
1 Auditing the DBA: What non-technical managers and auditors should know.
Presented by Cam Larner, President, Absolute Technologies, Inc.
January 17, 2007, Version 1

2 Intro
– You are a manager or project lead
– You need to secure E-Biz Suite for SOX compliance purposes
– You have or are implementing controls for application end users
– Your DBA has the access and power to overcome or tamper with these controls without detection
– You need to mitigate DBA risk

3 Background
In the context of SOX, external auditors are beginning to scrutinize DBA access and requesting controls and systematic proof of such to attain compliance. After all, the systematic controls you have established for application end users will have little impact on your DBA’s ability to overcome them.

4 Outline
– Database Basics
– Auditing the DBA
– Issues
– Recommendations

5 DBA & Database Basics
1. DBA’s Primary Functions
2. Database Objects
3. Database Access
4. Database Operations
5. DBA Access in Oracle 9i / E Biz Suite

6 DBA’s Primary Functions
– Database Creation, Startup and Shutdown
– Application Implementation/Upgrade
– Maintenance, Backup & Recovery
– Performance Optimization
– Security/User Management
– Troubleshooting

7 Database Objects
Tables, Views, Procedures, Functions, Users, Triggers, Database Links, Packages, Indexes, Sequences, Synonyms, Roles

8 Database Access
– Users: Connect to the database
– Privileges: Provide access to specific data or objects
– Roles: Bundle privileges for easy assignment to users
[Diagram labels: User, Privilege, Role, Privilege]
User vs Schema?

9 Database Operations
– Select Data from Tables and Views
– DML: Insert, Update and Delete Records
– DDL: Create, Alter and Drop Objects
– Startup and Shutdown Database

10 DBA Access in Oracle 9i / E Biz Suite
a. Default Database Users/Schemas
b. Administrative Privileges
c. Administrative Roles
d. Connection Authentication
e. File System Entry Points to the Database
f. Application Access
The DBA has the keys to the kingdom!

11 Default Database Users/Schemas
– SYS: The master account. Owns the Data Dictionary.
– PUBLIC: All users have access to this Schema.
– SYSTEM: Has all DB privs, but can’t alter SYS objects.
– APPS: The E Business Suite Master Account
– APPLSYS: The Application Object Library Master Account

12 Administrative Privileges
– SYSDBA (Default schema is SYS)
  – Database creation
  – Instance startup and shutdown
  – Archive and Recovery
  – Can Access any User’s Data
– SYSOPER (Default schema is PUBLIC)
  – Same as above, but…
  – Can’t Access other User’s Data

13 Administrative Roles
– DBA (All system privileges WITH ADMIN OPTION)
– SELECT_CATALOG_ROLE (Data Dictionary Views)
– EXECUTE_CATALOG_ROLE (Data Dictionary Packages and Procedures)
– DELETE_CATALOG_ROLE (AUD$ Table)

14 Connection Authentication
– Oracle Operating System Account Groups
  – OSDBA (dba in unix)
  – OSOPER (oper in unix)
– REMOTE_LOGIN_PASSWORDFILE
  – None
  – Exclusive
  – Shared
– O7_DICTIONARY_ACCESSIBILITY = TRUE
  – Users may be granted access to SYS
  – Users may log on to SYS remotely and without OS authentication

15 File System Entry Points to the Database
– FNDCPASS file executable (Change an application user’s password as changed by the FND “anonymous” user)
– $ORACLE_HOME/reports60/server/CGIcmd.dat (Contains APPS password)

16 Application Access
– SYSADMIN via APPS User
– EXAMINE via APPS User
– All underlying tables of E-Biz Suite

17 Approaches to Auditing the DBA
– SQL Audit (AUDIT_TRAIL = TRUE): Database Initialization Parameter
  – Session: When a user logs in or out of the database.
  – Statement: When a user tries to delete any table.
  – Privilege: When a user tries to delete a table using an assigned privilege.
  – Object: When a user tries to delete a specific table.
But… the SYS user owns the audit trail!

18 Approaches to Auditing the DBA
– Database Triggers (Application Auditor)
  – Table Level (DML)
  – System Level
    – DDL
    – Session connection
    – Server errors
    – Database startup
But… the SYS user can disable the triggers!

19 Approaches to Auditing the DBA
– Log Miner
  – Redo and Archive Logs
  – DML
  – DDL
– Fine Grained Auditing (FGA): Monitor select statements at the row level.
– AUDIT_SYS_OPERATIONS = TRUE: Database Initialization Parameter
But… the SYS user can disable Log Miner, FGA, or any init parameter.

20 Issues / Discussion
– Common Misconception
  – Should we audit at the Application or Database level?
[Diagram labels: Application, Database, Operating System, End User, DBA, On Commit]
Data is not stored in the application layer, but in the database layer.

21 Issues / Discussion
– When is SYSDBA access necessary?
  SYSDBA has control over SYS objects, AUD$ (the SQL Audit table) and Initialization Parameters
– Alternatives to Support DBA role
  – SYSOPER (Startup and Shutdown)
  – SYSTEM (Maintenance, Security)
  – NAMED ACCOUNT w/ DBA Role (Maintenance, Security)

22 Issues / Discussion
– Securing audit mechanisms from the DBA
  – Triggers
  – Logminer views, redo and archive logs
  – SYS.AUD$ audit trail table
  – File system audit directories
  – Database initialization parameters
    – AUDIT_FILE_DEST
    – AUDIT_SYS_OPERATIONS
    – AUDIT_TRAIL

23 Issues / Discussion
“Operating system authentication takes precedence over password file authentication. Specifically, if you are a member of the OSDBA or OSOPER group for the operating system, and you connect as SYSDBA or SYSOPER, you will be connected with associated administrative privileges regardless of the username/password that you specify.”
Oracle9i Database Administrator's Guide

24 Recommendations
– Segregate DBA duties and access
  – Database and Application Support
  – Security, Access and Auditing
– Limit use of SYSDBA
– Limit OS user assignment of the “dba” group
– Utilize named accounts when possible
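The access review behind these recommendations can be run as read-only queries against the data dictionary. This is an added example, not part of the original presentation; it assumes a reviewer session that can read the SYS-owned views used here, and the shared-account list in query 3 is an assumption taken from the default users named on slide 11.

```sql
-- Added example: read-only privileged-access review (Oracle 9i / E-Biz Suite).

-- 1. Password-file accounts that may connect AS SYSDBA or AS SYSOPER.
--    OS members of the dba/oper groups do not appear here; review the
--    operating system group membership separately.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 2. Holders of the DBA role and the catalog roles, and whether they can
--    grant the role onward (ADMIN_OPTION = 'YES').
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SELECT_CATALOG_ROLE',
                        'EXECUTE_CATALOG_ROLE', 'DELETE_CATALOG_ROLE')
 ORDER BY granted_role, grantee;

-- 3. DBA-role holders split into shared default accounts and named accounts.
--    The IN list is an assumption: the default users listed on slide 11.
SELECT u.username, u.account_status, u.created,
       CASE WHEN u.username IN ('SYS', 'SYSTEM', 'APPS', 'APPLSYS')
            THEN 'SHARED/DEFAULT' ELSE 'NAMED' END AS account_kind
  FROM dba_users u
 WHERE u.username IN (SELECT grantee
                        FROM dba_role_privs
                       WHERE granted_role = 'DBA')
 ORDER BY account_kind, u.username;

-- 4. Direct object privileges on the audit trail table itself.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'AUD$'
 ORDER BY grantee, privilege;

-- 5. Connection-authentication settings discussed on slide 14.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_login_passwordfile',
                'o7_dictionary_accessibility');
```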

25 Recommendations
– Audit DBA activity on Key Application Objects
  – Triggers (Application Auditor)
  – Log Miner
  – SQL Audit
– Activate AUDIT_SYS_OPERATIONS Initialization Parameter
– Protect the AUDIT_FILE_DEST log directory from the DBA
  – Copy audit log files to secure directories
    – Rsync (unix)
    – Unison (unix)
Ask how App Auditor can help you secure the audit trail.
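A periodic check that the audit mechanisms named in these slides are still switched on, as an added example that is not part of the original presentation. Because SYS can change every item listed, the output is meant to be captured by someone other than the DBA and compared against a saved baseline; the baseline itself is an assumption and is not shown.

```sql
-- Added example: state of the audit mechanisms (Oracle 9i), read-only.

-- 1. Audit-related initialization parameters.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

-- 2. Statement and privilege audit options currently in force.
--    An empty result means SQL Audit is recording nothing of that kind.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY user_name, audit_option;

SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY user_name, privilege;

-- 3. Triggers that have been disabled, including system-level triggers
--    (DDL, logon, server error, startup) used for auditing.
SELECT owner, trigger_name, triggering_event,
       base_object_type, table_name, status
  FROM dba_triggers
 WHERE status = 'DISABLED'
 ORDER BY owner, trigger_name;

-- 4. Fine Grained Auditing policies and whether each is enabled.
SELECT object_schema, object_name, policy_name, enabled
  FROM dba_audit_policies
 ORDER BY object_schema, object_name, policy_name;

-- 5. Audit records per day. A day with no rows inside an otherwise busy
--    period is worth comparing with the copies of the audit files kept
--    outside the DBA's reach.
SELECT TRUNC(timestamp) AS audit_day, COUNT(*) AS records
  FROM dba_audit_trail
 GROUP BY TRUNC(timestamp)
 ORDER BY audit_day;
```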

26 Recommendations
“It is suggested that you create at least one additional administrator user, and grant that user the DBA role, to use when performing daily administrative tasks. It is recommended that you do not use SYS and SYSTEM for these purposes.”
Oracle9i Database Administrator's Guide

27 Recommendations
“To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by Oracle. They should never be modified by any user or database administrator, and no one should create any tables in the schema of user SYS.”
Oracle9i Database Administrator's Guide

28 Commentary
It may be said by many DBAs that the DBA role is a trusted role, or that a good DBA could overcome almost any restrictions or audit trail deployed for control and compliance purposes. Whether that is true or not is not the point. The reality is that external auditors are starting to scrutinize DBA access and requesting controls and systematic proof of such to attain compliance. Any particular approach may not be ‘bulletproof’, but each hurdle or preventive measure deployed reduces the overall risk as assessed by the auditor.

29 Hurdles to Mitigate Risk
[Diagram labels: DBA Fraud; Use Named Accounts; Audit Access; Audit Transactions; Secure Audit Trail; Limit SYSDBA Usage]

30 Application Auditor
– Audit/Alert/Prevent
  – DML transactions
  – DDL operations
  – DBA activity
  – IT Staff activity
  – Application user activity
– Audit Session Connections
– Audit Server Errors
– Secure the Audit Schema from the DBA
Visit to learn more.

31 References
– Oracle9i Database Administrator's Guide, Release 2 (9.2)
– Oracle Privacy Security Auditing, by Arup Nanda & Donald K. Burleson

32 Thank You!

33 User Vs. Schema
– User: Connects to the database
– Schema: A user which owns objects (Views, Tables, Procedures)

34 E-Biz Suite Schema Map
[Diagram labels: SYS, AP, GL, SYSTEM, APPS, APPLSYS, AR, SCOTT, PUBLIC, End User]

