS

40 Import/export role vulnerabilities Access to password hashes Application roles Any roles which are not built-in Job schedulers There are two job schedulers built into the database Oracle Scheduler DBMS_JOB Deprecated - should not be used Can run Oracle Scheduler Stored procedure PL/SQL block SQL script External script Executable programs System privileges needed CREATE JOB CREATE ANY JOB CREATE EXTERNAL JOB

41 Scheduling PL/SQL package DBMS_SCHEDULER Create schedules, jobs Drop schedules Controls Identify all jobs that run in the database Identify the owners Identify the jobs are in the security plan Identify change control procedures on jobs

42 DBMS_JOB All jobs should be identified in the security plan Initialization parameters Settings used when the database is started Important to security operations Database auditing Overview Default audit Finding audit events Why audit Compliance Change monitoring Track risk Leading practice

43 Challenges Control audit volume System performance Central management of audit policies Audit trail monitoring Audit trail Types of audit Out of the box auditing Types of audit Default (out of the box) auditing Mandatory audit Standard audit Fine-grained audit Auditing SYS Unified audit Out of the box auditing From 11g on, some audit is enabled by default If the database was created with the DBCA (database creation assistant)

44 Privileges audited SQL statements which use the following privileges ALTER ANY PROCEDURE CREATE ANY LIBRARY DROP ANY TABLE ALTER ANY TABLE CREATE ANY PROCEDURE DROP PROFILE ALTER DATABASE CREATE ANY TABLE DROP USER ALTER PROFILE CREATE EXTERNAL JOB EXEMPT ACCESS POLICY ALTER SYSTEM CREATE PUBLIC DATABASE LINK GRANT ANY OBJECT PRIVILEGE ALTER USER CREATE SESSION GRANT ANY PRIVILEGE AUDIT SYSTEM CREATE USER GRANT ANY ROLE CREATE ANY JOB DROP ANY PROCEDURE View the audit trail DBA_PRIV_AUDIT_OPTS - current system privileges being audited across the system View the audit trail DBA_STMT_AUDIT_OPTS - current statements being audited across the system View the audit trail DBA_OBJ_AUDIT_OPTS - auditing options for all objects

45 Mandatory audit Always enabled Startup/shutdown events SYSDBA/SYSOPER login/logout events Written to the file system AUDIT_FILE_DEST Standard audit Controlled via the AUDIT_TRAIL parameter none - audit is not enabled os - audit trail is written to the file system (value of parameter ) db [,extended] - audit trail is written to the internal audit trail AUD$ (extended writes SQL bind and SQL text CLOB values) xml [,extended] - audit trail is written as XML to the file system (extended writes SQL bind and SQL text CLOB values) Fine-grained audit Example audit operations Accessing data outside of normal business hours Logging in from specific IP addresses Accessing tables and columns of a table Auditing SYS Controlled by the AUDIT_SYS_OPERATIONS parameter Should always be set to true Audit SQL statements issues by SYSDBA and SYSOPER (no statements from PL/SQL blocks) Written to OS files AUDIT_FILE_DEST

46 Unified audit Enable a unified audit policy for all users or for specified users audited event fails, succeeds, or both Specify application context attributes, whose values will be recorded in audit records Policy based Specify whether an audit record is created if the Default policy ORA_SECURE_CONFIG Unified audit Policy based Default policies covering many classes of system privileges Questions? 183