Native Auditing and Security Monitoring
Native auditing and security monitoring have inherent weaknesses. This section will make you aware of those
weaknesses so that you can make improvements as needed in your own environment.
1. Stored procedures:
   - Dependencies: a monitor outside the session cannot see which objects a procedure will call inside the database.
   - Effective privileges: definer versus invoker rights, together with the role and privilege hierarchy active in a session, are difficult to calculate.
   - Dynamic SQL: the statement that actually executes only exists at run time. For instance, the following code will bypass many IDS systems, because the SQL statement is assembled from concatenated string fragments and then run dynamically:

   declare
     l_cnt varchar2(20);
   begin
     execute immediate 'sel'||'ect pas'||'sword'||' from dba'||'_users where user'||'_id =0'
       into l_cnt;
     dbms_output.put_line(l_cnt);
   end;
2. Obfuscated SQL: avoids pattern matching in a security monitoring system, for example by using comments instead of white space in the following SQL statement:

   SQL> GRANT/**/DBA/**/TO/**/PUBLIC;
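The two evasions above (string-concatenated dynamic SQL in item 1 and comment-for-whitespace in item 2) both defeat a matcher that inspects the raw statement text. The defensive answer is to canonicalise the text before matching. The following Python is an added example written for this section, not code from the original page: it strips comments, folds adjacent string-literal concatenation, and unwraps the literal passed to EXECUTE IMMEDIATE, then applies the same patterns to the raw and the normalised text to show the difference. The sample statements and the pattern names are constructed for the demonstration.

```python
import re

# Constructed samples modelled on the evasions the section describes.
SAMPLES = [
    "execute immediate 'sel'||'ect pas'||'sword'||' from dba'||'_users where user'||'_id =0' into l_cnt",
    "GRANT/**/DBA/**/TO/**/PUBLIC;",
    "select username from all_users",  # benign control
]

# Hypothetical detection patterns (names are our own, not from any product).
SENSITIVE = {
    "grant_dba_to_public": re.compile(r"\bgrant\b.*\bdba\b.*\bto\b\s+public\b", re.I),
    "dba_users_password_read": re.compile(r"\bpassword\b.*\bfrom\b\s+dba_users\b", re.I),
}

# An Oracle string literal: anything but a quote, or a doubled quote ('').
LITERAL = r"'((?:[^']|'')*)'"
CONCAT_PAIR = re.compile(LITERAL + r"\s*\|\|\s*" + LITERAL)


def fold_concatenation(sql):
    """Fold chains like 'a'||'b'||'c' into 'abc'. Repeats until stable,
    because each pass only merges non-overlapping neighbouring pairs."""
    prev = None
    while prev != sql:
        prev = sql
        sql = CONCAT_PAIR.sub(r"'\1\2'", sql)
    return sql


def normalize(sql):
    """Canonicalise SQL text before pattern matching."""
    s = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)   # block comments, incl. /**/
    s = re.sub(r"--[^\n]*", " ", s)                   # line comments
    s = fold_concatenation(s)
    s = re.sub(r"\s+", " ", s).strip().lower()        # whitespace and case
    return s


def dynamic_sql_payload(sql):
    """Return the literal EXECUTE IMMEDIATE would run, or the statement itself.
    Call on normalised text so concatenation has already been folded."""
    m = re.search(r"execute\s+immediate\s+" + LITERAL, sql, re.I)
    return m.group(1) if m else sql


def matches(sql):
    """Names of SENSITIVE patterns that match the text as given."""
    return [name for name, pat in SENSITIVE.items() if pat.search(sql)]


def inspect(sql):
    """Matches on the raw text versus on the normalised, unwrapped text."""
    canonical = dynamic_sql_payload(normalize(sql))
    return {"raw": matches(sql), "normalized": matches(canonical)}


if __name__ == "__main__":
    for stmt in SAMPLES:
        print(stmt)
        print("   ", inspect(stmt))
```

The folding step is deliberately a fixed-point loop rather than a single substitution: a long concatenation chain only halves per pass. It also honours Oracle's doubled-quote escape so a literal containing an apostrophe is not split in the wrong place.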
3. Encrypted traffic: cannot be read on the network unless the keys are kept in the IDS, which is itself a security issue and a maintenance overhead.
4. Name-space overriding and synonyms: a reference to object A could resolve to a different object and type (http://www.oracleforensics.com/wordpress/wp-content/uploads/create_user_to_sysdba.pdf).
5. Timestamps inaccurate and changed by users: for timestamp inaccuracy please see this paper, which shows how LogMiner rounds timestamps to the nearest second: http://digital-forensics.sans.org/community/papers/gcfa/oracle-database-forensics-logminer_159 .
   To see how timestamps of objects can be changed by users see this SQL:

   SQL> set serveroutput on
   SQL> create or replace procedure time_test as
     2  timevar varchar2(20);
     3  begin
     4  select sysdate into timevar from dual;
     5  dbms_output.put_line(timevar);
     6  end;
     7  /

   Procedure created.