Feature

Auditing Oracle Database

Muhammad Mushfiqur
Rahman, CISA, CCNA, CEH,
ITIL V3, MCITP, MCP, MCSE,
MCTS, OCP, SCSA, has
11 years of IT operations, Database auditing is the activity of monitoring SQL injection is a technique used to take
project management and and recording configured database actions from advantage of nonvalidated input vulnerabilities
custom business solutions, database users and nondatabase users, to ensure to pass SQL commands through a web
enterprise resource the security of the databases. application for execution by a back-end
planning implementation, An administrator can perform auditing on database. Attackers take advantage of the fact
and information security individual actions, such as the type of Structured that programmers often chain together SQL
management experience. Query Language (SQL) statement executed, or commands with user-provided parameters and,
Rahman is manager, on combinations of data that can include the user therefore, can embed SQL commands inside
information systems security name, application or time stamp, for example. these parameters. The result is that the attacker
at the Premier Bank Limited, Auditors need to audit for both successful and can execute arbitrary SQL queries and/or
Bangladesh. He also has 10 failed activities, and include or exclude specific commands on the back-end database server
years of experience teaching users from the audit: through the web application.
different IT courses for end Data exfiltration is the unauthorized copying,
users and IT professionals. Proper auditing of a database will ensure transfer or retrieval of data from a computer or
He can be reached at the safeguarding of the database, which server. Data exfiltration is a malicious activity
[email protected]. means that the database and its features performed through various techniques, typically
installation, default account, patches, by cybercriminals over the Internet or other
services, password policy, account lockout network. Data exfiltration is also known as data
policy and audit policy have proven extrusion, data exportation or data theft.
auditing to be a continuous process.1 Staging server is a server that enables
assembling, deploying and testing a software
The major types of risk activities include: or web site on a server instance, similar to the
Mistake: Failure to maintain or operate production server. Typically, software or a web
the database as required leads to accidental site is deployed on the staging server from
disclosure of information, and unauthorized the development server when development is
changes lead to unauthorized and accidental complete. A staging server helps to identify
disclosures, inserts, updates or deletions. the software or web site behavior, experience
Do you have Misuse: Failure to maintain access rights to the and performance as it will be visible on
something database leads to abuse of privileged access and the production server. This helps software
to say about leakage of information. developers or quality assurance (QA) staff
this article? Malicious action: Failure to maintain a secure, identify and resolve any problems, bugs,
Visit the Journal logical setup of the database leads to data theft performance or usability issues, or other issues
pages of the ISACA or a denial-of-service (DoS) attack. before the software or web site is deployed
web site (www.isaca. on the production server. The staging server
org/journal), find the COMMON VULNERABILITIES FOUND IN can be a staging database server, staging web
article, and choose
DATABASE ATTACKS site server or staging application server, for
the Comments tab to
Many attacks begin with social engineering: example.
share your thoughts.
Phishing is an e-mail fraud method in which Analyzing database configuration is critical to
Go directly to the article: the perpetrator sends out legitimate-looking determine vulnerabilities and assure the standard
emails in an attempt to gather personal and auditing. Database auditing includes:
financial information from recipients. Typically, 1. Finding sensitive data and privileges
the messages appear to come from well-known 2. Preventing data access
and trustworthy web sites. Web sites that are 3. Validating that detection and alert mechanisms
frequently spoofed by phishers include PayPal, are in place
eBay, MSN, Yahoo and Best Buy, for example.

1 ISACA JOURNAL VOLUME 6, 2014

 There are multiple mechanisms available that must be in password is the same as their username. These will be the first
place when databases are configured, including: credentials that a hacker will attempt to use to connect to the
Data redaction provides selective, on-the-fly redaction of database. As a best practice, each of these accounts should be
sensitive data in SQL query results, prior to application configured with a strong unique password, and if an account
display, so that unauthorized users cannot view the is not required, it should be locked and expired.
sensitive data. It enables consistent redaction of database To change the password, the following SQL code should
columns across application modules accessing the same be executed:
database information. Data redaction minimizes changes to sqlplus> connect mydba
applications because it does not alter actual data in internal sqlplus> alter user SYSTEM account lock and expire
database buffers, caches or storage, and it preserves the The following SQL can be used to lock and expire those
original data type and formatting when transformed data are default accounts:
returned to the application. Data redaction has no impact on sqlplus> connect mydba
database operational activities, such as backup and restore, sqlplus> alter user SYSTEM account lock and expire
upgrade, and patch, and on high-availability clusters. The default accounts installed with Oracle vary by version.
Data masking obfuscates sensitive data by replacing them Figure 1 provides a quick reference of the accounts that are
with other datatypically characters that will meet the installed by default (if the DBCA is never executed) in Oracle
requirements of a system designed to test or still work 9, 10 and 11 in an open state.
with the masked results. Masking ensures that vital parts
of personally identifiable information (PII), such as the Figure 1Oracle Default Accounts
first five digits of a social security number, are obscured or
Oracle 9i Oracle 10g 2 Oracle 11g
otherwise deidentified.
SYSTEM SYSTEM SYSTEM
Data encryption involves converting and transforming
data into scrambled, often unreadable, ciphertext using SYS SYS SYS
nonreadable mathematical calculations and algorithms. SCOTT SYSMAN
Restoring the message requires a corresponding decryption DBSNMP MGMT_VIEW
algorithm and the original encryption key. DBSNMP
Source: Muhammad Mushfiqur Rahman. Reprinted with permission.
DATABASE AUDITING STEPS
The following steps need to be followed for database auditing. Starting with Oracle version 11g, database administrators
(DBAs) can easily locate any accounts with default passwords
Step 1: Determine if Default Accounts Have Been Changed (same as username) by using the database view DBA_
or Disabled USERS_WITH_DEF_PWD.
Default privileged Oracle accounts continue to be the highest
risk issue commonly encountered. It is an easy issue to fix and Step 2: Audit the Strength of Oracle Database SID
prevent. After installation, Oracle has a number of default The Oracle system ID (SID) is a unique value that is required
accounts, each with a default preset value. Following database for all clients to connect to the Oracle database. Because it
install, the Oracle database configuration assistant (DBCA) must be unique, there cannot be more than one database with
automatically locks and expires the majority of the default the same SID on the same Oracle server.
database user accounts. Additionally, DBCA changes the If a client connection uses an incorrect SID to connect
SYSTEM account to the value specified during the to an Oracle database, it will get the message ORA-12505:
installation routine. TNS:listener does not currently know of SID given in connect
If an Oracle database is manually installed, the DBCA descriptor. However, SIDs can be brute forced. There are
never executes, and those dangerous default privileged numerous tools to brute force the Oracle SID, including
accounts are never locked and expired. By default, their

ISACA JOURNAL VOLUME6, 2014 2

 Metasploit modules, operational acceptance testing (OAT) last CPU release. Additionally, all DBAs should register with the
and SIDGuess. Oracle email Security Alert Advisory Service3 to ensure timely
The key to thwarting SID brute-force attacks is to select notification of Oracle patches and security alerts.
a SID that is strong. When creating an Oracle SID, the There is also a mechanism that Oracle employs if a critical
selection should: vulnerability is discovered that warrants immediate patch
Not be a dictionary word release. Oracle refers to patches released immediately under
Be at least 10 characters in length this program as off-schedule security alerts. Since the CPU
Include at least one special character program began in 2005, there have only been a few times
Incorporating these elements ensures that the SID is when Oracle released patches under this emergency process.
strong, i.e., difficult for an attacker to brute force. Organizations should develop a method for applying these
Why does a strong SID matter when the SID is stored as emergency released patches, but given their historic low
a cleartext value within the Oracle client configuration file, volume, the focus should be on the routine applying of CPU
TNSNAME.ora, on every single system that is configured patches every quarter.4
to connect to the database? It matters because as long as an
attacker can compromise at least one system that is configured Step 4: Audit PUBLIC Role for Identification of
to connect to the Oracle database, obtaining the SID from Unnecessary Privileges
the TNSNAMES.ORA file is trivial. However, it is important In Oracle, extended routines exist that allow minimally
to consider instances where the attacker is external to the privileged users to execute functions that they otherwise
organization and has compromised a single host that does not would not be able to execute. These extended routines are
have an Oracle client connection configured. A strong SID will called packages, and are roughly equivalent to Extended
not in and of itself prevent hackers from gaining a connection Stored Procedures in Microsoft SQL Server. A special role,
to an organizations Oracle database, but it is a good practice as called PUBLIC, acts as a default role assigned to every user in
part of a defense-in-depth approach to security. the Oracle database. Any database user can execute privileges
that are granted to PUBLIC. This is commonly exploited for
Step 3: Audit the Oracle Critical Patch Updates database privilege escalation.
This is one of those security best practice recommendations with These packages and subtypes should be revoked from
which most organizations commonly struggle. Depending on the PUBLIC and made executable for an application only when
database schema, Oracle critical patch updates (CPUs) can have absolutely necessary.
significant impact on the Oracle databasesignificant enough
that the organization might have to perform extensive regression Step 5: Check That Database Auditing Is Enabled
testing to ensure that applying the latest Oracle CPUs has no To identify the malicious or authorized activities in a database,
impact on database functionality. it is important to check that database auditing options are
Oracle releases CPUs quarterly on the Tuesday closest to enabled. To ensure that database auditing is enabled, one needs
the 17th day of the month. Oracle has a special bulletin page to perform the following activities during the database audit:
that describes all of the most recent Oracle Critical Patch Audit SYS operationsBy default, Oracle databases do not
Updates and Advisories.2 Fortunately, CPUs are cumulative in audit SQL commands executed by the privileged SYS and
nature. One can simply install the latest Oracle CPU to gain users connecting with SYSDBA or SYSOPER privileges.
all of the security patches since the products initial release. If a database is hacked, these privileges are going to be the
The key to an effective CPU patch process is creating hackers first target. Fortunately, auditing SQL commands of
a regimented regression testing process that corresponds these privileged users is very simple: sqlplus> alter system
to Oracles four scheduled releases every year. Even in set audit_sys_operations=true scope=spfile.
organizations with the most stringent regression testing Enable database auditingAgain, by default, Oracle
processes, the CPUs can usually be architected in such a manner auditing of SQL commands is not enabled. Auditing should
that they can be applied no more than three months after the be turned on for all SQL commands. Database auditing is

3 ISACA JOURNAL VOLUME 6, 2014

 turned on with the audit_trail parameter: sqlplus> alter when utl_http.REQUEST_FAILED then null; end;
system set audit_trail=DB, EXTENDED scope=spfile. END;
(Note: The command enables auditing from the database, /
but not the database vault information, into the table SYS. Error triggerError triggers are Oracle error messages.
AUD$.) There are actually four database auditing types: They can be useful for detecting attacks from SQL injection
OS, DB, EXTENDED and XML. and other attack methods.
Enable auditing on important database objectsOnce
For example, command (as user SYS):
auditing has been enabled, it can be turned on for objects
SQL> CREATE OR REPLACE TRIGGER after_error
where an audit trail is important.
AFTER SERVERERROR ON DATABASE
DECLARE pragma autonomous_transaction; id
Step 6: Audit to Ensure That Database Triggers for Schema
NUMBER;
Auditing and Logon/Logoff Events Are Configured
sql_text ORA_NAME_LIST_T; v_stmt CLOB; n
To effectively audit schema changes and logon and logoff
NUMBER;
events, Oracle provides Data Definition Language (DDL)
BEGIN
triggers to audit all schema changes and can report the exact
n := ora_sql_txt(sql_text);
change, when it was made, and by which user.
IF n >= 1 THEN
Logon triggerBy using a logon trigger, one can send logon
FOR i IN 1..n LOOP
and logoff events in real time to another system. Think of it
v_stmt := v_stmt || sql_text(i);
as a syslog daemon for your database events. The following
END LOOP;
example would send all logon and logoff events to a web
END IF;
server in real-time.
FOR n IN 1..ora_server_error_depth LOOP
SQL> create or replace trigger sec_logon after logon on
IF ora_server_error(n) in
database.
(900,906,907,911,917,920,923,933,970,103
DDL triggerUsing the DDL triggers, an Oracle DBA can
1,1476,1719,1722,1742,1756,1789,1790,2424
automatically track all changes to the database, including
7, 29257,29540) THEN
changes to tables, indexes and constraints. The data from
INSERT INTO system.oraerror VALUES (SYS_GUID()
this trigger are especially useful for change control for
, sysdate, ora_login_user, ora_client_ip_address, ora_
the Oracle DBA. The following example sends events for
server_e rror(n), ora_server_error_msg(n), v_stmt);
GRANT, ALTER, CREATE, DROP.
END IF; END LOOP;
Command (as user SYS): END after_error; /
SQL> create or replace trigger DDLTrigger
AFTER DDL ON DATABASE Step 7: Audit to Ensure That a DAM Solution Is Implemented
DECLARE If an organization can afford the extra expense of an additional
rc VARCHAR(4096); software product, a database monitoring solution can be very
BEGIN useful. It solves the issue of not being able to monitor the
begin DBAs activity at an organizational level. It also provides useful
rc:=utl_http.request(http://192.168.2.201/user=||ora_ insight into dangerous SQL queries and role modifications that
login_user||; might indicate an attacker has compromised a database. The
DDL_TYPE=||ora_sysevent||;DDL_OWNER=||ora_dict_ key to all database activity monitoring (DAM) solutions is that
obj_owner||;DDL_NA they operate within memory of the Oracle server and operate
ME=||ora_dict_obj_name||;sysdate=||to_char(sysdate, independently of the databases native auditing and logging
YYYY-MM-DD functions. For anyone familiar with network intrusion detection
hh24:mi:ss); systems (IDSs), DAMs have an analogous function: They
exception operate within the database layer on the server rather than at
any of the network layers.
ISACA JOURNAL VOLUME6, 2014 4
 Step 8: Audit to Ensure That Password Management for
All Oracle Logins Is Enabled
Oracle provides fairly robust password management for
Oracle logins. Unfortunately, none of these are applied in the Learn more about and discuss Oracle Database in the
default Oracle account profile. Knowledge Center.
In Oracle, logins are assigned an account policy through an www.isaca.org/topic-oracle-database
Oracle profile. Every login can be applied to only one Oracle
profile. If no Oracle profile is specified when the login is
created, it is assigned the default Oracle profile. PASSWORD_REUSE_TIME 1
Oracle covers the syntax for Oracle profiles well, but here PASSWORD_REUSE_MAX 10
are the recommended settings at a high level: Password complexity verificationWithout a password
Creating profilesOracle profiles are created with: complexity verification function, users most likely choose
CREATE PROFILE profilename LIMIT SQL statement simple dictionary words that are easy to remember and easy
for a hacker to guess. In Oracle, a user Procedural Language
Users are added to the profile with:
(PL)/SQL script must be set to check the complexity of
ALTER USER login(s) PROFILE profilename
a users password. In general, the password verification
Account lockout configurationAccount lockout
function should ensure that users passwords incorporate
configuration should be enabled. Locking accounts for 30
the following criteria:
days after five invalid attempts greatly reduces the risk of
Differ from their username
brute-force attacks. If 30 days is not feasible, even a setting
Are not a dictionary word
of one day greatly reduces the risk of brute-force attacks.
Are at least 10 characters in length
The following two parameters are used to specify account Include at least one alpha, one numeric and one
lockouts in an Oracle profile: special character
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LOCK_TIME 30 Step 9: Check to Ensure That Regular Database Security
Password expirationBy expiring passwords, one can help Assessments Are Performed
ensure that they are being changed on a periodic basis. Every secure configuration that has been discussed could be
Expiring user passwords at least every 90 days is a security easily detected with an automated database vulnerability tool.
best practice. The following parameter is used to specify the Automated database vulnerability tools provide an excellent
number of days that can lapse before a user must change way to quickly validate an organizations Oracle secure
their password: configurations. Obviously, these kinds of tools are only useful
PASSWORD_LIFE_TIME 90 if one has privileges. They are intended for DBAs, auditors
Password historyWithout password history, users will and security professionals to run for regular assessments.
most likely use the same password each time they change These tools are prone to false-positives and, unfortunately,
it. To ensure that users do not reuse passwords, there are false-negatives, but their benefits greatly outweigh their risk.
two parameters. The important thing to note is that these
settings are cumulative and both thresholds must match Step 10: Determine That Database Traffic Is Encrypted
before users are able to change their password. In general, This recommendation is rarely implemented, except in the
a password reuse allowance of one time is sufficient in most secure organizations. Oracle supports network-level
conjunction with a password reuse maximum allowance of encryption by both Secure Sockets Layer (SSL), using
10 or more. Setting the password reuse allowance higher X.509v3 signed certificates, and native encryption
than one time may be problematic if users frequently change without certificates.
their password. The important thing to note with these two The takeaway with network-level encryption is not only
settings is that they both should not be set to unlimited: that sensitive data in transit are protected when encryption

5 ISACA JOURNAL VOLUME 6, 2014

is employed, but also that the SID is protected. Without N onadministrative user access to objects owned by the
encryption, the SID can be easily enumerated through man-in- SYS schema
the-middle attacks. Permissions on run-time facilities
2. Lock and expire default (predefined) user accounts.
Step 11: Audit Security Threats and Countermeasures 3. Monitor the granting of the following privileges to only
Properly users and roles that need these privileges. By default,
An organization should create a written security policy to Oracle Database audits the following privileges:
enumerate the security threats it is trying to guard against and ALTER SYSTEM
the specific measures the organization must take. Security AUDIT SYSTEM
threats can be addressed with different types of measures: CREATE EXTERNAL JOB
Procedural, such as requiring data center employees to 4. Revoke access as follows:
display security badges G rant privileges only to roles. Granting privileges to roles
Physical, such as securing computers in restricted-access and not individual users makes the management and
facilities tracking of privileges much easier.
Technical, such as implementing strong authentication L imit the proxy account (for proxy authorization)
requirements for critical business systems privileges to CREATE SESSION only.
Personnel-related, such as performing background checks U se secure application roles to protect roles that are
or vetting key personnel enabled by application code.
D iscourage users from using the NOLOGGING clause in
GUIDELINES FOR SECURING USER ACCOUNTS AND PRIVILEGES SQL statements.
Follow these guidelines to secure user accounts and privileges:
1. Practice the principle of least privilege. Oracle recommends CONCLUSION
granting necessary privileges only. Do not provide database Data are a very decisive resource for any business due to
users or roles more privileges than necessary. (If possible, shielding; regularly auditing the database should never be left
grant privileges to roles, not users.) In other words, the to chance or patchwork solutions. During the audit period,

principle of least privilege is that users be given only stakeholders need
those privileges that are actually required to efficiently to identify that a
Without an all-encompassing
perform their jobs. To implement this principle, restrict the system is configured
auditing solution, organizations as per the standard

following as much as possible:
The number of SYSTEM and OBJECT privileges granted put precious data at risk. that ensures the
to database users mitigation of the
The number of people who are allowed to make SYS- data risk.
privileged connections to the database A complete, all-inclusive auditing solution must be
The number of users who are granted the ANY privileges, implemented that can easily accomplish each of the following:
such as the DROP ANY TABLE privilege. For example, Access and authentication auditing
there is generally no need to grant CREATE ANY TABLE User and administrator auditing
privileges to a non-DBA-privileged user. Suspicious activity auditing
The number of users who are allowed to perform actions Vulnerability and threat auditing
that create, modify or drop database objects, such as the Change auditing
TRUNCATE TABLE, DELETE TABLE, DROP TABLE Without an all-encompassing auditing solution,
statements, and so on organizations put precious data at risk. Corrupt, inaccurate
The CREATE ANY JOB, BECOME USER, EXP_FULL_ or compromised data equal lost revenue, lost time, and
DATABASE, and IMP_FULL_DATABASE privileges compromised customer and employee relationships.
Library-related privileges to trusted users only Auditing is a continuous and ongoing process no matter
Synonym-related privileges to trusted users only what system or provider is in use. Even the basics should

ISACA JOURNAL VOLUME6, 2014 6

 be reviewed periodically to avoid a false sense of security. 2
 racle, Oracle Critical Patch Updates and Advisories,
O
The database is a sensitive component in business; thus, it is www.oracle.com/technetwork/topics/security/
important to ensure the database is configured properly to alerts-086861.html
ensure the security of business data. 3
Oracle, Security Alert Advisory Service, www.oracle.com/
technetwork/topics/security/securityemail-090378.html
ENDNOTES 4
Oracle, white paper, www.oracle.com/us/support/assurance/
1
Microsoft, Security Monitoring and Attack Detection, leveraging-cpu-wp-164638.pdf?ssSourceSiteId=otnen
Technet, 29 August 2006, http://technet.microsoft.com/
en-us/library/cc875806.aspx

7 ISACA JOURNAL VOLUME 6, 2014