Oracle Sleuth: Who Did It? Sitansu S. Mittra Senior Principal Engineer & Database Management Specialist Computer Sciences Corporation Session id: 36652.

Topic Outline: Prevention of unauthorized user access (roles, privileges, profiles); Detection of harmful activities (AUDIT TRAIL, LogMiner); Correction of the impact of activities via 'undo' and 'redo' entries (LogMiner); Roadmap for ensuring data security in Oracle databases; Bibliography.

Prevention of Unauthorized User Access: Create a user account. Assign one or more roles to the user. Assign system- and object-level privileges to each role. Set up a profile for the user, or use the DEFAULT profile.

Relationship among users, roles, privileges, and profiles: USER to ROLE is M:N; ROLE to PRIVILEGE is M:N; USER to PROFILE is M:1. Role = a named collection of system- or object-level privileges that have been granted to the role.

A role can be granted to a user or to another role. Privilege = the capability to perform authorized function(s) in the database. A system privilege enables a user to perform designated tasks in the database. There are 126 such privileges, which can be listed by the query: select distinct NAME from system_privilege_map order by 1;

An object privilege enables a user to perform primarily DML-type tasks (INSERT, UPDATE, DELETE) on designated objects (tables, views, sequences, procedures) in the database. There are 8 such privileges. GRANT: Privileges are assigned to roles or users, and roles are assigned to other roles or users, via the GRANT command.

Sample Session Transcript
SQL> create role A;
Role created.
SQL> create role B;
Role created.
SQL> create user X identified by *****;
User created.
SQL> grant select any table, execute any procedure, insert any table, delete any table, update any table to A;
Grant succeeded.

Privileges granted directly to a role or a user can be displayed by querying dba_sys_privs or dba_tab_privs, as the case may be. But privileges granted indirectly (through another role) to a role or a user are not displayed by those views. Sample Session Transcript
SQL> grant create any table, insert any table, create session to B;
Grant succeeded.

SQL> create role C;
Role created.
SQL> grant B to C;
Grant succeeded.
SQL> grant C to X;
Grant succeeded.
SQL> select grantee, privilege from dba_sys_privs where grantee in ('A', 'B', 'C', 'X') order by grantee, privilege;

GRANTEE PRIVILEGE
A CREATE SESSION
A DELETE ANY TABLE
A EXECUTE ANY PROCEDURE
A SELECT ANY TABLE
A UPDATE ANY TABLE
B CREATE ANY TABLE
B CREATE SESSION
B INSERT ANY TABLE
8 rows selected.

(Note that C and X are not listed, since they were granted the privileges indirectly. But X does have the privileges granted to B. For example, X can create a table and insert rows into the table, as shown below.)
SQL> connect x/*****
Connected.
SQL> create table P (m number not null, n varchar2 (10));
Table created.
SQL> insert into P values (17, 'sample');
1 row created.

REVOKE: Privileges granted directly to a role or a user can be taken away from that role or user via the REVOKE command. But privileges granted indirectly to a role or a user cannot be revoked from that role or user; you must find the direct grantee from whom the privileges can be revoked.
SQL> revoke insert any table from A;
Revoke succeeded.

DBA Views about Roles and Privileges:
DBA_ROLES: all roles that exist
DBA_ROLE_PRIVS: roles granted to users/roles
ROLE_ROLE_PRIVS: roles granted to other roles
DBA_SYS_PRIVS: system privileges granted to users/roles
DBA_TAB_PRIVS: object privileges granted to users/roles
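The nested grants in the transcript (B granted to C, C granted to X) are exactly the case in which dba_sys_privs shows nothing for X. The queries below are an added example, not part of the original presentation: they walk dba_role_privs with CONNECT BY to list every role a user holds through any chain, and then the system and object privileges that arrive through each role, so that a reviewer can see which direct grantee a REVOKE must target. They assume the user X and roles A, B, C created above; SYS_CONNECT_BY_PATH requires Oracle 9i or later.

```sql
-- Added example (not from the presentation): resolve a user's effective
-- privileges through nested role grants.  Assumes user X and roles A, B, C
-- as created in the session transcript.

-- 1. Every role X holds, directly or through another role, with the grant
--    path.  Oracle rejects circular role grants, so the walk cannot loop.
select level                                      as depth,
       granted_role,
       default_role,                              -- 'NO' => needs SET ROLE first
       sys_connect_by_path(granted_role, ' -> ')  as grant_path
from   dba_role_privs
start  with grantee = 'X'
connect by prior granted_role = grantee
order  by depth, granted_role;
-- From the transcript: C at depth 1, B at depth 2 (path ' -> C -> B').

-- 2. Effective system privileges: direct grants plus grants to any role
--    reached above.  DIRECT_GRANTEE is where a REVOKE has to be issued;
--    revoking from X or C fails because they hold no direct grant.
select p.privilege,
       p.grantee                                   as direct_grantee,
       decode(p.grantee, 'X', 'direct', 'via role') as source
from   dba_sys_privs p
where  p.grantee = 'X'
   or  p.grantee in (select granted_role
                     from   dba_role_privs
                     start  with grantee = 'X'
                     connect by prior granted_role = grantee)
order  by p.privilege;
-- For X this returns CREATE ANY TABLE, CREATE SESSION and INSERT ANY TABLE,
-- each with direct_grantee = 'B'.

-- 3. The same resolution for object privileges granted through roles.
select p.owner, p.table_name, p.privilege,
       p.grantee                                   as direct_grantee,
       p.grantable                                 -- WITH GRANT OPTION flag
from   dba_tab_privs p
where  p.grantee = 'X'
   or  p.grantee in (select granted_role
                     from   dba_role_privs
                     start  with grantee = 'X'
                     connect by prior granted_role = grantee)
order  by p.owner, p.table_name, p.privilege;
```

Replacing 'X' with a role name runs the same resolution for a role, which is what the deck's ROLE_ROLE_PRIVS view covers one level at a time.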

GRANT WITH GRANT or ADMIN OPTION: One can grant an object privilege to a user WITH GRANT OPTION, whereby the user can grant that privilege to other users or roles. These are called grantable privileges and can be assigned only to users, not to roles. One can grant a system privilege to a user or a role WITH ADMIN OPTION, whereby the grantee can grant that privilege to other users or roles.

Default Role: A user can have one or more roles. By default, all of a user's roles are activated at login. One can designate a subset of these roles as default roles; in that case, only the default roles are activated at logon time.

Profile: A profile is a collection of quotas and privileges related to the following system resource limits and password management settings. System Resource: CPU time; I/O operations; Idle time; Connect time.

System Resource (Contd.): Memory space as private SQL area (MTS); Concurrent sessions. Password Management: Password aging and expiration; Password history; Password complexity verification; Account locking.

A user can have only one profile at a time: either the Oracle-provided DEFAULT profile or a profile created via the CREATE PROFILE command and assigned to the user via the ALTER USER command. A profile created this way can be dropped, but the DEFAULT profile cannot.

All limits of the DEFAULT profile are UNLIMITED. But the DBA can change the values via the ALTER PROFILE command so that the modified values apply to all users who are assigned the DEFAULT profile. Query to find the limits of any profile: select * from dba_profiles order by RESOURCE_TYPE;

Changes made to a profile via the ALTER PROFILE command take effect for subsequent sessions only. A profile that has users assigned to it can be dropped only via the command DROP PROFILE profile CASCADE. In that case, Oracle assigns the DEFAULT profile to all users who had the dropped profile.
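Since every limit of the DEFAULT profile is UNLIMITED, a profile that actually enforces the password and resource controls listed above has to be written explicitly. The following is an added example, not the presentation's own script: it creates such a profile, assigns it to the transcript's user X, tightens DEFAULT so new accounts do not inherit UNLIMITED, and verifies the result through dba_profiles and dba_users. The profile name, tablespace-free limits and the user X are assumptions; the PASSWORD_REUSE_* pairing follows Oracle 9i semantics.

```sql
-- Added example (not from the presentation): a profile that replaces the
-- UNLIMITED defaults with explicit password and resource limits.
-- app_user_profile and the user X are assumed names.

create profile app_user_profile limit
    failed_login_attempts   5        -- lock the account after 5 bad passwords
    password_lock_time      1/24     -- keep it locked for one hour (unit: days)
    password_life_time      90       -- force a change every 90 days
    password_grace_time     7        -- warn for 7 days before the password expires
    password_reuse_max      10       -- 9i semantics: a password may be reused only
    password_reuse_time     365      --   after 10 changes AND 365 days
    sessions_per_user       3        -- concurrent sessions
    idle_time               30       -- minutes
    connect_time            480;     -- minutes (8 hours)

-- Assign it to one user; everybody else stays on DEFAULT.
alter user X profile app_user_profile;

-- Password limits are always enforced, but the resource limits above are
-- ignored unless RESOURCE_LIMIT is TRUE.  Dynamic parameter, new sessions only.
alter system set resource_limit = true;

-- Tighten DEFAULT as well, so accounts created later are not UNLIMITED.
alter profile default limit
    failed_login_attempts   10
    password_life_time      180;

-- Verify what each profile actually carries.
select profile, resource_type, resource_name, limit
from   dba_profiles
where  profile in ('DEFAULT', 'APP_USER_PROFILE')
order  by profile, resource_type, resource_name;

-- Which accounts use which profile, and whether any are already locked
-- or expired (ACCOUNT_STATUS is what the lockout above changes).
select username, profile, account_status, lock_date, expiry_date
from   dba_users
order  by profile, username;
```

Per the slide above, the new limits apply to sessions started after the ALTER statements; an account that is already connected keeps running under the old values until it reconnects.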

PUBLIC as User: PUBLIC is a special user in Oracle. Any system-level or object-level privilege granted to PUBLIC can be used by all current and future users of the database. Ideally, privileges should not be granted to PUBLIC. Privileges granted to PUBLIC can be determined by running the following queries:

select privilege from dba_sys_privs where grantee = 'PUBLIC' order by 1;
select privilege from dba_tab_privs where grantee = 'PUBLIC' order by 1;

Detection of Harmful Activities via AUDIT TRAIL: A DBA can track the following user activities via the auditing capability: login attempts, database actions, and access (retrieval and update) to database objects.

Prerequisite: set the initialization parameter AUDIT_TRAIL to the value TRUE or DB (the default is FALSE or NONE). Audit records are written to the table SYS.AUD$. DBA_ views containing auditing information: DBA_AUDIT_EXISTS, DBA_AUDIT_OBJECT, DBA_AUDIT_SESSION, DBA_AUDIT_STATEMENT, DBA_AUDIT_TRAIL. DBA_AUDIT_TRAIL is the most comprehensive.

Auditing Login Attempts: Log in as a DBA-privileged account. Type "audit session;". Allow users to log in as needed. Run the following query to see the login and logout activities, both successful and unsuccessful:

select username, os_username,
       to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Login Time",
       to_char (LOGOFF_TIME, 'dd-mon-yyyy hh24:mi:ss') "Logout Time",
       decode (returncode, 0, 'Connected', 01017, 'invalid username/password', 01005, 'null password given', returncode) "Login Status"
from dba_audit_session
order by 1, 3 desc;
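The query above lists every session row; on a busy database the DBA wants the same data summarised so that repeated failures stand out. The following queries are an added example, not part of the original presentation: they aggregate dba_audit_session per database user and originating OS user/host, and then pick out successful logins that were preceded by a run of failures from the same account. Return code 28000 (account locked) is added to the deck's DECODE list; the one-day window and the thresholds of 5 and 3 are assumptions to tune per environment.

```sql
-- Added example (not from the presentation): turn the session audit trail
-- into a failed-login summary.  Window and thresholds are assumptions.

-- 1. Failed logins in the last day, grouped by account and source, with
--    the reason split out.  1017 = bad password, 1005 = null password,
--    28000 = account locked (the lockout from FAILED_LOGIN_ATTEMPTS).
select   username,
         os_username,
         userhost,
         count(*)                                          as failures,
         sum(decode(returncode, 1017, 1, 0))               as bad_password,
         sum(decode(returncode, 1005, 1, 0))               as null_password,
         sum(decode(returncode, 28000, 1, 0))              as locked_out,
         to_char(min(timestamp), 'dd-mon-yyyy hh24:mi:ss') as first_seen,
         to_char(max(timestamp), 'dd-mon-yyyy hh24:mi:ss') as last_seen
from     dba_audit_session
where    returncode <> 0
and      timestamp  > sysdate - 1
group by username, os_username, userhost
having   count(*) >= 5                    -- threshold: assumption, tune it
order by failures desc, last_seen desc;

-- 2. A success that follows a burst of failures on the same account is the
--    row to review first: at least 3 failures in the 10 minutes before it.
select s.username, s.os_username, s.userhost,
       to_char(s.timestamp, 'dd-mon-yyyy hh24:mi:ss') as success_time,
       (select count(*)
        from   dba_audit_session f
        where  f.username   = s.username
        and    f.returncode <> 0
        and    f.timestamp between s.timestamp - 10/1440 and s.timestamp)
                                                      as prior_failures
from   dba_audit_session s
where  s.returncode = 0
and    s.timestamp  > sysdate - 1
and    (select count(*)
        from   dba_audit_session f
        where  f.username   = s.username
        and    f.returncode <> 0
        and    f.timestamp between s.timestamp - 10/1440 and s.timestamp) >= 3
order  by s.timestamp desc;
```

Both queries depend on "audit session" having been enabled before the activity, as the slide describes; rows for sessions that were never audited do not exist in dba_audit_session.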

Auditing Database Actions: A DBA can audit any action affecting a database object. Oracle allows 144 actions, which can be listed with the query: select action, name from audit_actions;

Possible actions such as CREATE, ALTER, and DROP that can affect a specific object type can be grouped together during auditing; e.g., "audit table;" will audit all actions affecting a table. With auditing activated for an object, all actions pertaining to that object are recorded in the view DBA_AUDIT_OBJECT. Run the following query to get a list of all such actions:

select username, os_username, owner, obj_name, action_name,
       to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time"
from dba_audit_object
order by 1, 4, 6 desc;
The DBA can analyze the result to identify the users responsible for harmful activities.

Access (Retrieval and Update) to Database Objects: Access includes the four DML commands SELECT, INSERT, UPDATE, and DELETE. For each table to be audited, enter the command: AUDIT ALL ON table_name BY ACCESS;

The "BY ACCESS" option causes an audit record to be written to the table SYS.AUD$ once for each time the table is accessed; e.g., if a user performs four update transactions (INSERT, UPDATE, DELETE) on a table, then four separate records are written to SYS.AUD$. They can be viewed by querying the view DBA_AUDIT_OBJECT.

Run the query:
select username, os_username, owner, obj_name, action_name,
       to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time"
from dba_audit_object
order by 1, 4, 6 desc;

Sample Session Transcript
SQL> audit table;
Audit succeeded.
SQL> audit view;
Audit succeeded.
SQL> audit all on dqsmith.explore by access;
Audit succeeded.

SQL> audit all on EXPLORE_COPY by access;
Audit succeeded.
SQL> audit all on EXPLORE_ORIGINAL by access;
Audit succeeded.
SQL> select username, os_username, owner, obj_name, action_name, to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time" from dba_audit_object order by 1, 4, 6 desc;

USERNAME OS_USERNAME OWNER OBJ_NAME ACTION_NAME Transaction Time
DQSMITH Mittra DQSMITH EXPLORE CREATE TABLE 18-jul :38:36

DQSMITH Mittra SEKHAR EXPLORE INSERT 17-jul :07:26
DQSMITH Mittra SEKHAR EXPLORE_ORIGINAL SELECT 18-jul :50:38
etc.

Storage Management for AUD$: During auditing, AUD$ grows rapidly and fragments the SYSTEM tablespace. Archive its rows frequently to remedy this situation: Determine the archiving frequency based on the growth rate of AUD$. Copy the rows of AUD$ into, say, AUD$_COPY, created in a non-SYSTEM tablespace. Truncate AUD$.
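The archiving steps above, carried through as an added example that is not the presentation's own script. It keeps the copy in a dedicated schema and non-SYSTEM tablespace and removes from AUD$ only the rows that were copied, so that audit records written while the copy was in progress are not lost (a plain TRUNCATE, as on the slide, is safe only when no auditable activity can occur in between). The schema AUDIT_ARCHIVE, tablespace AUDIT_ARCH and the 30-day cutoff are assumptions; TIMESTAMP# is the date column of AUD$ in the 8i/9i releases the deck covers (10g and later also carry NTIMESTAMP$).

```sql
-- Added example (not from the presentation): archive SYS.AUD$ rows into a
-- copy table outside SYSTEM and delete exactly the rows that were copied.
-- Run as SYS.  AUDIT_ARCHIVE, AUDIT_ARCH and the 30-day cutoff are assumptions.

-- One-time setup: an empty copy with AUD$'s columns, owned by a schema that
-- nothing else uses, in a tablespace that is not SYSTEM.
create table audit_archive.aud$_copy tablespace audit_arch
as select * from sys.aud$ where 1 = 0;

-- The archive is evidence too: record who changes it, as the deck does for
-- application tables.
audit delete, update on audit_archive.aud$_copy by access;

-- Each archiving run: copy, then delete with the SAME predicate, in one
-- transaction.  Rows audited after the cutoff stay in AUD$ untouched.
insert into audit_archive.aud$_copy
select * from sys.aud$
where  timestamp# < trunc(sysdate) - 30;

delete from sys.aud$
where  timestamp# < trunc(sysdate) - 30;

commit;

-- Growth rate, to choose the archiving frequency the slide asks for:
-- audit records per day still resident in AUD$.
select   to_char(timestamp#, 'yyyy-mm-dd') as audit_day,
         count(*)                          as records
from     sys.aud$
group by to_char(timestamp#, 'yyyy-mm-dd')
order by 1;

-- Sanity check after the run: nothing older than the cutoff should remain,
-- and the archive should hold everything that was removed.
select (select count(*) from sys.aud$
        where timestamp# < trunc(sysdate) - 30)          as left_behind,
       (select count(*) from audit_archive.aud$_copy)     as archived
from   dual;
```

Because the DELETE does not return space to the SYSTEM tablespace the way TRUNCATE does, a DBA who wants the space back can run the deck's TRUNCATE variant during a maintenance window in which auditing cannot produce new rows.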

Correction of Impact of Harmful Activities with LogMiner: LogMiner provides two additional capabilities not available with AUDIT TRAIL: the DML commands executed and the DML commands that reverse them; session information to identify the user.

LogMiner under Oracle 8i: Allows the DBA to read binary redo log files, online or archived. Setup: Include the initialization parameter utl_file_dir in the init.ora file, whose value is a directory to which Oracle can write. Run the scripts dbmslmd.sql and dbmslm.sql located in $ORACLE_HOME/rdbms/admin.

Setup (Contd.): Create the LogMiner dictionary. Include redo log files for LogMiner analysis. Start a LogMiner session. Always end the LogMiner session with the procedure DBMS_LOGMNR.END_LOGMNR to avoid an Oracle internal error. (Appendix 1 contains all the scripts to set up LogMiner under Oracle 8i.)

LogMiner Output: Four v$ views, v$logmnr_logs, v$logmnr_contents, v$logmnr_dictionary, and v$logmnr_parameters, contain LogMiner data. Query v$logmnr_contents on the columns sql_redo (to retrieve executed DML commands) and sql_undo (to retrieve the reverse of executed DML commands) to track user activities, and on session_info and related columns to retrieve user identification information.

LogMiner Session Transcript: sql_redo
SQL> select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", sql_redo from v$logmnr_contents where table_space != 'SYSTEM' and timestamp > '15-JUL-2003' order by 1;

Transaction Time SQL_REDO
jul :51:29 insert into "SYS"."TEST_LOG_MINER"("TEST_ID","TEST_DATE","TESTER_NAME","FINDINGS") values (856,TO_DATE('17-MAY :00:00', 'DD-MON-YYYY HH24:MI:SS'),'Sakuntala Datta','All success');

LogMiner Session Transcript (Contd.): sql_undo
SQL> select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", sql_undo from v$logmnr_contents where table_space != 'SYSTEM' and timestamp > '15-JUL-2003' order by 1;

Transaction Time SQL_UNDO
jul :51:29 delete from "SYS"."TEST_LOG_MINER" where "TEST_ID" = 856 and "TEST_DATE" = TO_DATE('17-MAY :00:00', 'DD-MON-YYYY HH24:MI:SS') and "TESTER_NAME" = 'Sakuntala Datta' and "FINDINGS" = 'All success' and ROWID = 'AAAA7NAAGAAAACPAAE';

LogMiner Session Transcript (Contd.): SESSION_INFO and Related Columns
select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", username, session#, serial#, operation, session_info from v$logmnr_contents where timestamp > '07-AUG-2003' and seg_name = 'EXPLORE' order by 1;

Transaction Time USERNAME SESSION# SERIAL# OPERATION SESSION_INFO
aug :00:05 TIMS INSERT LoginUserName = TIMS, ClientInfo =, OsUserName = Mittra, MachineName = DTS-57\CSC-TIMS33

LogMiner Limitations: (1) LogMiner must be invoked afresh with each new session. All LogMiner session information resides in the PGA (Program Global Area), which is a component of the SGA (System Global Area). The PGA is flushed when a user session ends, normally or abnormally, and all the session information is lost.

LogMiner Limitations (Contd.): A session ends normally by executing the procedure dbms_logmnr.end_logmnr. A session ends abnormally, generating a silent internal Oracle error ORA, when the user types "exit" or issues the command "connect username/password" without exiting.

Session Transcript
SQL> connect / as sysdba
Connected.
(Session as user "SYS" starts.)
SQL> show user
USER is "SYS"
(LogMiner is started successfully.)
SQL> connect tims/*******
Connected.
(Session as user "SYS" ends abnormally. PGA is flushed. LogMiner session is lost.)

SQL> select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", username, sql_redo, sql_undo from v$logmnr_contents where TABLE_SPACE = 'TIMSDATA' order by 1 desc;
sql_redo, sql_undo from v$logmnr_contents
*
ERROR at line 2:
ORA-01306: dbms_logmnr.start_logmnr() must be invoked before selecting from v$logmnr_contents

LogMiner Limitations (Contd.): (2) All LogMiner tables are created in the SYSTEM tablespace, which may get fragmented over time due to the growth of these tables. So Oracle recommends that a separate tablespace be created to store the tables created and used by LogMiner. The procedure dbms_logmnr_d.set_tablespace can be used to move them into such a tablespace.

Session Transcript
SQL> create tablespace logmnr_tblspc datafile '/tims1/ssmittra/dev01/monami_instance/logminer/LOGMNR_TBLSPC01.dbf' size 200M;
Tablespace created.
SQL> EXEC DBMS_LOGMNR_D.SET_TABLESPACE ('logmnr_tblspc');
PL/SQL procedure successfully completed.

LogMiner Limitations (Contd.): (3) The LogMiner dictionary is static under 8i but dynamic under 9i. This means that under 8i, DML actions made after the dictionary is created are not recorded there. This limitation has been removed in 9i.

LogMiner under Oracle 9i: Setup is the same as under Oracle 8i, except that there is no need to run dbmslmd.sql to create a static dictionary, because the LogMiner dictionary is updated continuously from the online data dictionary. Appendix 2 contains all the scripts to set up LogMiner under Oracle 9i.
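The setup steps listed under 8i (register logs, create the dictionary, start the session, end it with END_LOGMNR) and the 9i variant just described, carried through as one complete session. This is an added example and not the presentation's own appendix scripts, which are not reproduced on this page. It uses the Oracle 9i online-catalog dictionary option, so the dbmslmd.sql / DBMS_LOGMNR_D.BUILD step is skipped; under 8i the same session would pass a dictionary file built by DBMS_LOGMNR_D.BUILD instead. Redo log paths, the TIMS.EXPLORE table and the time window are assumptions.

```sql
-- Added example (not from the presentation): a complete LogMiner session
-- under Oracle 9i.  Log file paths, TIMS.EXPLORE and the window are assumed.

-- 1. Find the redo logs to analyse (online logs here; archived logs are
--    registered the same way).
select l.group#, l.status, f.member
from   v$log l, v$logfile f
where  l.group# = f.group#
order  by l.group#;

-- 2. Register the logs: NEW starts a fresh list, ADDFILE appends to it.
begin
  dbms_logmnr.add_logfile(logfilename => '/u01/oradata/dev01/redo01.log',
                          options     => dbms_logmnr.new);
  dbms_logmnr.add_logfile(logfilename => '/u01/oradata/dev01/redo02.log',
                          options     => dbms_logmnr.addfile);
end;
/

-- 3. Start the session.  DICT_FROM_ONLINE_CATALOG is what makes the 9i
--    dictionary dynamic: object names are resolved against the live data
--    dictionary, so no dictionary file is built.  COMMITTED_DATA_ONLY hides
--    work that was rolled back.  The window must lie inside the registered
--    logs, otherwise START_LOGMNR raises an error instead of returning rows.
--    (8i: replace the options with dictfilename => '/path/to/dict.ora'.)
begin
  dbms_logmnr.start_logmnr(
    starttime => to_date('05-aug-2003 09:00:00', 'dd-mon-yyyy hh24:mi:ss'),
    endtime   => to_date('05-aug-2003 10:00:00', 'dd-mon-yyyy hh24:mi:ss'),
    options   => dbms_logmnr.dict_from_online_catalog
               + dbms_logmnr.committed_data_only);
end;
/

-- 4. Who changed EXPLORE, from which session and machine, and the statement
--    that reverses each change.  v$logmnr_contents is visible only to this
--    session and only while LogMiner is running.
select to_char(timestamp, 'dd-mon-yyyy hh24:mi:ss') as "Transaction Time",
       username, session#, serial#, operation, session_info,
       sql_redo, sql_undo
from   v$logmnr_contents
where  seg_owner = 'TIMS'
and    seg_name  = 'EXPLORE'
and    operation in ('INSERT', 'UPDATE', 'DELETE')
order  by timestamp, scn;

-- 5. End the session explicitly (the deck's limitation 1): issuing CONNECT
--    or EXIT first discards the PGA-resident session and the only trace is
--    the ORA-01306 shown in the transcript above.
begin
  dbms_logmnr.end_logmnr;
end;
/
```

Spooling the sql_undo column from step 4 gives the DBA the reversal statements for the "correction" part of the roadmap; they should be reviewed in order before being run, since each one names a ROWID that is only valid while the affected row has not moved.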

LogMiner under Oracle 9i (Contd.): Columns of v$logmnr_contents (e.g., sql_redo, sql_undo, session_info) return the same information as under Oracle 8i. The other three LogMiner v$ views are identical under 8i and 9i.

The LogMiner dictionary is dynamic under 9i. Sample Session Transcript
09:25:42 SQL> select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", username, sql_redo from v$logmnr_contents where TABLE_SPACE = 'TIMSDATA' and to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') > '04-aug :24:27' order by 1;

Transaction Time USERNAME SQL_REDO
aug :25:06 SYS insert into "TIMS"."EXPLORE"("COL01","COL02","COL03","COL04") values ('35128','a vav',TO_DATE('02-AUG-03', 'DD-MON-RR'),'17');
(ENTER ONE INSERT AND ONE DELETE)

09:40:48 SQL> INSERT into tims.explore values (6513, 'Indumati', sysdate - 3, 16);
1 row created.
09:43:31 SQL> DELETE from tims.explore_copy where col02 = 'cxxc';
1 row deleted.

09:44:14 SQL> select to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') "Transaction Time", username, sql_redo from v$logmnr_contents where TABLE_SPACE = 'TIMSDATA' and to_char (timestamp, 'dd-mon-yyyy hh24:mi:ss') > '04-aug :24:27' order by 1;

Transaction Time USERNAME SQL_REDO
aug :25:06 SYS insert into "TIMS"."EXPLORE"("COL01","COL02","COL03","COL04") values ('35128','a vav',TO_DATE('02-AUG-03', 'DD-MON-RR'),'17');

05-aug :41:11 SYS INSERT into "TIMS"."EXPLORE"("COL01","COL02","COL03","COL04") values ('6513','Indumati',TO_DATE('02-AUG-03', 'DD-MON-RR'),'16');

05-aug :44:16 SYS DELETE from "TIMS"."EXPLORE_COPY" where "COL01" = '2013' and "COL02" = 'cxxc' and "COL03" = TO_DATE('04-AUG-03', 'DD-MON-RR') and "COL04" = '11' and ROWID = 'AAAHxBAMgAAASOUAAB';
(INSERT AND DELETE COMMANDS HAVE BEEN RECORDED IN THE DICTIONARY DYNAMICALLY)

Roadmap for Ensuring Data Security in Oracle Databases: Follow the principle of prevention, detection, and correction of harmful user activities, intentional or unintentional. Restore the database to an instant prior to the occurrence of a harmful event. Avoid PUBLIC as a user as far as possible. Review and update the security management plan.

Bibliography
Kevin Loney and Marlene Theriault, Oracle9i DBA Handbook, Chapters 10 and 11, Oracle Press.
Sitansu S. Mittra, Database Performance Tuning and Optimization Using Oracle, Chapter 5, Springer-Verlag.
Oracle MetaLink, papers on LogMiner (e.g., Notes , , etc.).
Marlene Theriault and Aaron Newman, Oracle Security Handbook, Chapters 16 and 17, Oracle Press, 2001.