GOLD SILVER BRONZE Oracle Auditing COUG Presentation – June 19, 2014 Ray Smith June 2014 © CGI Group Inc. 2014 Oracle Auditing Objective : • What is available to the DBA with regard to auditing • How do you configure the various options • What are the impacts of setting up the various options Caveats: • Based on personal experience • Tests are performed on Oracle Virtualbox (Linux) with RDBMS 12c • Not real data in examples. 3 Oracle Auditing: Scope During this presentation I would like to cover • Mandatory Auditing • Standard Database Auditing • Audit SYS operations • Fine Grained Auditing And now in 12c….. • The Unified Audit Trail Excludes : Oracle Database Vault Audit. 4 Oracle Auditing : Presentation References • Oracle Database Security Guide (11G) – E36292-05 • Oracle Database Security Guide (12C) – E17607-25 • SQL Language Reference (12C) – E17209-15 5 Oracle Auditing – Mandatory Auditing What is always on: • Database Startup / Shutdown • Sysdba / Sysoper logons And now in 12c – (if unified auditing is switched on) : • Auditing changes – changes made to auditing • Create/Alter/Drop audit policies • Audit/Noaudit actions • Execution of FGA / DBMS_AUDIT_MGMT packages • Alter table statements run on the AUDSYS table • ‘Top level statements by the administrative users ..until the database is opened’. • Database vault changes 6 Oracle Auditing – Mandatory Auditing (12c) • Quick peek - Demo 7 Oracle Auditing – Standard Database Auditing Henceforth known as Traditional Auditing • Oracle includes the Traditional Auditing for backwards compatibility • Oracle Recommends you plan to move away from this type of auditing. • Requires the database parameter set to something other than ‘none’ • 12c – default setting none (in documentation) but it was set to DB when I installed using DBCA (custom installation). • Options available : • none | os | db [, extended] | xml [, extended] • Turn on : AUDIT command • Turn off : NOAUDIT command • Data stored in SYS.AUD$ 8 Oracle Auditing – Standard Database Auditing 9 Oracle Auditing – Standard Database Auditing Audit examples • Audit create session; -- will record all log on and log off actions • Audit create session by rsmith; -- will record all rsmith’s log on/off • Audit select on hr.employee by access; -- will capture who/what is querying the hr.employee table (every time) • Audit select on hr.employee by session ; -- will capture who/what is querying the hr.employee table (grouped per session) 10 Oracle Auditing – Standard Database Auditing How to query what objects are being audited? • DBA_OBJ_AUDIT_OPTS 11 Oracle Auditing – Standard Database Auditing How to query what statements are being audited? • DBA_STMT_AUDIT_OPTS 12 Oracle Auditing – Standard Database Auditing How to query what privileges are being audited? • DBA_PRIV_AUDIT_OPTS 13 Oracle Auditing – Standard Database Auditing What can be audited? • STMT_AUDIT_OPTION_MAP 14 Oracle Auditing – Standard Database Auditing What can be audited? • SYSTEM_PRIVILEGE_MAP 15 Oracle Auditing – Standard Database Auditing Views to query • • • • • • DBA_AUDIT_TRAIL - complete audit list DBA_AUDIT_STATEMENT – audit system changes DBA_AUDIT_SESSION - audit sessions DBA_AUDIT_OBJECT - audit objects V$XML_AUDIT_TRAIL – complete audit if XML is used DBA_AUDIT_EXISTS - audit failure 16 Oracle Auditing – Standard Database Auditing Demo – Traditional Auditing 17 Oracle Auditing – Standard Database Auditing Performance testing Database : 12c Test – 10,000 individual connections & queries Action Average time noaudit 9:31 Audit create session (DB) 9:40 Audit create session (OS) 10:06 Audi Select by Access (DB) 9:40 Audit create session + Select by Access 9:40 18 Oracle Auditing – Audit SYS operations Record operations performed by SYS / SYSOPER 19 Oracle Auditing – Audit SYS operations Auditing records created in the audit directory (OS) Contents : 20 Oracle Auditing - FGA Points to note • Traditional auditing is object based. • FGA auditing has a more granular approach • Can be column specific • Can be column value specific • Can be time specific (disabled/enabled by trigger) • Managed by policies which can be queried in DBA_AUDIT_POLICIES • Data Stored in SYS.FGA_LOG$ • View: DBA_FGA_AUDIT_TRAIL • Configured using DBMS_FGA package 21 Oracle Auditing - FGA Interesting notes • If you audit a table which is accessed via a view, then the OBJECT_NAME in the Audit Trail will be the table being audited, but the sql text will be the query against the view • There’s a handler_module that can trigger events, for example – send alert to the DBA if a particular audited activity occurs. 22 Oracle Auditing - FGA DBA_AUDIT_POLICIES 23 Oracle Auditing - FGA Demo - FGA 24 Oracle Auditing – Unified Audit Trail (12c) Basic concept SYS.AUD$ (traditional) SYS.FGA_LOG$ (fga) V$XML_AUDIT_TRAIL (XML) OS FILES (SYS / MANDATORY) ORACLE VAULT AUDIT SYS.UNIFIED_AUDIT_TRAIL 25 Oracle Auditing – Unified Audit Trail (12c) To setup you have to build the appropriate libraries (with all databases / listener in the $HOME shut down) cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk uniaud_on ioracle To turn off you have to rebuild with the option turned off cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk uniaud_off ioracle 26 Oracle Auditing – Unified Audit Trail (12c) Banner changed when enabled 27 Oracle Auditing – Unified Audit Trail (12c) Points to note • Mixed modes are supported • Policy managed by ‘Create Audit Policy’ commands • Supposed to be faster than previous auditing because it utilizes SGA for auditing with periodic ‘flushes’. • Data stored in Read-only area • Managed by AUDSYS user, which cannot connect to oracle directly • Two roles for auditing : Audit_Admin & Audit_viewer 28 Oracle Auditing – Unified Audit Trail (12c) Different write modes • Immediate write mode • Audit records are immediately written to disk • May have a performance impact • Queued write mode • Audit written to SGA • Flushed manually / automatically at intervals • Possible risk of audit loss after crash 29 Oracle Auditing – Unified Audit Trail (12c) Switching write modes: 30 Oracle Auditing – Unified Audit Trail (12c) Flushing the audit trail: 31 Oracle Auditing – Unified Audit Trail (12c) Mandatory auditing on • Create/Alter/Drop audit policies • Audit/Noaudit actions • Execution of FGA / DBMS_AUDIT_MGMT packages • Alter table statements run on the AUDSYS table • ‘Top level statements by the administrative users ..until the database is opened’. • Database vault changes 32 Oracle Auditing – Unified Audit Trail (12c) Demo 33 Oracle Auditing – Unified Audit Trail (12c) Performance testing Database : 12c Test – 10,000 individual connections & queries Action Average time noaudit 9:31 Audit create session (DB) 9:40 Audit create session (OS) 10:06 Audi Select by Access (DB) 9:40 Audit create session + Select by Access 9:40 Audit create session (UNIFIED) queue mode 10:01 34 Oracle Auditing Thank you for listening 35
© Copyright 2024