The objective of this post (The Matrix Quote in the title not withstanding) is to help the Database and the Security Team to enable log collection, processing and monitoring of Security Events of Interest with regards to a Business Critical Application Database. I have posted some articles on Overall Log Collection/Log Management here and here.
The key thing to note about DB Log Management is that the log is Non-Syslog Standard and has to have a DB connector/collector/agent/parser to collect, format and process the data in the DB for Auditing and Security Correlation purposes. Several SIEM solutions have the ability to pull audit data collected by Oracle DB regarding “Exactly at What Time, What User was responsible for executing What commands on the database”.
ORACLE AUDITING:
There are many different Oracle Audit facilities available for configuration:
- Oracle audit
- System triggers
- Update, delete, and insert triggers
- Fine-grained audit
- System logs
The best method to use is the Oracle Audit Facility with the “db_extended” option to capture Command History.
This will help in tracking the exact commands executed by the attacker. This will help in the Forensic Investigation of the attacks. Events like, privilege misuse, elevation of privilege attacks, SQL Injection, Brute Force etc can be prevented with proactive monitoring, alerting and response capabilities.
REQUIREMENTS:
- Create a Unique Tablespace for the Audit Table: The first process is to create a separate tablespace just for auditing. The Oracle audit table is stored in “sys” table space. Because Oracle generates a lot of audit messages, this fills up the audit table, which can cause the database to crash with over flow. To avoid this problem, we must move the Oracle audit table into its own table space with its own data files separate from the core Oracle tables.
- Enable Auditing on the Oracle Database The auditing can be enabled either for the entire DB or for specific Tables. Please refer to the Diagram below showing the Typical Auditing Options recommended. For business critical applications, we recommend auditing SELECTS, UPDATES, and INSERTS to critical tables, such as salary info, credit card info, patient info, financial data, intellectual property, and so on.
For High Performance Databases where auditing cannot be enabled on all the tables, we can configure the “user.table_name” with the name of the table for which we would want to enable auditing for that action (as shown highlighted in yellow in the figure). We can also configure “user_name” with the names of users whose specific actions we want to audit (as shown highlighted in yellow in the figure).
AUDIT REQUIREMENTS:
Below is a table showing the some sample requirements for Database Auditing. This is just indicative and may vary from environment to environment depending on the Business Needs of your organization.
| AUDIT_OPTION | SUCCESS | FAILURE |
| GRANT PROCEDURE | BY ACCESS | BY ACCESS |
| SYSTEM GRANT | BY ACCESS | BY ACCESS |
| ALTER SEQUENCE | BY ACCESS | BY ACCESS |
| GRANT TABLE | BY ACCESS | BY ACCESS |
| ALTER TABLE | BY ACCESS | BY ACCESS |
| TRIGGER | BY ACCESS | BY ACCESS |
| PROCEDURE | BY ACCESS | BY ACCESS |
| ROLE | BY ACCESS | BY ACCESS |
| PUBLIC DATABASE LINK | BY ACCESS | BY ACCESS |
| DATABASE LINK | BY ACCESS | BY ACCESS |
| SEQUENCE | BY ACCESS | BY ACCESS |
| VIEW | BY ACCESS | BY ACCESS |
| PUBLIC SYNONYM | BY ACCESS | BY ACCESS |
| SYNONYM | BY ACCESS | BY ACCESS |
| ALTER USER | BY ACCESS | BY ACCESS |
| TYPE | BY ACCESS | BY ACCESS |
| USER | BY ACCESS | BY ACCESS |
| TABLE | BY ACCESS | BY ACCESS |
| CREATE SESSION | BY ACCESS | BY ACCESS |
HOUSEKEEPING:
Audit Logging in the Oracle Database will cost Disk/Database space. This data can be purged over a regular schedule to keep the audit table clutter free and performing faster. Since the Audit data is being collected into a SIEM solution, retention should not be done at DB and instead at the SIEM.
In order to perform the housekeeping, the recommendation is as follows:
1. Create a Truncate Procedure
Create or replace procedure clean_audit is
Begin
— select sysdate from dual;
EXECUTE IMMEDIATE ‘truncate table aud$’;
commit;
End;
2. Schedule the Truncate Procedure
delete from dba_jobs where substr(what,1,6)=’CLEAN_’;
commit;
— it only need to run one time.
DECLARE
jobno number;
BEGIN DBMS_JOB.SUBMIT (
job => jobno,
what => ‘CLEAN_AUDIT;’,
next_date => trunc(SYSDATE+1)+2/24,
interval => ‘/*2:00AM*/ trunc(SYSDATE+1)+2/24’
);
COMMIT;
DBMS_OUTPUT.PUT_LINE( ‘Job number ‘||jobno||’ setup.’ );
END;
[pdf]Save as PDF[/pdf]
Is it alright to put part of this in my weblog if I post a reference to this web page?
Sure, please make it part of your blog
Hi, I have recently found your . In my org. we are going to deploy RSA enVision soon. The scope covers Network, Systems (Win,UX), Apps (Java), DB (oracle) etc.
For Windows systems, we use MS Exch (CAS/HT, MBX), AD (MP), FileServer. However I am not sure what level of logs or Auditing should I collect from these systems. Appreciate if you or any one can help me understanding the log levels to be collected from these systems.
Regards
Adnan
For Networks – Use Log Level 5
For DB, the post you have seen should answer that question for you
For Windows – Only Security Logs are more than enough. If you need File Attribute level logging, you may want to use additional configuration on RSA to parse those logs.
For Unix – Configure the Syslog to log Authd logs, Cron logs, Process logs and other application logs like Apache, DB etc. Here also, if you are logging the file attributes, you may want to use additional config on RSA
AD Logs – Security Logs only. However, make sure you filter them based on your needs – User Creation/Removal, Group Creation/Addition/Removal etc so that useful alerts can be generated.
MS Exch – Message Tracking is useful however it is to noisy, I would recommend just take Top Value Stats for these systems Like Top Sender, Top Subject, Top External Mails etc
DNS/DHCP logs are also necessary but DNS is notorious for huge volume logs, so you may want to just look for Blacklist Domain Queries to start with and then slowly build Intelligence on it.
Hi,
Sorry for my late response and thank you so much for your detailed information.
I have some more queries regarding Windows systems.
1) MS Exch: We are using 2010 in our environment. So far we have decided to take the OS logs (Event, Systems, Security). Also we are taking the audit logs. However I want to know,
a. Our Exch system admin alredy enabled audit in their systems. We are now working with RSA to send those logs to enVision. I need to know whether we should look for any specific level of Audit logs from Exch.
b. What logs should I collect to get Top Sender, Top Subject, Top External mails etc.
2) DNS: Yah it is true that DNS queries are really notorious. I have also got huge logs of DNS queries in my firewall. Hence like to omit those logs. Here,
a. How can I omit those logs?
b. How or which logs should I collect to get the black-listed domain queries.
Appreciate if you can share me your expert opinion. Thanks again for your information.
Regards,
Adnan
1. MS Exchange – The important things to look for are Admin Changes (Creating/Deleting/Modifying Policies, Filters, Mailbox Permissions etc) and All Mail “Traffic” Logs (RECEIVE/DELIVER events). The first one will help u build privilege misuse Use Cases and the next one will help you build SPAM use Cases.
2. Filtering is the best way to omit logs not required. I am not sure how your log management system is setup, so I am not in a position to exactly tell you how and where to filter. But general rule of the thumb is to filter as close as possible to the source.
3. For Black-Listed Domains, you need to use a custom script of integration with Abuse.ch and other BL domains to get data. With this data, you can look for traffic in an out to the domain – either using Firewall Logs or using DNS Logs or CLient Firewall Logs, IDS/IPS Logs etc or combination of each other.
Thanks a lot for the information. That’s really helpful. We have now planning with our Windows team to work on it. Thanks.
However we are facing some issue with HP Unix integration. RSA prerequisite is to have Trusted mode and Enable Audit. Almost all cases, Trusted mode is not here (due to Oracle db complexity though from security aspects I believe this is important) and also Auditing is not enabled as this is a resource greedy process. All the systems are in production and hence Unix guys are a little confuse to test it. Appreciate it if you can give me some idea on where to start from.
Thanks again for your help.