
Oracle Unified Auditing
20 February 2018

Claudia Hüffer, Principal Sales Consultant, Oracle Architects for Cloud & IT Technologies

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Agenda

1. Auditing – Reasons and Methods
2. Options with Oracle 12c
3. Unified Auditing – Concept, Privileges, Roles
4. Unified Auditing – Activating, Setting Up
5. Unified Auditing – Housekeeping
6. Summary


Auditing – Reasons and Methods

What Is Auditing?

• Database Security Guide: http://docs.oracle.com/database/121/DBSEG/auditing.htm#DBSEG340
• Auditing is the monitoring and recording of configured database actions, from both database users and nondatabase users.
• Oracle recommends that you audit your databases.
• Auditing is an effective method of enforcing strong internal controls so that your site can meet its regulatory compliance requirements.


GDPR's Key Security Principles

• Assess: Processes, Profiles, Data Sensitivity, Risks
• Detect: Auditing, Activity Monitoring, Alerting, Reporting
• Prevent: Encryption, Pseudonymization, Anonymization, Fine Grained Access Control, Privileged Access Control, Separation of Duties

Auditing – Properties


Scope and Best Practices

• As a general rule, design your auditing strategy to collect the amount of information that you need to meet compliance requirements, but focus on activities that cause the greatest security concerns.
• Periodically archive and purge the audit trail data.

Methods

• Unified Auditing
• Standard Auditing
• Fine Grained Auditing
• Custom auditing using table triggers
• Generating SQL traces via logon triggers
• Oracle LogMiner


Auditing in Oracle 12c

Unified Auditing – Single Unified Database Audit Trail

Diagram labels:
• Audit trails: AUD$, FGA_LOG$, DVSYS.AUDIT_TRAIL$, and OS, XML, EXTENDED
• Unified Audit Trail: UNIFIED_AUDIT_TRAIL
• Audit Viewer Role: view audit data
• Audit Admin Role: manage policies, manage audit data


Unified Auditing Architecture – Oracle 12cR1

1. Actions audited, audit records generated:
   • select * from hr.employees
   • create Database Vault realm
   • expdp, impdp
   • backup, restore, recover
2. Audit records in SGA in-memory queues
3. Background process GEN0, or manual flush:
   SQL> EXEC SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL
4. Read-only AUDSYS table, view SYS.UNIFIED_AUDIT_TRAIL


Unified Auditing Architecture – Influencing Queueing Behavior in 12cR1

• By default, audit records are first written to SGA queues and then periodically to the audit table in the AUDSYS schema in the SYSAUX tablespace. → On a crash or SHUTDOWN ABORT, records could be lost!
• Available modes:
  – Immediate-write mode
  – Queued-write mode (default)
  – Set with the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY procedure
• init.ora parameter UNIFIED_AUDIT_SGA_QUEUE_SIZE, 1-30 MB

• Setting immediate-write mode:

  BEGIN
    DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
      DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
      DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
      DBMS_AUDIT_MGMT.AUDIT_TRAIL_IMMEDIATE_WRITE);
  END;
  /


• Setting queued-write mode:

  BEGIN
    DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
      DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
      DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
      DBMS_AUDIT_MGMT.AUDIT_TRAIL_QUEUED_WRITE);
  END;
  /

• Manual flush of the audit records into the audit trail in queued mode:
  – Current instance:
    EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
    EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL(DBMS_AUDIT_MGMT.FLUSH_CURRENT_INSTANCE);
  – All instances in a RAC environment:
    EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL(DBMS_AUDIT_MGMT.FLUSH_ALL_INSTANCES);
• In multitenant environments: CONTAINER => DBMS_AUDIT_MGMT.CONTAINER_CURRENT or DBMS_AUDIT_MGMT.CONTAINER_ALL


Unified Auditing Architecture – Oracle 12cR2 – No More Queuing

• To improve read performance of the unified audit trail, the unified audit records are written immediately to disk to an internal relational table in the AUDSYS schema. In the previous release, the unified audit records were written to the common logging infrastructure (CLI) SGA queues.
• If the version of the database that you are using supports partitioned tables, then this internal table is a partitioned table.
• By default, audit trail records are written to the AUDSYS schema in the SYSAUX tablespace. You can designate a different tablespace, including one that is encrypted, by using the built-in PL/SQL procedure DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION.

Which Audit Modes Does Oracle 12c Have?

• A newly installed Oracle 12c database is in so-called mixed mode
  – Traditional and unified auditing can be used in parallel
  – This serves to become familiar with unified auditing and to move old audit settings over to unified auditing step by step
• In mixed mode (the default for a new 12c database) the database shows:

  SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

  VALUE
  ----------------------------------------------------------------
  FALSE


Differences Between Mixed Mode Auditing and Pure Unified Auditing

Mode | Features | How to enable
Mixed mode auditing | Has both traditional and unified auditing | Enable any unified audit policy. There is no need to restart the database.
Pure unified auditing | Has only unified auditing | Link the oracle binary with uniaud_on and restart the database.

Unified Auditing

What Can Be Audited?

• Auditing SQL Statements, Privileges, and Other General Activities
  – Create a policy with CREATE AUDIT POLICY
  – Enable it with AUDIT POLICY
  – Analyze by querying UNIFIED_AUDIT_TRAIL
• Auditing Commonly Used Security-Relevant Activities
  – Assign a predefined policy
  – Analyze by querying UNIFIED_AUDIT_TRAIL
• Auditing Specific, Fine-Grained Activities
  – Use the DBMS_FGA PL/SQL package
  – Analyze by querying UNIFIED_AUDIT_TRAIL


Privileges and Roles

• Oracle provides two roles for users who perform auditing: AUDIT_ADMIN and AUDIT_VIEWER
• To perform any kind of auditing, you must be granted the AUDIT_ADMIN role. This role enables you to create unified and fine-grained audit policies, use the AUDIT and NOAUDIT SQL statements, view audit data, and manage the audit trail administration.
• An auditor can view audit data after being granted the AUDIT_VIEWER role. This role enables users to view and analyze audit data.
• In previous releases, users were allowed to add and remove audit configuration to objects in their own schemas without any additional privileges. This ability is no longer allowed.


Unified Auditing – Activating, Setting Up

Switching to Pure Unified Auditing Mode

• This requires relinking the oracle executable:
  1) Shut down the database:
     SQL> shutdown immediate
  2) Relink the oracle executable:
     cd $ORACLE_HOME/rdbms/lib
     make -f ins_rdbms.mk uniaud_on ioracle
  3) Start the database again:
     SQL> STARTUP

Which Mode Is Set?

  SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

  VALUE
  ----------------------------------------------------------------
  FALSE

  ← Mixed mode = default after a new installation, or the state after relinking with the uniaud_off switch

  SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

  VALUE
  ----------------------------------------------------------------
  TRUE

  ← Pure unified auditing mode, the state after relinking with the uniaud_on switch


Information in the Audit Records

BASIC AUDIT INFORMATION record
• Database session: username, database client, terminal, IP address, instance number, DBID
• Database operation: action executed, SCN, object accessed, SQL statement

EXTENDED AUDIT INFORMATION columns, for component-specific information
• FGA: FGA_POLICY_NAME
• Data Pump operations: DP_XXX
• RMAN operations: RMAN_XXX
• OLS operations: OLS_XXX
• DV violations/changes: DV_XXX
• RAS operations: XS_XXX

Diagram labels: Basic Audit Information (BAI) in view SYS.UNIFIED_AUDIT_TRAIL; Extended Audit Information (EAI) in view SYS.UNIFIED_AUDIT_TRAIL; New columns

Mandatory Auditing

• The UNIFIED_AUDIT_TRAIL data dictionary view captures activities from administrative users such as SYSDBA, SYSBACKUP, and SYSKM
• The following audit-related activities are mandatorily audited:
  – CREATE AUDIT POLICY, ALTER AUDIT POLICY, DROP AUDIT POLICY
  – AUDIT, NOAUDIT
  – EXECUTE of the DBMS_FGA PL/SQL package
  – EXECUTE of the DBMS_AUDIT_MGMT PL/SQL package
  – ALTER TABLE attempts on the AUDSYS audit trail table (not possible)
  – Top level statements by the administrative users SYS, SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM, until the database opens
  – All user-issued DML statements on the SYS.AUD$ and SYS.FGA_LOG$ dictionary tables
  – ...

Every change to the AUDIT settings, and also the deletion of AUDIT entries, is logged! Every admin activity leaves traces! Important for auditors!
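
An added example, not part of the original slides: review queries an auditor with the AUDIT_VIEWER role could run to list the mandatorily audited events named above and to see which policies are currently enabled. The 30-day review window and the choice of columns are assumptions; AUDIT_UNIFIED_ENABLED_POLICIES is queried with its 12c column names.

```sql
-- Added example (not from the original slides).
-- Assumption: a 30-day review window; adjust to the site's review cycle.

-- 1) Detail: who changed audit policies, executed the audit management
--    packages, or issued DML against the traditional audit tables?
SELECT event_timestamp,
       dbusername,
       os_username,
       userhost,
       action_name,
       object_schema,
       object_name,
       return_code,          -- 0 = success, otherwise the ORA- error number
       sql_text
FROM   unified_audit_trail
WHERE  event_timestamp >= SYSTIMESTAMP - INTERVAL '30' DAY
AND    (   action_name IN ('CREATE AUDIT POLICY', 'ALTER AUDIT POLICY',
                           'DROP AUDIT POLICY', 'AUDIT', 'NOAUDIT')
        OR (    action_name   = 'EXECUTE'
            AND object_schema = 'SYS'
            AND object_name  IN ('DBMS_AUDIT_MGMT', 'DBMS_FGA'))
        OR (    action_name  IN ('INSERT', 'UPDATE', 'DELETE')
            AND object_schema = 'SYS'
            AND object_name  IN ('AUD$', 'FGA_LOG$')))
ORDER  BY event_timestamp;

-- 2) Summary: the same events condensed per account, with failed attempts
--    counted separately so that denied changes stand out.
SELECT dbusername,
       action_name,
       object_name,
       COUNT(*)                                          AS events,
       SUM(CASE WHEN return_code <> 0 THEN 1 ELSE 0 END) AS failed,
       MIN(event_timestamp)                              AS first_seen,
       MAX(event_timestamp)                              AS last_seen
FROM   unified_audit_trail
WHERE  event_timestamp >= SYSTIMESTAMP - INTERVAL '30' DAY
AND    (   action_name IN ('CREATE AUDIT POLICY', 'ALTER AUDIT POLICY',
                           'DROP AUDIT POLICY', 'AUDIT', 'NOAUDIT')
        OR (    action_name   = 'EXECUTE'
            AND object_schema = 'SYS'
            AND object_name  IN ('DBMS_AUDIT_MGMT', 'DBMS_FGA'))
        OR (    action_name  IN ('INSERT', 'UPDATE', 'DELETE')
            AND object_schema = 'SYS'
            AND object_name  IN ('AUD$', 'FGA_LOG$')))
GROUP  BY dbusername, action_name, object_name
ORDER  BY events DESC;

-- 3) Current state: which unified audit policies are enabled, for whom,
--    and for success and/or failure. Compare with the NOAUDIT and
--    DROP AUDIT POLICY events found by query 1.
SELECT user_name,
       policy_name,
       enabled_opt,
       success,
       failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name, user_name;
```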

CREATE AUDIT POLICY – Syntax

AUDIT POLICY – Syntax

Auditing SQL Statements, Privileges, and Other General Activities

Unified and Conditional Auditing

Policy Name | What | When | Exceptions
my-audit-policy | PRIVILEGES, ACTIONS | WHEN IP_ADDRESS != ''10.288.241.88'' | Except HR

Auditing Roles

• When you audit a role, Oracle Database audits all system privileges that are directly granted to the role.
• Syntax:
  – CREATE AUDIT POLICY policy_name ROLES role1 [, role2];
• Example 1:
  – CREATE AUDIT POLICY audit_roles_pol ROLES IMP_FULL_DATABASE, EXP_FULL_DATABASE;
• Example 2:
  – CREATE AUDIT POLICY role_dba_audit_pol ROLES DBA CONTAINER = ALL;
• Enable it, for example, with: AUDIT POLICY role_dba_audit_pol;


Auditing System Privileges

• System privilege auditing audits activities that use a system privilege, such as SELECT ANY TABLE.
• List of auditable system privileges: SYSTEM_PRIVILEGE_MAP table (>250)
• Syntax:
  – CREATE AUDIT POLICY policy_name PRIVILEGES privilege1 [, privilege2];
• Example:
  – CREATE AUDIT POLICY my_simple_priv_policy PRIVILEGES SELECT ANY TABLE, CREATE LIBRARY;
• Example with a condition:

  CREATE AUDIT POLICY os_users_priv_pol
    PRIVILEGES SELECT ANY TABLE, CREATE LIBRARY
    WHEN 'SYS_CONTEXT (''USERENV'', ''OS_USER'') IN (''psmith'', ''jrawlins'')'
    EVALUATE PER SESSION;

• Enable it with:
  – AUDIT POLICY os_users_priv_pol;
• Query it, for example, with:

  -- OS user name written as in the policy condition above
  SELECT SYSTEM_PRIVILEGE_USED
  FROM   UNIFIED_AUDIT_TRAIL
  WHERE  OS_USERNAME = 'psmith'
  AND    UNIFIED_AUDIT_POLICIES = 'OS_USERS_PRIV_POL';


Auditing Object Actions

• Syntax:
  – CREATE AUDIT POLICY policy_name ACTIONS action1 [, action2 ON object1] [, action3 ON object2];
• Examples:

  -- actions on several objects
  CREATE AUDIT POLICY my_simple_obj_policy
    ACTIONS SELECT ON OE.ORDERS, UPDATE ON HR.EMPLOYEES;

  -- action on a SYS object
  CREATE AUDIT POLICY select_user_dictionary_table_pol
    ACTIONS SELECT ON SYS.USER$;

  -- several actions on one object
  CREATE AUDIT POLICY actions_on_hr_emp_pol1
    ACTIONS EXECUTE, GRANT ON app_lib;

• Further examples:

  -- all actions on one table
  CREATE AUDIT POLICY all_actions_on_hr_emp_pol
    ACTIONS ALL ON HR.EMPLOYEES;

  -- combination of a system privilege and an object action
  CREATE AUDIT POLICY actions_on_hr_emp_pol2
    PRIVILEGES CREATE LIBRARY
    ACTIONS EXECUTE, GRANT ON app_lib;

• In all examples, the policy must afterwards be activated with AUDIT POLICY ...!


Auditing Oracle Recovery Manager Events

• The UNIFIED_AUDIT_TRAIL data dictionary view automatically stores Oracle Recovery Manager audit events in the RMAN_column.
• Unlike other Oracle Database components, you do not create a unified audit policy for Oracle Recovery Manager events.
• Relevant columns in UNIFIED_AUDIT_TRAIL:
  – RMAN_SESSION_RECID: Recovery Manager session identifier
  – RMAN_SESSION_STAMP: Timestamp for the session
  – RMAN_OPERATION: The Recovery Manager operation executed by the job
  – RMAN_OBJECT_TYPE: Type of objects involved in a Recovery Manager session
  – RMAN_DEVICE_TYPE: Device associated with a Recovery Manager session

Auditing Oracle Data Pump Events

• You can audit Data Pump export (expdp) and import (impdp) operations.
• Syntax:
  – CREATE AUDIT POLICY policy_name ACTIONS COMPONENT=DATAPUMP { EXPORT | IMPORT | ALL };
• Examples:
  – CREATE AUDIT POLICY audit_dp_export_pol ACTIONS COMPONENT=DATAPUMP EXPORT;
  – CREATE AUDIT POLICY audit_dp_import_pol ACTIONS COMPONENT=DATAPUMP IMPORT;
  – CREATE AUDIT POLICY audit_dp_all_pol ACTIONS COMPONENT=DATAPUMP ALL;


• The DP_* columns of the UNIFIED_AUDIT_TRAIL view show Oracle Data Pump-specific audit data.

Unified Auditing and Multitenant

Local Unified Audit Policy versus Common Unified Audit Policy

• Example of a common unified audit policy:

  -- must be entered in the root
  CREATE AUDIT POLICY dict_updates
    ACTIONS UPDATE ON SYS.USER$, DELETE ON SYS.USER$,
            UPDATE ON SYS.LINK$, DELETE ON SYS.LINK$
    CONTAINER = ALL;

• Example of a local unified audit policy:

  -- entered in a PDB
  CREATE AUDIT POLICY table_privs
    PRIVILEGES CREATE ANY TABLE, DROP ANY TABLE
    CONTAINER = CURRENT;


Assigning a Policy with: AUDIT POLICY ...

Assigning an Audit Policy with AUDIT POLICY – Examples

• Assign to specific users:
  – AUDIT POLICY role_connect_audit_pol BY SYS, SYSTEM;
• Assign to users with specific roles:
  – AUDIT POLICY admin_audit_pol BY USERS WITH GRANTED ROLES DBA, CDB_DBA;
• Exclude specific users when assigning:
  – AUDIT POLICY role_connect_audit_pol EXCEPT rlee, jrandolph;
• Audit entry only on failure:
  – AUDIT POLICY role_connect_audit_pol WHENEVER NOT SUCCESSFUL;


Auditing Commonly Used Security-Relevant Activities

Using Predefined Policies

• Logon Failures Predefined Unified Audit Policy: The ORA_LOGON_FAILURES unified audit policy tracks failed logons only, but not any other kinds of logons.
• Secure Options Predefined Unified Audit Policy: The ORA_SECURECONFIG unified audit policy provides all the secure configuration audit options.
• Oracle Database Parameter Changes Predefined Unified Audit Policy: The ORA_DATABASE_PARAMETER policy audits commonly used Oracle Database parameter settings.
• User Account and Privilege Management Predefined Unified Audit Policy: The ORA_ACCOUNT_MGMT policy audits commonly used user account and privilege settings.
• Center for Internet Security Recommendations Predefined Unified Audit Policy: The ORA_CIS_RECOMMENDATIONS policy performs audits that the Center for Internet Security (CIS) recommends.
• Oracle Database Real Application Security Predefined Audit Policies: You can use predefined unified audit policies for Oracle Database Real Application Security events.
• Oracle Database Vault Predefined Unified Audit Policy: The ORA_DV_AUDPOL predefined unified audit policy audits Oracle Database Vault schema objects.


Unified Auditing – Housekeeping

• Archiving the Unified and Traditional Database Audit Trails
  – To archive the unified, traditional standard, and traditional fine-grained audit records, copy the relevant records to a normal database table:

    INSERT INTO table SELECT ... FROM UNIFIED_AUDIT_TRAIL ...;
    INSERT INTO table SELECT ... FROM SYS.AUD$ ...;
    INSERT INTO table SELECT ... FROM SYS.FGA_LOG$ ...;

• Purging Audit Trail Records
  – You can use the DBMS_AUDIT_MGMT PL/SQL package to schedule automatic purge jobs, manually purge audit records, and perform other audit trail operations.


Purging Audit Trail Information

• To perform the audit trail purge tasks, in most cases, you use the DBMS_AUDIT_MGMT PL/SQL package.
• You must have the AUDIT_ADMIN role before you can use the DBMS_AUDIT_MGMT package.
• Oracle Database mandatorily audits all executions of the DBMS_AUDIT_MGMT PL/SQL package procedures.
• Purge the audit trail manually, or create a job that purges it regularly.

Purging the Audit Trail on a Regularly Scheduled Basis

• Procedure:
  1) Plan a timestamp and archive strategy
  2) Optionally set an archive timestamp for audit records
  3) Create and schedule the purge job
  4) Enable (or disable) the purge job


Unified Auditing - Purging on regularly scheduled basis

BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    AUDIT_TRAIL_TYPE    => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    LAST_ARCHIVE_TIME   => '12-OCT-2017 06:30:00.00',
    RAC_INSTANCE_NUMBER => 1,
    CONTAINER           => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

AUDIT_TRAIL_TYPE:
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_XML

CONTAINER:
  DBMS_AUDIT_MGMT.CONTAINER_CURRENT
  DBMS_AUDIT_MGMT.CONTAINER_ALL (from root only)

LAST_ARCHIVE_TIME: DD-MON-YYYY HH:MI:SS.FF or e.g. sysdate-14

Set an archive timestamp for audit records - Example


Unified Auditing - Purging on regularly scheduled basis

BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    AUDIT_TRAIL_TYPE           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    AUDIT_TRAIL_PURGE_INTERVAL => 12,
    AUDIT_TRAIL_PURGE_NAME     => 'Audit_Trail_PJ',
    USE_LAST_ARCH_TIMESTAMP    => TRUE,
    CONTAINER                  => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

AUDIT_TRAIL_PURGE_INTERVAL: In hours. Later on, if you want to update this value, run the DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL procedure.

Create and Schedule the Purge Job - Example


Unified Auditing - Purging on regularly scheduled basis

BEGIN
  DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS(
    AUDIT_TRAIL_PURGE_NAME   => 'Audit_Trail_PJ',
    AUDIT_TRAIL_STATUS_VALUE => DBMS_AUDIT_MGMT.PURGE_JOB_ENABLE);
END;
/

AUDIT_TRAIL_STATUS_VALUE:
  DBMS_AUDIT_MGMT.PURGE_JOB_ENABLE
  DBMS_AUDIT_MGMT.PURGE_JOB_DISABLE

Enable / Disable Purge Job - Example


Unified Auditing

• Procedure:
  1) Plan a timestamp and archive strategy
  2) Optionally set an archive timestamp for audit records
  3) Purge audit records with DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL

Manually Purging the Audit Trail


Unified Auditing - Manually Purging the Audit Trail

BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    AUDIT_TRAIL_TYPE    => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    LAST_ARCHIVE_TIME   => '12-OCT-2013 06:30:00.00',
    RAC_INSTANCE_NUMBER => 1,
    CONTAINER           => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

AUDIT_TRAIL_TYPE:
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_XML

CONTAINER:
  DBMS_AUDIT_MGMT.CONTAINER_CURRENT
  DBMS_AUDIT_MGMT.CONTAINER_ALL (from root only)

LAST_ARCHIVE_TIME: DD-MON-YYYY HH:MI:SS.FF or e.g. sysdate-14

Set an archive timestamp for audit records - Example


Unified Auditing - Manually Purging the Audit Trail

BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    AUDIT_TRAIL_TYPE        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    USE_LAST_ARCH_TIMESTAMP => TRUE,
    CONTAINER               => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

Manually Purge Audit Trail - Example
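The archiving step and the manual purge procedure from the slides above, combined into one run so that nothing is purged before it has been copied. This is an added example, not code from the original slides; the archive table AUDARCH.UAT_ARCHIVE, the 14-day retention window and the UTC handling noted in the comments are assumptions.

```sql
-- Added example, not from the original slides.
-- ASSUMPTION: AUDARCH.UAT_ARCHIVE is a hypothetical archive table, created once with
--   CREATE TABLE audarch.uat_archive AS
--     SELECT * FROM unified_audit_trail WHERE 1 = 0;
-- Run as a user holding AUDIT_ADMIN plus INSERT on the archive table.
SET SERVEROUTPUT ON

DECLARE
  v_cutoff TIMESTAMP WITH TIME ZONE := SYSTIMESTAMP - INTERVAL '14' DAY;
  v_prev   TIMESTAMP WITH TIME ZONE;
  v_rows   PLS_INTEGER;
BEGIN
  -- Lower bound: archive timestamp left by the previous run (NULL on the first run).
  -- Guards against duplicate rows if an earlier purge did not complete.
  SELECT MAX(last_archive_ts)
    INTO v_prev
    FROM dba_audit_mgmt_last_arch_ts
   WHERE audit_trail = 'UNIFIED AUDIT TRAIL';

  -- 1) Archive the window [v_prev, v_cutoff). If this INSERT raises an error,
  --    the block stops here and nothing is purged.
  INSERT INTO audarch.uat_archive
    SELECT *
      FROM unified_audit_trail
     WHERE event_timestamp < v_cutoff
       AND (v_prev IS NULL OR event_timestamp >= v_prev);
  v_rows := SQL%ROWCOUNT;
  COMMIT;

  -- 2) Set the archive timestamp to the same boundary that was archived.
  --    ASSUMPTION: the value is passed in UTC, as DBMS_AUDIT_MGMT expects for
  --    database audit trails; confirm for your release.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    AUDIT_TRAIL_TYPE  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    LAST_ARCHIVE_TIME => SYS_EXTRACT_UTC(v_cutoff),
    CONTAINER         => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);

  -- 3) Purge only what lies before that timestamp.
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    AUDIT_TRAIL_TYPE        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    USE_LAST_ARCH_TIMESTAMP => TRUE,
    CONTAINER               => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);

  DBMS_OUTPUT.PUT_LINE('Archived ' || v_rows || ' rows older than ' || v_cutoff);
END;
/

-- Confirm the boundary the next purge will use.
SELECT audit_trail, last_archive_ts FROM dba_audit_mgmt_last_arch_ts;
```

Keep the archive table in a schema that the audited administrators cannot modify, so the archived copy stays usable as evidence.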


Unified Auditing

AUDIT_UNIFIED_POLICIES: Describes all unified audit policies created in the database
AUDIT_UNIFIED_ENABLED_POLICIES: Describes all unified audit policies that are enabled in the database
AUDITABLE_SYSTEM_ACTIONS: Maps the auditable system action numbers to the action names
SYSTEM_PRIVILEGE_MAP (table): Describes privilege (auditing option) type codes. This table can be used to map privilege (auditing option) type numbers to type names.
UNIFIED_AUDIT_TRAIL: Displays all audit records
V$OPTION: You can query the PARAMETER column for Unified Auditing to find if unified auditing is enabled

Data Dictionary Views


Unified Auditing

DBA_AUDIT_MGMT_CLEAN_EVENTS: Displays the history of purge events of the traditional (that is, non-unified) audit trails. This view applies to read-write databases only. For read-only databases, a history of purge events is in the alert log. (*)
DBA_AUDIT_MGMT_CLEANUP_JOBS: Displays the currently configured audit trail purge jobs
DBA_AUDIT_MGMT_CONFIG_PARAMS: Displays the currently configured audit trail properties that are used by the DBMS_AUDIT_MGMT PL/SQL package
DBA_AUDIT_MGMT_LAST_ARCH_TS: Displays the last archive timestamps that have been set for audit trail purges

Audit Trail Management Data Dictionary Views

(*) For unified auditing, you can find a history of purged events by querying the UNIFIED_AUDIT_TRAIL data dictionary view, using the following criteria: OBJECT_NAME is DBMS_AUDIT_MGMT, OBJECT_SCHEMA is SYS, and SQL_TEXT is set to LIKE %DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL%
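The purge-history lookup from the footnote, written out as a query (an added example, not from the original slides). It widens the footnote's filter from CLEAN_AUDIT_TRAIL to every DBMS_AUDIT_MGMT call, since the slides state these are all audited mandatorily; the CASE labels and the 30-day window are this example's own choices.

```sql
-- Added example: who ran audit-trail housekeeping, from where, and did it succeed.
-- Needs the AUDIT_VIEWER or AUDIT_ADMIN role.
SELECT event_timestamp,
       dbusername,
       os_username,
       userhost,
       -- First matching label wins if one PL/SQL block contains several calls.
       CASE
         WHEN UPPER(sql_text) LIKE '%CLEAN_AUDIT_TRAIL%'          THEN 'PURGE'
         WHEN UPPER(sql_text) LIKE '%SET_LAST_ARCHIVE_TIMESTAMP%' THEN 'ARCHIVE TIMESTAMP SET'
         WHEN UPPER(sql_text) LIKE '%CREATE_PURGE_JOB%'           THEN 'PURGE JOB CREATED'
         WHEN UPPER(sql_text) LIKE '%SET_PURGE_JOB_STATUS%'       THEN 'PURGE JOB ENABLED/DISABLED'
         WHEN UPPER(sql_text) LIKE '%SET_PURGE_JOB_INTERVAL%'     THEN 'PURGE JOB INTERVAL CHANGED'
         ELSE 'OTHER DBMS_AUDIT_MGMT CALL'
       END AS housekeeping_action,
       return_code,            -- 0 = call succeeded
       sql_text
  FROM unified_audit_trail
 WHERE object_schema = 'SYS'
   AND object_name   = 'DBMS_AUDIT_MGMT'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '30' DAY
 ORDER BY event_timestamp DESC;

-- Cross-check against the purge jobs that are supposed to exist.
SELECT job_name, job_status, audit_trail, job_frequency
  FROM dba_audit_mgmt_cleanup_jobs;
```

A PURGE row from a user or host that does not correspond to a configured purge job or a documented manual run is the event to review first.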


Detection is much more important than prevention ... everything we know about complex systems tells us that we cannot find and fix every vulnerability. – Bruce Schneier, Secrets and Lies, 2004, Chapter 24


Database Auditing with Oracle 12c

• Unified Audit Trail
  – Policies control auditing, not initialization parameters
• AUDSYS is the owner of the audit trail
  – Only one table in the SYSAUX tablespace
• Access to the audit trail only for the roles AUDIT_ADMIN and AUDIT_VIEWER
• Supports RMAN, Data Pump and Direct Path Loader
• Better performance

Unified Auditing


Unified Auditing with Oracle 12c

• Comparable to setting up FGA (policies)

Configuring

CREATE AUDIT POLICY zumbeispiel
  PRIVILEGES SELECT ANY TABLE
  ACTIONS CREATE USER, ALTER USER,
          SELECT ON SCOTT.EMP
  ROLES RESOURCE
  WHEN 'SYS_CONTEXT(''USERENV'', ''MODULE'') <> (''PERSVERW'')'
  EVALUATE PER STATEMENT
  CONTAINER = CURRENT; -- only in one PDB


Oracle Audit Vault and Database Firewall

[Diagram labels: Users, Applications; Database Firewall (Allow, Log, Alert, Substitute, Block); Firewall Events; Audit Data; OS, directory, file system and arbitrary audit logs; Audit Vault Repository; Policies (Baselines); Alerts; Prebuilt and custom reports; Security Analyst, Auditor, SOC]

Oracle Audit Vault:
• Comprehensive auditing of many systems
• Storage of audit data in a hardened system
• Separation of duties (auditor, security admin, ...)
• Extensive standard reports


Maintain Control and Visibility on Cloud Databases

[Diagram labels: Customer Premise (Keys, Wallets, Audit Data, Masked Data; Audit Vault, Key Vault, Data Masking & Subsetting); Database Cloud Services (DBCS): encrypt data by default using TDE, restrict admin access by Database Vault]


Information sources

• Product documentation 12cR1
  – http://docs.oracle.com/database/121/DBSEG/part_6.htm
• Product documentation 12cR2
  – http://docs.oracle.com/database/122/DBSEG/part_6.htm
• Tutorial
  – http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/12c/r1/security/sec_uni_audit/sec_uni_audit.html
• Blogs
  – https://blogs.oracle.com/imc/oracle-database-12c-security:-new-unified-auditing
  – https://uhesse.com/2015/07/31/less-performance-impact-with-unified-auditing-in-oracle-12c/
  – http://oracle.ninja/unified-auditing-some-gotchas-to-be-aware-of/


Q  &  A  


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
