Skip navigation.

Stephen Kost's E-Business Suite Security Blog

Syndicate content
Integrigy's Oracle Security Blog with information on security for the Oracle Database, Oracle E-Business Suite and other Oracle products.
Updated: 4 hours 26 min ago

Fine Grained Auditing (FGA) and Protecting Oracle E-Business PII Data for Executives

Fri, 2015-02-13 06:00

With the recent news about yet another database breach of Personally Identifiable Information (PII), Integrigy had a discussion with a client about how to better protect the PII data of their executives.

The following Fine-Grained-Auditing (FGA) policy started the discussion. The policy below will conditionally log direct connections to the Oracle E-Business Suite database when the PII data of corporate executives is accessed. For example, it will ignore E-Business Suite end-user connections to the database, but will catch people directly connecting to the database from their laptop. However, it will only do so if PII data for executives is accessed:

BEGIN

DBMS_FGA.ADD_POLICY (
   object_schema     =>  'HR',
   object_name       =>  'PER_ALL_PEOPLE_F',
   policy_name       =>  'FGA_PPF_NOT_GUI_AND_OFFICER',
   audit_condition   =>  ' PER_ALL_PEOPLE_F.PERSON_ID IN (
         SELECT PAX.PERSON_ID
         FROM PER_ASSIGNMENTS_X PAX, PER_JOBS J, PER_JOB_DEFINITIONS JD
         WHERE PAX.JOB_ID = J.JOB_ID
         AND J.JOB_DEFINITION_ID = JD.JOB_DEFINITION_ID
         AND UPPER(JD.SEGMENT6) LIKE UPPER(''%EXECUTIVE%''))
         AND NOT (SYS_CONTEXT (''USERENV'',''IP_ADDRESS') IN
         (''IP of your DB server’’, ‘’IP of your cm server’’, 
           ‘’IP of your application server’’) 
        AND SYS_CONTEXT (''USERENV'',''CURRENT_USER'') = ''APPS'' ) ',
   audit_column      =>   NULL,
   handler_schema    =>   NULL,
   handler_module    =>   NULL,
   enable            =>   TRUE,
   statement_types   =>  'SELECT',
   audit_trail       =>   DBMS_FGA.DB,
   audit_column_opts =>   DBMS_FGA.ANY_COLUMNS);

END;

Here is an explanation of the policy above:

  • Audits only direct database activity and ignores database connections from the E-Business Suite user interface, the database server, the web and application servers, as well as the concurrent manager.
  • Audits SELECT activity against PER_ALL_PEOPLE_F or any view based on the table PER_ALL_PEPOPLE_F. PII data exists outside of PER_ALL_PEOPLE_F but this table is the central table within the E-Business Suite that defines a person and thus contains critical PII data such as name, birthdate and National Identifier.
  • Audits ALL columns in the table but could easily be restricted to only specific columns.
  • Audits ONLY those result sets that includes current or ex-employee whose job title has ‘%Executive%' in the Job Title. Note this policy was demonstrated using the Vision demo database. Your Job Key Flexfield definition will be different.
  • FGA comes standard with the Enterprise license of the Oracle database. If you own the Oracle E-Business Suite, you don't need an additional license to use FGA.

The policy above would certainly strengthen an overall database security posture, but it does have several immediate drawbacks:

  • While it does address risks with direct database activity, including the use of the APPS account from a laptop, it will not guard against privileged database users such as DBAs.
  • Spoofing of USRENV attributes is possible which precludes using any USERENV attribute other than the IP address and DB username.
  • Audit data needs security stored and regularly purged. Privileged users may have access to FGA data and policies. Audit data also needs to be retained and purged per corporate policies.
  • Lastly, the performance impact of the policy above would need to be carefully measured. If the policy above were to be implemented, it would need to be seriously tested, especially if modules are to be used such as Oracle Advanced Benefits and/or Payroll.

As part of a database security program, Integrigy recommends that all clients implement defense in depth. No one tool or security feature will protect your data. Oracle Traditional Auditing (TA) as well as FGA policies similar to the above should be implemented, but the both TA and FGA have limitations and trade-offs.

Integrigy recommends that both Oracle TA and FGA be used with database security solutions such as the Oracle Audit Vault and Database Firewall (AVDF), Splunk, Imperva, and IBM Guardium.  Database monitoring and alerting needs to be automated and should done using a commercial tool. You also need to secure and monitor privileged users such as DBAs and database security cannot come at the cost of overall application performance.

Our client conversation about the FGA policy above concluded that while the policy could work, given the variety of different database connections, a better solution would be to utilize a variation of the policy above along with Splunk, which they already own.

If you have questions about the sample FGA policy above or about database security, please contact us at: mailto:info@integrigy.com

References

Tags: AuditingSensitive DataHIPAAOracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Integrigy Database Log and Audit Framework with the Oracle Audit Vault

Fri, 2015-02-06 06:00

Most clients do not fully take advantage of their database auditing and logging features. These features are sophisticated and are able to satisfy most organization’s compliance and security requirements. 

The Integrigy Framework for database logging and auditing is a direct result of Integrigy’s consulting experience and will be equally useful to both those wanting to improve their capabilities as well as those just starting to implement logging and auditing.  Our goal is to provide a clear explanation of the native auditing and logging features available, present an approach and strategy for using these features and a straight-forward configuration steps to implement the approach.

Integrigy’s Framework is also specifically designed to help clients meet compliance and security standards such as Sarbanes-Oxley (SOX), Payment Card Industry (PCI), FISMA, and HIPAA.  The foundation of the Framework is PCI DSS requirement 10.2.

Integrigy’s Log and Audit Framework can be easily implemented using the Oracle Audit Vault.  The high-level summary is a follows –

Level 1

Enable database auditing as directed by the Integrigy Framework Level 1 requirements. 

Level 2
  1. Install the Oracle Audit Vault.  If already installed, it is highly recommended to perform a health check as described in Audit Vault Server Configuration Report and Health Check Script (Doc ID 1360138.1).
  2. Configure Oracle database to use Syslog per Integrigy Framework Level 2 requirements.  Set the database initialization parameter AUDIT_TRAIL parameter to equal ‘OS’ and AUDIT_FILE_DEST parameter to desired file in the directory specification.  Last set the initialization parameter AUDIT_SYSLOG_LEVEL to ‘LOCAL1.WARNING’ to generate Syslog formatted log files.
  3. Install and activate the Oracle Audit Vault collector agent OSAUD for operating system files.  Collect Syslog formatted logs located by the AUDIT_FILE_DEST parameter.
Level 3

Protect application log and audit tables by creating standard database audit policies and adding these new policies the Audit Vault Collectors.  Create database alerts based on correlations between standard database events and application audit logs.

Oracle E-Business Suite Example

To use the Oracle Audit Vault with the Oracle E-Business Suite, no additional patches required either for the E-Business Suite or the Oracle database.  This is because the Oracle Audit Vault uses only standard Oracle database functionality. 

There are two steps for Level 3.  The first is to protect the Oracle E-Business Suite audit tables, the second is to build alerts and reports that correlate application and database log information.  To protect the E-Business Log and Audit tables, enable standard auditing on them.  The second step is to define the Audit Vault alerts and reports.

Below is an example of event E12 - Protect Application Audit Data

The sign-on audit tables log user logon and navigation activity for the professional forms user interface.  This data needs to be protected.

Steps
  1. Enable Standard Auditing
  2. Create Audit Vault Alert
  3. Forward to Alert to Syslog (This feature is available as of Oracle AVDF version 12.1.2)

To enable standard auditing:

AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGINS BY ACCESS;

AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGIN_RESPONSIBILITIES BY ACCESS;

AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGIN_RESP_FORMS BY ACCESS;

AUDIT UPDATE, DELETE ON APPLSYS.FND_UNSUCCESSFUL_LOGINS BY ACCESS;

 

To create an alert in Audit Vault:

Audit Vault -> Auditor -> Policy -> Alerts -> Create Alert

 

Name: E12 - Modify audit and logging

Condition:

 :TARGET_OWNER='APPLSYS' AND :EVENT_NAME in ('UPDATE','DELETE') AND :TARGET_OBJECT in ('FND_LOGINS','FND_LOGIN_RESPONSIBILITIES','FND_LOGIN_RESP_FORMS','FND_UNSUCCESSFUL_LOGINS')

Example:

 

                             

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Audit Vault
Categories: APPS Blogs, Security Blogs

Oracle Audit Vault - Oracle Client Identifier and Last Login

Fri, 2015-01-30 06:00

Several standard features of the Oracle database should be kept in mind when considering what alerts and correlations are possible when combining Oracle database and application log and audit data.

Client Identifier

Default Oracle database auditing stores the database username but not the application username.  In order to pull the application username into the audit logs, the CLIENT IDENTIFIER attribute needs to be set for the application session which is connecting to the database.  The CLIENT_IDENTIFIER is a predefined attribute of the built-in application context namespace, USERENV, and can be used to capture the application user name for use with global application context, or it can be used independently. 

CLIENT IDENTIFIER is set using the DBMS_SESSION.SET_IDENTIFIER procedure to store the application username.  The CLIENT IDENTIFIER attribute is one the same as V$SESSION.CLIENT_IDENTIFIER.  Once set you can query V$SESSION or select sys_context('userenv','client_identifier') from dual.

The table below offers several examples of how CLIENT_IDENTIFIER is used.  For each example, for Level 3 alerts, consider how the value of CLIENT_IDENTIFIER could be used along with network usernames, enterprise applications usernames as well as security and electronic door system activity logs.

Oracle CLIENT_IDENTIFIER

Application

Example of how used

E-Business Suite

As of Release 12, the Oracle E-Business Suite automatically sets and updates client_identifier to the FND_USER.USERNAME of the user logged on.  Prior to Release 12, follow Support Note How to add DBMS_SESSION.SET_IDENTIFIER(FND_GLOBAL.USER_NAME) to FND_GLOBAL.APPS_INITIALIZE procedure (Doc ID 1130254.1)

PeopleSoft

Starting with PeopleTools 8.50, the PSOPRID is now additionally set in the Oracle database CLIENT_IDENTIFIER attribute. 

SAP

With SAP version 7.10 above, the SAP user name is stored in the CLIENT_IDENTIFIER.

Oracle Business Intelligence Enterprise Edition(OBIEE)

When querying an Oracle database using OBIEE the connection pool username is passed to the database.  To also pass the middle-tier username, set the user identifier on the session.  To do this in OBIEE, open the RPD, edit the connection pool settings and create a new connection script to run at connect time.  Add the following line to the connect script:

 

CALL DBMS_SESSION.SET_IDENTIFIER('VALUEOF(NQ_SESSION.USER)')

 

Last Login

Tracking when database users last logged in is a common compliance requirement.  This is required in order to reconcile users and cull stale users.  New with Oracle12c, Oracle provides this information for database users.  The system table SYS.DBA_USERS has a column, last_login. 

Example:

select username, account_status, common, last_login

from sys.dba_users

order by last_login asc;

Username

Account_Status

Common

Last_Login

C##INTEGRIGY

OPEN

YES

05-AUG-14 12.46.52.000000000 PM AMERICA/NEW_YORK

C##INTEGRIGY_TEST_2

OPEN

YES

02-SEP-14 12.29.04.000000000 PM AMERICA/NEW_YORK

XS$NULL

EXPIRED & LOCKED

YES

02-SEP-14 12.35.56.000000000 PM AMERICA/NEW_YORK

SYSTEM

OPEN

YES

04-SEP-14 05.03.53.000000000 PM AMERICA/NEW_YORK

 

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Audit VaultOracle Database
Categories: APPS Blogs, Security Blogs

UPDATED: Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)

Sun, 2015-01-25 20:59

Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC.  This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU).

On January 24, Oracle published additional information regarding this security issue in My Oracle Support Note 1964164.1.  Revoking of these privileges may cause “subtle timestamp corruptions” in the database unless database patch 19393542 is applied.

Integrigy has updated the information we provided on how to validate if this security flaw exists in your environment and how to remediate the issue based on the additional information provided by Oracle.  The remediation can be done without applying the January 2015 CPU, but requires the database patch to be applied first.

For more information, see Integrigy’s in-depth security analysis "Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)" for more information.

Tags: VulnerabilityOracle E-Business SuiteSecurity AnalysisOracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Audit Vault - Remedy and ArcSight Integration

Fri, 2015-01-23 06:00
Remedy Ticket System Integration

Oracle Audit Vault 12c includes a standard interface for BMC Remedy ticketing systems.  You can configure the Oracle Audit Vault to connect to BMC Remedy Action Request (AR) System Server 7.x.  This connection enables the Oracle Audit Vault to raise trouble tickets in response to Audit Vault alerts. 

Only one Remedy server can be configured for each Oracle Audit Vault installation.  After the interface has been configured, an Audit Vault auditor needs to create templates to map and handle the details of the alert.  Refer to the Oracle Audit Vault Administrator’s Guide Release 10.3, E23571-08, Oracle Corporation, August 2014, section 3.6 http://docs.oracle.com/cd/E23574_01/admin.103/e23571.pdf.

HP ArcSight Integration

HP’s ArcSight Security Information Event Management (SIEM) system is a centralized system for logging, analyzing, and managing messages from different sources.  Oracle Audit Vault can forward messages to ArcSight SIEM.

No additional software is needed to integrate with ArcSight.  Integration is done through configurations in the Audit Vault Server console.

Messages sent to the ArcSight SIEM Server are independent of any other messages sent from the Audit Vault (e.g., other Syslog feeds). 

There are three categories of messages sent –

  • System - syslog messages from subcomponents of the Audit Vault Sever
  • Info - specific change logging from the Database Firewall component of Oracle AVDF
  • Debug - a category that should only be used under the direction of Oracle Support

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingSecurity Strategy and StandardsOracle Audit Vault
Categories: APPS Blogs, Security Blogs

Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)

Thu, 2015-01-22 12:58

Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC.  This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU) and has been assigned the CVE tracking identifier CVE-2015-0393.  The problem may impact all Oracle E-Business Suite versions including 11.5, 12.0, 12.1, and 12.2.  Recent press reports have labeled this vulnerability as a “major misconfiguration flaw.”  The security issue is actually broader than just the INDEX privilege that is being reported in the press and there may be at least four independent attack vectors depending on the granted privileges.  Fortunately, this issue does not affect all Oracle E-Business Suite environments - Integrigy has only identified this issue in a few number of Oracle E-Business Suite environments in the last three years.

Integrigy has published information on how to validate if this security flaw exists in your environment and how to remediate the issue.  The remediation can be done without apply the January 2015 CPU.

For more information, see Integrigy’s in-depth security analysis "Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)" for more information.

 

Tags: Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle Audit Vault and Compliance Reporting

Fri, 2015-01-16 06:00

The Oracle Audit Vault has seeded reports for the following compliance and legislative requirements – no additional license is required.

  • Payment Card Industry (PCI)
  • Sarbanes-Oxley Act (SOX)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • United Kingdom Data Protection Act (DPA)

For each compliance statue, following table lists the included reports available –

Compliance Report

Description

Activity Overview

Digest of all captured audit events for a specified period of time

All Activity

Details of all captured audit events for a specified period of time

Audit Settings Changes

Details of observed user activity targeting audit settings for a specified period of time

Created Stored Procedures

Stored procedures created within a specified period of time

Data Access

Details of audited read access to data for a specified period of time

Data Modification

Details of audited data modifications for a specified period of time

Database Schema Changes

Details of audited DDL activity for a specified period of time

Deleted Stored Procedures

Stored procedures deleted within a specified period of time

Entitlements Changes

Details of audited entitlement related activity for a specified period of time

Failed Logins

Details of audited failed user logins for a specified period of time

New Stored Procedures

Latest state of stored procedures created within a specified period of time

Secured Target Startup and Shutdown

Details of observed startup and shutdown events for a specified period of time

Stored Procedure Activity Overview

Digest of all audited operations on stored procedures for a specified period of time

Stored Procedure Modification History

Details of audited stored procedure modifications for a specified period of time

User Login and Logout

Details of audited successful user logins and logouts for a specified period of time

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingComplianceSarbanes-Oxley (SOX)PCIHIPAAOracle Audit Vault
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.0 - CPU Support Ends This Quarter

Wed, 2015-01-14 20:13

Oracle E-Business Suite 12.0 Extended Support ends on January 31, 2015.  Sustaining Support does not include security fixes in the form of Critical Patch Updates (CPU).  The final 12.0 CPU will be the January 2015 CPU released on January 20th.

Oracle E-Business Suite 12.0 customers should be looking to upgrade to 12.1 or 12.2 in the near future.

For those customers unable to upgrade from 12.0 in the near future, Integrigy will be including in our web application firewall product, AppDefend, virtual patching rules for web security vulnerabilities in the Oracle E-Business Suite 12.0 which are patched in other versions (i.e., 11i, 12.1, and 12.2).  This will provide at least protection from known web security vulnerabilities in un-patched 12.0 environments.

This support timeline is different than Oracle E-Business Suite 11i which is covered by an Exception to Sustaining Support (ESS) until December 31, 2015 and includes security patches for this period.  Oracle E-Business Suite 11i customers should be planning to upgrade to 12.1 or 12.2 by the end of this year in order to stay supported with security patches and to get off the ridiculously old version of the Oracle Application Server.  Some components in the 11i installation of the Oracle Application Server on the application tier are 1999 versions.

 

Tags: Oracle E-Business SuiteOracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Audit Vault - Custom Reports and BI Publisher

Fri, 2015-01-09 06:00

Custom reports can be created in Oracle Audit Vault using Oracle BI Publisher.  BI Publisher is an add-on to Microsoft Word and can be used to modify or create new reports.

For example, to modify a new report, to meet specific corporate or internal audit needs, download a standard Oracle Audit Vault report that is similar (Auditor -> Reports -> Custom Reports -> Uploaded Reports).  Click on the icon to download both the template and the report definition and load both files into BI Publisher.

Once complete, upload the report definition to the same location (Auditor -> Reports -> Custom Reports -> Uploaded Reports).

If you have questions, please contact us at mailto:info@integrigy.com

Reference

 

Tags: AuditingOracle Audit Vault
Categories: APPS Blogs, Security Blogs

Oracle Audit Vault Reports

Tue, 2015-01-06 06:00

The Oracle Audit Vault by default installs over one-hundred (100) reports.  This includes core audit reports as well as compliance reports. Reporting is a key feature of the Oracle Audit Vault and one which well-built as evidenced by the use of BI Publisher to allow for easy modification and creation of new reports.

Audit Reports

The audit reporting bundle installed by the default has the following categories –

  • Activity Reports
  • Entitlement
  • Stored Procedure Audit 
  • Alerts

The following table lists the audit reports installed by default –

Type

Report

Description

Activity 

Activity Overview

Digest of all captured audit events for a specified period of time

Activity 

Data Access

Details of audited read access to data for a specified period of time

Activity 

Data Modification

Details of audited data modifications for a specified period of time

Activity 

Data Modification Before-After Values

Details of audited data modifications for a specified period of time showing before and after values

Activity 

Database Schema Changes

Details of audited DDL activity for a specified period of time

Activity 

All Activity

Details of all captured audit events for a specified period of time

Activity 

Failed Logins

Details of audited failed user logins for a specified period of time

Activity 

User Login and Logout

Details of audited successful user logins and logouts for a specified period of time

Activity 

Entitlements Changes

Details of audited entitlement related activity for a specified period of time

Activity 

Audit Settings Changes

Details of observed user activity targeting audit settings for a specified period of time

Activity 

Secured Target Startup and Shutdown

Details of observed startup and shutdown events for a specified period of time

Entitlement 

User Accounts

Details of all existing user accounts

Entitlement 

User Accounts by Secured Target

User accounts by Secured Target report

Entitlement 

User Privileges

Details of audited failed user logins for a specified period of time

Entitlement 

User Privileges by Secured Target

User privileges by Secured Target report

Entitlement 

User Profiles

Digest of all existing user profiles

Entitlement 

User Profiles by Secured Target

User profiles by Secured Target report

Entitlement 

Database Roles

Digest of all existing database roles and application roles

Entitlement 

Database Roles by Secured Target

Database roles by Secured Target report

Entitlement 

System Privileges

Details of all existing system privileges and their allocation to users

Entitlement 

System Privileges by Secured Target

System privileges by Secured Target report

Entitlement 

Object Privileges

Details of all existing object privileges and their allocation to users

Entitlement 

Object Privileges by Secured Target

Object privileges by Secured Target report

Entitlement 

Privileged Users

Details of all existing privileged users

Entitlement 

Privileged Users by Secured Target

Privileged users by Secured Target report

Stored Procedure Audit 

Stored Procedure Activity Overview

Digest of all audited operations on stored procedures for a specified period of time

Stored Procedure Audit 

Stored Procedure Modification History

Details of audited stored procedure modifications for a specified period of time

Stored Procedure Audit 

Created Stored Procedures

Stored procedures created within a specified period of time

Stored Procedure Audit 

Deleted Stored Procedures

Stored procedures deleted within a specified period of time

Stored Procedure Audit 

New Stored Procedures

Latest state of stored procedures created within a specified period of time

Alerts

All Alerts

All alerts issued within a specified period of time

Alerts

Critical Alerts

All critical alerts issued within a specified period of time

Alerts

Warning Alerts

All warning alerts issued within a specified period of time

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Audit Vault
Categories: APPS Blogs, Security Blogs

Oracle Audit Vault Oracle Database Plug-In

Fri, 2014-12-26 06:00

The Oracle Audit Vault uses Plug-Ins to define data sources.  The following table summarizes several of the important facts about the Oracle Audit Vault database plug for Oracle databases –

Oracle Database Plug-In for the Oracle Audit Vault

Plug-in Specification

Description

Plug-in directory

AGENT_HOME/av/plugins/com.oracle.av.plugin.oracle

Secured Target Versions

Oracle 10g, 11g, 12c Release 1 (12.1)

Secured Target Platforms

Linux/x86-64

Solaris /x86-64

Solaris /SPARC64

AIX/Power64

Windows /86-64

HP-UX Itanium

Secured Target Location (Connect String)

jdbc:oracle:thin:@//hostname:port/service

AVDF Audit Trail Types

TABLE

DIRECTORY

TRANSACTION LOG

SYSLOG (Linux only)

EVENT LOG (Windows only)

NETWORK

Audit Trail Location

For TABLE audit trails: sys.aud$Sys.fga_log$dvsys.audit_trail$

unified_audit_trail

 

For DIRECTORY audit trails: Full path to the directory containing AUD or XML files.

 

For SYSLOG audit trails: Full path to the directory containing the syslog file.

 

For TRANSACTION LOG, EVENT LOG and NETWORK audit trails: no trail location required.

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Audit VaultOracle Database
Categories: APPS Blogs, Security Blogs

What Do Oracle Audit Vault Collection Agents Do?

Fri, 2014-12-19 06:00

The Oracle Audit Vault is installed on a server, and collector agents are installed on the hosts running the source databases.  These collector agents communicate with the audit vault server. 

If the collection agents are not active, no audit data is lost, as long as the source database continues to collect the audit data.  When the collection agent is restarted, it will capture the audit data that the source database had collected during the time the collection agent was inactive.

There are three types of agent collectors for Oracle databases.  There are other collectors for third-party database vendors such as SAP Sybase, Microsoft SQL-Server, and IBM DB2.

Audit Value Collectors for Oracle Databases*

Audit Trail Type

How Enabled

Collector Name

Database audit trail

For standard audit records: AUDIT_TRAIL initialization parameter set to: DB or DB, EXTENDED.

For fine-grained audit records: The audit trail parameter of DBMS_FGA.ADD_POLICY procedure is set to: DBMS_FGA.DB or DBMS_FGA.DB + DBMS_FGA.EXTENDED.

DBAUD

Operating system audit trail

For standard audit records: AUDIT_TRAIL initialization parameter is set to: OSXML, or XML, EXTENDED.

For syslog audit trails, AUDIT_TRAIL is set to OS and the AUDIT_SYS_OPERATIONS parameter is set to TRUE.  In addition, the AUDIT_SYSLOG_LEVEL parameter must be set.

For fine-grained audit records: The audit_trail parameter of the DBMS_FGA.ADD_POLICY procedure is set to DBMS_FGA.XML or DBMS_FGA.XML + DBMS_FGA.EXTENDED.

OSAUD

Redo log files

The table that you want to audit must be eligible.  See "Creating Capture Rules for Redo Log File Auditing" for more information.

REDO

 *Note if using Oracle 12c; the assumption is that Mixed Mode Unified Auditing is being used

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Audit VaultOracle Database
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite Database 12c Upgrade Security Notes

Tue, 2014-12-16 23:36

When upgrading the Oracle E-Business Suite database to Oracle Database 12c (12.1), there are a number of security considerations and steps that should be included in the upgrade procedure.  Oracle Support Note ID 1524398.1 Interoperability Notes EBS 12.0 or 12.1 with RDBMS 12cR1 details the upgrade steps.  Here, we will document steps that should be included or modified to improve database security.  All references to steps are the steps in Note ID 1524398.1.

Step 8

"While not mandatory for the interoperability of Oracle E-Business Suite with the Oracle Database, customers may choose to apply Database Patch Set Updates (PSU) on their Oracle E-Business Suite Database ...".

After any database upgrade, the latest CPU patch (either PSU or SPU) should always be applied.  The database upgrade only has the latest CPU patch available at the time of release of the database upgrade patch.  In the case of 12.1.0.1, the database upgrade will be current as of July 2013 and be missing the latest five CPU patches.  Database upgrade patches reset the CPU level - so even if you had applied the latest CPU patch prior to the upgrade, the upgrade will revert the CPU patch level to July 2013.

From a security perspective, the latest PSU patch should be considered mandatory.

Step 11

It is important to note from a security perspective that Database Vault must be disable during the upgrade process.  Any protections enabled in Database Vault intended for DBAs will be disabled during the upgrade.

Step 15

The DMSYS schema is no longer used with Oracle E-Business Suite and can be safely dropped.  We recommended you drop the schema as part of this step to reduce the attack surface of the database and remove unused components.  Use the following SQL to remove the DMSYS user --

DROP USER DMSYS CASCADE;
Step 16

As part of the upgrade, it is a good time to review security related initialization parameters are set correctly.  Verify the following parameters are set -

o7_dictionary_accessibility = FALSE
audit_trail = <set to a value other than none>
sec_case_sensitive_logon = TRUE (patch 12964564 may have to be applied)
Step 20

For Oracle E-Business Suite 12.1, the sqlnet_ifile.ora should contain the following parameter to correspond with the initialization parameter sec_case_sensitive_login = true -

SQLNET.ALLOWED_LOGON_VERSION_SERVER = 10

 

 

 

Tags: Oracle E-Business SuiteDBA
Categories: APPS Blogs, Security Blogs

What can the Oracle Audit Vault Protect?

Fri, 2014-12-12 06:00

For Oracle database customers the Oracle Audit Vault can protect the following:

  • SQL statements logs – Data Manipulation Language (DML) statement auditing such as when users are attempting to query the database or modify data, using SELECT, INSERT, UPDATE, or DELETE.
  • Database Schema Objects changes – Data Definition Language (DDL) statement auditing such as when users create or modify database structures such as tables or views.
  • Database Privileges and Changes – Auditing can be defined for the granting of system privileges, such as SELECT ANY TABLE.  With this kind of auditing, Oracle Audit Vault records SQL statements that require the audited privilege to succeed.
  • Fine-grained audit logs – Fine Grained Auditing activities stored in SYS.FGA_LOG$ such as whether an IP address from outside the corporate network is being used or if specific table columns are being modified.  For example, when the HR.SALARY table is SELECTED using direct database connection (not from the application), a condition could be to log the details of result sets where the PROPOSED_SALARY column is greater than $500,000 USD.
  • Redo log data – Database redo log file data.  The redo log files store all changes that occur in the database.  Every instance of an Oracle database has an associated redo log to protect the database in case of an instance failure.  In Oracle Audit Vault, the capture rule specifies DML and DDL changes that should be checked when Oracle Database scans the database redo log.

The Audit Vault also supports –

  • Database Vault – Database Vault settings stored in DVSYS.AUDIT_TRAIL$ such as Realm audit, factor audit and Rule Audit. 
  • System and SYS – Core changes to the database by privileged users such as DBAs as recorded by AUDIT_SYS_OPERATIONS.
  • Stored Procedure Auditing – Monitor any changes made to PL/SQL and stored procedures.  Standard reports are provided to stored procedure operations, deleted and created procedures as well as modification history.

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Audit VaultOracle Database
Categories: APPS Blogs, Security Blogs

What is the Oracle Audit Vault?

Fri, 2014-12-05 06:00

Oracle Audit Vault is aptly named; the Oracle Audit Vault is a vault in which data about audit logs is placed, and it is based on two key concepts.  First, Oracle Audit Vault is designed to secure data at its source.  Second, Oracle Audit Vault is designed to be a data warehouse for audit data. 

The Oracle Audit Vault by itself does not generate audit data.  Before the Oracle Audit Vault can be used, standard auditing needs to be first enabled in the source databases.  Once auditing is enabled in the source databases, the Oracle Audit Vault collects the log and audit data, but does not replicate, copy and/or collect the actual data.  This design premise of securing audit data at the source and not replicating it differentiates the Oracle Audit Vault from other centralized logging solutions. 

Once log and audit data is generated in source databases, Oracle Audit Vault agents are installed on the source database(s) to collect the log and audit data and send it to the Audit Vault server.  By removing the log and audit data from the source system and storing it in the secure Audit Vault server, the integrity of the log and audit can be ensured and proven that it has not been tampered with.  The Oracle Audit Vault is designed to be a secure data warehouse of information of log and audit data.

Application Log and Audit Data

For applications, a key advantage to the Audit Vault’s secure-at-the-source approach is that the Oracle Audit Vault is transparent.  To use the Oracle Audit Vault with applications such as the Oracle E-Business Suite or SAP, standard Oracle database auditing only needs to be enabled on the application log and audit tables.  While auditing the application audit tables might seem duplicative, the advantage is that the integrity of the application audit data can be ensured (proven that it has not been tampered with) while not having to replicate or copy the application log and audit data. 

For example, the Oracle E-Business Suite has the ability to log user login attempts, both successful and unsuccessful.  To protect the E-Business Suite login audit tables, standard Oracle database auditing first needs to be enabled.  An Oracle Audit Vault agent will then collect information about the E-Business Suite login audit tables.  If any deletes or updates occur to these tables, the Audit Vault would then alert and report the incident.  The Audit Vault is transparent to the Oracle E-Business Suite, no patches are required for the Oracle E-Business Suite to be used with the Oracle Audit Vault.

Figure 1 Secure At-Source for Application Log and Audit data

Figure 2 Vault of Log and Audit Data

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Audit Vault
Categories: APPS Blogs, Security Blogs

Mandatory Auditing - Oracle 12c Always-On-Auditing

Wed, 2014-11-26 06:00

Certainly from an auditing and logging perspective, one of the best new features delivered by Oracle 12c is mandatory auditing of the administrative users such as SYSDBA.  This can be described as ‘always on auditing’.  By default, the following audit related activities are now mandatorily audited -

  • CREATE AUDIT POLICY
  • ALTER AUDIT POLICY
  • DROP AUDIT POLICY
  • AUDIT
  • NOAUDIT
  • EXECUTE of the DBMS_FGA PL/SQL package
  • EXECUTE of the DBMS_AUDIT_MGMT PL/SQL package
  • All configuration changes that are made to Oracle Database Vault
  • ALTER TABLE attempts on the AUDSYS audit trail table (this table cannot be altered)
  • Top level statements by administrative users SYS, SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM, until the database opens.  When the database opens, Oracle Database audits these users using the audit configurations in the system.

The audit activity resulting from mandatory auditing can be found in SYS.UNIFIED_AUDIT_TRAIL. 

Note when the database is not writable (such as during database mounting), if the database is closed, or if it is read-only, then Oracle writes the audit records to external files in the $ORACLE_BASE/audit/$ORACLE_SID directory. 

Mandatory Auditing

Integrigy Framework Event

  • CREATE AUDIT POLICY
  • ALTER AUDIT POLICY
  • DROP AUDIT POLICY
  • EXECUTE of the DBMS_FGA PL/SQL package
  • EXECUTE of the DBMS_AUDIT_MGMT PL/SQL package
  • All configuration changes that are made to Oracle Database Vault
  • ALTER TABLE attempts on the AUDSYS audit trail table (remember that this table cannot be altered)

E12 - Modify audit and logging

  • Top level statements by the administrative users SYS, SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM until the database opens
  • AUDIT
  • NOAUDIT

E11 - Privileged commands

Note: Activity and be found in SYS.UNIFIED_AUDIT_TRAIL when in pure mode and to the traditional audit trails in mixed mode.

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

What Is Oracle 12 Unified Auditing? The View UNIFIED_AUDIT_TRAIL with 94 Columns

Mon, 2014-11-24 06:00

What is Oracle 12c Unified Auditing? The short answer is the view UNIFED_AUDIT_TRAIL. This view consolidates all logging and auditing information into a single source. Regardless of using either Mixed Mode or Pure Unified Auditing, the SYS.UNIFIED_AUDIT_TRAIL can be used. 

The key column in SYS.UNIFIED_AUDIT_TRAIL is AUDIT_TYPE.  This column shows from which Oracle component the log data originated -

SYS.UNIFIED_AUDIT_TRAIL Component Sources

Column AUDIT_TYPE Value

Description

Number of Columns in Table

Standard

Standard auditing including SYS audit records

44

XS

Real Application Security (RAS)and RAS auditing

17

Label Security

Oracle Label Security

14

Datapump

Oracle Data Pump

2

FineGrainedAudit

Fine grained audit(FGA)

1

Database Vault

Data Vault(DV)

10

RMAN_AUDIT

Oracle RMAN

5

Direct path API

SQL*Loader Direct Load

1

 

Total

94

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

Oracle 12c Unified Auditing - Mixed Mode

Fri, 2014-11-21 06:00

Next in our blog series on Oracle 12 Unified Auditing is a discussion of Mixed Mode. Mixed Mode is the default auditing mode for Oracle 12c.  Oracle describes Mixed Mode auditing as a means of becoming familiar with Unified Auditing prior to migrating to Pure Unified Auditing.  Mixed Mode allows for all traditional, pre-12c log and audit functionality to co-exist with Unified Auditing.  More importantly, Mixed Mode will support any current Syslog-based logging solution.

Mixed mode auditing provides the following key capabilities –

  • All existing (pre-12c) auditing initialization configurations and parameters are used such as AUDIT_TRAILAUDIT_FILE_DESTAUDIT_SYS_OPERATIONS, and AUDIT_SYSLOG_LEVEL
  • The format of the audit records remains the same as in Oracle Database 11g Release 2
  • Writes mandatory audit records to the traditional audit trails
  • If the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE, writes audit records only to the traditional audit trails

With Mixed Mode, audit data can be found both in the traditional locations as well as in SYS.UNIFIED_AUDIT_TRAIL.  This is because the Unified Auditing Policy ORA_SECURECONFIG is enabled by default.  ORA_SECURECONFIG audits the same default audit settings from Oracle Database Release 11g.  Integrigy recommends to either periodically purge Unified Auditing data or disable the policy.  To disable ORA_SECURECONFIG policy follow the instructions in Oracle Support Note Doc ID 1624051.1.

The following table shows the definition of the default policy ORA_SECURECONFIG.  Note the column ‘Common’ that shows that the policy is defined for all PDBs (tenant) databases.

Mixed Mode Default Unified Policy ORA_SECURECONFIG

Audit Option

Option Type

Common

Integrigy Framework

ADMINISTER KEY MANAGEMENT

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

ALTER ANY PROCEDURE

SYSTEM PRIVILEGE

YES

E13 – Objects

ALTER ANY SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

ALTER ANY TABLE

SYSTEM PRIVILEGE

YES

E13 – Objects

ALTER DATABASE

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

ALTER DATABASE LINK

STANDARD ACTION

YES

E13 – Objects

ALTER PLUGGABLE DATABASE

STANDARD ACTION

YES

E11 - Privileged commands

ALTER PROFILE

STANDARD ACTION

YES

E14 - Modify configuration settings

ALTER ROLE

STANDARD ACTION

YES

E8 - Modify role

ALTER SYSTEM

SYSTEM PRIVILEGE

YES

E14 - Modify configuration settings

ALTER USER

STANDARD ACTION

YES

E6 - Modify user account

AUDIT SYSTEM

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

CREATE ANY JOB

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ANY LIBRARY

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ANY PROCEDURE

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ANY SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

CREATE ANY TABLE

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE DATABASE LINK

STANDARD ACTION

YES

E13 – Objects

CREATE DIRECTORY

STANDARD ACTION

YES

E13 – Objects

CREATE EXTERNAL JOB

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE PLUGGABLE DATABASE

STANDARD ACTION

YES

E11 - Privileged commands

CREATE PROFILE

STANDARD ACTION

YES

E11 - Privileged commands

CREATE PUBLIC SYNONYM

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ROLE

STANDARD ACTION

YES

E7 - Create role

CREATE SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE USER

SYSTEM PRIVILEGE

YES

E5 – Create user account

DROP ANY PROCEDURE

SYSTEM PRIVILEGE

YES

E13 – Objects

DROP ANY SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E13 - Objects

DROP ANY TABLE

SYSTEM PRIVILEGE

YES

E13 – Objects

DROP DATABASE LINK

STANDARD ACTION

YES

E13 – Objects

DROP DIRECTORY

STANDARD ACTION

YES

E13 – Objects

DROP PLUGGABLE DATABASE

STANDARD ACTION

YES

E11 - Privileged commands

DROP PROFILE

STANDARD ACTION

YES

E14 - Modify configuration settings

DROP PUBLIC SYNONYM

SYSTEM PRIVILEGE

YES

E13 – Objects

DROP ROLE

STANDARD ACTION

YES

E8 - Modify role

DROP USER

SYSTEM PRIVILEGE

YES

E6 - Modify user account

EXEMPT ACCESS POLICY

SYSTEM PRIVILEGE

YES

E14 - Modify configuration settings

EXEMPT REDACTION POLICY

SYSTEM PRIVILEGE

YES

E14 - Modify configuration settings

GRANT ANY OBJECT PRIVILEGE

SYSTEM PRIVILEGE

YES

E9 - Grant/revoke user privileges

GRANT ANY PRIVILEGE

SYSTEM PRIVILEGE

YES

E9 - Grant/revoke user privileges

GRANT ANY ROLE

SYSTEM PRIVILEGE

YES

E9 - Grant/revoke user privileges

LOGMINING

SYSTEM PRIVILEGE

YES

E12 - Modify audit and logging

LOGOFF

STANDARD ACTION

YES

E2 - Logoff

LOGON

STANDARD ACTION

YES

E1 - Login

PURGE DBA_RECYCLEBIN

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

SET ROLE

STANDARD ACTION

YES

E11 - Privileged commands

TRANSLATE ANY SQL

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

Oracle 12c Unified Auditing - Pure Mode

Wed, 2014-11-19 06:00

Continuing our blog series on Oracle 12 Unified Auditing is a discussion of Pure  Mode. Mixed mode is intended by Oracle to introduce Unified Auditing and provide a transition from the traditional Oracle database auditing.  Migrating to PURE Unified Auditing requires the database be stopped, the Oracle binary linked to uniaud_on, and then restarted.  This operation can be reversed if auditing needs to be changed back to Mixed Mode. 

When changing from Mixed to pure Unified Audit, two key changes occur.  The first is the audit trails are no longer written to their traditional pre-12c audit locations.  Auditing is consolidated into the Unified Audit views and stored using Oracle SecureFiles.  Oracle Secured Files use a proprietary format which means that Unified Audit logs cannot be viewed using editors such vi and may preclude or affect the use of third party logging solutions such as Splunk or HP ArcSight.  As such, Syslog auditing is not possible with Pure Unified Audit.

Unified Audit Mixed vs. Pure Mode Audit Locations

System Tables

Mixed Mode

Pure Unified Audit Impact

SYS.AUD$

Same as 11g

Exists, but will only have pre-unified audit records

SYS.FGA_LOG$

Same as 11g

Exists, but will only have pre-unified audit records

The second change is that the traditional audit configurations are no longer used.  For example, traditional auditing is largely driven by the AUDIT_TRAIL initialization parameter.  With pure Unified Audit, the initialization parameter AUDIT_TRAIL is ignored.

Unified Audit Mixed vs. Pure Mode Audit Configurations

System Parameters

Mixed Mode

Pure Unified Audit Impact

AUDIT_TRAIL

Same as 11g

Exists, but will not have any effect

AUDIT_FILE_DEST

Same as 11g

Exists, but will not have any effect

AUDIT_SYS_OPERATIONS

Same as 11g

Exists, but will not have any effect

AUDIT_SYSLOG_LEVEL

Same as 11g

Exists, but will not have any effect

UNIFIED_AUDIT_SGA_QUEUE_SIZE

Same as 11g

Yes

If you have questions, please contact us at mailto:info@integrigy.com

Reference Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs

What Mode of Oracle 12c Unified Auditing Are You Using and Default Auditing Policies?

Mon, 2014-11-17 06:00

Continuing our blog series on Oracle 12 Unified Auditing, how do you know what mode of Unified Auditing that you are using? Use the following SQL –

SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

The result will be TRUE or FALSE.  If TRUE, the database is using PURE Unified Auditing.  If FALSE, the database is using Mixed Mode, which is the Oracle 12c default.  Remember that V$OPTION shows what database options are installed, and V$PARAMETER shows the startup parameters for the options which have been installed.  Unified Auditing is enabled by being installed and not by being configured in V$PARAMETER.

Unified Auditing is configured through policies.  If Oracle 12c tenant databases (PDBs) are being used, these polices can be applied to common objects in all PDBs or to individual PDBs.  The table below show the policies installed and/or enabled by default –

Unified Audit Polices Installed With Oracle 12c

Policy Name

Default Enabled

Description

ORA_SECURECONFIG

Yes

Secure configuration audit options

ORA_RAS_POLICY_MGMT

No

Oracle Real Application Security administrative actions on application users, roles, and policies.

ORA_RAS_SESSION_MGMT

No

Run-time Oracle Real Application Security session actions and namespace actions

ORA_ACCOUNT_MGMT

No

Commonly used user account and privilege settings for create user, role, and privilege grants

ORA_DATABASE_PARAMETER

No

Audits commonly used Oracle Database parameter settings, e.g., the initialization file (spfile) changes

To query what policies have been defined you may use –

SELECT * FROM SYS.AUDIT_UNIFIED_POLICIES

To query what polices have been enabled you may use –

SELECT * FROM SYS.AUDIT_UNIFIED_ENABLED_POLICIES

If you have questions, please contact us at mailto:info@integrigy.com

Reference

For more information on Unified Auditing can be found here:

Tags: AuditingOracle Database
Categories: APPS Blogs, Security Blogs