Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Oracle Unified Auditing, 20 February 2018
Claudia Hüffer, Principal Sales Consultant, Oracle Architects for Cloud & IT Technologies
Safe Harbor Statement: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Agenda
1. Auditing – Reasons and Methods
2. Options with Oracle 12c
3. Unified Auditing – Concept, Privileges, Roles
4. Unified Auditing – Enabling, Setting Up
5. Unified Auditing – Housekeeping
6. Summary
Auditing – Reasons and Methods: What is Auditing?
• Database Security Guide: http://docs.oracle.com/database/121/DBSEG/auditing.htm#DBSEG340
• Auditing is the monitoring and recording of configured database actions, from both database users and nondatabase users.
• Oracle recommends that you audit your databases.
• Auditing is an effective method of enforcing strong internal controls so that your site can meet its regulatory compliance requirements.
GDPR's Key Security Principles
• Assess: Processes, Profiles, Data Sensitivity, Risks
• Detect: Auditing, Activity Monitoring, Alerting, Reporting
• Prevent: Encryption, Pseudonymization, Anonymization, Fine Grained Access Control, Privileged Access Control, Separation of Duties
Auditing – Reasons and Methods: Properties of Auditing
Auditing – Reasons and Methods: Scope and Best Practices
• As a general rule, design your auditing strategy to collect the amount of information that you need to meet compliance requirements, but focus on activities that cause the greatest security concerns.
• Periodically archive and purge the audit trail data.
Auditing – Reasons and Methods: Methods
• Unified Auditing
• Standard Auditing
• Fine Grained Auditing
• Custom auditing using table triggers
• Generating SQL traces via logon triggers
• Oracle LogMiner
Auditing in Oracle 12c: Unified Auditing – Single Unified Database Audit Trail
• Trail sources consolidated: AUD$, FGA_LOG$, DVSYS AUDIT_TRAIL$, OS, XML, EXTENDED
• → one Unified Audit Trail, queried through the view UNIFIED_AUDIT_TRAIL
• Audit Viewer role: view audit data
• Audit Admin role: manage policies, manage audit data
Auditing in Oracle 12c: Unified Auditing Architecture – Oracle 12cR1
1. Actions audited (e.g. select * from hr.employees, create Database Vault realm, expdp/impdp, backup/restore/recover) generate audit records.
2. The audit records are held in SGA in-memory queues.
3. The GEN0 background process writes them out; a manual flush is possible with: SQL> EXEC SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL
4. The records land in the read-only AUDSYS table, exposed through the view SYS.UNIFIED_AUDIT_TRAIL.
Auditing in Oracle 12c: Unified Auditing Architecture – Influencing Queueing Behaviour in 12cR1
• By default, audit records are first written to SGA queues and then periodically to the audit table in the AUDSYS schema in the SYSAUX tablespace. → On a crash or SHUTDOWN ABORT, records could be lost!
• Available modes: immediate-write mode; queued-write mode (default); set with the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY procedure
• Init.ora parameter UNIFIED_AUDIT_SGA_QUEUE_SIZE, 1-30 MB
Auditing in Oracle 12c: Unified Auditing Architecture – Influencing Queueing Behaviour in 12cR1
• Setting immediate-write mode with:
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
    DBMS_AUDIT_MGMT.AUDIT_TRAIL_IMMEDIATE_WRITE);
END;
/
Auditing in Oracle 12c: Unified Auditing Architecture – Influencing Queueing Behaviour in 12cR1
• Setting queued-write mode with:
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
    DBMS_AUDIT_MGMT.AUDIT_TRAIL_QUEUED_WRITE);
END;
/
Auditing in Oracle 12c: Unified Auditing Architecture – Influencing Queueing Behaviour in 12cR1
• Manual flush of the audit records into the audit trail in queued mode:
• Current instance:
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL(DBMS_AUDIT_MGMT.FLUSH_CURRENT_INSTANCE);
• All instances in a RAC environment:
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL(DBMS_AUDIT_MGMT.FLUSH_ALL_INSTANCES);
• In multitenant environments: CONTAINER => DBMS_AUDIT_MGMT.CONTAINER_CURRENT or DBMS_AUDIT_MGMT.CONTAINER_ALL
Auditing in Oracle 12c: Unified Auditing Architecture – Oracle 12cR2 – no more queueing
• To improve read performance of the unified audit trail, the unified audit records are written immediately to disk to an internal relational table in the AUDSYS schema. In the previous release, the unified audit records were written to the common logging infrastructure (CLI) SGA queues.
• If the version of the database that you are using supports partitioned tables, then this internal table is a partitioned table.
• By default, audit trail records are written to the AUDSYS schema in the SYSAUX tablespace. You can designate a different tablespace, including one that is encrypted, by using the built-in PL/SQL procedure DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION.
Auditing in Oracle 12c: Which audit modes does Oracle 12c have?
• A newly installed Oracle 12c database is in so-called mixed mode
• Traditional and unified auditing can be used in parallel
• This serves to become familiar with unified auditing and to migrate old audit settings to unified auditing step by step
• The database shows mixed mode (default for a new 12c DB):
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
VALUE
----------------------------------------------------------------
FALSE
Auditing in Oracle 12c: Differences between Mixed Mode Auditing and Pure Unified Auditing
Mode | Features | How to enable
Mixed mode auditing | Has both traditional and unified auditing | Enable any unified audit policy. There is no need to restart the database.
Pure unified auditing | Has only unified auditing | Link the oracle binary with uniaud_on and restart the database.
Unified Auditing: What can be audited?
• Auditing SQL Statements, Privileges, and Other General Activities – create a policy with CREATE AUDIT POLICY – enable it with AUDIT POLICY – analyze by querying UNIFIED_AUDIT_TRAIL
• Auditing Commonly Used Security-Relevant Activities – assign a predefined policy – analyze by querying UNIFIED_AUDIT_TRAIL
• Auditing Specific, Fine-Grained Activities – use the DBMS_FGA PL/SQL package – analyze by querying UNIFIED_AUDIT_TRAIL
Unified Auditing: Privileges and Roles
• Oracle provides two roles for users who perform auditing: AUDIT_ADMIN and AUDIT_VIEWER
• To perform any kind of auditing, you must be granted the AUDIT_ADMIN role. This role enables you to create unified and fine-grained audit policies, use the AUDIT and NOAUDIT SQL statements, view audit data, and manage the audit trail administration.
• An auditor can view audit data after being granted the AUDIT_VIEWER role. This role enables users to view and analyze audit data.
• In previous releases, users were allowed to add and remove audit configuration to objects in their own schemas without any additional privileges. This ability is no longer allowed.
Unified Auditing – Enabling, Setting Up: Switching to Pure Unified Auditing Mode
• For this, the oracle executable must be relinked
• 1) Shut down the database with SQL> shutdown immediate
• 2) Relink the oracle executable:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle
• 3) Start the database again: SQL> STARTUP
Unified Auditing – Enabling, Setting Up: Which mode is set?
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
VALUE
----------------------------------------------------------------
FALSE   <- Mixed mode = default after a new installation, or the state after relinking with the uniaud_off switch
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
VALUE
----------------------------------------------------------------
TRUE    <- Pure unified auditing mode, the state after relinking with the uniaud_on switch
Unified Auditing: Information in the Audit Records
Basic Audit Information (BAI, in view SYS.UNIFIED_AUDIT_TRAIL):
• Database session: Username, Database Client, Terminal, IP Address, Instance Number, DBID
• Database operation: Action executed, SCN, Object accessed, SQL statement
Extended Audit Information (EAI, new columns in view SYS.UNIFIED_AUDIT_TRAIL) for component-specific information:
• FGA: FGA_POLICY_NAME
• Data Pump operations: DP_XXX
• RMAN operations: RMAN_XXX
• OLS operations: OLS_XXX
• DV violations/changes: DV_XXX
• RAS operations: XS_XXX
Unified Auditing: Mandatory Auditing
• The UNIFIED_AUDIT_TRAIL data dictionary view captures activities from administrative users such as SYSDBA, SYSBACKUP, and SYSKM
• The following audit-related activities are mandatorily audited: CREATE AUDIT POLICY, ALTER AUDIT POLICY, DROP AUDIT POLICY, AUDIT, NOAUDIT, EXECUTE of the DBMS_FGA PL/SQL package, EXECUTE of the DBMS_AUDIT_MGMT PL/SQL package, ALTER TABLE attempts on the AUDSYS audit trail table (not possible), top level statements by the administrative users SYS, SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM until the database opens, all user-issued DML statements on the SYS.AUD$ and SYS.FGA_LOG$ dictionary tables, ...
Every change to the AUDIT settings and also the deletion of AUDIT entries is logged! Every admin activity leaves traces! Important for auditors!
Unified Auditing: CREATE AUDIT POLICY – Syntax
Unified Auditing: AUDIT POLICY – Syntax
Auditing SQL Statements, Privileges, and Other General Activities: Unified and Conditional Auditing
Parts of a policy, shown for my-audit-policy:
• Policy Name: my-audit-policy
• What: PRIVILEGES, ACTIONS
• When: WHEN IP_ADDRESS != ''10.288.241.88''
• Exceptions: Except HR
Auditing SQL Statements, Privileges, and Other General Activities: Auditing Roles
• When you audit a role, Oracle Database audits all system privileges that are directly granted to the role.
• Syntax: CREATE AUDIT POLICY policy_name ROLES role1 [, role2];
• Example 1: CREATE AUDIT POLICY audit_roles_pol ROLES IMP_FULL_DATABASE, EXP_FULL_DATABASE;
• Example 2: CREATE AUDIT POLICY role_dba_audit_pol ROLES DBA CONTAINER = ALL;
• Enable e.g. with: AUDIT POLICY role_dba_audit_pol;
Auditing SQL Statements, Privileges, and Other General Activities: Auditing System Privileges
• System privilege auditing audits activities that use a system privilege, such as SELECT ANY TABLE.
• List of auditable system privileges: SYSTEM_PRIVILEGE_MAP table (>250)
• Syntax: CREATE AUDIT POLICY policy_name PRIVILEGES privilege1 [, privilege2];
• Example: CREATE AUDIT POLICY my_simple_priv_policy PRIVILEGES SELECT ANY TABLE, CREATE LIBRARY;
Auditing SQL Statements, Privileges, and Other General Activities: Auditing System Privileges
• Example with a condition: CREATE AUDIT POLICY os_users_priv_pol PRIVILEGES SELECT ANY TABLE, CREATE LIBRARY WHEN 'SYS_CONTEXT (''USERENV'', ''OS_USER'') IN (''psmith'', ''jrawlins'')' EVALUATE PER SESSION;
• Enable with: AUDIT POLICY os_users_priv_pol;
• Query e.g. with: SELECT SYSTEM_PRIVILEGE_USED FROM UNIFIED_AUDIT_TRAIL WHERE OS_USERNAME = 'PSMITH' AND UNIFIED_AUDIT_POLICIES = 'OS_USERS_PRIV_POL';
Auditing SQL Statements, Privileges, and Other General Activities: Auditing Object Actions
• Syntax: CREATE AUDIT POLICY policy_name ACTIONS action1 [, action2 ON object1] [, action3 ON object2];
• Examples:
– CREATE AUDIT POLICY my_simple_obj_policy ACTIONS SELECT ON OE.ORDERS, UPDATE ON HR.EMPLOYEES; (actions on several objects)
– CREATE AUDIT POLICY select_user_dictionary_table_pol ACTIONS SELECT ON SYS.USER$; (action on a SYS object)
– CREATE AUDIT POLICY actions_on_hr_emp_pol1 ACTIONS EXECUTE, GRANT ON app_lib; (several actions on one object)
Auditing SQL Statements, Privileges, and Other General Activities: Auditing Object Actions
• Further examples:
– CREATE AUDIT POLICY all_actions_on_hr_emp_pol ACTIONS ALL ON HR.EMPLOYEES; (all actions on one table)
– CREATE AUDIT POLICY actions_on_hr_emp_pol2 PRIVILEGES CREATE LIBRARY ACTIONS EXECUTE, GRANT ON app_lib; (combination of a system privilege and an object action)
• In all examples the policy must afterwards be enabled with AUDIT POLICY ...!
Auditing SQL Statements, Privileges, and Other General Activities: Auditing Oracle Recovery Manager Events
• The UNIFIED_AUDIT_TRAIL data dictionary view automatically stores Oracle Recovery Manager audit events in the RMAN_* columns.
• Unlike other Oracle Database components, you do not create a unified audit policy for Oracle Recovery Manager events.
• Relevant columns in UNIFIED_AUDIT_TRAIL:
RMAN_SESSION_RECID – Recovery Manager session identifier
RMAN_SESSION_STAMP – Timestamp for the session
RMAN_OPERATION – The Recovery Manager operation executed by the job
RMAN_OBJECT_TYPE – Type of objects involved in a Recovery Manager session
RMAN_DEVICE_TYPE – Device associated with a Recovery Manager session
Auditing SQL Statements, Privileges, and Other General Activities: Auditing Oracle Data Pump Events
• You can audit Data Pump export (expdp) and import (impdp) operations.
• Syntax: CREATE AUDIT POLICY policy_name ACTIONS COMPONENT=DATAPUMP { EXPORT | IMPORT | ALL };
• Examples:
– CREATE AUDIT POLICY audit_dp_export_pol ACTIONS COMPONENT=DATAPUMP EXPORT;
– CREATE AUDIT POLICY audit_dp_import_pol ACTIONS COMPONENT=DATAPUMP IMPORT;
– CREATE AUDIT POLICY audit_dp_all_pol ACTIONS COMPONENT=DATAPUMP ALL;
Auditing SQL Statements, Privileges, and Other General Activities: Auditing Oracle Data Pump Events
The DP_* columns of the UNIFIED_AUDIT_TRAIL view show Oracle Data Pump-specific audit data.
Unified Auditing and Multitenant: Local Unified Audit Policy versus Common Unified Audit Policy
• Example of a common unified audit policy (must be entered in the root):
CREATE AUDIT POLICY dict_updates ACTIONS UPDATE ON SYS.USER$, DELETE ON SYS.USER$, UPDATE ON SYS.LINK$, DELETE ON SYS.LINK$ CONTAINER = ALL;
• Example of a local unified audit policy (entered in a PDB):
CREATE AUDIT POLICY table_privs PRIVILEGES CREATE ANY TABLE, DROP ANY TABLE CONTAINER = CURRENT;
Unified Auditing: Assigning a policy with AUDIT POLICY ...
Unified Auditing: Assigning an Audit Policy with AUDIT POLICY – Examples
• Assign to specific users: AUDIT POLICY role_connect_audit_pol BY SYS, SYSTEM;
• Assign to users with specific roles: AUDIT POLICY admin_audit_pol BY USERS WITH GRANTED ROLES DBA, CDB_DBA;
• Exclude specific users when assigning: AUDIT POLICY role_connect_audit_pol EXCEPT rlee, jrandolph;
• Audit record only on failure: AUDIT POLICY role_connect_audit_pol WHENEVER NOT SUCCESSFUL;
Auditing Commonly Used Security-Relevant Activities: Using Predefined Policies
• Logon Failures Predefined Unified Audit Policy: The ORA_LOGON_FAILURES unified audit policy tracks failed logons only, but not any other kinds of logons.
• Secure Options Predefined Unified Audit Policy: The ORA_SECURECONFIG unified audit policy provides all the secure configuration audit options.
• Oracle Database Parameter Changes Predefined Unified Audit Policy: The ORA_DATABASE_PARAMETER policy audits commonly used Oracle Database parameter settings.
• User Account and Privilege Management Predefined Unified Audit Policy: The ORA_ACCOUNT_MGMT policy audits commonly used user account and privilege settings.
• Center for Internet Security Recommendations Predefined Unified Audit Policy: The ORA_CIS_RECOMMENDATIONS policy performs audits that the Center for Internet Security (CIS) recommends.
• Oracle Database Real Application Security Predefined Audit Policies: You can use predefined unified audit policies for Oracle Database Real Application Security events.
• Oracle Database Vault Predefined Unified Audit Policy: The ORA_DV_AUDPOL predefined unified audit policy audits Oracle Database Vault schema objects.
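An added example (not from the original deck) that enables two of the predefined policies listed above and then uses the trail for detection: clustering failed logons by source, and a daily review list of account and privilege changes. The threshold of 5, the time windows and the action list are assumptions to tune per environment.

```sql
-- Added example (not from the original slides): predefined policies as a
-- detection source. Needs AUDIT_ADMIN for the AUDIT statements and at
-- least AUDIT_VIEWER for the queries. The threshold (5) and the windows
-- (1 hour, 1 day) are constructed values.

-- ORA_LOGON_FAILURES records failed logons only; ORA_SECURECONFIG covers
-- the secure-configuration actions.
AUDIT POLICY ORA_LOGON_FAILURES;
AUDIT POLICY ORA_SECURECONFIG;

-- Confirm both are active.
SELECT policy_name, user_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('ORA_LOGON_FAILURES', 'ORA_SECURECONFIG');

-- Detection 1: sources with more than 5 failed logons in the last hour.
-- RETURN_CODE carries the ORA error: 1017 = invalid username/password,
-- 28000 = account locked (appears once repeated failures have locked
-- a valid account).
SELECT userhost, os_username, dbusername,
       COUNT(*)                                              AS failures,
       SUM(CASE WHEN return_code = 1017  THEN 1 ELSE 0 END)  AS bad_password,
       SUM(CASE WHEN return_code = 28000 THEN 1 ELSE 0 END)  AS locked,
       MIN(event_timestamp)                                  AS first_seen,
       MAX(event_timestamp)                                  AS last_seen
  FROM unified_audit_trail
 WHERE action_name = 'LOGON'
   AND return_code <> 0
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
 GROUP BY userhost, os_username, dbusername
HAVING COUNT(*) > 5
 ORDER BY failures DESC;

-- Detection 2: account and privilege changes in the last day, with who
-- made them and from which program/host. The action list is an
-- assumption; extend it to match your own review procedure.
SELECT event_timestamp, dbusername, userhost, client_program_name,
       action_name, object_name, return_code, sql_text
  FROM unified_audit_trail
 WHERE action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER',
                       'GRANT', 'REVOKE', 'ALTER SYSTEM')
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp DESC;
```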
Unified Auditing: Housekeeping
• Archiving the Unified and Traditional Database Audit Trails – To archive the unified, traditional standard, and traditional fine-grained audit records, copy the relevant records to a normal database table:
INSERT INTO table SELECT ... FROM UNIFIED_AUDIT_TRAIL ...;
INSERT INTO table SELECT ... FROM SYS.AUD$ ...;
INSERT INTO table SELECT ... FROM SYS.FGA_LOG$ ...;
• Purging Audit Trail Records – You can use the DBMS_AUDIT_MGMT PL/SQL package to schedule automatic purge jobs, manually purge audit records, and perform other audit trail operations.
Unified Auditing: Purging Audit Trail Information
• To perform the audit trail purge tasks, in most cases, you use the DBMS_AUDIT_MGMT PL/SQL package.
• You must have the AUDIT_ADMIN role before you can use the DBMS_AUDIT_MGMT package.
• Oracle Database mandatorily audits all executions of the DBMS_AUDIT_MGMT PL/SQL package procedures.
• Purge the audit trail manually, or create a job that purges it regularly
Unified Auditing: Purging the Audit Trail on a Regularly Scheduled Basis
• Procedure:
1) Plan a timestamp and archive strategy
2) Optionally set an archive timestamp for audit records
3) Create and schedule the purge job
4) Enable (or disable) the purge job
Unified Auditing – Purging on a regularly scheduled basis: Set an archive timestamp for audit records – Example
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    AUDIT_TRAIL_TYPE    => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    LAST_ARCHIVE_TIME   => '12-OCT-2017 06:30:00.00',
    RAC_INSTANCE_NUMBER => 1,
    CONTAINER           => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
AUDIT_TRAIL_TYPE: DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD, DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS, DBMS_AUDIT_MGMT.AUDIT_TRAIL_XML
CONTAINER: DBMS_AUDIT_MGMT.CONTAINER_CURRENT, DBMS_AUDIT_MGMT.CONTAINER_ALL (only from the root)
LAST_ARCHIVE_TIME: DD-MON-YYYY HH:MI:SS.FF or e.g. sysdate-14
Unified Auditing – Purging on a regularly scheduled basis: Create and Schedule the Purge Job – Example
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    AUDIT_TRAIL_TYPE           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    AUDIT_TRAIL_PURGE_INTERVAL => 12,
    AUDIT_TRAIL_PURGE_NAME     => 'Audit_Trail_PJ',
    USE_LAST_ARCH_TIMESTAMP    => TRUE,
    CONTAINER                  => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
AUDIT_TRAIL_PURGE_INTERVAL: in hours. Later on, if you want to update this value, run the DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL procedure.
Unified Auditing – Purging on a regularly scheduled basis: Enable / Disable Purge Job – Example
BEGIN
  DBMS_AUDIT_MGMT.SET_PURGE_JOB_STATUS(
    AUDIT_TRAIL_PURGE_NAME   => 'Audit_Trail_PJ',
    AUDIT_TRAIL_STATUS_VALUE => DBMS_AUDIT_MGMT.PURGE_JOB_ENABLE);
END;
/
AUDIT_TRAIL_STATUS_VALUE: DBMS_AUDIT_MGMT.PURGE_JOB_ENABLE, DBMS_AUDIT_MGMT.PURGE_JOB_DISABLE
Unified Auditing: Manually Purging the Audit Trail
• Procedure:
1) Plan a timestamp and archive strategy
2) Optionally set an archive timestamp for audit records
3) Purge audit records with DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL
Unified Auditing – Manually Purging the Audit Trail: Set an archive timestamp for audit records – Example
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    AUDIT_TRAIL_TYPE    => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    LAST_ARCHIVE_TIME   => '12-OCT-2013 06:30:00.00',
    RAC_INSTANCE_NUMBER => 1,
    CONTAINER           => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
AUDIT_TRAIL_TYPE: DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD, DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS, DBMS_AUDIT_MGMT.AUDIT_TRAIL_XML
CONTAINER: DBMS_AUDIT_MGMT.CONTAINER_CURRENT, DBMS_AUDIT_MGMT.CONTAINER_ALL (only from the root)
LAST_ARCHIVE_TIME: DD-MON-YYYY HH:MI:SS.FF or e.g. sysdate-14
Unified Auditing – Manually Purging the Audit Trail: Manually Purge Audit Trail – Example
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    AUDIT_TRAIL_TYPE        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    USE_LAST_ARCH_TIMESTAMP => TRUE,
    CONTAINER               => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
Unified Auditing: Data Dictionary Views
AUDIT_UNIFIED_POLICIES – Describes all unified audit policies created in the database
AUDIT_UNIFIED_ENABLED_POLICIES – Describes all unified audit policies that are enabled in the database
AUDITABLE_SYSTEM_ACTIONS – Maps the auditable system action numbers to the action names
SYSTEM_PRIVILEGE_MAP (table) – Describes privilege (auditing option) type codes. This table can be used to map privilege (auditing option) type numbers to type names.
UNIFIED_AUDIT_TRAIL – Displays all audit records
V$OPTION – You can query the PARAMETER column for Unified Auditing to find out if unified auditing is enabled
Unified Auditing: Audit Trail Management Data Dictionary Views
DBA_AUDIT_MGMT_CLEAN_EVENTS – Displays the history of purge events of the traditional (that is, non-unified) audit trails. This view applies to read-write databases only. For read-only databases, a history of purge events is in the alert log. (*)
DBA_AUDIT_MGMT_CLEANUP_JOBS – Displays the currently configured audit trail purge jobs
DBA_AUDIT_MGMT_CONFIG_PARAMS – Displays the currently configured audit trail properties that are used by the DBMS_AUDIT_MGMT PL/SQL package
DBA_AUDIT_MGMT_LAST_ARCH_TS – Displays the last archive timestamps that have been set for audit trail purges
(*) For unified auditing, you can find a history of purge events by querying the UNIFIED_AUDIT_TRAIL data dictionary view, using the following criteria: OBJECT_NAME is DBMS_AUDIT_MGMT, OBJECT_SCHEMA is SYS, and SQL_TEXT is set to LIKE %DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL%
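An added example (not from the original deck) that carries the housekeeping steps through end to end: archive to a normal table as sketched in the Housekeeping slide, set the archive timestamp, purge manually, and then verify the purge in the trail using the criteria from the footnote above. The table AUDIT_ARCHIVE and the 90-day retention are constructed; the package calls are the ones the slides show.

```sql
-- Added example (not from the original slides): archive-then-purge cycle
-- for the unified trail, followed by a check that the purge itself was
-- recorded. AUDIT_ARCHIVE and the 90-day retention are constructed.
-- Requires AUDIT_ADMIN; run inside the PDB (CONTAINER_CURRENT).

-- 1) Archive table, created once from the view's own column list so it
--    picks up the component-specific columns (DP_*, RMAN_*, ...).
CREATE TABLE audit_archive AS
  SELECT * FROM unified_audit_trail WHERE 1 = 0;

-- 2) Copy everything older than the retention window. Keeping the cutoff
--    in one bind variable keeps the archive and the purge in step.
VARIABLE cutoff VARCHAR2(32)
BEGIN
  :cutoff := TO_CHAR(SYSDATE - 90, 'DD-MON-YYYY HH24:MI:SS');
END;
/
INSERT INTO audit_archive
  SELECT * FROM unified_audit_trail
   WHERE event_timestamp < TO_TIMESTAMP(:cutoff, 'DD-MON-YYYY HH24:MI:SS');
COMMIT;

-- 3) Record how far the archive reaches ...
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    AUDIT_TRAIL_TYPE    => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    LAST_ARCHIVE_TIME   => TO_TIMESTAMP(:cutoff, 'DD-MON-YYYY HH24:MI:SS'),
    RAC_INSTANCE_NUMBER => 1,
    CONTAINER           => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
-- ... and confirm it is stored before anything is deleted.
SELECT audit_trail, rac_instance, last_archive_ts
  FROM dba_audit_mgmt_last_arch_ts;

-- 4) Purge only up to that timestamp. USE_LAST_ARCH_TIMESTAMP => FALSE
--    would delete the whole unified trail, so it stays TRUE here.
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    AUDIT_TRAIL_TYPE        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    USE_LAST_ARCH_TIMESTAMP => TRUE,
    CONTAINER               => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

-- 5) Mandatory auditing: the purge, like every DBMS_AUDIT_MGMT call, is
--    itself in the trail. These are the footnote's criteria, so an auditor
--    can see who cleaned the trail, from where, and when.
SELECT event_timestamp, dbusername, os_username, userhost, sql_text
  FROM unified_audit_trail
 WHERE object_schema = 'SYS'
   AND object_name   = 'DBMS_AUDIT_MGMT'
   AND sql_text LIKE '%DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL%'
 ORDER BY event_timestamp DESC;
```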
Detection is much more important than prevention ... everything we know about complex systems tells us that we cannot find and fix every vulnerability. – Bruce Schneier, Secrets and Lies, 2004, Chapter 24
Database Auditing with Oracle 12c: Unified Auditing
• Unified Audit Trail – policies control the auditing, not initialization parameters
• AUDSYS is the owner of the audit trail – only one table in the SYSAUX tablespace
• Access to the audit trail only for the roles AUDIT_ADMIN and AUDIT_VIEWER
• Supports RMAN, Data Pump and Direct Path Loader
• Better performance
Unified Auditing with Oracle 12c: Configuring
• Comparable to setting up FGA (policies)
CREATE AUDIT POLICY zumbeispiel
  PRIVILEGES SELECT ANY TABLE
  ACTIONS CREATE USER, ALTER USER, SELECT ON SCOTT.EMP
  ROLES RESOURCE
  WHEN 'SYS_CONTEXT(''USERENV'', ''MODULE'') <> (''PERSVERW'')' EVALUATE PER STATEMENT
  CONTAINER = CURRENT; -- only in a PDB
Oracle Audit Vault and Database Firewall
Diagram components: users and applications → Database Firewall (allow, log, alert, substitute, block) → firewall events and audit data → Audit Vault Repository (OS, directory, file system & arbitrary audit logs; policies (baselines)) → predefined and custom reports, alerts → Security Analyst, Auditor, SOC
Oracle Audit Vault:
• Comprehensive auditing of many systems
• Storage of audit data in a hardened system
• Separation of responsibilities (auditor, security admin, ...)
• Extensive standard reports
Maintain Control and Visibility on Cloud Databases
• Customer premise: keys, wallets, audit data, masked data – Audit Vault, Key Vault, Data Masking & Subsetting
• Database Cloud Services (DBCS): encrypt data by default using TDE; restrict admin access by Database Vault
Information Sources
• Product documentation 12cR1 – http://docs.oracle.com/database/121/DBSEG/part_6.htm
• Product documentation 12cR2 – http://docs.oracle.com/database/122/DBSEG/part_6.htm
• Tutorial – http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/12c/r1/security/sec_uni_audit/sec_uni_audit.html
• Blogs
– https://blogs.oracle.com/imc/oracle-database-12c-security:-new-unified-auditing
– https://uhesse.com/2015/07/31/less-performance-impact-with-unified-auditing-in-oracle-12c/
– http://oracle.ninja/unified-auditing-some-gotchas-to-be-aware-of/