Professional Documents
Culture Documents
25
C H A P T E R
In This Chapter
Understanding Oracle8i auditing concepts Implementing Oracle8i auditing Managing the Oracle8i audit trail Using Triggers to implement auditing
n todays high-data-transaction environments, there is always a requirement to monitor what is going on within a system. You must know more than who is connected, and from which host. You may need to gather statistics, monitor data access, or watch for potentially suspicious activity. You can do all of these things using Oracle8is auditing features. Oracle8is auditing features allow you to track access to tables, the use of privileges, and the use of specific SQL statements. In addition, because the Internet has become a popular method of implementing a three-tier system, Oracle8i now provides a way to track middle-tier connections made on behalf of end users. This chapter provides a detailed exploration of Oracle8is auditing concepts and audit implementation techniques.
668
Statement Auditing
Statement auditing allows you to audit specific SQL statements executed by users. It offers no provision for tracking the schema objects referenced by those statements. The basic syntax for this kind of auditing command follows:
AUDIT option, option, [BY [ username | proxy_name [ ON BEHALF OF [ ANY | username ] ] ] ] [BY [ SESSION | ACCESS]] [WHENEVER [NOT] SUCCESSFUL]
Use statement auditing on these two groups of SQL statements: DDL statements, with respect to specific database object types, not specific objects. For example, the following audit command audits all CREATE TABLE and DROP TABLE statements:
AUDIT TABLE;
DML statements, with respect to a particular type of database object operation, but not specifically an operation on a named object. For example, the following audit command initiates auditing for all SELECT FROM TABLE statements, irrespective of the table on which the SQL statement executes:
AUDIT SELECT TABLE;
669
Statement auditing can be broad or focused in scope; use statement auditing to audit activities of all users or a selected subset of users.
Privilege Auditing
Privilege auditing audits the use of system privileges such as CREATE TABLE or SELECT ANY TABLE. You can audit the use of any system privilege. The general syntax for this form of auditing is as follows:
AUDIT [option | ALL ] ON [username.]objectname [BY [SESSION|ACCESS]] [WHENEVER [NOT] SUCCESSFUL]
Privilege auditing is more focused than statement auditing because each option audits only specific types of system privileges, not a related set of statements. For example, the statement audit option AUDIT TABLE audits the CREATE TABLE, DROP TABLE, and ALTER TABLE SQL statements, while the privilege audit option CREATE TABLE audits only CREATE TABLE SQL statements. The privilege audit option for monitoring the creation of all tables follows:
AUDIT CREATE TABLE;
Note
If similar statement and privilege audit options are set for example, the AUDIT TABLE statement audit option and the AUDIT CREATE TABLE privilege audit option only a single record is generated in the audit trail when an event falls into both categories.
You can set privilege auditing to audit system privilege activities of a selected user or all users of a database.
The following list shows the DML statements that will be recorded as the result of schema object auditing:
ALTER AUDIT COMMENT DELETE EXECUTE
670
For example, AUDIT SELECT ON tablename audits all SQL SELECT statements executed against the specified table. If objects are indirectly referenced by synonyms, clusters, or indexes, they can be audited by setting schema object audit statements on their respective base tables.
Note
If schema object auditing is set on a table and its view, a SELECT operation on the view generates two audit records.
Because it only audits a specific DML statement on a schema object, schema object auditing is very focused. Schema object auditing always applies to all users of the database.
If neither line is mentioned in the audit syntax, both successful and unsuccessful SQL statement executions are audited.
671
For example, the following auditing command audits SELECT commands for the BOOKS_LOANED table:
AUDIT SELECT ON AMY.BOOKS_LOANED BY SESSION;
User TONY connects to the database and executes five SELECT statements on the BOOKS_LOANED table. Oracle8i generates only one audit record because you specified the BY SESSION option. The BY ACCESS constraint setting generates an audit record into the audit trail for each audit option execution. For example, if you set BY ACCESS for the previous example, TONY generates five audit records into the audit trail. You can only set the following audit operations using the BY ACCESS audit option constraint: All statement audit options that audit DDL operations All privilege audit options that audit DDL statements For all other audit options, BY SESSION is the default.
Auditing by user
Statement and privilege auditing options permit auditing on SQL statements issued by a specific or general user in a database. You can use the BY USER auditing constraint to minimize the number of audit records generated. For example, use the following syntax to enforce the statement auditing option on the SELECT statement by the users TONY and KRISTY:
AUDIT SELECT TABLE by TONY, KRISTY
Auditing by proxy
A new feature of Oracle8i is the ability to audit by proxy. A proxy is a new feature of Oracle8i that allows middleware (such as an application server) to log on as a user without passing the users password to the database. Sending passwords to the database is a possible security leak, especially if the transaction is done across the Internet. Before you can audit by proxy, you must set up a user and the middleware with a proxy relationship. The ALTER USER command has a new parameter for this. The syntax is as follows:
ALTER USER user_name GRANT CONNECT THROUGH proxy_name [ WITH ROLE [ALL EXCEPT ] role_name ]
The user_name is the end user. The proxy_name parameter specifies the name of the Oracle user with which the middleware (application server) logs on to the database. Omitting the WITH ROLE clause gives the proxy the same roles as the user.
672
For example, a Web-database application server logs on as WEBAPP. The end user named JOHN logs on to the Web application and queries the database. The application server queries the database as the proxy of JOHN. As the proxy, the application is able to query all the tables that JOHN is allowed to query. To tell the database to use WEBAPP as JOHNs proxy, issue the following command:
ALTER USER JOHN GRANT CONNECT THROUGH WEBAPP;
The middleware verifies the users identity by requiring a name and password, or any other sort of validation it wants. It then acts as the users proxy (or representative) when accessing the database. The database validates the identity of the middleware and assumes that the middleware is a familiar and trustworthy entry point into the database. Even though the user logged on to Oracle is named WEBAPP, Oracle knows that it is really JOHN on the other side of the application. The application has many end users for which it is a proxy. The auditing thread between the end user and the database activity would be lost without new functionality to take proxies into account. Oracle8i has added the BY PROXY clause into the AUDIT command for handling these new forms of activity. The syntax is as follows:
AUDIT option BY PROXY [ ON BAHALF OF [ ANY | user_name ] ];
Continuing with our example, lets say you want to audit all the query activity that user JOHN has done through the WEBAPP proxy. The command for auditing would be as follows:
AUDIT SELECT TABLE BY WEBAPP ON BEHALF OF JOHN;
To end the proxy relationship between the proxy and the user, use the ALTER USER command, as follows:
ALTER USER JOHN REVOKE CONNECT THROUGH WEBAPP;
673
When a session is created, the current auditing options are retrieved from the data dictionary. These auditing options exist for the life of the session. Setting or modifying audit options causes all subsequent sessions to use the new options, while existing sessions still continue to use the audit options in place at their creation. In contrast, changes to schema object audit options are immediately effective for current sessions.
Note
The AUDIT command only activates auditing options; it does not enable Oracle8i auditing as a whole.
To audit all unsuccessful connections to the database BY SESSION, regardless of user, use the following command:
AUDIT SESSION WHENEVER NOT SUCCESSFUL;
To audit all unsuccessful connections to the database by a specified user (TONY), use the following command:
AUDIT SESSION BY TONY WHENEVER NOT SUCCESSFUL;
674
To audit all unsuccessful INSERT, DELETE, and DROP ANY TABLE system privileges on all tables, use BY ACCESS, which requires two statements, as follows:
AUDIT INSERT TABLE, DELETE TABLE BY ACCESS WHENEVER NOT SUCCESSFUL; AUDIT DROP ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;
To audit all successful DELETE commands on the STUDENTS table, use BY ACCESS as follows:
AUDIT DELETE ON AMY.STUDENTS BY ACCESS WHENEVER SUCCESSFUL;
675
The terminal identifier The name of the schema object accessed The operation performed or attempted The completion code of the operation The date and timestamp The system privileges used Either Oracle8i or the operating system (OS) audit trail can store all the database audit records. Lets look at the advantages of using each audit storage mechanism.
The database audit trail does not store information about data values that may have been changed by a SQL statement.
676
SQLWKS> SELEC OWNER,OBJ_NAME 2> ACTION, ACTION_NAME, SESSIONID, ENTRYID, RETURNCODE 3> FROM SYS.USER_AUDIT_TRAIL 4>WHEREOBJ_NAME='BOOKS_LOANED' 5> OS_USERNAME USERNAME TERMINAL TIMESTAMP OWNER OBJ_NAME Sulaco Sulaco Sulaco Sulaco Sulaco Sulaco Sulaco 7 rows selected PREM PREM PREM PREM PREM PREM PREM SULACO SULACO SULACO SULACO SULACO SULACO SULACO 29-Oct-97 29-Oct-97 29-Oct-97 29-Oct-97 29-Oct-97 29-Oct-97 29-Oct-97 PREM PREM PREM PREM PREM PREM PREM
ACTION ACTION_NAME SESSIONID ENTRYID RETURNCODE 2 2 2 2 2 7 4 INSERT INSERT INSERT INSERT INSERT DELETE DELETE 132 137 137 137 137 138 138 1 1 2 3 4 2 3 2291 0 0 0 0 0 0
Figure 25-1: Audit trail records contain user, session, object, and other identifiers.
677
The following query looks at all your auditing records, listing them in descending order by date and time:
SELECT TO_CHAR(TIMESTAMP#,MM/DD/YY HH:MI:SS) TIMESTAMP, USERID, AA.NAME ACTION, OBJ$CREATOR||.||OBJ$NAME OBJECT_NAME FROM SYS.AUD$ AT, SYS.AUDIT_ACTIONS AA WHERE AT.ACTION# = AA.ACTION ORDER BY TIMESTAMP# DESC;
If you disable Oracle8i auditing as a whole, you can use the CATNOAUD.SQL script to remove the preceding audit views.
678
You can also delete specific records, such as all records for the STUDENTS table, as follows:
DELETE FROM SYS.AUD$ WHERE objname = STUDENTS;
You can also archive the audit records by exporting them to an operating system file or using the following statement:
INSERT INTO audit_temp SELECT * FROM SYS.AUD$;
Note
Only the SYS user, who holds the DELETE ANY TABLE system privilege, and any user granted the DELETE privilege on SYS.AUD$ by the user SYS can delete records.
If the audit trail fills and an auditing option is enabled BY SESSION, users will not be able to connect to the database. In this situation, the SYS user must connect and delete the records. The SYS user is not audited and can make space available.
SYS.AUD$ is the only SYS schema object you can modify directly.
679
Create the audit trail table in a different schema to allow better tablespace management and data segregation from the audited tables.
You have to set the triggering event on the audit trigger appropriately to capture the necessary actions on the audited table.
680
Create a table to contain the BOOKS_LOANED audit data using the following command:
CREATE TABLE AUDIT_BOOKS_LOANED ( AUDIT_ID NUMBER(5) PRIMARY KEY, AUDIT_BOOK_ID NUMBER(5) , AUDIT_STUDENT_ID NUMBER(5) , AUDIT_LOAN_DATE DATE , AUDIT_BOOK_FINE NUMBER(5,2), AUDIT_ACTION VARCHAR2(10), AUDIT_DATE DATE DEFAULT (SYSDATE));
Now, create a trigger that will record INSERT, UPDATE, and DELETE operations on the BOOKS_LOANED table, as shown in Listing 25-2.
681
Summary
In this chapter, you learned: The audit feature within Oracle8i can monitor potentially suspicious user activity as well as provide statistics on how the database is being accessed and used. Oracle8i can audit database operations at the following levels: SQL statement, system privilege, and schema object. You can narrow the focus of Oracle8i auditing by capturing only successful events or only unsuccessful events. You can also choose between having audited SQL statements recorded once per session or once per use. You can further focus your auditing efforts by auditing specific users rather than all users. The audit trail can be accessed through a number of views using the AUD$ system table. The AUD$ table requires growth management and should be archived and purged at regular intervals. Triggers provide a way to capture changes to the data in a table something you cant do using the built-in auditing features of Oracle8i.