Presentation on theme: "Auditing Oracle Lisa Outlaw CISA, CISSP, ITIL Foundation"— Presentation transcript:
1Auditing Oracle Lisa Outlaw CISA, CISSP, ITIL Foundation IS Audit Supervisor, North Carolina State Auditor
2Objective To explain the following: Key Oracle Audit Areas Risks in each Audit AreaControls that should be implementedAudit procedures to evaluate controls
3Audit Areas Data Dictionary Privileges Parameters Default Users AccountsProfilesRolesLinksAudit Trail
4Data DictionaryContains all the information about the structures and objects of the databaseTables, columns, users, data files, etc.Owned by the Oracle account “SYS”This is the most powerful account in OracleContains all the security dataTables, users, tab privs., etc
5Data Dictionary RisksAttackers can gain valuable information about the databaseincluding accounts and encrypted passwords.Attackers could destroy the database by deleting key tables.
6Data Dictionary Controls Ensure Access to the data dictionary is limited to only those accounts that need access to fulfill their job duties.Normally, only the database administrators should have access to the data dictionary.
7Audit Procedure to evaluate controls over Data Dictionary O7_DICTIONARY_ACCESSIBILITY=FALSEthis is a database initialization parameter that controls access to objects in the SYS schema.Set this to FALSE to prevent users with EXECUTE ANY PROCEDURE and SELECT ANY DICTIONARY from accessing objects in the SYS schema.If set to TRUE, accounts with "ANY" privileges could get access to objects in the SYS schema, hence the data dictionary.SQL Command to Evaluate ControlSELECT * FROM V$PARAMETER WHERE UPPER(NAME)=‘O7_DICTIONARY_ACCESSIBILITY’;
8Privileges Privileges are Types of privileges the tasks that accounts or roles are allowed to perform.used by the database to determine if access to resources will be allowed or denied.Types of privilegesSystem Privileges - Apply to the entire databaseSchema Object Privileges -Apply only to a portion of the database
9Risks of Powerful Privileges Excessive access to system tables and critical application tables may lead to:Unauthorized changes to dataDenial of database services
10Controls over Powerful Privileges Privileges should be granted based on the need to know, need to use basis.Polices, procedures, and standards should support privilege granting decisions.
11Controls over Powerful Privileges Privileges on system and database objects should be carefully assessed, documented, and granted to the proper accounts and rolesTypically end-user accounts should not be granted system privileges except create sessionInsert, Update, Delete on critical tables should be limited to required users
12System PrivilegesSystem Privileges allow an account to perform a particular action on any schemaEx. Read (Select) any table in the databaseSELECT ANY TABLE privilegeOver 150 different system privileges in Oracle
13Audit Procedures to evaluate controls over System Privileges
14Audit Procedures to evaluate controls over System Privileges Ensure that only authorized personnel has system privileges in critical databases.Therefore, all system privileges except for CREATE SESSION should be restricted to the Database Administrators (DBA)SQL Command to Evaluate ControlSELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE <> 'CREATE SESSION';Ensure REVOKE ALL <PRIVS> FROM <USER>;
16Audit Procedures to evaluate controls over System Privileges Prevent granting privileges for the entire catalog of objectsprevent granting of privileges that contain the keyword ANY.The ANY keyword grants the ability for the user to set privileges for the entire catalogue of objects in the database.Check for any user or role that has the ANY keyword and revoke this privilege where possible.SQL Command to Evaluate ControlREVOKE ALL <PRIVS> FROM <USER>;SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE like "%ANY%";SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE like '%SELECT_ANY_%'
17Audit Procedures to evaluate controls over System Privileges Prevent granting of ALL privileges.The GRANT ALL PRIVILEGES must not be used; it gives full access to all tables, views and objects to the user or role it is granted to.SQL Command to Evaluate ControlREVOKE ALL PRIVILEGES FROM <USER/ROLE>GRANT <SPECIFIC PRIVILEGES> TO <USER/ROLE>;SELECT * FROM DBA_SYS_PRIVS WHERE UPPER(PRIVILEGE) like 'GRANT ANY %' OR PRIVILEGE like 'GRANT ALL %';
18Audit Procedures to evaluate controls over System Privileges Prevent granting of SELECT ANY TABLE.If application data is sensitive, and it is possible, revoke this privilege from the DBA accounts as well.SQL Command to Evaluate Control REVOKE SELECT ANY <OBJECT> FROM <USER>;SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE like '%SELECT ANY %'
19Audit Procedures to evaluate controls over System Privileges Prevent granting of privileges that have CREATE.Check for any user that has object creation privileges and revoke where possible.Excessive create privileges can allow an attack to create arbitrary objects, tables, and views.SQL Command to Evaluate ControlREVOKE CREATE <PRIV> FROM <USER/ROLE>SELECT * FROM DBA_SYS_PRIV FROM PRIVILEGE LIKE 'CREATE %';
20Schema Object Privileges Privileges on tables, views, and stored procedures within a particular schemaTypically used to control access to critical application data
21Schema A schema is Schema database objects a collection of database objects.owned by a database user and has the same name as that user.Schema database objectsare logical structures created by users to contain, or reference, their data.include structures like tables, views, and indexes.
22Examples of Schema database objects TablesIndexesViewsSynonymsSequencesDatabase linksPackagesProceduresFunctionsEtc.
25Audit Procedures to evaluate controls over Schema Object Privileges
26Audit Procedures to evaluate controls over Schema Object Privileges Lock account access for application schema owners Lock the account for the application schema owner. Users must not connect to the database as the application owner.SQL Command to Evaluate ControlALTER USER <USERNAME> ACCOUNT LOCK PASSWORD EXPIRESELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS;SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS WHERE USERNAME in (list of application schema owner accounts);
27Audit Procedures to evaluate controls over Schema Object Privileges Review users access to various application data and determine if access is granted based on a need to know, need to use basis.
28Parameters Updatable configuration settings for the database Default settings populated during installationTypically stored in files on the host server, such as Unix
29Parameter Risks Improperly configured parameters could allow unauthorized access to sensitive dataunauthorized control of the databaseUnauthorized access to configuration parameters could allow unauthorized modification of the database.
30Parameter ControlsGain an Understanding of all configuration parameters for the database.The organization should develop a baseline defining secure parameter configurations.Default configuration parameters should be modified,Defaults Settings could lessen database security.Authorized Access to files or tables with configuration parametersThe organizations should define those people who need access to these files or tables to perform their job duties.
31Audit Procedures to evaluate controls over Parameters
32Evaluate Controls over Parameters SQL Command to Evaluate ControlSELECT * FROM V$PARAMETER;Provides the runtime values of all the parameters
33Key Parameters to Audit Set REMOTE_OS_AUTHENT= FALSEto disallow a user that is authenticated to the network domain to access the database without DB credentials.SQL Command to Evaluate ControlSELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE ‘%REMOTE_OS_AUTHENT %’;
34Key Parameters to Audit Set _trace_files_public= FALSEprevents users from having the ability to read trace files which may contain sensitive information about the running Oracle instance. This is an internal Oracle parameter. (default: FALSE)SQL Command to Evaluate ControlSELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE ‘%TRACE_FILES_PUBLIC%’;
35Key Parameters to Audit Set REMOTE_OS_ROLES=FALSEto prevent Connection spoofing. Default is FALSE.SQL Command to Evaluate ControlSELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE ‘%REMOTE_OS_ROLES %’;
36Key Parameters to Audit Set REMOTE_LISTENER=’ ’to prevent the use of a listener on a remote machine separate from the database instance.SQL Command to Evaluate ControlSELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE ‘%REMOTE_LISTENER%’;
37Key Parameters to Audit AUDIT_TRAIL = OS (recommended setting)AUDIT_TRAIL parameter ensures basic auditing is turn on.AUDIT_TRAIL to OS reduces the likelihood of a Denial of Service attack and it is easier to secure the audit trail.Any auditing information stored in the database is viewable and modifiable by the DBA if set to DB or DB_EXTENDED.SQL Command to Evaluate ControlSELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE ‘%AUDIT_TRAIL%’;
38Key Parameters to Audit Set OS_ROLES=FALSEOS_ROLES allows externally created groups to be used to manage database roles. This can lead to misaligned or inherited permissions.SQL Command to Evaluate ControlSELECT * FROM V$PARAMETER WHERE UPPER(NAME) LIKE ‘%OS_ROLES %’;
39Key Parameters to Audit REMOTE_LOGIN_PASSWORDFILE=NONEPrevent remote privileged connections to the database.SQL Command to Evaluate ControlSELECT * FROM V$PARAMETER WHERE UPPER(NAME)=‘REMOTE_LOGIN_PASSWORDFILE’;
40Default User Accounts Default accounts are created during installation These accounts own different features of the database
41Default User RisksInitial passwords should be changed after database installationDefault user ids and passwords are well known and could be used to allow unauthorized access to the database.
42Default User Controls All initial passwords should be changed Some default user accounts should be removed or locked as appropriate.
43Audit Procedures to evaluate controls over Default Accounts
44Default User Account Audit Procedures SQL Command to Evaluate ControlSELECT * FROM DBA_USERS_WITH_DEFPWD; (DBA_USERS_WITH_DEFPWD not in versions prior to Oracle 11g)Note: the script was design to run on database versions 11g and prior.The error message above is what you should see if you are runningthis command on an Oracle database that is not 11g.
45Sample Output From Script SQL Command to Evaluate ControlSELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS WHERE USERNAME in (list of default accounts);Note: the script looks for known default accounts, to determineif the accounts are locked.
46Default User Account Audit Procedures Check if Default Passwords are ChangedCompare default password per hash values in Oracle white papers to password hash from database under audit to determine if default passwords were changed.USERNAMEPASSWORD-HASHFrom Oracle WhitepapersPASSWORD-HASH From database under auditACCOUNT_STATUSWKSYS69ED49EE DOPENCTXSYS24ABAB8B06281B4CLOCKEDMDSYS72979A94BAD2AF80EXPIRED & LOCKEDWMSYS7C9BA362FORDSYS7EFA02EC7EA6B86F
47ProfilesOracle Profiles are used for resource and password management.Typically, a profile is created, then assigned to a user account.The profile contains the password settings, failed login attempt setting, password complexity etc.All user accounts are automatically assigned a DEFAULT profile.Specific users profiles are not explicitly assigned a user profile.
48Profile Risk Improperly configured profiles could allow: unauthorized access to sensitive dataunauthorized control of the databasepasswords that never expireunlimited failed login attempts to the oracle database.
49Profile ControlsOrganizations should define secure profile settings in a configuration baseline.Recommendation:Set three separate profiles instead of using the default profile:- application profiles,- system profiles, and- user profilesRationale:User, System, and Application accounts require different resource and password settings.
50Profile Audit Procedures SQL Command to Evaluate ControlSELECT * FROM DBA_PROFILES;PROFILECONFIGURATION SETTINGRESOURCEVALUECPSPID_USERFAILED_LOGIN_ATTEMPTSPASSWORD3CUSTOMER5DEFAULTDEVELOPERPASSWORD_LIFE_TIMEUNLIMITPASSWORD_LOCK_TIME.0208
51Key Profile Settings to Audit Check the values of the following resources listed in the RESOURCE_NAME column, and compare to organization or statewide security standards:failed_login_attempts must be set to 3 (default 10 counts)password_life_time must be set to 60 or 90 days (default 180 days)password_lock_time must be set to 1 (default unlimited days)password_reuse_max must be set to 20 (default unlimited counts),limits the number of different passwords that must be rotated by the user before the current password can be reusedpassword_reuse_time must be set to 365 (default unlimited days)sets the amount of time that must pass before a password can be reused;
52Key Profile Settings to Audit password_grace_time must be set to 3 (default unlimited days)to specify the number of days that the user is warned to change their password before their password expiresidle_time must be set to a number (default unlimited minutes);limits the maximum length of time (in minutes) a session can be idle connect_time must set to a number to limits the maximum length of time (in minutes) a session can be held open (default unlimited minutes);password_verify_functionContains the password complexityThe password verification function can be obtained from DBA_SOURCE table:SQL Command to Evaluate ControlSELECT * FROM DBA_SOURCE WHERE TYPE='FUNCTION';
53Roles A group of privileges that can be assigned to individual users Oracle Databases have default roles already definedRoles make management of individual users easier to control
54Roles Risks Default roles can grant excessive privileges Careless assignment of roles may grant users excessive elevated privilegesChanges in job assignments makes role maintenance difficult.
55Roles ControlsPasswords should be assigned to roles with important privilegesWritten maintenance procedures should existEvidence should exist to support that maintenance procedures are followedDefault roles should not be used
56Audit Procedures to evaluate controls over Roles
57Audit Procedures to evaluate controls over Roles Review the following powerful role privileges:DBADELETE_CATALOG_ROLEEXECUTE_CATALOG_ROLEEXP_FULL_DATABASEIMP_FULL_DATABASERECOVERY_CATALOG_OWNERSELECT_CATALOG_ROLESQL Command to Evaluate ControlSELECT * FROM DBA_ROLES ORDER BY ROLE;
58Audit Procedures to evaluate controls over Roles Determines if the persons in roles are appropriate.SQL Command to Evaluate ControlSelect * from DBA_USERs;Select * from DBA_ROLE_PRIVS;Select * from DBA_ROLES;Select * from DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA';
59Link$Connections that allow one database to interact with another
60Link$ Risks Unknown users in the remote database Causes Clear text password to be stored in the data dictionaryMultiple databases are at risk for unauthorized accessPublic links are not uncommon
61Links Controls Public links should not be used Access should not be granted to the data dictionary tablemay have passwords stored in clear textUser permissions and/or executable procedures should restrict a users ability to use linksLinks should not exist from test or development databases into production databases
62Audit Procedures to evaluate controls over LINK$
63Audit Procedures to evaluate controls over LiNK$ Restrict Access to LINK$Revoke access to the LINK$ table from all users and roles except for SYS and DBA accounts.SQL Command to Evaluate ControlSELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME in 'LINK$‘SELECT * from DBA_TAB_PRIVS WHERE TABLE_NAME in 'LINK$',
64Audit TrailBuilt-in facility to monitor activity that occurs within the databaseLogs are created of the activity that is auditedLogs are kept either on the operating system or in the database.However, it is preferred to keep logs on the operating systems to avoid unauthorized modification from database administrators.
65Audit Trail Risks Without an Audit Trail No accountability is assigned to actions occurring within or to the databaseData could be stolen without the knowledge of the database ownersThe database can be damaged or misconfigured without the knowledge of the database owners
66Audit Trail ControlsPolicies and procedures should exist defining the auditing that should be performedAuditing should be enabledAudit logs should be monitoredAudit logs should be secured within the operating system
67Audit Procedures to evaluate controls over Audit Trail
68Audit Procedures to evaluate controls over Audit Trail Restrict Access to AUD$ and USER_HISTORY$',Revoke access to the 'AUD$' table from all users and roles except for SYS and DBA accounts.Allowing users to alter the AUD$ or USER_HISTORY$ table can compromise the audit trail or integrity of the Oracle databaseNote: This is only applicable if the audit trail parameter is set to db or db_extended;SQL Command to Evaluate ControlSELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME in AUD$SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME in USER_HISTORY$SELECT * from DBA_TAB_PRIVS WHERE TABLE_NAME in AUD$SELECT * from DBA_TAB_PRIVS WHERE TABLE_NAME in USER_HISTORY$
69Discussion of Handouts Oracle ScriptsSample Work papersQuestions??Sources:Oracle WhitepapersOracle Website