Roh Oracle 10gr2 Fga

Oracle 10g R2 Auditing Features: Fine-Grained Auditing

CS780 April 29, 2010 Cassidy Heeyeon Roh

Auditing
- Monitoring and recording of selected user database actions
  - SQL statements, user name, application, time, etc.
- Security policies can trigger auditing when specified elements in an Oracle database are accessed or altered, including the contents within a specified object

Auditing
Purpose
- Enable future accountability for current actions taken in a particular schema, table, or row, or affecting specific content
- Deter users (or others) from inappropriate actions based on that accountability
- Investigate suspicious activity
  - e.g. deletion of rows from tables

Auditing
Purpose
- Notify an auditor that an unauthorized user is manipulating or deleting data and that the user has more privileges than expected, which can lead to reassessing user authorizations
- Monitor and gather data about specific database activities
  - e.g. updates, number of concurrent users at peak times
- Detect problems with the authorization or access control implementation
  - Create audit policies to track them

Audit Records
- Audit records can cover
  - Successful statement execution, unsuccessful statement execution, or both
  - Statement execution once in each user session or once every time the statement is executed
  - Activities of all users or of a specified user
- Audit record storage
  - Contains the audited operation, the user of the operation, and the time and date of the operation
  - Data dictionary table: database audit trail
  - Operating system files: operating system audit trail

Audit Types
Types of Audits
- Statement Auditing (e.g. AUDIT TABLE)
  - Audits SQL statements by type of statement
  - Broad
  - Audit on a selected user or every user
- Privilege Auditing (e.g. AUDIT CREATE TABLE)
  - Like statement auditing, but audits a particular type of action
  - Audit on a selected user or every user

Audit Types
Types of Audits
- Schema Object Auditing (e.g. AUDIT SELECT ON <employees>)
  - Audits specific statements on particular schema objects
  - Focused: a specified type of statement on a specified schema object
  - Always applies to all users of the database
- Fine-Grained Auditing
  - Audits at the most granular level
  - Data access and actions based on content, using any Boolean measure
  - Audit on access to or change in a column

FGA vs Triggers
- Triggers
  - PL/SQL call for every row processed
  - Create a record only when relevant information is changed by a DML statement
- FGA
  - No additional cost per row processed
  - Audits only once for every policy
  - Audits when the specified relevant columns occur in a specific type of DML statement
  - Changed by statement/selection
  - Combination of criteria per statement
  - Supports tables and views

Fine-Grained Auditing
- Implement security policies and associate security policies with tables, views or synonyms
- Automatic enforcement of security policies regardless of data access method (e.g. through an application or by ad hoc queries)
- Application context with fine-grained access control is called Virtual Private Database (VPD)

Fine-Grained Auditing
Advantages
- Simple user-defined SQL predicates on objects as conditions for selective auditing
- The query is audited during fetch
  - When policy conditions are met for a returning row
- Able to run a user-defined event handler, if specified in the policy
- Implement using the DBMS_FGA package or triggers

Fine-Grained Access Control (VPD)
Capabilities
- Limit access at row level: SELECT, INSERT, UPDATE, DELETE
- Use security policies when you need them
- Invoke a policy only if a particular column is referenced
- Restrict access using a combination of row-level and column-level controls, by applying a VPD policy to a view

Fine-Grained Access Control (VPD)
Capabilities
- Have some policies that are always applied, called static policies, and others that can change during execution, called dynamic policies
- Use more than one policy for each table, including building on top of base policies in packaged applications
- Distinguish policies between different applications by using policy groups. Each policy group is a set of policies that belong to an application

Fine-Grained Access Control (VPD)
Capabilities
- Distinguish and control the use of INDEX in row-level security policies
- Designate an application context, called a driving context, to indicate the policy group in effect. When tables, views, or synonyms are accessed, the fine-grained access control engine looks up the driving context to determine the policy group in effect and enforces all the associated policies that belong to that policy group
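The capabilities above, as an added example that is not part of the slides: a DBMS_RLS row-level policy on HR.EMPLOYEES that is only invoked when a sensitive column is referenced. The function SECAUDIT.OWN_DEPT_ONLY, the policy name EMP_SAL_BY_DEPT and an application context APP_CTX with a DEPT_ID attribute are assumed to exist.

```sql
-- Added example (not from the slides). Assumed names: SECAUDIT.OWN_DEPT_ONLY,
-- policy EMP_SAL_BY_DEPT, application context APP_CTX with attribute DEPT_ID
-- populated at login by the application.

-- Policy function signature required by DBMS_RLS: (schema, object) RETURN VARCHAR2
CREATE OR REPLACE FUNCTION secaudit.own_dept_only (
  p_schema VARCHAR2,
  p_object VARCHAR2)
RETURN VARCHAR2
AS
BEGIN
  -- The HR account sees everything; everyone else only their own department.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR' THEN
    RETURN NULL;   -- NULL predicate: no restriction is appended
  END IF;
  -- The returned predicate is appended to the user's WHERE clause by the VPD engine
  RETURN 'department_id = SYS_CONTEXT(''APP_CTX'', ''DEPT_ID'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMPLOYEES',
    policy_name           => 'EMP_SAL_BY_DEPT',
    function_schema       => 'SECAUDIT',
    policy_function       => 'OWN_DEPT_ONLY',
    statement_types       => 'SELECT, UPDATE',
    update_check          => TRUE,                        -- an UPDATE may not move a row outside the predicate
    policy_type           => DBMS_RLS.CONTEXT_SENSITIVE,  -- re-evaluated when the application context changes
    sec_relevant_cols     => 'SALARY, COMMISSION_PCT',    -- policy fires only if these columns are referenced
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);          -- rows still returned, sensitive columns masked as NULL
END;
/
```

Without sec_relevant_cols_opt the rows outside the predicate are removed entirely; with DBMS_RLS.ALL_ROWS they stay visible but the listed columns read as NULL.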

Fine-Grained Auditing
PL/SQL packages
- Administer security policies/policy groups: add, drop, enable, refresh
  - DBMS_RLS for VPD (fine-grained access control)
  - DBMS_FGA for Fine-Grained Auditing
- Audit record storage
  - SYS.FGA_LOG$ table
  - Access through the DBA_FGA_AUDIT_TRAIL view

Fine-Grained Auditing
- Minimize false or unhelpful audits with specifications
- Audit INSERT, UPDATE, MERGE, SELECT, DELETE
- No need to enable AUDIT_TRAIL
- Add/remove policies as necessary
  - Requires the EXECUTE privilege on the DBMS_FGA package
- Ability to temporarily enable/disable FGA policies
  - No loss of metadata
  - DBMS_FGA.ENABLE_POLICY
  - DBMS_FGA.DISABLE_POLICY

Fine-Grained Auditing
Policies
- Monitor data accessed based on content
- Specify columns and conditions
  - e.g. specific types of DML statements in connection with the columns specified
- Specify the name of a routine performed when the audit event occurs
  - Notify
  - Alert the administrator
  - Handle errors and anomalies

Fine-Grained Auditing
Policies
- Example: limiting logical access to
  - Specifications
  - Test results for a product under development
  - Salary
- Audit
  - Action type
  - Area of action
  - Time of action
  - User of action

FGA ADD_POLICY Parameters

| Parameter | Description | Default Value |
|---|---|---|
| object_schema | The schema of the object to be audited. (If NULL, then the current login user schema is assumed.) | NULL |
| object_name | The name of the object to be audited. | (no default) |
| policy_name | The unique name of the policy. | (no default) |
| audit_condition | A condition in a row that indicates a monitoring condition. NULL is allowed and acts as TRUE. | NULL |
| audit_column | The columns to be checked for access. These can include hidden columns. The default, NULL, causes an audit if any column is accessed or affected. | NULL |
| handler_schema | The schema that contains the event handler. The default, NULL, causes the current schema to be used. | NULL |
| handler_module | The function name of the event handler, including the package name if necessary. This function is called only after the first row that matches the audit condition in the query is processed. If the procedure fails with an exception, then the user SQL statement will fail as well. | NULL |
| enable | Whether the policy is to be enabled: TRUE means enable it. | TRUE |
| statement_types | The SQL statement types to which this policy is applicable: INSERT, UPDATE, DELETE, or SELECT only. | SELECT |
| audit_trail | Both where to write the fine-grained audit trail and whether or not to populate LSQLTEXT and LSQLBIND. | DB + EXTENDED |
| audit_column_opts | Whether a statement is audited when the query references any column specified in the audit_column parameter or only when all such columns are referenced. | ANY_COLUMNS |

Fine-Grained Auditing
Event handler
- Flexible event handler (handler_module)
  - Notify the administrator when the triggering event occurs
  - Required signature:

```sql
PROCEDURE <procedure name> (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2) AS ...
```

Audit trail record (audit_trail)
- DBMS_FGA.DB + DBMS_FGA.EXTENDED: SQLBIND and SQLTEXT values are recorded
- DBMS_FGA.XML: audit records are written to XML-formatted OS files

Fine-Grained Auditing
DBMS_FGA.ADD_POLICY Syntax

```sql
DBMS_FGA.ADD_POLICY(
  object_schema     VARCHAR2,
  object_name       VARCHAR2,
  policy_name       VARCHAR2,
  audit_condition   VARCHAR2,
  audit_column      VARCHAR2,
  handler_schema    VARCHAR2,
  handler_module    VARCHAR2,
  enable            BOOLEAN,
  statement_types   VARCHAR2,
  audit_trail       BINARY_INTEGER IN DEFAULT,
  audit_column_opts BINARY_INTEGER IN DEFAULT);
```

Fine-Grained Auditing
DBMS_FGA.ADD_POLICY Example

```sql
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'scott',
    object_name       => 'emp',
    policy_name       => 'mypolicy1',
    audit_condition   => 'sal < 100',   -- audit when sal < 100
    audit_column      => 'comm, sal',
    handler_schema    => NULL,
    handler_module    => NULL,
    enable            => TRUE,
    statement_types   => 'INSERT, UPDATE',
    audit_trail       => DBMS_FGA.XML + DBMS_FGA.EXTENDED,
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/
```

Fine-Grained Auditing
DBMS_FGA.ADD_POLICY Example

```sql
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'POLICY_EMP_SAL_COMM',
    audit_condition   => 'NULL',   -- record all (note: the quoted 'NULL' passes the text NULL as the
                                   -- predicate; an unquoted NULL is the documented "always TRUE" condition)
    audit_column      => 'SALARY, COMMISSION_PCT',
    statement_types   => 'SELECT, UPDATE',
    -- audit only when all columns listed in audit_column appear in the statement
    audit_column_opts => DBMS_FGA.ALL_COLUMNS);
END;
/
```

PL/SQL procedure successfully completed.
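The event handler slide gives only the handler signature; the following added example (not from the slides) wires a complete handler_module to an ADD_POLICY call so that each policy hit also lands in a notification table. The schema SECAUDIT, the table SECAUDIT.FGA_ALERTS, the procedure SECAUDIT.NOTIFY_SAL_ACCESS and the policy name POLICY_EMP_SAL_NOTIFY are assumptions.

```sql
-- Added example (not from the slides). Assumed names: SECAUDIT.FGA_ALERTS,
-- SECAUDIT.NOTIFY_SAL_ACCESS, policy POLICY_EMP_SAL_NOTIFY.
-- Requires EXECUTE on DBMS_FGA for the account that creates the policy.

CREATE TABLE secaudit.fga_alerts (
  alert_time    TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user       VARCHAR2(30),
  os_user       VARCHAR2(255),
  object_schema VARCHAR2(30),
  object_name   VARCHAR2(128),
  policy_name   VARCHAR2(30)
);

-- Handler signature must match the slide: (object_schema, object_name, policy_name).
-- It is called once, after the first row matching audit_condition is processed,
-- and an unhandled exception here makes the user's own statement fail.
CREATE OR REPLACE PROCEDURE secaudit.notify_sal_access (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- keep the alert even if the audited statement rolls back
BEGIN
  INSERT INTO secaudit.fga_alerts
    (db_user, os_user, object_schema, object_name, policy_name)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     object_schema, object_name, policy_name);
  COMMIT;
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'POLICY_EMP_SAL_NOTIFY',
    audit_condition   => 'SALARY > 10000',               -- only rows with high salaries are of interest
    audit_column      => 'SALARY',
    handler_schema    => 'SECAUDIT',
    handler_module    => 'NOTIFY_SAL_ACCESS',
    enable            => TRUE,
    statement_types   => 'SELECT, UPDATE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED, -- also keep SQL_TEXT and SQL_BIND in FGA_LOG$
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/
```

The regular FGA record is still written to SYS.FGA_LOG$ (visible via DBA_FGA_AUDIT_TRAIL); the handler only adds the out-of-band notification.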

Fine-Grained Auditing
Example executions as HR:

```sql
UPDATE hr.employees SET SALARY = SALARY+ 4000 WHERE employee_id =197;
UPDATE hr.employees SET SALARY = SALARY+ 4000, COMMISSION_PCT = COMMISSION_PCT+ 0.5 WHERE COMMISSION_PCT > 0;
SELECT employee_id, salary FROM hr.employees;
DELETE hr.employees WHERE employee_id = 110;
SELECT * FROM hr.employees;
```

Fine-Grained Auditing
Example executions before the policy is enabled:

```sql
UPDATE hr.employees SET SALARY = SALARY+ 4000 WHERE employee_id =197;
1 row updated.

UPDATE hr.employees SET SALARY = SALARY+ 4000, COMMISSION_PCT = COMMISSION_PCT+ 0.5 WHERE COMMISSION_PCT > 0;
35 rows updated.

SELECT employee_id, salary FROM hr.employees;
107 rows selected.

DELETE hr.employees WHERE employee_id = 110;
1 row deleted.

SELECT * FROM hr.employees;
106 rows selected.
```

Fine-Grained Auditing
DBMS_FGA.ENABLE_POLICY Syntax and Example

```sql
DBMS_FGA.ENABLE_POLICY(
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2,
  enable        BOOLEAN);

BEGIN
  DBMS_FGA.ENABLE_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    policy_name   => 'POLICY3_EMP_SAL_COMM',
    enable        => TRUE);
END;
/
```

PL/SQL procedure successfully completed.

Fine-Grained Auditing
DBMS_FGA.DISABLE_POLICY and DBMS_FGA.DROP_POLICY Syntax

Neither procedure takes an enable parameter; both identify the policy by schema, object and policy name only.

```sql
DBMS_FGA.DISABLE_POLICY(
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2);

DBMS_FGA.DROP_POLICY(
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2);
```

Fine-Grained Auditing
Example executions when enabled:

```sql
UPDATE hr.employees SET SALARY = SALARY+ 4000 WHERE employee_id =197;
1 row updated.
-- NOT audited: only an UPDATE on SALARY (no COMMISSION_PCT)

UPDATE hr.employees SET SALARY = SALARY+ 4000, COMMISSION_PCT = COMMISSION_PCT+ 0.5 WHERE COMMISSION_PCT > 0;
35 rows updated.
UPDATE hr.employees
*
ERROR at line 1:
ORA-28138: Error in Policy Predicate
-- audited when UPDATE/SELECT on SALARY AND COMMISSION_PCT
```

Fine-Grained Auditing
Example executions when enabled:

```sql
SELECT employee_id, salary FROM hr.employees;
107 rows selected.
-- NOT audited: the policy requires both SALARY and COMMISSION_PCT

DELETE hr.employees WHERE employee_id = 110;
1 row deleted.
-- NOT audited: DELETE is not among the statement_types specified

SELECT * FROM hr.employees;
106 rows selected.
SELECT * FROM hr.employees
*
ERROR at line 1:
ORA-28112: failed to execute policy function
```

Fine-Grained Auditing
Audit trails:

```sql
SELECT * FROM SYS.FGA_LOG$;
SELECT * FROM DBA_FGA_AUDIT_TRAIL;   -- DELETE FROM DBA_FGA_AUDIT_TRAIL is also possible
```

Record returned for the audited UPDATE above (column values as shown on the slide):

```text
847  20-APR-10  HR  WORKGROUP\MET-VS  HR  POLICY_EMP_SAL_COMM
UPDATE hr.employees SET SALARY = SALARY+ 4000 WHERE employee_id =197
UPDATE  20-APR-10 03.39.32.544000 PM -04:00
MET-VS\CS780  MET-VS\CS780  EMPLOYEES  698725
```

Audit trails as stored in OS

| Element | Type |
|---|---|
| AUDIT_TYPE | NUMBER |
| CLIENT_ID | VARCHAR2(64) |
| COMMENT_TEXT | VARCHAR2(4000) |
| DB_USER | VARCHAR2(30) |
| ENTRYID | NUMBER |
| EXTENDED_TIMESTAMP | TIMESTAMP(6) WITH TIME ZONE |
| GLOBAL_UID | VARCHAR2(32) |
| INSTANCE_NUMBER | NUMBER |
| OBJECT_NAME | VARCHAR2(128) |
| OBJECT_SCHEMA | VARCHAR2(30) |
| POLICY_NAME | VARCHAR2(30) |
| PROXY_SESSIONID | NUMBER |
| SESSION_ID | NUMBER |
| SQL_BIND | VARCHAR2(4000) |
| SQL_TEXT | VARCHAR2(4000) |
| STATEMENT_TYPE | VARCHAR2(28) |
| STATEMENTID | NUMBER |
| TERMINAL | VARCHAR2(255) |
| TRANSACTIONID | RAW(8) |

Audit Trails Views

| View | Description |
|---|---|
| STMT_AUDIT_OPTION_MAP | Contains information about auditing option type codes. Created by the SQL.BSQ script at CREATE DATABASE time. |
| AUDIT_ACTIONS | Contains descriptions for audit trail action type codes. |
| ALL_DEF_AUDIT_OPTS | Contains default object-auditing options that will be applied when objects are created. |
| DBA_STMT_AUDIT_OPTS | Describes current system auditing options across the system and by user. |
| DBA_PRIV_AUDIT_OPTS | Describes current system privileges being audited across the system and by user. |
| DBA_OBJ_AUDIT_OPTS, USER_OBJ_AUDIT_OPTS | Describes auditing options on all objects. The USER view describes auditing options on all objects owned by the current user. |
| DBA_AUDIT_TRAIL, USER_AUDIT_TRAIL | Lists all audit trail entries. The USER view shows audit trail entries relating to the current user. |
| DBA_AUDIT_OBJECT, USER_AUDIT_OBJECT | Contains audit trail records for all objects in the system. The USER view lists audit trail records for statements concerning objects that are accessible to the current user. |
| DBA_AUDIT_SESSION, USER_AUDIT_SESSION | Lists all audit trail records concerning CONNECT and DISCONNECT. The USER view lists all audit trail records concerning connections and disconnections for the current user. |
| DBA_AUDIT_STATEMENT, USER_AUDIT_STATEMENT | Lists audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements throughout the database, or for the USER view, issued by the user. |
| DBA_AUDIT_EXISTS | Lists audit trail entries produced by AUDIT NOT EXISTS. |
| DBA_AUDIT_POLICIES | Shows all the auditing policies on the system. |
| DBA_FGA_AUDIT_TRAIL | Lists audit trail records for value-based auditing. |
| DBA_COMMON_AUDIT_TRAIL | Combines standard and fine-grained audit log records, and includes SYS and mandatory audit records written in XML format. |

Audit Trails
Combining regular auditing (AUDIT command) and FGA audit policies
- Query the DBA_COMMON_AUDIT_TRAIL data dictionary view
- It is the union of the DBA_AUDIT_TRAIL and DBA_FGA_AUDIT_TRAIL data dictionary views
  - The DBA_AUDIT_TRAIL view provides standard audit trail entries
  - DBA_FGA_AUDIT_TRAIL displays all audit records for FGA
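Reviewing the combined trail as an added example (not from the slides): the queries below pull standard and FGA records for HR.EMPLOYEES from DBA_COMMON_AUDIT_TRAIL, then drill into the FGA view for bind values and per-user hit counts. They assume SELECT access to the DBA_* views (for example via SELECT_CATALOG_ROLE) and use the policy name POLICY_EMP_SAL_COMM from the slides.

```sql
-- Added example (not from the slides). Assumes SELECT on the DBA_* views.

-- 1. Standard (AUDIT command) and FGA records on HR.EMPLOYEES, last 24 hours
SELECT audit_type,            -- distinguishes standard from fine-grained records
       extended_timestamp,
       db_user,
       policy_name,           -- NULL for standard audit records
       statement_type,
       sql_text               -- populated for FGA when DBMS_FGA.EXTENDED was requested
  FROM dba_common_audit_trail
 WHERE object_schema = 'HR'
   AND object_name   = 'EMPLOYEES'
   AND extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY extended_timestamp;

-- 2. FGA only: the statement and the bind values it ran with, newest first
SELECT session_id, extended_timestamp, db_user, terminal, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'POLICY_EMP_SAL_COMM'
 ORDER BY extended_timestamp DESC;

-- 3. Who trips which policy most often over the last week (quick anomaly check)
SELECT db_user, policy_name, COUNT(*) AS hits
  FROM dba_fga_audit_trail
 WHERE extended_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
 GROUP BY db_user, policy_name
 ORDER BY hits DESC;
```

SQL_TEXT and SQL_BIND are empty unless the policy was created with DBMS_FGA.EXTENDED in audit_trail, as the ADD_POLICY parameter table states.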

Questions/Comments?
