 |
|
Oracle Tips by Burleson |
Suppose a user ALLPOWERFUL has been granted the
system privilege CREATE ANY TABLE. Using that privilege, the user
creates a table claim_master in CLAIM_SCHEMA's schema. This is a
special kind of activity – the object claim_master is owned by
CLAIM_SCHEMA, but is created by ALLPOWERFUL. The Privilege Auditing
records these types of statements in the audit trail. A simple
example is shown below. The following query is used to start
auditing whenever the user ALLPOWERFUL uses the CREATE ANY TABLE
system privilege.
audit create
any table by allpowerful by session;
The user issues the following command to create
a table CLAIM_MASER in the CLAIM_SCHEMA's schema. It uses the system
privilege CREATE ANY TABLE, not CREATE TABLE.
create table claim_schema.claim_master (………);
The user then issues the following statement to
create a table claim_master in its own schema:
create table
claim_schema.claim_master (………);
In this second statement, the user does not use
CREATE ANY TABLE, but CREATE TABLE.
If the auditing options are set for CREATE ANY
TABLE and not CREATE TABLE, only the first statement will be
audited, not the second.
Let's see the effects of the privileges used in
auditing. In this example the user CLAIM_SCHEMA creates a table as:
create table sometab1 (col1 number);
Now, the user ALLPOWERFUL creates another table
in CLAIM_SCHEMA's schema as follows.
create table claim_schema.sometab2 (col1
number);
Since the user has the CREATE ANY TABLE system
privilege, he can create a table in any other user's schema.
Note the important point here. The owner of
both these new tables is CLAIM_SCHEMA, although one is created by
ALLPOWERFUL. Since we have set up auditing on the privilege CREATE
ANY TABLE and that was precisely what the user used, the audit
records for these two actions will be different.
Next, the user ALLPOWERFUL creates yet another
table in his own schema.
create table
sometab3 (col1 number);
This statement does not need the system
privilege CREATE ANY TABLE, but just CREATE TABLE.
In each of these cases the auditing actions
will be different. Let's see how. Check the audit records generated
by issuing the following query:
select
username, owner, action_name, priv_used
from dba_audit_object;
And the result comes back as:
USERNAME OWNER ACTION_NAME PRIV_USED
--------------- --------------- --------------- ----------------
CLAIM_SCHEMA CLAIM_SCHEMA CREATE TABLE CREATE TABLE
ALLPOWERFUL CLAIM_SCHEMA CREATE TABLE CREATE ANY TABLE
ALLPOWERFUL ALLPOWERFUL CREATE TABLE CREATE TABLE
We have several important points to be noted on
the results.
-
In the first record, the USERNAME column is
CLAIM_SCHEMA, as the user himself issued the statement to create
the object in his own schema. Therefore the value of the OWNER
column is also CLAIM_SCHEMA.
-
In the second record, however, the USERNAME
column shows ALLPOWERFUL, the user who actually issued the
statement. The object was created in the schema of CLAIM_SCHEMA;
so the OWNER is different.
-
The user CLAIM_SCHEMA created the table
using the privilege CREATE TABLE, therefore the column PRIV_USED
reflects that. In the second case, the user ALLPOWERFUL used the
privilege CREATE ANY TABLE, the same is reflected in the
appropriate column.
-
In the third case, the user ALLPOWERFUL used
the privilege CREATE TABLE to create the table; so the PRIV_USED
column recorded that.
Even though the results were similar, the
auditing process captured the exact way these objects were created.
This is a very powerful feature to capture the actions of the users
regardless of what objects resulted. The model can also be used to
check if a user with sweeping privileges, such as SELECT ANY TABLE,
attempted to select data from other tables. The username will be
recorded in the audit tables.
This can be used to enforce HIPAA mandated
security requirements effectively. As we discussed in the earlier
chapters, we determined that no user, except SYS and SYSTEM, should
have sweeping privileges. But if one does, for business reasons,
auditing can easily point out the objects that were accessed using
these privileges and then a case can be made to assign specific
grants.
The general syntax of the Privilege Auditing
is:
AUDIT
<privilege_list>|ALL PRIVILEGES
[BY <username>|<proxyuser>]
[ON BEHALF OF <userlist>|ANY] Useful only if
the Proxyuser is used.
[BY SESSION|ACCESS]
[WHENVER [NOT] SUCCESSFUL]
where:
privilege_list is the list of privileges that can be audited. If
more than one privilege is given, they are separated by
commas. The allowable privileges are shown in
Table 8.2. This is available in the view system_privilege_map.
ALL - If all the privileges used by a user are
to be audited, then the key clause ALL PRIVILEGES can be used.
username is the name of the user for which the
audit is enabled.
Examples
To enable auditing on CREATE TABLE and CREATE
PROCEDURE by user CLAIM_SCHEMA, use the statement:
Audit create table, create procedure by
claim_schema by session;
To enable auditing of all privileges possible
for the same user, use the following:
audit all privileges by claim_schema by
session;
If the auditing on CREATE ANY TABLE is enabled
for all users, the BY <username> clause should be omitted, as in:
audit create table by access whenever
successful;
This will audit the statement on all users. The
following statement creates an audit record when user Judy wants to
connect but was not successful due to some problem, such as invalid
password.
audit create session by judy by session
whenever not successful;
Table 8.2 below shows the list of allowed
privileges that can be specified in the <privilege_list>.
|
ADMINISTER DATABASE TRIGGER |
ADMINISTER RESOURCE MANAGER |
ADMINISTER SECURITY |
|
ALTER ANY CLUSTER |
ALTER ANY DIMENSION |
ALTER ANY EVALUATION CONTEXT |
|
ALTER ANY INDEX |
ALTER ANY INDEXTYPE |
ALTER ANY LIBRARY |
|
ALTER ANY OPERATOR |
ALTER ANY OUTLINE |
ALTER ANY PROCEDURE |
|
ALTER ANY ROLE |
ALTER ANY RULE |
ALTER ANY RULE SET |
|
ALTER ANY SECURITY PROFILE |
ALTER ANY SEQUENCE |
ALTER ANY SNAPSHOT |
|
ALTER ANY TABLE |
ALTER ANY TRIGGER |
ALTER ANY TYPE |
|
ALTER DATABASE |
ALTER PROFILE |
ALTER RESOURCE COST |
|
ALTER ROLLBACK SEGMENT |
ALTER SESSION |
ALTER SYSTEM |
|
ALTER TABLESPACE |
ALTER USER |
ANALYZE ANY |
|
AUDIT ANY |
AUDIT SYSTEM |
BACKUP ANY TABLE |
|
BECOME USER |
COMMENT ANY TABLE |
CREATE ANY CLUSTER |
|
CREATE ANY CONTEXT |
CREATE ANY DIMENSION |
CREATE ANY DIRECTORY |
|
CREATE ANY EVALUATION CONTEXT |
CREATE ANY INDEX |
CREATE ANY INDEXTYPE |
|
CREATE ANY LIBRARY |
CREATE ANY OPERATOR |
CREATE ANY OUTLINE |
|
CREATE ANY PROCEDURE |
CREATE ANY RULE |
CREATE ANY RULE SET |
|
CREATE ANY SECURITY PROFILE |
CREATE ANY SEQUENCE |
CREATE ANY SNAPSHOT |
|
CREATE ANY SYNONYM |
CREATE ANY TABLE |
CREATE ANY TRIGGER |
|
CREATE ANY TYPE |
CREATE ANY VIEW |
CREATE CLUSTER |
|
CREATE DATABASE LINK |
CREATE DIMENSION |
CREATE EVALUATION CONTEXT |
|
CREATE INDEXTYPE |
CREATE LIBRARY |
CREATE OPERATOR |
|
CREATE PROCEDURE |
CREATE PROFILE |
CREATE PUBLIC DATABASE LINK |
|
CREATE PUBLIC SYNONYM |
CREATE ROLE |
CREATE ROLLBACK SEGMENT |
|
CREATE RULE |
CREATE RULE SET |
CREATE SECURITY PROFILE |
|
CREATE SEQUENCE |
CREATE SESSION |
CREATE SNAPSHOT |
|
CREATE SYNONYM |
CREATE TABLE |
CREATE TABLESPACE |
|
CREATE TRIGGER |
CREATE TYPE |
CREATE USER |
|
CREATE VIEW |
DEBUG ANY PROCEDURE |
DEBUG CONNECT ANY |
|
DEBUG CONNECT SESSION |
DEBUG CONNECT USER |
DELETE ANY TABLE |
|
DEQUEUE ANY QUEUE |
DROP ANY CLUSTER |
DROP ANY CONTEXT |
|
DROP ANY DIMENSION |
DROP ANY DIRECTORY |
DROP ANY EVALUATION CONTEXT |
|
DROP ANY INDEX |
DROP ANY INDEXTYPE |
DROP ANY LIBRARY |
|
DROP ANY OPERATOR |
DROP ANY OUTLINE |
DROP ANY PROCEDURE |
|
DROP ANY ROLE |
DROP ANY RULE |
DROP ANY RULE SET |
|
DROP ANY SECURITY PROFILE |
DROP ANY SEQUENCE |
DROP ANY SNAPSHOT |
|
DROP ANY SYNONYM |
DROP ANY TABLE |
DROP ANY TRIGGER |
|
DROP ANY TYPE |
DROP ANY VIEW |
DROP PROFILE |
|
DROP PUBLIC DATABASE LINK |
DROP PUBLIC SYNONYM |
DROP ROLLBACK SEGMENT |
|
DROP TABLESPACE |
DROP USER |
ENQUEUE ANY QUEUE |
|
EXECUTE ANY EVALUATION CONTEXT |
EXECUTE ANY INDEXTYPE |
EXECUTE ANY LIBRARY |
|
EXECUTE ANY OPERATOR |
EXECUTE ANY PROCEDURE |
EXECUTE ANY RULE |
|
EXECUTE ANY RULE SET |
EXECUTE ANY TYPE |
EXEMPT ACCESS POLICY |
|
FLASHBACK ANY TABLE |
FORCE ANY TRANSACTION |
FORCE TRANSACTION |
|
GLOBAL QUERY REWRITE |
GRANT ANY OBJECT PRIVILEGE |
GRANT ANY PRIVILEGE |
|
GRANT ANY ROLE |
INSERT ANY TABLE |
LOCK ANY TABLE |
|
MANAGE ANY QUEUE |
MANAGE TABLESPACE |
ON COMMIT REFRESH |
|
QUERY REWRITE |
READUP |
READUP DBHIGH |
|
RESTRICTED SESSION |
RESUMABLE |
SELECT ANY DICTIONARY |
|
SELECT ANY SEQUENCE |
SELECT ANY TABLE |
SYSDBA |
|
SYSOPER |
UNDER ANY TABLE |
UNDER ANY TYPE |
|
UNDER ANY VIEW |
UNLIMITED TABLESPACE |
UPDATE ANY TABLE |
|
WRITEDOWN |
WRITEDOWN DBLOW |
WRITEUP |
|
WRITEUP DBHIGH |
|
|
Table 8.2 System Privilege Auditing Options
Shortcuts
Sometimes you may want to audit a group of
options on all objects of a specific type. For instance, you want to
audit CREATE, DROP and TRUNCATE on all tables by user JUDY whenever
they are not successful. You could issue:
audit create table by judy whenever not
successful;
audit drop table by judy whenever not
successful;
audit truncate table by judy whenever not
successful;
Or you could just issue:
audit table by judy whenever not successful;
This will audit the statements CREATE, DROP and
TRUNCATE only, not other statements such as INSERT, DELTE, ALTER,
etc. Therefore it is important to remember which of the operations
are audited and which are not. The shortcuts and their actions have
been given in table 8.3 below. The general syntax is:
AUDIT
<shortcut> ……
The available shortcuts have been described in
Table 8.3 below.
|
IF THE SHORTCUT IS |
THEN THE AUDITING OPTIONS ARE SET
FOR |
|
CLUSTER |
CREATE CLUSTER
AUDIT CLUSTER
DROP CLUSTER
TRUNCATE CLUSTER |
|
CONTEXT |
CREATE CONTEXT
DROP CONTEXT |
|
DATABASE LINK |
CREATE DATABASE LINK
DROP DATABASE LINK |
|
DIMENSION |
CREATE DIMENSION
ALTER DIMENSION
DROP DIMENSION |
|
DIRECTORY |
CREATE DIRECTORY
DROP DIRECTORY |
|
INDEX |
CREATE INDEX
ALTER INDEX
DROP INDEX
ANALYZE ANY |
|
NOT EXISTS |
This is a special case of shortcut. If
this is set, any SQL statement failing due to the
non-existence of an object triggers and audit record. |
|
IF THE SHORTCUT IS |
THEN THE AUDITING OPTIONS ARE SET FOR |
|
PROCEDURE |
CREATE FUNCTION
CREATE LIBRARY
CREATE PACKAGE
CREATE PACKAGE BODY
CREATE PROCEDURE
DROP FUNCTION
DROP LIBRARY
DROP PACKAGE
DROP PROCEDURE
JAVA STORED PROCEDURES |
|
PROFILE |
CREATE PROFILE
ALTER PROFILE
DROP PROFILE |
|
PUBLIC DATABASE LINK |
CREATE PUBLIC DATABASE LINK
DROP PUBLIC DATABASE LINK |
|
PUBLIC SYNONYM |
CREATE PUBLIC SYNONYM
DROP PUBLIC SYNONYM |
|
ROLE |
CREATE ROLE
ALTER ROLE
DROP ROLE
SET ROLE |
|
IF THE SHORTCUT IS |
THEN THE AUDITING OPTIONS ARE SET FOR |
|
ROLLBACK SEGMENT |
CREATE ROLLBACK SEGMENT
ALTER ROLLBACK SEGMENT
DROP ROLLBACK SEGMENT |
|
SEQUENCE |
CREATE SEQUENCE
DROP SEQUENCE |
|
SESSION |
The connections and disconnections by users
are audited. |
|
SYNONYM |
CREATE SYNONYM
DROP SYNONYM |
|
SYSTEM AUDIT |
This is also a special case of auditing.
When a user issues the AUDIT command itself, or NOAUDIT, this
setting triggers an audit record to be generated. |
|
SYSTEM GRANT |
Whenever the user grants a system privilege
to another user or itself, this setting triggers an audit trail. |
|
TABLE |
CREATE TABLE
DROP TABLE
TRUNCATE TABLE |
|
TABLESPACE |
CREATE TABLESPACE
ALTER TABLESPACE
DROP TABLESPACE |
|
IF THE SHORTCUT IS |
THEN THE AUDITING OPTIONS ARE SET FOR |
|
TRIGGER |
CREATE TRIGGER
ALTER TRIGGER
Important: Only the statements that enable
or disable a trigger by the ALTER TRIGGER command are logged,
not altering the trigger body.
DROP TRIGGER
ALTER TABLE
Only the trigger related statements in
ALTER TABLE, such as adding or dropping triggers are audited. |
|
TYPE |
CREATE TYPE
CREATE TYPE BODY
ALTER TYPE
DROP TYPE
DROP TYPE BODY |
|
USER |
CREATE USER
ALTER USER
DROP USER |
|
VIEW |
CREATE VIEW
DROP VIEW |
Table 8.3 Shortcuts and their Auditing Actions
Oracle also provides
another type of shortcut to audit some commonly used system
privileges. They are
referred to as DBA, RESOURCE and CONNECT to
record groups of privileges.
Note: The words CONNECT, RESOURCE, and DBA
should not be confused with the database roles of the same names.
These are just shortcuts to a group of privileges.
The following example shows how the shortcuts
are used:
audit
connect;
This will enable auditing for CREATE SESSION,
since CONNECT is a shortcut for it. The shortcut RESOURCE enables
auditing on the following:
-
ALTER SYSTEM
-
TABLE
-
CLUSTER
-
TABLESPACE
-
ROLLBACK SEGMENT
-
TYPE
-
SYNONYM
-
VIEW
-
SEQUENCE
-
DATABASE LINK
-
PROCEDURE
So when you use AUDIT RESOURCE, the auditing is
enabled for all objects mentioned above.
The third shortcut, DBA does the same as
enabling auditing on the following:
-
PUBLIC SYNONYM
-
PUBLIC DATABASE LINK
-
ROLE
-
SYSTEM GRANT
These three shortcuts can be used to enable
auditing quickly. It may not be practical to audit everything these
shortcuts offer since some may be left out. If necessary, one
convenient way may be to enable auditing by the shortcut and then
selectively disable auditing. For instance, if all the audit options
in the shortcut RESOURCE are necessary, except VIEW, they can all be
enabled by AUDIT RESOURCE and then the undesired one can be disabled
by the NOAUDIT VIEW command.
This shortcut concept may not be particularly
useful and can be prone to mistakes. Remember from the above
discussion that a shortcut TABLE refers to only CREATE TABLE, DROP
TABLE and TRUNCATE TABLE. This shortcut does not include other
important operations such as ALTER TABLE, even though the user may
expect it to. It is perhaps best to avoid shortcuts at least to
avoid confusion, if nothing else.
Object Auditing
This type of auditing is based on specific
objects and the actions made on them, not general statements, or
using privileges. An example may make it clearer:
audit select on claim_schema.claims by access;
This will
enable audit trails when any user selects from the table CLAIMS.
Note the important difference here – there is no user specified.
Just the object is specified and
the frequency of triggering – by session or by
access. So any user who selects from this table will trigger
auditing.
In general, the audit command takes the
following form:
AUDIT
<statement_list>|ALL
[ON <objectname>|DEFAULT]
[BY SESSION|ACCESS]
[WHENEVER [NOT] SUCCESSFUL]
Where:
statement_list are the allowable statements
that can be audited. The list is different in every version; a
recent list for each version may be found in the data dictionary
view stmt_audit_option_map. Table 8.1
has a list of such statements. If more than one statement is given,
they are separated by comma.
If all statements are required to be audited on
an object, the keyword ALL can be used.
objectname is the name of the object on which
the actions are to be audited. A list of object names can be given
also, separated by commas. The objects can also be specified in the
<owner>.<objectname> format
Examples
To enable audit on all types of privileges on
the object, use the clause ALL PRIVILEGES in the statement. An
example is given below for illustration.
audit all privileges;
The use of ON
DEFAULT specifies that those auditing options be turned on for any
objects of that type created after this statement is given. For
instance, if we want to
enable select auditing on all tables created, we
would issue:
audit select
on default by access;
The setting of auditing on default objects can
be seen from the data dictionary view all_def_audit_opts, as shown
below:
select * from all_def_audit_opts
/
ALT AUD COM DEL GRA IND INS LOC
REN SEL UPD REF EXE
--- --- --- --- --- --- --- --- --- --- --- ---
---
-/- -/- -/- -/- -/- -/- -/- -/- -/- A/A -/- -/-
-/-
Note how the SEL column shows by access on both
successful and unsuccessful attempts.
Checking for
Unsuccessful Actions
If the action is not successful, and the action
is audited for non-success, then an audit record is generated. The
view dba_audit_exists shows those records.
For instance, assume we set up auditing for CREATE TABLE by any user
for both success and non-success. We would issue the following two
statements consecutively.
connect claim_schema/claim_schema
create table mytab1 (col1 number)
/
create table mytab1 (col1 number)
/
Note how the attempt was made to create the same
table again, and it will fail with the following message:
ORA-00955:
name is already used by an existing object
The success and failure of these two statements
will be logged in the audit table. The failure of the statement can
be seen from records in the dba_audit_exists as follows:
select ACTION_NAME, returncode
from dba_audit_exists
SEE CODE
DEPOT FOR FULL SCRIPT
and obj_name = 'MYTAB1';
The result comes back as:
ACTION_NAME RETURNCODE
--------------------------- ----------
CREATE TABLE 955
The only record here is the failure of the
second statement. The RETURNCODE field is the important since it
records the exact error condition that caused this failure. In this
case, it is 955, which corresponds to the ORA-00955 thrown earlier.
It is important to note that not all types of
errors are reported in this view. For instance ORA-955 is reported,
but "ORA-1950 no privileges on tablespace XXX" is not reported.
Reported audit records are in the dba_audit_trail and dba_audit_object views.
This may
cause some confusion while searching for unsuccessful operations in
the database. It may be
worthwhile to query only the view dba_audit_trail
for everything, including unsuccessful operations.
Auditing for SYS
Connections
This is a thorny issue is Oracle security. When
a user with SYSDBA privileges connects to the database, the action
is expected to be for administrative reasons only, such as shutdown,
startup, add a service to the listener, etc. Generally, we would not
expect these actions to be audited and therefore not picked up by
the auditing mechanism.
However, the user who is connected as SYSDBA is
a regular user, just like any other user, but with all powerful do
anything privileges. This user could potentially alter the data in a
table in any schema. Since the action is not audited, the trace of
this data manipulation is hidden. In case of an investigation later,
the audit trails will have no record of such manipulations – a huge
security hole.
Sine HIPAA regulations expect accountability
for data changes at any level, regardless of who made them, it
becomes necessary to audit the actions of such privileged users for
any data changes. Unfortunately, in Oracle 8i and below, the actions
of a user connected as SYSDBA is not recorded, except the mandatory
audit trail in the OS filesystem that merely states that the SYSDBA
connection was established, nothing else. The actions conducted by
the user after connecting as SYSDBA are not recorded.
In Oracle 9i
and up, the facility is available. All actions by the user connected
a SYSDBA, such as changing data, etc., can recorded in the audit
trail. This is
independent of the setting in the audit_trail parameter.
It is done through the initialization parameter audit_sys_operations.
By default it is set to FALSE. The following setting in the
initialization parameter file will enable SYSDBA auditing:
audit_sys_operations = TRUE
This is a static parameter that cannot be set
using the ALTER SYSTEM command since the database must be bounced
for it to take effect.
When this is set to TRUE, all actions by the
user connected as SYSDBA and SYSOPER are audited in the operating
system file. Some very important points must be observed in this
regard, and are perhaps better explained through examples.
Let's create three users with three different
privileges as follows.
create user sysdba1 identified by sysdba1
/
grant create session, sysdba to sysdba1
/
create user sysoper1 identified by sysoper1
/
grant create session, sysoper to sysoper1
/
create user regulardba1 identified by
regulardba1
/
grant create session, dba to regulardba1
/
|
|
|
and include the URL for the page.
