Oracle Sleuth: Who Did It?

Sitansu S. MittraSenior Principal Engineer &

Database Management Specialist

Computer Sciences Corporation

Session id: 36652

Topic Outline

Prevention of unauthorized user access – roles, privileges, profiles

Detection of harmful activities – AUDIT TRAIL, LogMiner

Correction of impact of activities via ‘undo’ and ‘redo’ entries – LogMiner

Roadmap for Ensuring Data Security in Oracle Databases

Bibliography

Prevention of Unauthorized User Access

•Create a user account .

•Assign one or more roles to the user .

•Assign system and object level privileges to each role

•Set up a profile for the user or use DEFAULT profile.

Relationship among users, roles, privileges, and profiles:

M:NUSER <<---------------------->> ROLE

M:NROLE <<---------------->> PRIVILEGE

M:1 USER <<--------------------> PROFILE

Role = named collection of system or object level privileges that are granted to the role

A role can be granted to a user or to another role.

Privilege = capability to perform authorized function(s) in the database

A system privilege enables a user to perform designated tasks in the database. There are 126 such privileges that can be listed by the query:

select distinct NAME from system_privilege_map order by 1;

An object privilege enables a user to perform primarily DML type tasks (INSERT, UPDATE, DELETE) on designated objects (tables, views, sequences, procedures) in the database. There are 8 such privileges

GRANT Privileges are assigned to roles or users and roles are assigned to other roles or users via the GRANT command.

Sample Session Transcript

SQL>create role A;Role created.SQL>create role B;Role created.SQL>create user X identified by *****;User created.SQL> grant select any table, execute any procedure, insert any table,delete any table, update any table to A;Grant succeeded.

Privileges granted directly to a role or a user can be displayed by querying dba_sys_privs or dba_tab_privs, as the case may be. But privileges granted indirectly to a role or a user cannot be so displayed.

Sample Session Transcript

SQL> grant create any table, insert any table, create session to B;Grant succeeded.

SQL> create role C;Role created.SQL> grant B to C;Grant succeeded.SQL> grant C to X;Grant succeeded.SQL> select grantee, privilege from dba_sys_privs where grantee in ('A', 'B', 'C', 'X')order by grantee, privilege;

GRANTEE PRIVILEGE----------------- -----------------A CREATE SESSIONA DELETE ANY TABLEA EXECUTE ANY PROCEDUREA SELECT ANY TABLEA UPDATE ANY TABLEB CREATE ANY TABLEB CREATE SESSIONB INSERT ANY TABLE

8 rows selected.

(Note that C and X are not listed since they were granted the privileges indirectly. But X does have the privileges granted to B. For example, X can create a table and insert rows into the table, as shown below.)SQL> connect x/*****Connected.SQL> create table P 2 (m number not null, 3 n varchar2 (10));Table created.SQL> insert into P values (17, 'sample');1 row created.

REVOKE

Privileges granted directly to a role or a user can be taken away from that role or user via the REVOKE command. But privileges granted indirectly to a role or a user cannot be so taken away. You must find the direct grantee from whom you can revoke the privileges.

SQL> revoke insert any table from A;Revoke succeeded.

DBA Views about Roles and Privileges

DBA_ROLES all roles that exist DBA_ROLE_PRIVS roles granted to

users/rolesROLE_ROLE_PRIVS roles granted to other

rolesDBA_SYS_PRIVS system privileges

granted to users/rolesDBA_TAB_PRIVS object privileges

granted to users/roles

GRANT WITH GRANT or ADMIN OPTION

One can grant an object privilege to a user WITH GRANT OPTION whereby the user can grant those privileges to other users or roles. These are called grantable privileges and can be assigned only to users, but not to roles.

One can grant a system privilege to a user or a role WITH ADMIN OPTION whereby the user can grant those privileges to other users or roles.

Default Role

A user can have one or more roles. By default, when a user logs in, all of his/her roles are activated. One can designate a subset of these roles as default roles. In that case, only the default roles are activated at logon time.

Profile

A profile is a collection of quotas and privileges related to the following system resource limits and password management:

System ResourceCPU time I/O operation Idle time Connect time

System Resource (Contd.) Memory space as private SQL area (MTS) Concurrent sessions

Password ManagementPassword aging and expiration Password history Password complexity verification Account locking

A user can have only one profile at a time - either Oracle provided DEFAULT profile or a profile created via CREATE PROFILE command and assigned to a user via ALTER USER command.

A CREATEd profile can be dropped, but not the DEFAULT profile.

All limits of the DEFAULT profile are UNLIMITED. But the DBA can change the values via ALTER PROFILE command so that the modified values apply to all users who are assigned the DEFAULT profile.

Query to find limits of any profile:

select * from dba_profiles order by RESOURCE_TYPE;

Changes made to a profile via ALTER PROFILE command take effect for subsequent sessions only.

A profile that has users assigned to it can be dropped only via the command DROP PROFILE profile CASCADE. In that case, Oracle assigns the DEFAULT profile to all users who had the dropped profile as their default profile.

PUBLIC as User

PUBLIC is a special user in Oracle. Any system level or object level privilege granted to PUBLIC can be used by all current and future users of the database. Ideally, privileges should not be granted to PUBLIC. Privileges granted to PUBLIC can be determined by running the following queries:

select privilege from dba_sys_privs where grantee = 'PUBLIC' order by 1;

select privilege from dba_tab_privs where grantee = 'PUBLIC' order by 1;

Detection of Harmful Activities via AUDIT TRAIL

A DBA can track the following user activities via the auditing capability:

• login attempts,

• database actions, and

•  access (retrieval and update) to database objects.

Prerequisite: set the initialization parameter AUDIT_TRAIL to the value TRUE or DB (default is FALSE or NONE).

Audit records are written to the table SYS.AUD$

DBA_ views containing auditing information:

DBA_AUDIT_EXISTS, DBA_AUDIT_OBJECT, DBA_AUDIT_SESSION, DBA_AUDIT_STATEMENT, DBA_AUDIT_TRAIL

DBA_AUDIT_TRAIL is most comprehensive

Auditing Login Attempts

Login as a DBA privileged account

Type “audit session;”

Allow users to login as needed. Run the following query to see the login and logout activities, both successful and unsuccessful: 

select username, os_username, to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Login Time", to_char (LOGOFF_TIME, 'dd-mon-yyyy hh24:mi:ss') "Logout Time", decode (returncode, 0, 'Connected', 01017, 'invalid username/password', 01005, 'null password given', returncode) "Login Status" from dba_audit_session order by 1, 3 desc;

Auditing Database Actions

DBA can audit any action affecting a database object .

Oracle allows 144 actions that can be listed with the query

select action, name from audit_actions;

Possible actions such as CREATE, ALTER, and DROP that can affect a specific object type can be grouped together during auditing;

e.g., “audit table;” will audit all actions affecting a table

With auditing activated for an object, all actions pertaining to that object are recorded in the view DBA_AUDIT_OBJECT. Run the following query to get a list of all such actions :

select username, os_username, owner, obj_name, action_name,

to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time” from dba_audit_object

order by 1, 4, 6 desc; 

DBA can analyze the result to identify users responsible for harmful activities

Access (Retrieval and Update) to Database Objects

Access includes four DML commands, SELECT, INSERT, UPDATE, and DELETE

For each table to be audited, enter the command

AUDIT ALL ON table_name BY ACCESS;

“BY ACCESS” option causes an audit record to be written to the table SYS.AUD$ once for each time the table is accessed;

e.g., if a user performs four update transactions (INSERT, UPDATE, DELETE) on a table, then four separate records are written to SYS.AUD$. They can be viewed by querying the view DBA_AUDIT_OBJECT.

Run the query:

select username, os_username, owner, obj_name, action_name,

to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time"

from dba_audit_object

order by 1, 4, 6 desc;

Sample Session Transcript

SQL> audit table;

Audit succeeded.

SQL> audit view;

Audit succeeded.

SQL> audit all on dqsmith.explore by access;

Audit succeeded.

SQL> audit all on EXPLORE_COPY by access;

Audit succeeded.

SQL> audit all on EXPLORE_ORIGINAL by access;

Audit succeeded.

SQL> select username, os_username, owner, obj_name, action_name,

to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time" from dba_audit_object order by 1, 4, 6 desc;

USERNAME OS_USERNAME OWNER OBJ_NAME ACTION_NAME

---------- ------------ ----------------Transaction Time

--------------------

DQSMITH Mittra DQSMITH EXPLORE CREATE TABLE

18-jul-2003 15:38:36

DQSMITH Mittra SEKHAR EXPLORE INSERT

17-jul-2003 09:07:26

DQSMITH Mittra SEKHAR EXPLORE_ORIGINAL SELECT

18-jul-2003 12:50:38

etc. etc. etc. ……

Storage Management for AUD$

During auditing AUD$ grows rapidly and fragments SYSTEM tablespace. Archive its rows frequently to remedy this situation:

•Determine archiving frequency based on growth rate of AUD$.

•Copy the rows of AUD$ into AUD$_COPY, say, created in a non-SYSTEM tablespace.

•Truncate AUD$.

Correction of Impact of Harmful Activities with LogMiner

LogMiner provides two additional capabilities not available with AUDIT TRAIL:

•DML commands executed and DML commands to reverse them

•Session information to identify the user

LogMiner under Oracle 8i

Allows DBA to read binary Redo Log files, online or archived

Setup

•Include initialization parameter utl_file_dir in init.ora file whose value is a directory to which Oracle can write.

•Run scripts dbmslmd.sql and dbmslm.sql located in $ORACLE_HOME/rdbms/admin.

Setup (Contd.)

•Create LogMiner dictionary.

•Include Redo Log files for LogMiner analysis.

•Start a LogMiner session.

•Always end LogMiner session with the procedure DBMS_LOGMNR.END_LOGMNR to avoid an Ora-00600 internal error.

(Appendix 1 contains all the scripts to setup LogMiner under Oracle 8i.)

LogMiner Output

Four v$ views, v$logmnr_logs, v$logmnr_contents, v$logmnr_dictionary, and v$logmnr_parameters, contain LogMiner data.

Query v$logmnr_contents on columns

•sql_redo (retrieve executed DML commands) and sql_undo (retrieve reverse of executed DML commands) to track user activities

•session_info and related columns to retrieve user identification information

LogMiner Session Transcriptsql_redo

SQL>select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", sql_redo from v$logmnr_contents

where table_space != 'SYSTEM' and timestamp > '15-JUL-2003‘ order by 1; 

Transaction Time SQL_REDO

---------------- ----------------

24-jul-2003 15:51:29

insert into "SYS"."TEST_LOG_MINER"("TEST_ID","TEST_DATE","TESTER_NAME","FINDINGS") values (856,TO_DATE('17-MAY-1966 00:00:00', 'DD-M

ON-YYYY HH24:MI:SS'),'Sakuntala Datta','All success'

LogMiner Session Transcript (Contd.)sql_undo

SQL>select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", sql_undo from v$logmnr_contents

where table_space != 'SYSTEM' and timestamp > '15-JUL-2003‘ order by 1;

Transaction Time SQL_UNDO

---------------- ------------------

24-jul-2003 15:51:29

delete from "SYS"."TEST_LOG_MINER" where "TEST_ID" = 856 and "TEST_DATE" = TO_DATE('17-MAY-1966 00:00:00', 'DD-MON-YYYY HH24:MI:SS')

and "TESTER_NAME" = 'Sakuntala Datta' and "FINDINGS" = 'All success' and ROWID = 'AAAA7NAAGAAAACPAAE';

LogMiner Session Transcript (Contd.)SESSION_INFO and Related Columns

select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time",username,

session#, serial#, operation,session_info

from v$logmnr_contents

where timestamp > '07-AUG-2003'

and seg_name = 'EXPLORE' order by 1;

Transaction Time USERNAME SESSION# SERIAL# OPERATION

-------------------- -------------------

SESSION_INFO

----------------------------------------07-aug-2003 09:00:05 TIMS 8 4975 INSERT

LoginUserName = TIMS, ClientInfo = , OsUserName = Mittra, MachineName = DTS-57\CSC-TIMS33

LogMiner Limitations

(1) LogMiner must be invoked afresh with each new session. All LogMiner session information resides in the PGA (Program Global Area) which is a component of the SGA (System Global Area). PGA is flushed when a user session ends normally or abnormally and all the session information is lost.

LogMiner Limitations (Contd.)

A session ends normally by executing the procedure dbms_logmnr.end_logmnr.

A session ends abnormally generating a silent internal Oracle error ORA-00600 when the user types “exit” or issues the command “connect username/password” without exiting.

Session Transcript

SQL> connect / as sysdba

Connected. (Session as user “SYS” starts)

SQL> show user

USER is "SYS”

(LogMiner is started successfully.)

SQL> connect tims/*******

Connected.

(Session as user “SYS” ends abnormally. PGA is flushed. LogMiner session is lost)

SQL> select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", username, sql_redo, sql_undo from v$logmnr_contents where TABLE_SPACE = 'TIMSDATA' order by 1 desc;

sql_redo, sql_undo from v$logmnr_contents

*

ERROR at line 2:

ORA-01306: dbms_logmnr.start_logmnr() must be invoked before selecting from v$logmnr_contents

LogMiner Limitations (Contd.)

(2) All LogMiner tables are created in the SYSTEM tablespace, which may get fragmented over time due to the growth of these tables. So, Oracle recommends that a separate tablespace be created to store the tables created and used by LogMiner. The procedure dbms_logmnr_d.set_tablespace can be used to create such a tablespace.

Session Transcript

SQL> create tablespace logmnr_tblspc

datafile '/tims1/ssmittra/dev01/monami_instance/logminer/LOGMNR_TBLSPC01.dbf'

size 200M;

Tablespace created.

SQL> EXEC DBMS_LOGMNR_D.SET_TABLESPACE ('logmnr_tblspc');

 PL/SQL procedure successfully completed.

LogMiner Limitations (Contd.)

(3) LogMiner dictionary is static under 8i, but dynamic under 9i. This means that DML actions made after the dictionary is created are not recorded there under 8i. But this limitation has been removed in 9i.

LogMiner under Oracle 9i

Setup is same as under Oracle 8i except that there is no need to run dbmslmd.sql to create a static dictionary, because the LogMiner dictionary is dynamically updated continuously from the online data dictionary.

Appendix 2 contains all the scripts to setup

LogMiner under Oracle 9i.

LogMiner under Oracle 9i (Contd.)

•Columns of v$logmnr_contents (e.g., sql_redo, sql_undo, session_info) return the same information as under Oracle 8i

•Other three LogMiner v$ views are identical under 8i and 9i

LogMiner dictionary is dynamic under 9iSample Session Transcript

09:25:42 SQL> select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", username,sql_redo from v$logmnr_contentswhere TABLE_SPACE = 'TIMSDATA’ and to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') > '04-aug-2003 11:24:27'order by 1;

Transaction Time USERNAME-------------------- ---------------SQL_REDO-----------------------------------------04-aug-2003 11:25:06 SYSinsert into "TIMS"."EXPLORE"("COL01","COL02","COL03","COL04") values ('35128','avav',TO_DATE('02-AUG-03', 'DD-MON-RR'),'17');

(ENTER ONE INSERT AND ONE DELETE)

09:40:48 SQL> INSERT into tims.explore values (6513, 'Indumati', sysdate - 3, 16);

1 row created.09:43:31 SQL> DELETE from tims.explore_copy where col02 = 'cxxc';

1 row deleted.

09:44:14 SQL> select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", username,sql_redo from v$logmnr_contentswhere TABLE_SPACE = 'TIMSDATA’ and to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') > '04-aug-2003 11:24:27'order by 1;

Transaction Time USERNAME-------------------- ---------------SQL_REDO----------------------------------------04-aug-2003 11:25:06 SYSinsert into "TIMS"."EXPLORE"("COL01","COL02","COL03","COL04") values ('35128','avav',TO_DATE('02-AUG-03', 'DD-MON-RR'),'17');

05-aug-2003 09:41:11 SYSINSERT into “TIMS"."EXPLORE"("COL01","COL02","COL03","COL04") values ('6513','Indumati',TO_DATE('02-AUG-03', 'DD-MON-RR'),'16');

05-aug-2003 09:44:16 SYSDELETE from "TIMS"."EXPLORE_COPY" where "COL01" = '2013' and "COL02" = 'cxxc' and "COL03" = TO_DATE('04-AUG-03', 'DD-MON-RR') and "COL04" = '11' and ROWID = 'AAAHxBAMgAAASOUAAB';

(INSERT AND DELETE COMMANDS HAVE BEEN RECORDED IN THE DICTIONARY DYNAMICALLY)

Roadmap for Ensuring Data Security in Oracle Databases

•Follow the principle of prevention, detection, and correction of harmful user activities, intentional or unintentional.

•Restore database to an instant prior to the occurrence of a harmful event.

•Avoid PUBLIC as user as far as possible.

•Review and update security management plan.

Bibliography•Kevin Loney and Marlene Theriault – Oracle 9i DBA Handbook, Chapters. 10 and 11, Oracle Press, 2002.

•Sitansu S. Mittra – Database Performance Tuning and Optimization Using Oracle, Chapter 5, Springer-Verlag, 2003.

•Oracle MetaLink – papers on LogMiner; e.g., Notes 62508.1, 111886.1, etc.

•Marlene Theriault and Aaron Newman - Oracle Security Handbook, Chapters 16 and 17, Oracle Press, 2001.