CS780, April 29, 2010

Cassidy Heeyeon Roh

Oracle 10g R2 Auditing Features: Fine-Grained Auditing


Page 1: Roh Oracle 10gr2 Fga


Page 2

Auditing

Monitoring and recording of selected user database actions:

SQL statements

User name

Application

Time, etc.

Security policies can trigger auditing when specified elements in an Oracle database are accessed or altered, including the contents of a specified object.

Page 3

Auditing: Purpose

Enable future accountability for current actions taken in a particular schema, table, or row, or affecting specific content

Deter users (or others) from inappropriate actions based on that accountability

Investigate suspicious activity, e.g. deletion of rows from tables

Page 4

Auditing: Purpose

Notify an auditor that an unauthorized user is manipulating or deleting data, or that a user has more privileges than expected, which can lead to reassessing user authorizations

Monitor and gather data about specific database activities, e.g. updates, number of concurrent users at peak times

Detect problems with an authorization or access control implementation; create audit policies to track them

Page 5

Audit Records

Audit records can cover:

Successful statement execution, unsuccessful statement execution, or both

Statement execution once in each user session, or once every time the statement is executed

Activities of all users, or of a specified user

Audit record storage

Each record contains the audited operation, the user who performed it, and the time and date of the operation

Data dictionary table: the database audit trail

Operating system files: the operating system audit trail

Page 6

Audit Types

Statement Auditing, e.g. AUDIT TABLE

Audits SQL statements by type of statement

Broad

Audits a selected user or every user

Privilege Auditing, e.g. AUDIT CREATE TABLE

Like statement auditing, but audits the use of a particular system privilege (a particular type of action)

Audits a selected user or every user

Page 7

Audit Types

Schema Object Auditing, e.g. AUDIT SELECT ON employees

Audits specific statements on particular schema objects

Focused

A specified type of statement on a specified schema object

Always applies to all users of the database

Fine-Grained Auditing

Audits at the most granular level

Data access and actions selected by content, using any Boolean condition

Audit on access to, or change in, a column

Page 8

FGA vs. Triggers

Triggers

A PL/SQL call for every row processed

Create a record only when relevant information is changed by a DML statement (DML triggers cannot fire on SELECT)

FGA

No additional cost per row processed

Audits only once per policy for each statement

Audits when the specified relevant columns are involved: a specific type of DML statement, a change or selection made by the statement, or a combination of criteria on the statement

Supports tables and views, and can audit SELECT

Page 9

Fine-Grained Auditing

Implement security policies and associate them with tables, views, or synonyms

Automatic enforcement of security policies regardless of the data access method (e.g. through an application or by ad hoc queries)

Application context combined with fine-grained access control is called Virtual Private Database (VPD)

Page 10

Fine-Grained Auditing: Advantages

Simple user-defined SQL predicates on objects serve as conditions for selective auditing

A query is audited during fetch, when the policy conditions are met for a returned row

Able to run a user-defined event handler, if one is specified in the policy

Implemented using the DBMS_FGA package (triggers are the alternative for DML)

Page 11

Fine-Grained Access Control (VPD): Capabilities

Limit access at the row level for SELECT, INSERT, UPDATE, DELETE

Use security policies only when you need them

Invoke a policy only if a particular column is referenced

Restrict access using a combination of row-level and column-level controls, by applying a VPD policy to a view

Page 12

Fine-Grained Access Control (VPD): Capabilities

Have some policies that are always applied, called static policies, and others that can change during execution, called dynamic policies

Use more than one policy for each table, including building on top of base policies in packaged applications

Distinguish policies between different applications by using policy groups. Each policy group is a set of policies that belong to an application

Page 13

Fine-Grained Access Control (VPD): Capabilities

Distinguish and control the use of INDEX (index maintenance) in row-level security policies

Designate an application context, called a driving context, to indicate the policy group in effect. When tables, views, or synonyms are accessed, the fine-grained access control engine looks up the driving context to determine the policy group in effect and enforces all the associated policies that belong to that policy group
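The following is an added example, not code from the original slides, showing the combination described on the VPD slides: an application context that a trusted package sets, a policy function that turns the context into a row-level predicate, and DBMS_RLS.ADD_POLICY tying both to HR.EMPLOYEES. The schema SEC_ADMIN, the context HR_CTX, the package HR_CTX_PKG, the function EMP_DEPT_PREDICATE and the policy name EMP_DEPT_POLICY are assumptions; the standard HR.EMPLOYEES sample table is assumed to exist. Run as a DBA (CREATE ANY CONTEXT and EXECUTE on DBMS_RLS are needed).

```sql
-- Added example (not from the original slides). Names SEC_ADMIN, HR_CTX,
-- HR_CTX_PKG, EMP_DEPT_PREDICATE and EMP_DEPT_POLICY are assumptions.

-- 1. Application context: only SEC_ADMIN.HR_CTX_PKG may set its attributes,
--    so a session cannot forge its own department with DBMS_SESSION directly.
CREATE OR REPLACE CONTEXT hr_ctx USING sec_admin.hr_ctx_pkg;

CREATE OR REPLACE PACKAGE sec_admin.hr_ctx_pkg AS
  PROCEDURE set_dept(p_dept_id IN NUMBER);
END hr_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.hr_ctx_pkg AS
  PROCEDURE set_dept(p_dept_id IN NUMBER) IS
  BEGIN
    -- In production derive the value from the authenticated identity
    -- (e.g. a lookup keyed on SYS_CONTEXT('USERENV','SESSION_USER')) rather
    -- than trusting a caller-supplied parameter as this illustration does.
    DBMS_SESSION.SET_CONTEXT('HR_CTX', 'DEPT_ID', TO_CHAR(p_dept_id));
  END set_dept;
END hr_ctx_pkg;
/

-- 2. Policy function: returns the predicate the VPD engine appends to every
--    statement on the protected object. Signature (schema, object) is fixed.
--    With no context set the predicate matches nothing (fail closed).
CREATE OR REPLACE FUNCTION sec_admin.emp_dept_predicate(
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('HR_CTX', 'DEPT_ID') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  -- Reference the context inside the predicate instead of concatenating the
  -- value: one shared cursor, and no string splicing of session data.
  RETURN 'department_id = SYS_CONTEXT(''HR_CTX'', ''DEPT_ID'')';
END emp_dept_predicate;
/

-- 3. Attach the policy. update_check => TRUE stops an UPDATE from moving a
--    row into a department the session could not read back; CONTEXT_SENSITIVE
--    re-evaluates the predicate when the context changes (a dynamic policy
--    in the slide's terms).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_DEPT_POLICY',
    function_schema => 'SEC_ADMIN',
    policy_function => 'EMP_DEPT_PREDICATE',
    statement_types => 'SELECT, UPDATE, DELETE',
    update_check    => TRUE,
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/

-- 4. Check from an HR session that has EXECUTE on SEC_ADMIN.HR_CTX_PKG:
SELECT COUNT(*) FROM hr.employees;                  -- no context: 0 rows
EXEC sec_admin.hr_ctx_pkg.set_dept(60);
SELECT employee_id, department_id FROM hr.employees; -- department 60 only
```

The same predicate applies whether the rows are reached through the application or by an ad hoc query, which is the enforcement property the previous slide claims for VPD; the only way around it is to change the context, and the CREATE CONTEXT ... USING clause limits that to the named package.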

Page 14

Fine-Grained Auditing: PL/SQL packages

Administer security policies/policy groups: add, drop, enable, refresh

DBMS_RLS for VPD (fine-grained access control)

DBMS_FGA for Fine-Grained Auditing

Audit record storage

SYS.FGA_LOG$ table

Accessed through the DBA_FGA_AUDIT_TRAIL view

Page 15

Fine-Grained Auditing

Minimize false or unhelpful audits with precise specifications

Audit INSERT, UPDATE, MERGE, SELECT, DELETE (MERGE is audited through the INSERT and UPDATE statement types)

No need to set the AUDIT_TRAIL initialization parameter

Add/remove policies as necessary

Requires the EXECUTE privilege on the DBMS_FGA package; anyone holding it can also disable or drop policies, so grant it sparingly and check the ENABLED column of DBA_AUDIT_POLICIES

Ability to temporarily enable/disable FGA policies with no loss of metadata:

DBMS_FGA.ENABLE_POLICY

DBMS_FGA.DISABLE_POLICY

Page 16

Fine-Grained Auditing: Policies

Monitor data accessed based on content

Specify columns and conditions, e.g. specific types of DML statements in connection with the specified columns

Specify the name of a routine to run when the audit event occurs, in order to:

Notify or alert an administrator

Handle errors and anomalies

Page 17

Fine-Grained Auditing: Policies

Example: limiting logical access to

Specifications

Test results for a product under development

Salary

Audit:

Action type

Area of action

Time of action

User of action

Page 18

FGA: ADD_POLICY Parameters (parameter: description; default)

object_schema: The schema of the object to be audited (if NULL, the current login user's schema is assumed). Default: NULL

object_name: The name of the object to be audited. No default.

policy_name: The unique name of the policy. No default.

audit_condition: A condition on a row that indicates a monitoring condition. NULL is allowed and acts as TRUE. Default: NULL

audit_column: The columns to be checked for access. These can include hidden columns. The default, NULL, causes an audit if any column is accessed or affected. Default: NULL

handler_schema: The schema that contains the event handler. The default, NULL, causes the current schema to be used. Default: NULL

handler_module: The name of the event handler procedure, including the package name if necessary. It is called only after the first row that matches the audit condition in the query is processed. If the procedure fails with an exception, the user's SQL statement fails as well. Default: NULL

enable: Whether the policy is to be enabled; TRUE means enable it. Default: TRUE

statement_types: The SQL statement types to which this policy applies: any combination of INSERT, UPDATE, DELETE and SELECT only. Default: SELECT

audit_trail: Both where to write the fine-grained audit trail (DB or XML) and whether to populate the LSQLTEXT and LSQLBIND columns (EXTENDED). Default: DB+EXTENDED

audit_column_opts: Whether a statement is audited when it references any column specified in audit_column (ANY_COLUMNS) or only when all such columns are referenced (ALL_COLUMNS). Default: ANY_COLUMNS

Page 19

Fine-Grained Auditing: Event handler

Flexible event handler (handler_module): notify an administrator when the triggering event occurs. The handler must have this signature:

PROCEDURE <procedure name> (object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2) AS ...

Audit trail record (audit_trail):

DBMS_FGA.DB + DBMS_FGA.EXTENDED: records go to SYS.FGA_LOG$, and the SQL_BIND and SQL_TEXT values are recorded

DBMS_FGA.XML: audit records are written to XML-formatted OS files (add DBMS_FGA.EXTENDED to include bind values and SQL text there as well)
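The slides describe the event handler but never show one. The following is an added example, not code from the original deck: an FGA policy on HR.EMPLOYEES whose handler writes an alert row from an autonomous transaction and records who ran the statement and what it was. The schema SEC_ADMIN, the table FGA_ALERTS, the procedure SALARY_ALERT and the policy name SALARY_READ_ALERT are assumptions; the standard HR.EMPLOYEES sample table is assumed to exist, and the policy is added by a user with EXECUTE on DBMS_FGA.

```sql
-- Added example (not from the original slides). SEC_ADMIN, FGA_ALERTS,
-- SALARY_ALERT and SALARY_READ_ALERT are assumed names.

CREATE TABLE sec_admin.fga_alerts (
  alert_time    TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP,
  db_user       VARCHAR2(30),
  os_user       VARCHAR2(255),
  ip_address    VARCHAR2(45),
  object_schema VARCHAR2(30),
  object_name   VARCHAR2(128),
  policy_name   VARCHAR2(30),
  sql_text      VARCHAR2(4000)
);

-- The handler must use exactly the (object_schema, object_name, policy_name)
-- signature from the slide. It runs inside the session that triggered the
-- policy, so it is an autonomous transaction: the alert must persist even if
-- the audited statement is rolled back afterwards.
CREATE OR REPLACE PROCEDURE sec_admin.salary_alert(
  p_object_schema IN VARCHAR2,
  p_object_name   IN VARCHAR2,
  p_policy_name   IN VARCHAR2) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_admin.fga_alerts
    (db_user, os_user, ip_address, object_schema, object_name,
     policy_name, sql_text)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     p_object_schema, p_object_name, p_policy_name,
     -- CURRENT_SQL is populated while an FGA handler runs
     SYS_CONTEXT('USERENV', 'CURRENT_SQL'));
  COMMIT;
  -- No WHEN OTHERS on purpose: if the handler raises, the audited statement
  -- fails too (see the handler_module description), which is the fail-closed
  -- behaviour wanted for an alarm on salary reads.
END salary_alert;
/

-- Policy: only SELECTs that reference SALARY (audit_column) and return at
-- least one row with SALARY > 10000 (audit_condition) fire the handler.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'SALARY_READ_ALERT',
    audit_condition   => 'SALARY > 10000',
    audit_column      => 'SALARY',
    handler_schema    => 'SEC_ADMIN',
    handler_module    => 'SALARY_ALERT',
    enable            => TRUE,
    statement_types   => 'SELECT',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- Exercise it as HR. The first query reads SALARY and department 90 holds
-- rows above 10000, so it is audited and the handler runs once; the second
-- never references SALARY and produces neither a trail record nor an alert.
SELECT employee_id, salary    FROM hr.employees WHERE department_id = 90;
SELECT employee_id, last_name FROM hr.employees WHERE department_id = 90;

-- Both sides of the record: the handler's alert and the FGA trail entry.
SELECT alert_time, db_user, os_user, ip_address, sql_text
  FROM sec_admin.fga_alerts;
SELECT timestamp, db_user, os_user, statement_type, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'SALARY_READ_ALERT';
```

Keep the handler short and free of work that can fail for environmental reasons (network calls, full tablespaces): because an exception in it aborts the user's statement, a broken handler turns an audit policy into a denial of service on the audited table.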

Page 20

Fine-Grained Auditing: DBMS_FGA.ADD_POLICY Syntax

DBMS_FGA.ADD_POLICY(
  object_schema     VARCHAR2,
  object_name       VARCHAR2,
  policy_name       VARCHAR2,
  audit_condition   VARCHAR2,
  audit_column      VARCHAR2,
  handler_schema    VARCHAR2,
  handler_module    VARCHAR2,
  enable            BOOLEAN,
  statement_types   VARCHAR2,
  audit_trail       BINARY_INTEGER IN DEFAULT,
  audit_column_opts BINARY_INTEGER IN DEFAULT);

Page 21

Fine-Grained Auditing: DBMS_FGA.ADD_POLICY Example

begin
  DBMS_FGA.ADD_POLICY (
    object_schema     => 'scott',
    object_name       => 'emp',
    policy_name       => 'mypolicy1',
    audit_condition   => 'sal < 100',            -- audit when sal < 100
    audit_column      => 'comm, sal',
    handler_schema    => NULL,
    handler_module    => NULL,
    enable            => TRUE,
    statement_types   => 'INSERT, UPDATE',
    audit_trail       => DBMS_FGA.XML + DBMS_FGA.EXTENDED,
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
end;
/

Page 22

Fine-Grained Auditing: DBMS_FGA.ADD_POLICY Example

begin
  DBMS_FGA.ADD_POLICY (
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'POLICY_EMP_SAL_COMM',
    audit_condition   => 'NULL',   -- intended to record all rows; note that the
                                   -- quoted string 'NULL' is the predicate text
                                   -- NULL, not a NULL (always-true) condition;
                                   -- pass NULL unquoted, or omit the parameter
    audit_column      => 'SALARY, COMMISSION_PCT',
    statement_types   => 'SELECT, UPDATE',
    audit_column_opts => DBMS_FGA.ALL_COLUMNS);  -- audit only when the statement
                                                 -- references all audit_column columns
end;
/

PL/SQL procedure successfully completed.

Page 23

Fine-Grained Auditing: Example executions as HR

UPDATE hr.employees
   SET SALARY = SALARY + 4000
 WHERE employee_id = 197;

UPDATE hr.employees
   SET SALARY = SALARY + 4000,
       COMMISSION_PCT = COMMISSION_PCT + 0.5
 WHERE COMMISSION_PCT > 0;

SELECT employee_id, salary FROM hr.employees;

DELETE hr.employees WHERE employee_id = 110;

SELECT * FROM hr.employees;

Page 24

Fine-Grained Auditing: Example executions before the policy is enabled

UPDATE hr.employees
   SET SALARY = SALARY + 4000
 WHERE employee_id = 197;
1 row updated.

UPDATE hr.employees
   SET SALARY = SALARY + 4000,
       COMMISSION_PCT = COMMISSION_PCT + 0.5
 WHERE COMMISSION_PCT > 0;
35 rows updated.

SELECT employee_id, salary FROM hr.employees;
107 rows selected.

DELETE hr.employees WHERE employee_id = 110;
1 row deleted.

SELECT * FROM hr.employees;
106 rows selected.

Page 25

Fine-Grained Auditing: DBMS_FGA.ENABLE_POLICY Example

DBMS_FGA.ENABLE_POLICY(
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2,
  enable        BOOLEAN);

BEGIN
  DBMS_FGA.ENABLE_POLICY (
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    policy_name   => 'POLICY3_EMP_SAL_COMM',
    enable        => TRUE);
END;
/

PL/SQL procedure successfully completed.

Page 26

Fine-Grained Auditing: DBMS_FGA.DISABLE_POLICY and DROP_POLICY Syntax

DBMS_FGA.DISABLE_POLICY(
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2);

DBMS_FGA.DROP_POLICY(
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2);

Neither procedure takes an enable parameter. DISABLE_POLICY keeps the policy definition so it can be re-enabled; DROP_POLICY removes it.

Page 27

Fine-Grained Auditing: Example executions when the policy is enabled

UPDATE hr.employees
   SET SALARY = SALARY + 4000
 WHERE employee_id = 197;
1 row updated.
-- NOT audited: the statement references only SALARY, not COMMISSION_PCT (ALL_COLUMNS)

UPDATE hr.employees
   SET SALARY = SALARY + 4000,
       COMMISSION_PCT = COMMISSION_PCT + 0.5
 WHERE COMMISSION_PCT > 0;
UPDATE hr.employees
*
ERROR at line 1:
ORA-28138: Error in Policy Predicate
-- This statement references both SALARY and COMMISSION_PCT, so the policy applies.
-- ORA-28138 means the engine could not evaluate the policy predicate: the statement
-- is rejected, not audited. The audit_condition was supplied as the quoted string
-- 'NULL', which is the predicate text NULL rather than a null (always-true)
-- condition; with NULL unquoted the statement would succeed and be audited.

Page 28

Fine-Grained Auditing: Example executions when the policy is enabled

SELECT employee_id, salary FROM hr.employees;
107 rows selected.
-- NOT audited: ALL_COLUMNS requires both SALARY and COMMISSION_PCT to be referenced

DELETE hr.employees WHERE employee_id = 110;
1 row deleted.
-- NOT audited: DELETE is not in statement_types

SELECT * FROM hr.employees;
SELECT * FROM hr.employees
*
ERROR at line 1:
ORA-28112: failed to execute policy function
-- SELECT * references both audited columns, so the policy applies; the error
-- again shows the policy could not be evaluated, so the query is rejected
-- rather than audited (the "106 rows selected." seen before enabling is no
-- longer reached).

Page 29

Fine-Grained Auditing: Audit trails

SELECT * FROM SYS.FGA_LOG$;

SELECT * FROM DBA_FGA_AUDIT_TRAIL;

Records are purged from the base table, not the view: DELETE FROM SYS.FGA_LOG$ as SYS (after archiving the records).

One record from DBA_FGA_AUDIT_TRAIL (columns in view order; empty columns omitted):

SESSION_ID: 847

TIMESTAMP: 20-APR-10

DB_USER: HR

OS_USER: MET-VS\CS780

USERHOST: WORKGROUP\MET-VS

EXT_NAME: MET-VS\CS780

OBJECT_SCHEMA: HR

OBJECT_NAME: EMPLOYEES

POLICY_NAME: POLICY_EMP_SAL_COMM

SCN: 698725

SQL_TEXT: UPDATE hr.employees SET SALARY = SALARY+ 4000 WHERE employee_id =197

STATEMENT_TYPE: UPDATE

EXTENDED_TIMESTAMP: 20-APR-10 03.39.32.544000 PM -04:00

Page 30

Audit trail records as stored in the OS (XML audit file elements): Element / Type

AUDIT_TYPE NUMBER

CLIENT_ID VARCHAR2(64)

COMMENT_TEXT VARCHAR2(4000)

DB_USER VARCHAR2(30)

ENTRYID NUMBER

EXTENDED_TIMESTAMP TIMESTAMP(6) WITH TIME ZONE

GLOBAL_UID VARCHAR2(32)

INSTANCE_NUMBER NUMBER

OBJECT_NAME VARCHAR2(128)

OBJECT_SCHEMA VARCHAR2(30)

POLICY_NAME VARCHAR2(30)

PROXY_SESSIONID NUMBER

SESSION_ID NUMBER

SQL_BIND VARCHAR2(4000)

SQL_TEXT VARCHAR2(4000)

STATEMENT_TYPE VARCHAR2(28)

STATEMENTID NUMBER

TERMINAL VARCHAR2(255)

TRANSACTIONID RAW(8)

Page 31

Audit Trail Views (view: description)

STMT_AUDIT_OPTION_MAP: Contains information about auditing option type codes. Created by the SQL.BSQ script at CREATE DATABASE time.

AUDIT_ACTIONS: Contains descriptions for audit trail action type codes.

ALL_DEF_AUDIT_OPTS: Contains default object-auditing options that will be applied when objects are created.

DBA_STMT_AUDIT_OPTS: Describes current system auditing options across the system and by user.

DBA_PRIV_AUDIT_OPTS: Describes current system privileges being audited across the system and by user.

DBA_OBJ_AUDIT_OPTS, USER_OBJ_AUDIT_OPTS: Describe auditing options on all objects. The USER view describes auditing options on all objects owned by the current user.

DBA_AUDIT_TRAIL, USER_AUDIT_TRAIL: List all audit trail entries. The USER view shows audit trail entries relating to the current user.

DBA_AUDIT_OBJECT, USER_AUDIT_OBJECT: Contain audit trail records for all objects in the system. The USER view lists audit trail records for statements concerning objects that are accessible to the current user.

DBA_AUDIT_SESSION, USER_AUDIT_SESSION: List all audit trail records concerning CONNECT and DISCONNECT. The USER view lists all audit trail records concerning connections and disconnections for the current user.

DBA_AUDIT_STATEMENT, USER_AUDIT_STATEMENT: List audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements throughout the database or, for the USER view, issued by the user.

DBA_AUDIT_EXISTS: Lists audit trail entries produced by AUDIT NOT EXISTS.

DBA_AUDIT_POLICIES: Shows all the fine-grained auditing policies on the system, including whether each is enabled.

DBA_FGA_AUDIT_TRAIL: Lists audit trail records for value-based (fine-grained) auditing.

DBA_COMMON_AUDIT_TRAIL: Combines standard and fine-grained audit log records, and includes SYS and mandatory audit records written in XML format.

Page 32

Audit Trails

Combining regular auditing (AUDIT command) and FGA audit policies: query the DBA_COMMON_AUDIT_TRAIL data dictionary view, the union of the DBA_AUDIT_TRAIL and DBA_FGA_AUDIT_TRAIL data dictionary views

DBA_AUDIT_TRAIL provides the standard audit trail entries

DBA_FGA_AUDIT_TRAIL displays all audit records for FGA
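As an added example (not from the original slides), these are the review queries a security engineer would run over the views just listed: first confirm the policies are still in place and who could have turned them off, then look at the records. The policy name POLICY_EMP_SAL_COMM and object HR.EMPLOYEES come from the slides; the application account name APP_USER and the 08:00-18:00 business window are assumptions. Run as a DBA or a user with SELECT ANY DICTIONARY.

```sql
-- Added example (not from the original slides). APP_USER and the business
-- hours are assumed values; adjust to the environment.

-- 1. Which FGA policies exist, and are they enabled? DISABLE_POLICY keeps
--    the metadata, so a policy that is present but ENABLED = 'NO' is the
--    first thing to look for after an incident.
SELECT object_schema, object_name, policy_name, enabled,
       sel, ins, upd, del, policy_column, policy_column_options, audit_trail
  FROM dba_audit_policies
 ORDER BY object_schema, object_name, policy_name;

-- 2. Who could disable or drop them: every grantee of EXECUTE on DBMS_FGA.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBMS_FGA';

-- 3. FGA records for one policy, newest first, with who / from where / what.
SELECT extended_timestamp, db_user, os_user, userhost,
       statement_type, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'POLICY_EMP_SAL_COMM'
 ORDER BY extended_timestamp DESC;

-- 4. Reads of the audited columns by anyone other than the application
--    account, or outside business hours: the "unexpected access" case from
--    the Purpose slide.
SELECT extended_timestamp, db_user, os_user, userhost, sql_text
  FROM dba_fga_audit_trail
 WHERE object_schema = 'HR'
   AND object_name   = 'EMPLOYEES'
   AND statement_type = 'SELECT'
   AND (db_user <> 'APP_USER'
        OR TO_CHAR(extended_timestamp, 'HH24') NOT BETWEEN '08' AND '17')
 ORDER BY extended_timestamp DESC;

-- 5. Standard and FGA trails side by side for one user, so that an
--    AUDIT/NOAUDIT or a DBMS_FGA call can be seen next to the data access
--    it was meant to hide. AUDIT_TYPE tells the two record kinds apart.
SELECT extended_timestamp, audit_type, db_user, statement_type,
       object_schema, object_name, policy_name, sql_text
  FROM dba_common_audit_trail
 WHERE db_user = 'HR'
 ORDER BY extended_timestamp DESC;
```

Query 1 and query 2 are worth scheduling: a policy that quietly goes to ENABLED = 'NO', or a new EXECUTE grant on DBMS_FGA, is a change to the audit control itself and should raise an alert before any of the trail queries are trusted.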

Page 33

Questions/Comments?