Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "ERP Oracle Database Security"] [Next entry: "alter session set current_schema"]

Good Audit Trail Design

Continuing with the series of posting the MS PPT slides (as pdf's) from recent past talks on all subjects Oracle security I have a new one for you. There are a few more still to post. I don't really know why I didn't post the slides directly after the talks themselves but they got left so I am now ploughing through them and releasing the material to my website.

Todays new MS PPT slides just posted to the site is from a talk I did in 2020 at the UKOUG. This is a talk Designing a good database audit trail and a link to it is also posted to our Oracle Security white papers page.

This talk focuses on the need to have a useful and well designed audit trail in the database that focuses on capturing an attack at the database level and not just at the application level. Often companies have audit trails that are part of the application but neglect to design and implement a good audit trail in the database at the database level itself. This is important. If an attacker goes in direct and steals data or causes damage to the database not via the application the logging mechanisms in application screens are not going to show the direct access to data or the database itself.

The talk focuses on the need to design an audit trail and shows that we cannot just take some settings from documents such as CIS as we need to understand what we as a business needs to know about the database; i.e. who logs in, who accesses as a DBA, who accesses out of hours, who tries SQL Injection, who tries to escalate rights and much more. We discuss the need to design events that should be captured and from there decide how we may implement those events as an audit trail; this could be using standard audit, triggers, unified audit or indeed any solution. The most important aspect is to design what you want to know before you decide on the technical solution.

I include some ideas of the basics to include in your audit trail and then I hack a sample database with just standard audit settings from Oracle and show that these standard settings do not capture the hacks. We next implement a sample designed audit trail and then finally hack again to show that these hacks are indeed audited at the database audit level.

That's it, please have a read of the slides

#oracleace #dbsec #oracle #database #security #databreach #audit #audittrail