What this new error implies is that there is a way to enable “OS debugger privileges,” but the docs and MOS do
not offer up a way to do so. Database Vault has separate methods to control oradebug, but the docs do not yet offer up
a way to control these OS debugger privileges in a vanilla DB. In any event, a remote sysdba user could simply delete
the file using Java/OS or utl_file as discussed previously, so privileged access control is not an easy challenge.
What this entire discussion leads to is the conclusion that the best security has to include a local memory agent.
Hence the need for McAfee's and AppSecInc's offerings, though these suffer from flood bypasses, so a blended approach
is needed that includes network and native audit trails. A diverse hybrid results in fewer gaps, and can be complemented by
the many Oracle-based log files.
Other Internal Records
Here is a list of the most common sources of information that can be used to infer previous activity:
listener.log - logs connections to the listener; use lsnrctl to administer it. Can be found in this file:
/u01/app/oracle/oracle/product/10.2.0/db_4/network/listener.log
alert.log - system alerts important to the DB, e.g., processes starting and stopping. Can be found in /u01/app/oracle/admin/orcl/bdump; also logs DDL if enabled.
Agntsrvc.log - contains logs about the Oracle Intelligent Agent.
Sqlnet.log - failed connections, e.g., “Fatal NI connect error 12170”.
Redo logs - current changes that have not been checkpointed.
Archived redo logs - previous redo logs that can be applied to bring the data in the DB back to a previous state, using the SCN as the main sequential identifier. This can be mapped to a timestamp. Can be accessed using Log Miner or Redo Walker at http://bit.ly/1aAJOgD
/u01/app/oracle/oradata/orcl/redo02.log
/u01/app/oracle/oradata/orcl/redo01.log
/u01/app/oracle/oradata/orcl/redo03.log
Fine-grained auditing audit logs - viewable from FGA_LOG$ and the DBA_FGA_AUDIT_TRAIL view.
Oracle database audit - includes the SYS.AUD$ table and the DBA_AUDIT_TRAIL view.
Oracle mandatory and OS audit - stored at /u01/app/oracle/admin/orcl/adump
Homemade trigger audit trails - bespoke to the system.
IDS, web server, and firewall logs - should also be integrated into the incident-handling timeline. This will rely heavily on well-synchronized time in the network, as previously mentioned.
ASH - DBA_HIST_ACTIVE_SESS_HISTORY and DBA_HIST_SQLTEXT contain past SQL text and session information for a default of about one week. Tim Gorman has shown how this can be used to troubleshoot Oracle here: http://bit.ly/14JKjwW .
V$RESULT_CACHE_OBJECTS - contains SQL and objects that have been selected.
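As an added example (not code from the original text), the sketch below turns listener.log connection records into time-ordered entries that can be merged with the other sources in the list above. It assumes the classic text layout `TIMESTAMP * CONNECT_DATA * PROTOCOL_INFO * EVENT * SERVICE * RETURN_CODE`; the sample lines are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample lines (assumed classic text listener.log layout):
# TIMESTAMP * CONNECT_DATA * PROTOCOL_INFO * EVENT * SERVICE * RETURN_CODE
SAMPLE_LOG = """\
14-MAY-2013 10:12:33 * (CONNECT_DATA=(SID=orcl)(CID=(PROGRAM=sqlplus)(HOST=appsrv01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=51234)) * establish * orcl * 0
14-MAY-2013 10:11:02 * (CONNECT_DATA=(SERVICE_NAME=hr)(CID=(PROGRAM=perl)(HOST=unknown)(USER=nobody))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=40022)) * establish * hr * 12514
14-MAY-2013 10:15:00 * service_update * orcl * 0
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
"""

TS = re.compile(r"^\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}$")

def _kv(blob, key):
    """Return the value of (KEY=value) inside a TNS descriptor, or None."""
    m = re.search(r"\(%s=([^()]*)\)" % re.escape(key), blob)
    return m.group(1) if m else None

def parse_listener_log(text):
    """Yield one dict per client connection record; skip other lines."""
    for line in text.splitlines():
        f = [p.strip() for p in line.split(" * ")]
        if len(f) != 6 or not TS.match(f[0]) or f[3] != "establish":
            continue  # service_update, TNS- error text, banners, etc.
        yield {
            "time": datetime.strptime(f[0], "%d-%b-%Y %H:%M:%S"),
            "program": _kv(f[1], "PROGRAM"),
            "client_host": _kv(f[1], "HOST"),   # name claimed by the client
            "os_user": _kv(f[1], "USER"),       # OS user claimed by the client
            "source_ip": _kv(f[2], "HOST"),     # address seen by the listener
            "service": f[4],
            "return_code": int(f[5]),
        }

def timeline(text):
    """Connection records sorted by time, ready to merge with other logs."""
    return sorted(parse_listener_log(text), key=lambda r: r["time"])

def failed(records):
    """Records the listener rejected (non-zero TNS return code)."""
    return [r for r in records if r["return_code"] != 0]

if __name__ == "__main__":
    for r in timeline(SAMPLE_LOG):
        flag = "FAIL" if r["return_code"] else "ok"
        print(r["time"].isoformat(), r["source_ip"], r["os_user"], r["service"], flag)
```

The PROGRAM, HOST and USER values inside CONNECT_DATA are supplied by the client, so treat them as claims and correlate on the source address and timestamp when merging with firewall or IDS records.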
 