Auditing the DBA: What non-technical managers and auditors should know

Auditing the DBA: What non-technical managers and auditors should know. Presented by Cam Larner, President, Absolute Technologies, Inc. January 17, 2007, Version 1.


Page 1: Title slide

Auditing the DBA: What non-technical managers and auditors should know.

Presented by Cam Larner, President, Absolute Technologies, Inc. January 17, 2007, Version 1.

Page 2: Intro

– You are a manager or project lead
– You need to secure E-Biz Suite for SOX compliance purposes
– You have or are implementing controls for application end users
– Your DBA has the access and power to overcome or tamper with these controls without detection
– You need to mitigate DBA risk

Page 3: Background

In the context of SOX, external auditors are beginning to scrutinize DBA access and to request controls, and systematic proof of those controls, to attain compliance.

After all, the systematic controls you have established for application end users will have little impact on your DBA's ability to overcome them.

Page 4: Outline

– Database Basics
– Auditing the DBA
– Issues
– Recommendations

Page 5: DBA & Database Basics

1. DBA's Primary Functions
2. Database Objects
3. Database Access
4. Database Operations
5. DBA Access in Oracle 9i / E-Biz Suite

Page 6: DBA's Primary Functions

– Database creation, startup and shutdown
– Application implementation/upgrade
– Maintenance, backup & recovery
– Performance optimization
– Security/user management
– Troubleshooting

Page 7: Database Objects

– Tables
– Views
– Procedures
– Functions
– Users
– Triggers
– Database Links
– Packages
– Indexes
– Sequences
– Synonyms
– Roles

Page 8: Database Access

– Users: connect to the database
– Privileges: provide access to specific data or objects
– Roles: bundle privileges for easy assignment to users

(Diagram: a User is granted a Privilege directly, or is granted a Role that bundles Privileges.)

User vs. Schema? (see Page 33)

Page 9: Database Operations

– Select data from tables and views
– DML: insert, update and delete records
– DDL: create, alter and drop objects
– Startup and shutdown database

Page 10: DBA Access in Oracle 9i / E-Biz Suite

a. Default Database Users/Schemas
b. Administrative Privileges
c. Administrative Roles
d. Connection Authentication
e. File System Entry Points to the Database
f. Application Access

The DBA has the keys to the kingdom!

Page 11: Default Database Users/Schemas

– SYS: the master account. Owns the Data Dictionary.
– PUBLIC: all users have access to this schema.
– SYSTEM: has all DB privileges, but can't alter SYS objects.
– APPS: the E-Business Suite master account.
– APPLSYS: the Application Object Library master account.

Page 12: Administrative Privileges

– SYSDBA (default schema is SYS)
  – Database creation
  – Instance startup and shutdown
  – Archive and recovery
  – Can access any user's data
– SYSOPER (default schema is PUBLIC)
  – Same as above, but...
  – Can't access other users' data

Page 13: Administrative Roles

– DBA (all system privileges WITH ADMIN OPTION)
– SELECT_CATALOG_ROLE (Data Dictionary views)
– EXECUTE_CATALOG_ROLE (Data Dictionary packages and procedures)
– DELETE_CATALOG_ROLE (AUD$ table)

Page 14: Connection Authentication

– Oracle operating system account groups
  – OSDBA (dba in Unix)
  – OSOPER (oper in Unix)
– REMOTE_LOGIN_PASSWORDFILE
  – None
  – Exclusive
  – Shared
– O7_DICTIONARY_ACCESSIBILITY = TRUE
  – Users may be granted access to SYS
  – Users may log on to SYS remotely and without OS authentication
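The evidence an auditor would ask for on Pages 12 to 14 (who holds SYSDBA/SYSOPER, who holds the DBA role, who can clear the audit trail, and how the named initialization parameters are set) can be pulled from Oracle's data dictionary. This is an added example, not code from the slides or from Absolute Technologies; it uses only standard Oracle 9i views and assumes the querying account holds SELECT_CATALOG_ROLE.

```sql
-- Added example: dictionary queries that document DBA access in Oracle 9i.
-- All view and column names are standard Oracle; nothing here changes the database.

-- 1. Who can connect AS SYSDBA / AS SYSOPER through the password file?
--    (Only meaningful when REMOTE_LOGIN_PASSWORDFILE is EXCLUSIVE or SHARED.)
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 2. Who holds the DBA role (all system privileges WITH ADMIN OPTION)?
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3. Who can delete from the SQL audit trail, either through
--    DELETE_CATALOG_ROLE or through a direct grant on SYS.AUD$?
SELECT grantee, 'DELETE_CATALOG_ROLE' AS how
  FROM dba_role_privs
 WHERE granted_role = 'DELETE_CATALOG_ROLE'
UNION ALL
SELECT grantee, 'DELETE ON SYS.AUD$' AS how
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'AUD$' AND privilege = 'DELETE'
 ORDER BY 1;

-- 4. The initialization parameters named on Pages 14, 17, 19 and 22.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest',
                'remote_login_passwordfile', 'o7_dictionary_accessibility')
 ORDER BY name;

-- Note: membership of the OSDBA ("dba") and OSOPER ("oper") operating system
-- groups is not visible from SQL. Because OS authentication takes precedence
-- over the password file (Page 23), that group list must be reviewed on the
-- server itself (for example /etc/group on Unix) as part of the same check.
```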

Page 15: File System Entry Points to the Database

– FNDCPASS executable (changes an application user's password, as changed by the FND "anonymous" user)
– $ORACLE_HOME/reports60/server/CGIcmd.dat (contains the APPS password)

Page 16: Application Access

– SYSADMIN via the APPS user
– EXAMINE via the APPS user
– All underlying tables of E-Biz Suite

Page 17: Approaches to Auditing the DBA

SQL Audit (AUDIT_TRAIL = TRUE), a database initialization parameter

– Session: when a user logs in or out of the database.
– Statement: when a user tries to delete from any table.
– Privilege: when a user tries to delete from a table using an assigned privilege.
– Object: when a user tries to delete from a specific table.

But... the SYS user owns the audit trail!
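The four SQL Audit levels on this slide map onto four forms of the Oracle AUDIT statement. The block below is an added example, not code from the slides: it assumes AUDIT_TRAIL has been set to DB (the slide writes TRUE, which Oracle accepts as a synonym) and the instance restarted, and uses the E-Business Suite table APPS.FND_USER as the object being protected.

```sql
-- Added example: the four audit levels of the slide as Oracle 9i statements,
-- followed by the queries an auditor would run to confirm and read them.

-- Session level: one record per login/logoff (visible in DBA_AUDIT_SESSION).
AUDIT SESSION;

-- Statement level: any DELETE against any table, one record per statement.
AUDIT DELETE TABLE BY ACCESS;

-- Privilege level: every use of the DELETE ANY TABLE system privilege,
-- regardless of which table it is used against.
AUDIT DELETE ANY TABLE BY ACCESS;

-- Object level: deletes from one specific table only.
AUDIT DELETE ON apps.fnd_user BY ACCESS;

-- Confirm what is in force (user_name is '*' when the option applies to all users).
SELECT user_name, audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT user_name, privilege,    success, failure FROM dba_priv_audit_opts;
SELECT owner, object_name, del
  FROM dba_obj_audit_opts
 WHERE owner = 'APPS' AND object_name = 'FND_USER';

-- Read the trail: the database user, the OS account behind the session,
-- the action, the object touched and whether it succeeded (returncode = 0).
SELECT timestamp, username, os_username, userhost, action_name,
       owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- Caveat from the slide: every one of these rows lives in SYS.AUD$, which SYS
-- owns, so the trail itself must be protected (Pages 22 and 25).
```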

Page 18: Approaches to Auditing the DBA

Database Triggers (Application Auditor)

– Table level (DML)
– System level
  – DDL
  – Session connection
  – Server errors
  – Database startup

But... the SYS user can disable the triggers!
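A system-level DDL trigger of the kind this slide describes, as an added example that is not code from the slides or from the Application Auditor product. It assumes a hypothetical AUDIT_OWNER schema created to hold the log table (so the log is owned neither by SYS nor by the DBA's working account) and that the creating account holds the ADMINISTER DATABASE TRIGGER privilege.

```sql
-- Added example: record every DDL statement in the database into a table
-- owned by a separate audit schema (AUDIT_OWNER is hypothetical). Oracle 9i syntax.

CREATE TABLE audit_owner.ddl_log (
    logged_at  DATE          DEFAULT SYSDATE NOT NULL,
    db_user    VARCHAR2(30)  NOT NULL,   -- session user (ora_login_user)
    os_user    VARCHAR2(64),             -- operating system account behind the session
    host       VARCHAR2(64),             -- client machine
    event      VARCHAR2(20)  NOT NULL,   -- CREATE, ALTER, DROP, GRANT, ...
    obj_owner  VARCHAR2(30),
    obj_name   VARCHAR2(128),
    obj_type   VARCHAR2(20)
);

CREATE OR REPLACE TRIGGER audit_owner.trg_ddl_log
AFTER DDL ON DATABASE
BEGIN
    -- The ora_* attributes are supplied by Oracle to system event triggers;
    -- SYS_CONTEXT gives the OS user and host, which a named-account policy
    -- (Page 24) makes attributable to an individual.
    INSERT INTO audit_owner.ddl_log
        (db_user, os_user, host, event, obj_owner, obj_name, obj_type)
    VALUES
        (ora_login_user,
         SYS_CONTEXT('USERENV', 'OS_USER'),
         SYS_CONTEXT('USERENV', 'HOST'),
         ora_sysevent,
         ora_dict_obj_owner,
         ora_dict_obj_name,
         ora_dict_obj_type);
END;
/

-- The slide's caveat still applies: SYS (or anyone with ALTER ANY TRIGGER)
-- can disable this trigger, so its status is itself an audit item.
SELECT owner, trigger_name, status
  FROM dba_triggers
 WHERE owner = 'AUDIT_OWNER' AND trigger_name = 'TRG_DDL_LOG';
```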

Page 19: Approaches to Auditing the DBA

Log Miner
– Redo and archive logs
– DML
– DDL

Fine Grained Auditing (FGA): monitor select statements at the row level.

AUDIT_SYS_OPERATIONS = TRUE, a database initialization parameter

But... the SYS user can disable Log Miner, FGA, or any init parameter.

Page 20: Issues / Discussion

Common misconception: should we audit at the Application or Database level?

(Diagram: three layers labelled Application, Database and Operating System, with the End User and the DBA as actors and an arrow labelled "On Commit" from the application into the database.)

Data is not stored in the application layer, but in the database layer.

Page 21: Issues / Discussion

When is SYSDBA access necessary? SYSDBA has control over SYS objects, AUD$ (the SQL Audit table) and initialization parameters.

Alternatives to support the DBA role
– SYSOPER (startup and shutdown)
– SYSTEM (maintenance, security)
– Named account with the DBA role (maintenance, security)

Page 22: Issues / Discussion

Securing audit mechanisms from the DBA

– Triggers
– Logminer views, redo and archive logs
– SYS.AUD$ audit trail table
– File system audit directories
– Database initialization parameters
  – AUDIT_FILE_DEST
  – AUDIT_SYS_OPERATIONS
  – AUDIT_TRAIL
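Each mechanism on this slide can be switched off by a sufficiently privileged DBA (the caveat of Page 19), so an auditor wants a check that the mechanisms are still in place. The block below is an added example, not code from the slides: it assumes AUDIT_TRAIL = DB and that any audit triggers live in a hypothetical AUDIT_OWNER schema.

```sql
-- Added example: tamper checks for the audit mechanisms listed on the slide.
-- Standard Oracle 9i views; AUDIT_OWNER is a hypothetical audit schema.

-- Triggers: any audit trigger that is no longer enabled.
SELECT owner, trigger_name, status
  FROM dba_triggers
 WHERE owner = 'AUDIT_OWNER' AND status <> 'ENABLED';

-- SYS.AUD$ and the audit options: statements in the trail that weaken
-- auditing itself (NOAUDIT, ALTER SYSTEM on init parameters, trigger
-- changes, truncates) and anything that touched the trail table.
SELECT timestamp, username, os_username, action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE action_name LIKE '%NOAUDIT%'
    OR action_name IN ('ALTER SYSTEM', 'ALTER TRIGGER', 'DROP TRIGGER', 'TRUNCATE TABLE')
    OR (owner = 'SYS' AND obj_name = 'AUD$')
 ORDER BY timestamp;

-- Initialization parameters: current value against the setting the slides call for.
SELECT name, value,
       CASE WHEN name = 'audit_trail'          AND UPPER(value) IN ('NONE', 'FALSE') THEN 'WEAK'
            WHEN name = 'audit_sys_operations' AND UPPER(value) = 'FALSE'            THEN 'WEAK'
            ELSE 'OK'
       END AS assessment
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest')
 ORDER BY name;

-- FGA: a dropped policy simply disappears, so compare this list with the
-- policies you expect to exist.
SELECT object_schema, object_name, policy_name
  FROM dba_audit_policies
 ORDER BY object_schema, object_name;

-- Limitation: in Oracle 9i, work done AS SYSDBA is not written to SYS.AUD$
-- at all; it reaches the operating system files under AUDIT_FILE_DEST only
-- when AUDIT_SYS_OPERATIONS = TRUE, which is why Page 25 asks for that
-- directory to be copied out of the DBA's reach.
```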

Page 23: Issues / Discussion

"Operating system authentication takes precedence over password file authentication. Specifically, if you are a member of the OSDBA or OSOPER group for the operating system, and you connect as SYSDBA or SYSOPER, you will be connected with associated administrative privileges regardless of the username/password that you specify."

Oracle9i Database Administrator's Guide

Page 24: Recommendations

Segregate DBA duties and access
– Database and application support
– Security, access and auditing

Limit use of SYSDBA

Limit OS user assignment of the "dba" group

Utilize named accounts when possible

Page 25: Recommendations

Audit DBA activity on key application objects
– Triggers (Application Auditor)
– Log Miner
– SQL Audit

Activate the AUDIT_SYS_OPERATIONS initialization parameter

Protect the AUDIT_FILE_DEST log directory from the DBA
– Copy audit log files to secure directories
  – Rsync (Unix)
  – Unison (Unix)

Ask how App Auditor can help you secure the audit trail.

Page 26: Recommendations

"It is suggested that you create at least one additional administrator user, and grant that user the DBA role, to use when performing daily administrative tasks. It is recommended that you do not use SYS and SYSTEM for these purposes."

Oracle9i Database Administrator's Guide

Page 27: Recommendations

"To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by Oracle. They should never be modified by any user or database administrator, and no one should create any tables in the schema of user SYS."

Oracle9i Database Administrator's Guide

Page 28: Commentary

Many DBAs may say that the DBA role is a trusted role, or that a good DBA could overcome almost any restriction or audit trail deployed for control and compliance purposes.

Whether that is true or not is not the point.

The reality is that external auditors are starting to scrutinize DBA access and to request controls, and systematic proof of those controls, to attain compliance. No particular approach may be 'bullet proof', but each hurdle or preventive measure deployed reduces the overall risk as assessed by the auditor.

Page 29: Hurdles to Mitigate Risk

(Diagram: DBA Fraud, with each of the following placed as a hurdle in front of it.)
– Use named accounts
– Audit access
– Audit transactions
– Secure the audit trail
– Limit SYSDBA usage

Page 30: Application Auditor

Audit/Alert/Prevent
– DML transactions
– DDL operations
– DBA activity
– IT staff activity
– Application user activity

Audit session connections
Audit server errors
Secure the audit schema from the DBA

Visit www.absolute-tech.com to learn more.

Page 31: References

Oracle9i Database Administrator's Guide, Release 2 (9.2)

Oracle Privacy Security Auditing, by Arup Nanda & Donald K. Burleson

Page 32: Thank You!

www.absolute-tech.com

Page 33: User vs. Schema

– User: connects to the database.
– Schema: a user which owns objects (tables, views, procedures).

Page 34: E-Biz Suite Schema Map

(Diagram of the schemas and their relationships: SYS, SYSTEM, APPS, APPLSYS, AR, AP, GL, SCOTT, PUBLIC, and the End User.)