Auditing the DBA: What non-technical managers and auditors should know. Presented by Cam Larner, President, Absolute Technologies, Inc.

Presentation transcript:

1 Auditing the DBA: What non-technical managers and auditors should know. Presented by Cam Larner, President, Absolute Technologies, Inc. January 17, 2007. Version 1.

2 Intro
–You are a manager or project lead
–You need to secure E-Biz Suite for SOX compliance purposes
–You have or are implementing controls for application end users
–Your DBA has the access and power to overcome or tamper with these controls without detection
–You need to mitigate DBA risk

3 Background
In the context of SOX, external auditors are beginning to scrutinize DBA access and requesting controls and systematic proof of such to attain compliance. After all, the systematic controls you have established for application end users will have little impact on your DBA’s ability to overcome them.

4 Outline
–Database Basics
–Auditing the DBA
–Issues
–Recommendations

5 DBA & Database Basics
1. DBA’s Primary Functions
2. Database Objects
3. Database Access
4. Database Operations
5. DBA Access in Oracle 9i / E-Biz Suite

6 DBA’s Primary Functions
–Database Creation, Startup and Shutdown
–Application Implementation/Upgrade
–Maintenance, Backup & Recovery
–Performance Optimization
–Security/User Management
–Troubleshooting

7 Database Objects
–Tables
–Views
–Procedures
–Functions
–Users
–Triggers
–Database Links
–Packages
–Indexes
–Sequences
–Synonyms
–Roles

8 Database Access
–Users: connect to the database
–Privileges: provide access to specific data or objects
–Roles: bundle privileges for easy assignment to users
(Diagram: a user receives privileges directly or through a role.) User vs. Schema? See slide 33.

9 Database Operations
–Select data from tables and views
–DML: insert, update and delete records
–DDL: create, alter and drop objects
–Startup and shutdown database

10 DBA Access in Oracle 9i / E-Biz Suite
a. Default Database Users/Schemas
b. Administrative Privileges
c. Administrative Roles
d. Connection Authentication
e. File System Entry Points to the Database
f. Application Access
The DBA has the keys to the kingdom!

11 Default Database Users/Schemas
–SYS … The master account. Owns the Data Dictionary.
–PUBLIC … All users have access to this schema.
–SYSTEM … Has all DB privileges, but can’t alter SYS objects.
–APPS … The E-Business Suite master account.
–APPLSYS … The Application Object Library master account.

12 Administrative Privileges
–SYSDBA (default schema is SYS): database creation; instance startup and shutdown; archive and recovery; can access any user’s data.
–SYSOPER (default schema is PUBLIC): same as above, but can’t access other users’ data.

13 Administrative Roles
–DBA (all system privileges WITH ADMIN OPTION)
–SELECT_CATALOG_ROLE (data dictionary views)
–EXECUTE_CATALOG_ROLE (data dictionary packages and procedures)
–DELETE_CATALOG_ROLE (AUD$ table)

14 Connection Authentication
–Oracle operating system account groups: OSDBA (dba in Unix), OSOPER (oper in Unix)
–REMOTE_LOGIN_PASSWORDFILE: None, Exclusive, Shared
–O7_DICTIONARY_ACCESSIBILITY = TRUE: users may be granted access to SYS; users may log on to SYS remotely and without OS authentication
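An added example, not from the presentation: the inventory an auditor can pull from the data dictionary to see who actually holds the privileges, roles and authentication paths described in slides 11 to 14. It assumes the queries run from a named auditor account that has been granted SELECT_CATALOG_ROLE.

```sql
-- Added example (not from the presentation). Run as a named auditor account
-- granted SELECT_CATALOG_ROLE (assumption); nothing here changes the database.

-- Who holds the administrative roles from slide 13?
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SELECT_CATALOG_ROLE',
                        'EXECUTE_CATALOG_ROLE', 'DELETE_CATALOG_ROLE')
 ORDER BY granted_role, grantee;

-- Who holds system privileges WITH ADMIN OPTION directly, i.e. can re-grant
-- them to others without going through the DBA role?
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- Who can connect AS SYSDBA / AS SYSOPER through the password file (slide 12)?
-- An empty result here does NOT mean nobody has SYSDBA: members of the OS
-- "dba" group still get it (slide 23), and that lives outside the database.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- The two connection-authentication parameters from slide 14.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_login_passwordfile', 'o7_dictionary_accessibility');
```

OS group membership (dba, oper) has to be checked on the server itself, for example in /etc/group on Unix, because the database never records it.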

15 File System Entry Points to the Database
–FNDCPASS executable (changes an application user’s password; the change is recorded as made by the FND “anonymous” user)
–$ORACLE_HOME/reports60/server/CGIcmd.dat (contains the APPS password)

16 Application Access
–SYSADMIN via APPS user
–EXAMINE via APPS user
–All underlying tables of E-Biz Suite

17 Approaches to Auditing the DBA
SQL Audit (AUDIT_TRAIL = TRUE, a database initialization parameter)
–Session: when a user logs in or out of the database
–Statement: when a user tries to delete any table
–Privilege: when a user tries to delete a table using an assigned privilege
–Object: when a user tries to delete a specific table
But… the SYS user owns the audit trail!
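An added example, not from the presentation: the four SQL Audit levels on slide 17 expressed as AUDIT statements, followed by the query an auditor would use to read the trail for DBA-role holders. It assumes AUDIT_TRAIL has already been enabled (the slide’s TRUE is the same setting as DB) and uses a constructed placeholder table, apps.sample_payments, for the object-level case.

```sql
-- Added example (not from the presentation). Prerequisite, run once by an
-- administrator: AUDIT_TRAIL is a static parameter, so it is set in the spfile
-- and takes effect after the next restart.
--   ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- Session level: record every logon and logoff.
AUDIT SESSION;

-- Statement level: CREATE, DROP or TRUNCATE of any table, by anyone.
AUDIT TABLE;

-- Privilege level: each use of the DROP ANY TABLE system privilege
-- (BY ACCESS writes one row per statement rather than one per session).
AUDIT DROP ANY TABLE BY ACCESS;

-- Object level: deletes against one specific table.
-- apps.sample_payments is a constructed placeholder, not an E-Biz object.
AUDIT DELETE ON apps.sample_payments BY ACCESS;

-- Reading the trail: recent actions by anyone holding the DBA role.
-- returncode = 0 means the statement succeeded; anything else is an ORA error.
SELECT t.timestamp, t.username, t.os_username, t.action_name,
       t.owner, t.obj_name, t.returncode
  FROM dba_audit_trail t
 WHERE t.username IN (SELECT grantee
                        FROM dba_role_privs
                       WHERE granted_role = 'DBA')
 ORDER BY t.timestamp DESC;

-- The catch on slide 17: dba_audit_trail is a view over SYS.AUD$, which SYS
-- owns. Anyone connected AS SYSDBA, or holding DELETE_CATALOG_ROLE (slide 13),
-- can delete rows from it, so the rows above prove nothing unless that access
-- is restricted and the trail is copied out (slide 25).
```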

18 Approaches to Auditing the DBA
Database Triggers (Application Auditor)
–Table level (DML)
–System level: DDL; session connection; server errors; database startup
But… the SYS user can disable the triggers!
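An added example, not from the presentation and not the Application Auditor product: the three system-level trigger types named on slide 18 (session connection, DDL, server errors), each writing to a log table owned by a separate auditor schema. The schema name AUDITOR, the table DB_EVENT_LOG and the trigger names are constructed placeholders; the account creating them needs the ADMINISTER DATABASE TRIGGER system privilege.

```sql
-- Added example (not from the presentation). AUDITOR, db_event_log and the
-- trigger names are placeholders. Create the schema as someone other than the
-- DBA being audited; the creator needs ADMINISTER DATABASE TRIGGER.

CREATE TABLE auditor.db_event_log (
  event_time  DATE          DEFAULT SYSDATE NOT NULL,
  event_type  VARCHAR2(30)  NOT NULL,   -- LOGON, DDL or SERVERERROR
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(100),
  host        VARCHAR2(100),
  detail      VARCHAR2(2000)
);

-- Session connection: who logged in, from which OS account and machine.
-- Keep the body minimal: an unhandled error in a LOGON trigger blocks logons.
CREATE OR REPLACE TRIGGER auditor.trg_logon
  AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO auditor.db_event_log (event_type, db_user, os_user, host)
  VALUES ('LOGON', ora_login_user,
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'HOST'));
END;
/

-- DDL: every CREATE / ALTER / DROP, with the object it touched.
CREATE OR REPLACE TRIGGER auditor.trg_ddl
  AFTER DDL ON DATABASE
BEGIN
  INSERT INTO auditor.db_event_log (event_type, db_user, detail)
  VALUES ('DDL', ora_login_user,
          ora_sysevent || ' ' || ora_dict_obj_type || ' '
          || ora_dict_obj_owner || '.' || ora_dict_obj_name);
END;
/

-- Server errors: failed statements are usually the first sign of someone
-- probing for access they do not have.
CREATE OR REPLACE TRIGGER auditor.trg_servererror
  AFTER SERVERERROR ON DATABASE
BEGIN
  INSERT INTO auditor.db_event_log (event_type, db_user, detail)
  VALUES ('SERVERERROR', ora_login_user, 'ORA-' || ora_server_error(1));
END;
/
```

The slide’s caveat still holds: the DBA role carries ALTER ANY TRIGGER, so these triggers can be disabled by the account they watch, and the status of the AUDITOR schema’s triggers in DBA_TRIGGERS is itself something to monitor.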

19 Approaches to Auditing the DBA
Log Miner
–Redo and archive logs
–DML
–DDL
Fine Grained Auditing (FGA)
–Monitor select statements at the row level
AUDIT_SYS_OPERATIONS = TRUE
–Database initialization parameter
But… the SYS user can disable Log Miner, FGA, or any init parameter.

20 Issues / Discussion
Common misconception: should we audit at the application or database level?
(Diagram: layers Application, Database, Operating System; the End User enters at the application layer and the DBA at the database layer; data reaches the database “On Commit”.)
Data is not stored in the application layer, but in the database layer.

21 Issues / Discussion
When is SYSDBA access necessary?
–SYSDBA has control over SYS objects, AUD$ (the SQL Audit table) and initialization parameters
Alternatives to support the DBA role
–SYSOPER (startup and shutdown)
–SYSTEM (maintenance, security)
–Named account with DBA role (maintenance, security)

22 Issues / Discussion
Securing audit mechanisms from the DBA
–Triggers
–Logminer views, redo and archive logs
–SYS.AUD$ audit trail table
–File system audit directories
–Database initialization parameters: AUDIT_FILE_DEST, AUDIT_SYS_OPERATIONS, AUDIT_TRAIL
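An added example, not from the presentation: a one-pass check an auditor can run to confirm that the mechanisms listed on slide 22 are still in the expected state, since the slide’s point is that the DBA can silently switch any of them off. It assumes the audit triggers live in a placeholder schema named AUDITOR and that the reader has SELECT_CATALOG_ROLE.

```sql
-- Added example (not from the presentation). AUDITOR is a placeholder schema
-- name; run from a named auditor account with SELECT_CATALOG_ROLE.

-- 1. The three audit initialization parameters: current value and whether
--    it is still the default (an auditor expects all three to be non-default).
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

-- 2. Audit triggers that are no longer enabled. The DBA role includes
--    ALTER ANY TRIGGER, so a disabled trigger needs no SYSDBA connection.
SELECT owner, trigger_name, status
  FROM dba_triggers
 WHERE owner = 'AUDITOR'
   AND status <> 'ENABLED';

-- 3. Fine Grained Auditing policies that have been switched off.
SELECT object_schema, object_name, policy_name, enabled
  FROM dba_audit_policies
 WHERE enabled <> 'YES';

-- 4. Who can purge SYS.AUD$ through DELETE_CATALOG_ROLE (slide 13).
--    Add the SYSDBA holders from v$pwfile_users to this list mentally.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'DELETE_CATALOG_ROLE';

-- 5. Recorded actions against the trail table or the audit triggers.
--    Actions performed as SYS only appear in AUDIT_FILE_DEST when
--    AUDIT_SYS_OPERATIONS is TRUE; this query sees the in-database trail only.
SELECT timestamp, username, action_name, owner, obj_name
  FROM dba_audit_trail
 WHERE (owner = 'SYS' AND obj_name = 'AUD$')
    OR (owner = 'AUDITOR' AND action_name LIKE '%TRIGGER%')
 ORDER BY timestamp DESC;
```

Any non-empty result from queries 2 and 3, or a default value in query 1, is a finding in itself: the control was in place at some point and is not now.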

23 Issues / Discussion
“Operating system authentication takes precedence over password file authentication. Specifically, if you are a member of the OSDBA or OSOPER group for the operating system, and you connect as SYSDBA or SYSOPER, you will be connected with associated administrative privileges regardless of the username/password that you specify.” (Oracle9i Database Administrator's Guide)

24 Recommendations
Segregate DBA duties and access
–Database and application support
–Security, access and auditing
Limit use of SYSDBA
Limit OS user assignment of the “dba” group
Utilize named accounts when possible

25 Recommendations
Audit DBA activity on key application objects
–Triggers (Application Auditor)
–Log Miner
–SQL Audit
Activate the AUDIT_SYS_OPERATIONS initialization parameter
Protect the AUDIT_FILE_DEST log directory from the DBA
–Copy audit log files to secure directories: Rsync (Unix), Unison (Unix)
Ask how App Auditor can help you secure the audit trail.

26 Recommendations
“It is suggested that you create at least one additional administrator user, and grant that user the DBA role, to use when performing daily administrative tasks. It is recommended that you do not use SYS and SYSTEM for these purposes.” (Oracle9i Database Administrator's Guide)

27 Recommendations
“To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by Oracle. They should never be modified by any user or database administrator, and no one should create any tables in the schema of user SYS.” (Oracle9i Database Administrator's Guide)

28 Commentary
It may be said by many DBAs that the DBA role is a trusted role, or that a good DBA could overcome almost any restriction or audit trail deployed for control and compliance purposes. Whether that is true or not is not the point. The reality is that external auditors are starting to scrutinize DBA access and requesting controls and systematic proof of such to attain compliance. Any particular approach may not be ‘bulletproof’, but each hurdle or preventive measure deployed reduces the overall risk as assessed by the auditor.

29 Hurdles to Mitigate Risk
(Diagram: hurdles placed in front of DBA fraud)
–Use named accounts
–Audit access
–Audit transactions
–Secure audit trail
–Limit SYSDBA usage

30 Application Auditor
Audit/Alert/Prevent
–DML transactions
–DDL operations
–DBA activity
–IT staff activity
–Application user activity
Audit session connections
Audit server errors
Secure the audit schema from the DBA
Visit to learn more.

31 References
–Oracle9i Database Administrator's Guide, Release 2 (9.2)
–Oracle Privacy Security Auditing, by Arup Nanda & Donald K. Burleson

32 Thank You!

33 User vs. Schema
(Diagram)
–User: connects to the database
–Schema: a user which owns objects (views, tables, procedures)

34 E-Biz Suite Schema Map
(Diagram of schemas and who connects to them: SYS, SYSTEM, APPS, APPLSYS, AP, GL, AR, SCOTT, PUBLIC; the End User reaches the data through APPS.)