Enhancing Database Security: Concepts and Tools for the DBA Scripts & Source Code. Passwords in Command Lines. Peter J. Magee, CDA SQRIBE Technologies


Mini-Lesson M6, Scripts & Source Code

Passwords in Command Lines

Fix for ctxctl script to eliminate appearance of CTXSYS password in command line.

1. Copy ctxctl to ctxctl.secure

2. In ctxctl.secure, replace the following command line (line 312):

    $exe -user $username/$password -personality $mask >> /dev/null &

   with these lines:

    CTX_PASS=$username/$password
    export CTX_PASS
    $ORACLE_HOME/bin/ctxsecure $exe $mask &
    CTX_PASS=
    export CTX_PASS

3. Create a script called ctxsecure in the $ORACLE_HOME/bin directory:

    #
    # File: ctxsecure
    # Location: $ORACLE_HOME/bin
    #
    # This file calls the specified ConText executable application,
    # but prevents the CTXSYS userid and password from appearing in
    # the command line. This prevents the user id and password from
    # being visible to a "ps -ef" command.
    #
    # Inputs: $1         Executable ConText file name
    #         $2         Personality flag for server
    #         $CTX_PASS  An environment variable holding
    #                    the CTXSYS user id and password
    #
    $1 -personality $2 >> /dev/null <<CTXEND
    ${CTX_PASS}
    CTXEND
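To confirm the fix on a running host, the process list can be scanned for the argument pattern that the original ctxctl line produced (`-user name/password`). The script below is an added example, not part of the original handout; the function names, sample process lines, paths and password are constructed, and on a live system the input would come from `ps -eo pid,user,args`.

```shell
# Constructed sample in the layout of `ps -eo pid,user,args`:
# one server started the old way, one started through ctxctl.secure.
sample_ps() {
    cat <<'EOF'
PID USER ARGS
4021 oracle /u01/app/oracle/bin/ctxsrv -user CTXSYS/constructed_pw -personality LQ
4033 oracle /u01/app/oracle/bin/ctxsrv -personality LQ
4034 oracle /bin/sh ctxctl.secure
EOF
}

# scan_cmdlines: reads "PID USER ARGS..." lines on stdin and prints one
# line per process whose arguments contain "-user name/password".
# The password itself is masked so the report does not repeat the leak.
scan_cmdlines() {
    awk '
    NR == 1 && $1 == "PID" { next }      # skip the ps header row
    {
        for (i = 3; i < NF; i++) {
            slash = index($(i + 1), "/")
            # require a non-empty name, a slash and a non-empty secret
            if ($i == "-user" && slash > 1 && slash < length($(i + 1))) {
                printf "%s %s %s -user %s/********\n", \
                       $1, $2, $3, substr($(i + 1), 1, slash - 1)
                break
            }
        }
    }'
}

# count_exposed: number of processes reported by scan_cmdlines.
count_exposed() {
    scan_cmdlines | awk 'END { print NR }'
}

# Run against the constructed sample; on a real host use:
#   ps -eo pid,user,args | scan_cmdlines
sample_ps | scan_cmdlines
```

The ConText server started through ctxsecure still inherits CTX_PASS in its environment, so where ps can also display process environments (for example the BSD-style `e` option) that output is worth checking as well.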

Note: do not place the characteristic #!/bin/sh in the first line of ctxsecure. If a new shell is opened, $CTX_PASS cannot be found. ctxsecure should run in the same shell as ctxctl.secure.

Once these steps are complete, use ctxctl.secure the same as you would use ctxctl. An additional process will be generated by ctxctl.secure for each ConText server, so "ps -ef" output would look something like this:

    oracle $ORACLE_HOME/bin/ctxsrv -personality LQ
    oracle /bin/sh ctxctl.secure

Initialization Parameters

Select values for security related initialization parameters from the data dictionary.

    select * from v$parameter
    where name in ('audit_trail', 'db_encrypt_login', 'resource_limit',
                   'remote_os_auth', 'remote_os_roles', 'os_roles',
                   'utl_file_dir');

SQL*Net Firewalls

A sample protocol.ora file, located in the $ORACLE_HOME/network/admin directory:

    tcp.validnode_checking = yes
    tcp.invited_nodes = (drummer.us.com, , )

Application Users (OPS$ Users)

Identify externally authenticated user accounts.

    select username, password
    from dba_users
    where password='EXTERNAL';

System Privileges

Identify system privileges granted to users other than SYS, SYSTEM, or DBSNMP.

    select p.grantee, p.privilege
    from dba_sys_privs p, dba_users u
    where (u.username = p.grantee or p.grantee='PUBLIC')
      and p.grantee not in ('SYS','SYSTEM','DBSNMP');

Identify system privileges granted to roles other than DBA, RESOURCE, IMP_FULL_DATABASE, EXP_FULL_DATABASE, CONNECT, and SNMPAGENT.

    select p.grantee, p.privilege
    from dba_sys_privs p, dba_roles r
    where r.role = p.grantee
      and r.role not in ('DBA','RESOURCE','IMP_FULL_DATABASE','EXP_FULL_DATABASE',
                         'CONNECT','SNMPAGENT');

The following System Privileges should only be granted to administrators, never application users:

ANALYZE ANY ALTER ANY ROLE SELECT ANY TABLE AUDIT ANY DROP ANY ROLE INSERT ANY TABLE AUDIT SYSTEM GRANT ANY ROLE UPDATE ANY TABLE ALTER ANY CLUSTER DROP ROLLBACK SEGMENT DELETE ANY TABLE DROP ANY CLUSTER RESTRICTED SESSION TABLESPACE ALTER DATABASE CREATE ANY SEQUENCE MANAGE TABLESPACE CREATE ANY INDEX ALTER ANY SEQUENCE UNLIMITED TABLESPACE ALTER ANY INDEX DROP ANY SEQUENCE FORCE TRANSACTION DROP ANY INDEX SELECT ANY SEQUENCE FORCE ANY TRANSACTION GRANT ANY PRIVILEGE ALTER ANY SNAPSHOT CREATE ANY TRIGGER CREATE ANY PROCEDURE DROP ANY SNAPSHOT ALTER ANY TRIGGER ALTER ANY PROCEDURE CREATE ANY SYNONYM DROP ANY TRIGGER DROP ANY PROCEDURE DROP ANY SYNONYM BECOME USER EXECUTE ANY PROCEDURE ALTER SYSTEM CREATE ANY VIEW CREATE PROFILE CREATE ANY TABLE DROP ANY VIEW ALTER PROFILE ALTER ANY TABLE CREATE DATABASE LINK DROP PROFILE BACKUP ANY TABLE CREATE PUBLIC DATABASE LINK ALTER RESOURCE COST DROP ANY TABLE DROP PUBLIC DATABASE LINK DROP PUBLIC DATABASE LINK LOCK ANY TABLE CREATE PUBLIC SYNONYM DROP PUBLIC SYNONYM COMMENT ANY TABLE DROP PUBLIC SYNONYM

Object Privileges

Identify users other than SYS and SYSTEM that have been granted ALTER or REFERENCES privileges.

    select t.grantee, t.owner || '.' || t.table_name, t.privilege
    from dba_tab_privs t, dba_users u
    where (u.username = t.grantee or t.grantee = 'PUBLIC')
      and t.privilege in ('ALTER','REFERENCES')
      and t.grantee not in ('SYS','SYSTEM');

Identify roles other than DBA, RESOURCE, IMP_FULL_DATABASE, EXP_FULL_DATABASE, and CONNECT that have been granted ALTER or REFERENCES privileges.

    select t.grantee, t.owner || '.' || t.table_name, t.privilege
    from dba_tab_privs t, dba_roles r
    where r.role = t.grantee
      and t.privilege in ('ALTER','REFERENCES')
      and r.role not in ('DBA','RESOURCE','IMP_FULL_DATABASE',
                         'EXP_FULL_DATABASE','CONNECT');

Administration Privileges

Identify users other than SYS and SYSTEM that have ADMIN privileges on system and object privileges.

    select p.grantee, p.privilege, p.admin_option
    from dba_sys_privs p, dba_users u
    where (u.username = p.grantee or p.grantee='PUBLIC')
      and p.admin_option='YES'
      and p.grantee not in ('SYS','SYSTEM');

Identify users other than SYS and SYSTEM that have ADMIN privileges on the Oracle default roles.

    select r.grantee, r.granted_role, r.admin_option
    from dba_role_privs r, dba_users u
    where u.username = r.grantee
      and r.granted_role in ('DBA','RESOURCE','IMP_FULL_DATABASE','EXP_FULL_DATABASE',
                             'CONNECT','SNMPAGENT')
      and r.admin_option='YES'
      and r.grantee not in ('SYS','SYSTEM');

Predefined Roles

Identify users that have been granted one of the Oracle default roles.

    select r.grantee, r.granted_role
    from dba_role_privs r
    where r.granted_role in ('DBA','EXP_FULL_DATABASE',
                             'IMP_FULL_DATABASE','OSOPER','OSDBA')
      and r.grantee not in ('SYS','SYSTEM','DBA');

Application Roles

Identify application roles and their properties.

    select r.role, r.password_required
    from dba_roles r
    where r.role not in ('DBA','RESOURCE','IMP_FULL_DATABASE',
                         'EXP_FULL_DATABASE','CONNECT','SNMPAGENT');

Identify users that have been assigned to application roles.

    select r.grantee, r.granted_role, r.admin_option
    from dba_role_privs r, dba_users u
    where u.username = r.grantee
      and r.granted_role not in ('DBA','RESOURCE','IMP_FULL_DATABASE',
                                 'EXP_FULL_DATABASE','CONNECT','SNMPAGENT');

User Profiles

Identify the idle time limit for each database user.

    select u.username, p.limit
    from dba_users u, dba_profiles p
    where u.profile = p.profile
      and p.resource_name='IDLE_TIME';

Alter the profile idle time.

    alter profile [profile name] limit idle_time [# minutes];

Oracle7 Profiles

Lock a User Account: Alter encrypted password to all lowercase; Oracle can't translate so account is disabled.

    alter user [username] identified by values 'disabled';

Oracle8 Profiles

User Profile Creation: Create a profile that will do the following:

    The user will be timed out (disconnected) after 15 minutes of idle time.
    The account will be locked after 3 failed logins.
    The account can only be unlocked by the DBA.
    The user has 3 grace logins to change their password after expiration.
    The user cannot repeat passwords until they have been changed at least 10 times.
    The password expires after 90 days.
    The stored procedure verify_password will be used to verify password complexity.

To create the profile execute the following script.

    CREATE PROFILE APP_USER LIMIT
       IDLE_TIME 15
       FAILED_LOGIN_ATTEMPTS 3
       ACCOUNT_LOCK_TIME UNLIMITED
       PASSWORD_GRACE_TIME 3
       PASSWORD_REUSE_MAX 10
       PASSWORD_LIFE_TIME 90
       PASSWORD_VERIFY_FUNCTION verify_password;

Once the profile is created, it is assigned to the user with the ALTER USER command:

    ALTER USER username PROFILE app_user;

Password Verification Function: based on sample function in Oracle documentation, but more strict.

    -- Named verify_password so that it matches PASSWORD_VERIFY_FUNCTION
    -- in the APP_USER profile above.
    CREATE OR REPLACE FUNCTION verify_password
    (username varchar2,
     password varchar2,
     old_password varchar2)
    RETURN boolean IS
       n boolean;
       m integer;
       differ integer;
       isdigit boolean;

       ischar boolean;
       ispunct boolean;
       digitarray varchar2(20);
       punctarray varchar2(25);
       chararray varchar2(52);
    BEGIN
       digitarray:= '0123456789';
       chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
       punctarray:='!"#$%&()``*+,-/:;<=>?_';

       -- Check if the password is same as the username
       IF password = username THEN
          raise_application_error(-20001, 'Password same as user');
       END IF;

       -- Check for the minimum length of the password (must be 6 or more)
       IF length(password) < 6 THEN
          raise_application_error(-20002, 'Password length less than 6');
       END IF;

       -- Check if the password is too simple. A dictionary of words may be
       -- maintained and a check may be made so as not to allow the words
       -- that are too simple for the password.
       IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user',
                                  'password', 'oracle', 'computer', 'abcd') THEN
          raise_application_error(-20002, 'Password too simple');
       END IF;

       -- Check if the password contains at least one letter and one digit
       -- 1. Check for the digit
       isdigit:=false;
       m := length(password);
       FOR i IN 1..10 LOOP
          FOR j IN 1..m LOOP
             IF substr(password,j,1) = substr(digitarray,i,1) THEN
                isdigit:=true;
                GOTO findchar;
             END IF;

          END LOOP;
       END LOOP;
       IF isdigit = FALSE THEN
          raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
       END IF;

       -- 2. Check for the character
       <<findchar>>
       ischar:=false;
       FOR i IN 1..length(chararray) LOOP
          FOR j IN 1..m LOOP
             IF substr(password,j,1) = substr(chararray,i,1) THEN
                ischar:=true;
                GOTO findpunct;
             END IF;
          END LOOP;
       END LOOP;
       IF ischar = FALSE THEN
          raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
       END IF;

       -- 3. Check for the punctuation (this step is absent from the
       --    transcription; reconstructed from the findpunct/endsearch labels
       --    and the ispunct and punctarray declarations)
       <<findpunct>>
       ispunct:=false;
       FOR i IN 1..length(punctarray) LOOP
          FOR j IN 1..m LOOP
             IF substr(password,j,1) = substr(punctarray,i,1) THEN
                ispunct:=true;
                GOTO endsearch;
             END IF;
          END LOOP;
       END LOOP;
       IF ispunct = FALSE THEN
          raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation');
       END IF;

       <<endsearch>>
       -- Check if the password differs from the previous password by at least 3 letters
       IF old_password = '' THEN
          raise_application_error(-20004, 'Old password is null');
       END IF;
       -- Everything is fine; return TRUE ;
       differ := length(old_password) - length(password);
       IF abs(differ) < 3 THEN
          IF length(password) < length(old_password) THEN
             m := length(password);
          ELSE
             m:= length(old_password);
          END IF;

          differ := abs(differ);
          FOR i IN 1..m LOOP
             IF substr(password,i,1) != substr(old_password,i,1) THEN
                differ := differ + 1;
             END IF;
          END LOOP;
          IF differ < 3 THEN
             raise_application_error(-20004, 'Password should differ by at least 3 characters');
          END IF;
       END IF;
       -- Everything is fine; return TRUE ;
       RETURN(TRUE);
    END;
    /

Lock User Account:

    alter user [username] account lock;

Statement Level Audits

Generate a list of all statement level audits.

    select audit_option, success, failure
    from dba_stmt_audit_opts;

Enable minimum required statement level audits:

    audit ALTER SYSTEM;
    audit INDEX;
    audit NOT EXISTS;
    audit SYSTEM GRANT;
    audit SYSTEM AUDIT;
    audit TABLE;
    audit TABLESPACE;
    audit USER;
    audit SESSION;
    audit RESTRICTED SESSION;

Object Level Audits

Generate a list of all object level audits.

    select owner, object_name, object_type
    from dba_obj_audit_opts
    where ren = '-/-';

Identify all audits on the audit trail table.

    select owner || '.' || object_name, object_type,
           alt || aud || com || del || gra || ind || ins || loc || ren || sel || upd || ref || exe
    from dba_obj_audit_opts
    where owner like 'SYS%'
      and object_name='AUD$'
      and object_type='TABLE';

Set audit rename by default on all objects created after command:

    audit rename on default;

Audit actions on the audit trail:

    audit all on sys.aud$;

or

    audit all on system.aud$;    (if ownership has been changed)

Privilege Level Audits

Generate a list of all privilege level audits.

    select privilege, success, failure
    from dba_priv_audit_opts;

Enable minimum required privilege level audits:

    audit ANALYZE ANY;
    audit AUDIT ANY;
    audit AUDIT SYSTEM;
    audit ALTER ANY CLUSTER;
    audit DROP ANY CLUSTER;
    audit ALTER DATABASE;
    audit CREATE ANY INDEX;
    audit ALTER ANY INDEX;
    audit DROP ANY INDEX;
    audit GRANT ANY PRIVILEGE;
    audit CREATE ANY PROCEDURE;
    audit ALTER ANY PROCEDURE;
    audit DROP ANY PROCEDURE;
    audit EXECUTE ANY PROCEDURE;
    audit CREATE PROFILE;
    audit ALTER PROFILE;
    audit DROP PROFILE;
    audit ALTER RESOURCE COST;
    audit DROP PUBLIC DATABASE LINK;
    audit DROP PUBLIC SYNONYM;
    audit ALTER ANY ROLE;
    audit DROP ANY ROLE;
    audit GRANT ANY ROLE;
    audit DROP ROLLBACK SEGMENT;
    audit CREATE ANY SEQUENCE;
    audit ALTER ANY SEQUENCE;
    audit DROP ANY SEQUENCE;
    audit SELECT ANY SEQUENCE;
    audit ALTER ANY SNAPSHOT;

    audit DROP ANY SNAPSHOT;
    audit CREATE ANY SYNONYM;
    audit DROP ANY SYNONYM;
    audit CREATE ANY TABLE;
    audit ALTER ANY TABLE;
    audit BACKUP ANY TABLE;
    audit DROP ANY TABLE;
    audit LOCK ANY TABLE;
    audit COMMENT ANY TABLE;
    audit SELECT ANY TABLE;
    audit INSERT ANY TABLE;
    audit UPDATE ANY TABLE;
    audit DELETE ANY TABLE;
    audit MANAGE TABLESPACE;
    audit UNLIMITED TABLESPACE;
    audit FORCE TRANSACTION;
    audit FORCE ANY TRANSACTION;
    audit CREATE ANY TRIGGER;
    audit ALTER ANY TRIGGER;
    audit DROP ANY TRIGGER;
    audit CREATE USER;
    audit BECOME USER;
    audit ALTER USER;
    audit DROP USER;
    audit CREATE ANY VIEW;
    audit DROP ANY VIEW;
    audit CREATE PUBLIC DATABASE LINK;
    audit DROP PUBLIC DATABASE LINK;
    audit CREATE PUBLIC SYNONYM;
    audit DROP PUBLIC SYNONYM;
    audit CREATE DATABASE LINK;

Audit Trail Maintenance

Set the following init.ora parameters and restart the database to initialize the Oracle Job Queue:

    JOB_QUEUE_PROCESSES = 1
    JOB_QUEUE_INTERVAL = 30

Create the following stored procedure as SYSTEM through Server Manager or SQL*Plus:

Oracle7 Version:

    CREATE PROCEDURE TRIM_AUDIT_TRAIL AS
    BEGIN
       DELETE FROM SYS.AUD$ WHERE TIMESTAMP < TRUNC(SYSDATE-7);
       COMMIT;
    END TRIM_AUDIT_TRAIL;
    /

Oracle8 Version:

    CREATE PROCEDURE TRIM_AUDIT_TRAIL AS
    BEGIN
       DELETE FROM SYS.AUD$ WHERE TIMESTAMP# < TRUNC(SYSDATE-7);
       COMMIT;
    END TRIM_AUDIT_TRAIL;
    /

Set the job to run once per day at midnight using Server Manager or SQL*Plus:

    VARIABLE JOBNUM NUMBER;
    BEGIN
       DBMS_JOB.SUBMIT(:JOBNUM,'SYSTEM.TRIM_AUDIT_TRAIL; ',
                       TRUNC(SYSDATE+1),'TRUNC(SYSDATE+1)');
    END;
    /

Check on the status of the job using the DBA_JOBS or USER_JOBS views.

Eagle

Original Eagle DDL (by Jay Mehta, IOUG-A Select Magazine, April, 1997):

    REM Name: eddl.sql
    REM Description: Creates Objects(Tables/Indexes) in USERS and USERS_IDX tablespace
    REM Usage: Run this script from SQL*Plus, Use Eagle Oracle account
    REM
    CREATE TABLE WATCH (
       WATCH_ID         VARCHAR2(12)   NOT NULL,
       NAME             VARCHAR2(30)   NOT NULL,
       PREPARE1_CLAUSE  VARCHAR2(512)  NULL,
       PREPARE2_CLAUSE  VARCHAR2(512)  NULL,
       INSERT_CLAUSE    VARCHAR2(512)  NOT NULL,
       SELECT_CLAUSE    VARCHAR2(512)  NOT NULL,
       WHERE_CLAUSE     VARCHAR2(512)  NULL,
       CLOSE1_CLAUSE    VARCHAR2(512)  NULL,
       CLOSE2_CLAUSE    VARCHAR2(512)  NULL,
       CONSTRAINT WATCK_PK PRIMARY KEY (WATCH_ID)
          USING INDEX TABLESPACE USERS_IDX
          STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0)
    )
    TABLESPACE USERS
    STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0);

    CREATE TABLE DATABASE (
       DB_ID    VARCHAR2(12)  NOT NULL,
       NAME     VARCHAR2(30)  NOT NULL,
       DB_LINK  VARCHAR2(30)  NOT NULL,
       CONSTRAINT DATABASE_PK PRIMARY KEY (DB_ID)
          USING INDEX TABLESPACE USERS_IDX
          STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0)
    )
    TABLESPACE USERS
    STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0);

    CREATE TABLE DB_WATCH (
       DB_ID      VARCHAR2(12)  NOT NULL,
       WATCH_ID   VARCHAR2(12)  NOT NULL,
       ACTIVE_YN  VARCHAR2(1),
       CONSTRAINT DB_WATCH_PK PRIMARY KEY (DB_ID, WATCH_ID)
          USING INDEX TABLESPACE USERS_IDX
          STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0),
       CONSTRAINT DB_WATCH_FK1 FOREIGN KEY (DB_ID)
          REFERENCES DATABASE (DB_ID),
       CONSTRAINT DB_WATCH_FK2 FOREIGN KEY (WATCH_ID)
          REFERENCES WATCH (WATCH_ID)
    )
    TABLESPACE USERS
    STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0);

    CREATE TABLE DB_WATCH_RESULT (
       DB_ID      VARCHAR2(12)   NOT NULL,
       WATCH_ID   VARCHAR2(12)   NOT NULL,
       RUN_TIME   DATE           NOT NULL,
       PARAMETER  VARCHAR2(256)  NULL,
       VALUE      NUMBER(12,2)   NOT NULL,
       CONSTRAINT DB_WATCH_RESULT_FK FOREIGN KEY (DB_ID, WATCH_ID)
          REFERENCES DB_WATCH (DB_ID, WATCH_ID)
    )
    TABLESPACE USERS
    STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0);

Note: The sizes of the prepare, insert, select, where, and close clause fields in the WATCH table have been increased from the original 256 characters to 512 characters to accommodate the various watches described below. You may need to increase them further to support your own custom watches. You may also need to alter storage parameters to fit your particular system.

Original Eagle PL/SQL Engine (by Jay Mehta, IOUG-A Select Magazine, April, 1997):

    REM
    REM Name: eplsql.sql
    REM Description: Create PL/SQL procedure that executes active watches
    REM Usage: Run from SQL*Plus, Use Eagle account
    REM
    CREATE OR REPLACE PROCEDURE EXECUTE_DB_WATCH AS
       CURSOR C_DB_WATCH IS
          SELECT DB_ID, WATCH_ID, ACTIVE_YN FROM DB_WATCH ;
       db_watch_rec   DB_WATCH%ROWTYPE ;
       watch_rec      WATCH%ROWTYPE ;
       database_rec   DATABASE%ROWTYPE ;
       sql_stmt       VARCHAR2(1000) ;
       ret_val        INTEGER ;
       cursor_id      INTEGER ;
       c_get_data     INTEGER ;
       temp_clause    VARCHAR2(256) ;
    BEGIN
       OPEN C_DB_WATCH;
       LOOP
          FETCH C_DB_WATCH INTO db_watch_rec;
          EXIT WHEN C_DB_WATCH%NOTFOUND ;
          IF db_watch_rec.active_yn = 'Y' THEN
             SELECT * INTO watch_rec FROM WATCH
                WHERE WATCH_ID = db_watch_rec.watch_id ;
             /* fetch database record */
             SELECT * INTO database_rec FROM DATABASE
                WHERE DB_ID = db_watch_rec.db_id ;
             watch_rec.select_clause := REPLACE(watch_rec.select_clause,
                                                '<DB_ID>',database_rec.db_id);

             watch_rec.select_clause := REPLACE(watch_rec.select_clause,
                                                '<DB_LINK>',database_rec.db_link);
             sql_stmt := watch_rec.insert_clause || watch_rec.select_clause ||
                         watch_rec.where_clause;
             IF watch_rec.prepare1_clause IS NOT NULL THEN
                watch_rec.prepare1_clause := REPLACE(watch_rec.prepare1_clause,
                                                     '<DB_LINK>',database_rec.db_link);
                cursor_id := DBMS_SQL.OPEN_CURSOR;
                DBMS_SQL.PARSE(cursor_id,watch_rec.prepare1_clause,DBMS_SQL.V7);
                ret_val := DBMS_SQL.EXECUTE(cursor_id) ;
                DBMS_SQL.CLOSE_CURSOR(cursor_id);
             END IF;
             IF watch_rec.prepare2_clause IS NOT NULL THEN
                watch_rec.prepare2_clause := REPLACE(watch_rec.prepare2_clause,
                                                     '<DB_LINK>',database_rec.db_link);
                cursor_id := DBMS_SQL.OPEN_CURSOR;
                DBMS_SQL.PARSE(cursor_id,watch_rec.prepare2_clause,DBMS_SQL.V7);
                ret_val := DBMS_SQL.EXECUTE(cursor_id) ;
                DBMS_SQL.CLOSE_CURSOR(cursor_id);
             END IF;
             c_get_data := DBMS_SQL.OPEN_CURSOR ;
             DBMS_SQL.PARSE(c_get_data,sql_stmt,DBMS_SQL.V7) ;
             ret_val := DBMS_SQL.EXECUTE(c_get_data) ;
             DBMS_SQL.CLOSE_CURSOR(c_get_data) ;
             IF watch_rec.close1_clause IS NOT NULL THEN
                cursor_id := DBMS_SQL.OPEN_CURSOR;
                DBMS_SQL.PARSE(cursor_id,watch_rec.close1_clause,DBMS_SQL.V7);
                ret_val := DBMS_SQL.EXECUTE(cursor_id) ;
                DBMS_SQL.CLOSE_CURSOR(cursor_id);
             END IF;
             IF watch_rec.close2_clause IS NOT NULL THEN
                cursor_id := DBMS_SQL.OPEN_CURSOR;
                DBMS_SQL.PARSE(cursor_id,watch_rec.close2_clause,DBMS_SQL.V7);
                ret_val := DBMS_SQL.EXECUTE(cursor_id) ;
                DBMS_SQL.CLOSE_CURSOR(cursor_id);
             END IF;
          END IF;

       END LOOP;
    END ;
    /

Eagle Enhanced

Replacement PL/SQL Engine for Eagle:

    create or replace package eagle as

       /* procedure run is the top-level procedure that calls all others.
          A DBA can specify a specific database for monitoring, or let the
          procedure default to all databases. */
       procedure run (dbid in varchar2 default '%');

       /* procedure sqlexec opens a cursor for each SQL command and
          executes the command. */
       procedure sqlexec (querystr in varchar2,
                          dbid in varchar2,
                          dblink in varchar2);

       /* function sqlinit replaces the <DB_ID> and <DB_LINK> keywords in
          each SQL command with the appropriate database name and database
          link name. */
       function sqlinit (querystr in varchar2,
                         dbid in varchar2,
                         dblink in varchar2) return varchar2;

    end eagle;
    /

    create or replace package body eagle as

       no_connection EXCEPTION;
       PRAGMA EXCEPTION_INIT(no_connection, );

       procedure run (dbid in varchar2 default '%') is
          cursor c_db_watch (db varchar2) is
             select db_id, watch_id, active_yn
             from db_watch
             where db_id like db
             order by db_id;
          db_watch_rec   db_watch%rowtype;
          watch_rec      watch%rowtype;
          database_rec   database%rowtype;
          sqltext        varchar2(2000);
       begin
          /* Open the list of database watches for the specified database */
          open c_db_watch(dbid);
          loop
             /* Get the next database watch record, exit when no more records found */
             fetch c_db_watch into db_watch_rec;
             exit when c_db_watch%notfound;

             /* If the watch is active, then execute */
             if db_watch_rec.active_yn = 'Y' then
                /* Get the details for the watch and database */
                select * into watch_rec from watch
                   where watch_id=db_watch_rec.watch_id;
                select * into database_rec from database
                   where db_id=db_watch_rec.db_id;

                /* Execute the prepare clauses for the watch */
                sqlexec (watch_rec.prepare1_clause,database_rec.db_id,database_rec.db_link);
                sqlexec (watch_rec.prepare2_clause,database_rec.db_id,database_rec.db_link);

                /* Execute the watch insert as select command */
                sqltext := watch_rec.insert_clause || watch_rec.select_clause ||
                           watch_rec.where_clause;
                sqlexec (sqltext,database_rec.db_id,database_rec.db_link);

                /* Execute the close clauses for the watch */
                sqlexec (watch_rec.close1_clause,database_rec.db_id,database_rec.db_link);
                sqlexec (watch_rec.close2_clause,database_rec.db_id,database_rec.db_link);
             end if;
          end loop;
       end run;

       procedure sqlexec (querystr in varchar2,
                          dbid in varchar2,
                          dblink in varchar2) is
          sqltext     varchar2(2000);
          ret_val     integer;
          cursor_id   integer;
       begin
          /* Determine if this SQL command is null */
          if querystr is not null then
             /* Initialize the SQL command by replacing keywords with
                values for db_id and db_link */
             sqltext := sqlinit (querystr, dbid, dblink);

             /* Open and execute the cursor for the SQL command */
             cursor_id := dbms_sql.open_cursor;
             dbms_sql.parse(cursor_id,sqltext,dbms_sql.v7);
             ret_val := dbms_sql.execute(cursor_id) ;

             /* Close the cursor and exit */

             dbms_sql.close_cursor(cursor_id);
          end if;
       exception
          /* When a connection to target database is not found, proceed to next watch */
          when no_connection then
             return;
       end sqlexec;

       function sqlinit (querystr in varchar2,
                         dbid in varchar2,
                         dblink in varchar2) return varchar2 is
          sqltext varchar2(2000);
       begin
          sqltext := querystr;
          sqltext := replace(sqltext,'<DB_ID>',dbid);
          sqltext := replace(sqltext,'<DB_LINK>',dblink);
          return sqltext;
       end sqlinit;

    end eagle;
    /

Eagle Extended

The following scripts can be used to extend Eagle to collect audit trail information.

AUDIT_TRAIL DDL for Eagle in Oracle7

    CREATE TABLE AUDIT_TRAIL
      (DB_ID            VARCHAR2(12)    NOT NULL,
       SESSIONID        NUMBER          NOT NULL,
       ENTRYID          NUMBER          NOT NULL,
       STATEMENT        NUMBER          NOT NULL,
       TIMESTAMP#       DATE            NOT NULL,
       USERID           VARCHAR2(30)    NULL,
       USERHOST         VARCHAR2(255)   NULL,
       TERMINAL         VARCHAR2(255)   NULL,
       ACTION#          NUMBER          NOT NULL,
       RETURNCODE       NUMBER          NOT NULL,
       OBJ$CREATOR      VARCHAR2(30)    NULL,
       OBJ$NAME         VARCHAR2(128)   NULL,
       AUTH$PRIVILEGES  VARCHAR2(16)    NULL,
       AUTH$GRANTEE     VARCHAR2(30)    NULL,
       NEW$OWNER        VARCHAR2(30)    NULL,
       NEW$NAME         VARCHAR2(128)   NULL,
       SES$ACTIONS      VARCHAR2(19)    NULL,
       SES$TID          NUMBER          NULL,
       LOGOFF$LREAD     NUMBER          NULL,
       LOGOFF$PREAD     NUMBER          NULL,
       LOGOFF$LWRITE    NUMBER          NULL,
       LOGOFF$DEAD      NUMBER          NULL,
       LOGOFF$TIME      DATE            NULL,
       COMMENT$TEXT     VARCHAR2(2000)  NULL,
       SPARE1           VARCHAR2(255)   NULL,
       SPARE2           NUMBER          NULL,
       OBJ$LABEL        RAW(255)        NULL,
       SES$LABEL        RAW(255)        NULL,
       PRIV$USED        NUMBER          NULL
      )
    STORAGE (INITIAL 1M NEXT 1M MINEXTENTS 1 PCTINCREASE 0)
    TABLESPACE "DBAUDIT";

Notes (Oracle7 table):

    The COMMENT$TEXT field from an Oracle8 database must be trimmed from varchar2(4000) to varchar2(2000).
    The SES$ACTIONS field was expanded from varchar2(16) to varchar2(19) to accommodate Oracle8 values.
    The TIMESTAMP and ACTION fields have been renamed, adding a '#' character to the end of each.

AUDIT_TRAIL DDL for Eagle in Oracle8

    CREATE TABLE AUDIT_TRAIL
      (DB_ID            VARCHAR2(12)    NOT NULL,
       SESSIONID        NUMBER          NOT NULL,
       ENTRYID          NUMBER          NOT NULL,
       STATEMENT        NUMBER          NOT NULL,
       TIMESTAMP#       DATE            NOT NULL,
       USERID           VARCHAR2(30)    NULL,
       USERHOST         VARCHAR2(255)   NULL,
       TERMINAL         VARCHAR2(255)   NULL,
       ACTION#          NUMBER          NOT NULL,
       RETURNCODE       NUMBER          NOT NULL,
       OBJ$CREATOR      VARCHAR2(30)    NULL,
       OBJ$NAME         VARCHAR2(128)   NULL,
       AUTH$PRIVILEGES  VARCHAR2(16)    NULL,
       AUTH$GRANTEE     VARCHAR2(30)    NULL,
       NEW$OWNER        VARCHAR2(30)    NULL,
       NEW$NAME         VARCHAR2(128)   NULL,
       SES$ACTIONS      VARCHAR2(19)    NULL,
       SES$TID          NUMBER          NULL,
       LOGOFF$LREAD     NUMBER          NULL,
       LOGOFF$PREAD     NUMBER          NULL,
       LOGOFF$LWRITE    NUMBER          NULL,
       LOGOFF$DEAD      NUMBER          NULL,
       LOGOFF$TIME      DATE            NULL,
       COMMENT$TEXT     VARCHAR2(4000)  NULL,
       SPARE1           VARCHAR2(255)   NULL,
       SPARE2           NUMBER          NULL,
       OBJ$LABEL        RAW(255)        NULL,
       SES$LABEL        RAW(255)        NULL,
       PRIV$USED        NUMBER          NULL
      )
    STORAGE (INITIAL 1M NEXT 1M MINEXTENTS 1 PCTINCREASE 0)
    TABLESPACE "DBAUDIT";

Notes (Oracle8 table):

    All data from Oracle7 and Oracle8 audit trails can be stored in this table without being trimmed or altered.
    The USERHOST field was expanded from varchar2(128) to varchar2(255) to accommodate Oracle7 values.

Copy the AUDIT_ACTIONS table into the Eagle schema for use in reports and views:

    CREATE TABLE EAGLE.AUDIT_ACTIONS
    TABLESPACE USERS
    AS SELECT * FROM SYS.AUDIT_ACTIONS;

There are three (3) different watches that can be used to collect audit trail data, depending on the version numbers of the Eagle database and the target database. Each watch will do the following:

    Copy all audit entries from AUD$ in the target database to AUDIT_TRAIL in the Eagle database, adding the DB_ID field as a source identifier.
    Only those entries made since the last time Eagle has run will be copied (no duplicates).
    Automatically delete any entries more than 365 days old.

Use the following table to determine which audit watch to use for your systems.

                            Target Database Version
    Eagle Database Version  Oracle7         Oracle8
    Oracle7                 AUDIT_7_TO_8    AUDIT_8_TO_7
    Oracle8                 AUDIT_7_TO_8    AUDIT_TRAIL

AUDIT_TRAIL Watch SQL: This watch can be used when the Eagle and target databases are both Oracle8.

    insert into watch
       (watch_id, name, prepare1_clause, insert_clause, select_clause,
        where_clause, close1_clause)
    values
       ('AUDIT_TRAIL','Database Audit Trail',
        'delete from audit_trail where db_id=''<DB_ID>'' and timestamp# < (sysdate-365)',
        'insert into audit_trail ',
        'select ''<DB_ID>'', a.* from sys.aud$@<DB_LINK> a ',
        'where a.timestamp# > (select nvl(max(timestamp#),sysdate-1) from audit_trail where db_id=''<DB_ID>'')',
        'commit');

AUDIT_7_TO_8 Watch DDL: This watch is used when the target database is Oracle7 (the Eagle database can be either Oracle7 or Oracle8).

    insert into watch
       (watch_id, name, prepare1_clause, prepare2_clause, insert_clause,
        select_clause, where_clause, close1_clause, close2_clause)
    values
       ('AUDIT_7_TO_8','Database Audit Trail (Oracle7)',
        'delete from audit_trail where db_id=''<DB_ID>'' and timestamp# < (sysdate-365)',
        'CREATE OR REPLACE VIEW AUD$_V8 AS SELECT SESSIONID, ENTRYID, STATEMENT, TIMESTAMP TIMESTAMP#, USERID, USERHOST, TERMINAL, ACTION ACTION#, RETURNCODE, OBJ$CREATOR, OBJ$NAME, AUTH$PRIVILEGES, AUTH$GRANTEE, NEW$OWNER, NEW$NAME, SES$ACTIONS, SES$TID, LOGOFF$LREAD, LOGOFF$PREAD, LOGOFF$LWRITE, LOGOFF$DEAD, LOGOFF$TIME, COMMENT$TEXT, SPARE1, SPARE2, OBJ$LABEL, SES$LABEL, PRIV$USED FROM SYS.AUD$@<DB_LINK>',
        'insert into audit_trail ',
        'select ''<DB_ID>'', a.* from aud$_v8 a ',
        'where a.timestamp# > (select nvl(max(timestamp#),sysdate-1) from audit_trail where db_id=''<DB_ID>'')',
        'commit',
        'drop view aud$_v8');

AUDIT_8_TO_7 Watch DDL: This watch is used when the Eagle database is in Oracle7 and the target database is Oracle8.

    insert into watch
       (watch_id, name, prepare1_clause, prepare2_clause, insert_clause,
        select_clause, where_clause, close1_clause, close2_clause)
    values
       ('AUDIT_8_TO_7','Database Audit Trail (Oracle8)',
        'delete from audit_trail where db_id=''<DB_ID>'' and timestamp# < (sysdate-365)',
        'CREATE OR REPLACE VIEW AUD$_V7 AS SELECT SESSIONID, ENTRYID, STATEMENT, TIMESTAMP#, USERID, USERHOST, TERMINAL, ACTION#, RETURNCODE, OBJ$CREATOR, OBJ$NAME, AUTH$PRIVILEGES, AUTH$GRANTEE, NEW$OWNER, NEW$NAME, SES$ACTIONS, SES$TID, LOGOFF$LREAD, LOGOFF$PREAD, LOGOFF$LWRITE, LOGOFF$DEAD, LOGOFF$TIME, SUBSTR(COMMENT$TEXT,1,2000) COMMENT$TEXT, SPARE1, SPARE2, OBJ$LABEL, SES$LABEL, PRIV$USED FROM SYS.AUD$@<DB_LINK>',
        'insert into audit_trail ',
        'select ''<DB_ID>'', a.* from aud$_v7 a ',
        'where a.timestamp# > (select nvl(max(timestamp#),sysdate-1) from audit_trail where db_id=''<DB_ID>'')',
        'commit',
        'drop view aud$_v7');

21 EAGLE_AUDIT_TRAIL VIEW DDL: create or replace view eagle_audit_trail as select db_id /* DB_ID */, spare1 /* OS_USERNAME */, userid /* USERNAME */, userhost /* USERHOST */, terminal /* TERMINAL */, timestamp# /* TIMESTAMP */, obj$creator /* OWNER */, obj$name /* OBJECT_NAME */, aud.action# /* ACTION */, act.name /* ACTION_NAME */, new$owner /* NEW_OWNER */, new$name /* NEW_NAME */, decode(aud.action#, 108 /* grant sys_priv */, null, 109 /* revoke sys_priv */, null, 114 /* grant role */, null, 115 /* revoke role */, null, auth$privileges) /* OBJ_PRIVILEGE */, decode(aud.action#, 108 /* grant sys_priv */, spm.name, 109 /* revoke sys_priv */, spm.name, null) /* SYS_PRIVILEGE */, decode(aud.action#, 108 /* grant sys_priv */, substr(auth$privileges,1,1), 109 /* revoke sys_priv */, substr(auth$privileges,1,1), 114 /* grant role */, substr(auth$privileges,1,1), 115 /* revoke role */, substr(auth$privileges,1,1), null) /* ADMIN_OPTION */, auth$grantee /* GRANTEE */, decode(aud.action#, 104 /* audit */, aom.name, 105 /* noaudit */, aom.name, null) /* AUDIT_OPTION */, ses$actions /* SES_ACTIONS */, Mini-Lesson M6, Scripts & Source Code/ Page 21

22 logoff$time /* LOGOFF_TIME */, logoff$lread /* LOGOFF_LREAD */, logoff$pread /* LOGOFF_PREAD */, logoff$lwrite /* LOGOFF_LWRITE */, decode(aud.action#, 104 /* audit */, null, 105 /* noaudit */, null, 108 /* grant sys_priv */, null, 109 /* revoke sys_priv */, null, 114 /* grant role */, null, 115 /* revoke role */, null, aud.logoff$dead) /* LOGOFF_DLOCK */, comment$text /* COMMENT_TEXT */, sessionid /* SESSIONID */, entryid /* ENTRYID */, statement /* STATEMENTID */, returncode /* RETURNCODE */, spx.name /* PRIVILEGE */, rawtolab(obj$label) /* OBJECT_LABEL */, rawtolab(ses$label) /* SESSION_LABEL */ from eagle.audit_trail aud, sys.system_privilege_map spm, sys.system_privilege_map spx, sys.stmt_audit_option_map aom, eagle.audit_actions act where aud.action# = act.action (+) and - aud.logoff$dead = spm.privilege (+) and aud.logoff$dead = aom.option# (+) and - aud.priv$used = spx.privilege (+); EAGLE_AUDIT_SESSION VIEW DDL: create or replace view eagle_audit_session as select db_id, os_username, username, userhost, terminal, timestamp, action_name, logoff_time, logoff_lread, logoff_pread, logoff_lwrite, logoff_dlock, sessionid, returncode, session_label from eagle_audit_trail where action between 100 and 102; EAGLE_AUDIT_OBJECT VIEW DDL: create or replace view eagle_audit_object as select DB_ID, OS_USERNAME, USERNAME, USERHOST, TERMINAL, TIMESTAMP, OWNER, OBJ_NAME, ACTION_NAME, NEW_OWNER, NEW_NAME, SES_ACTIONS, COMMENT_TEXT, SESSIONID, ENTRYID, STATEMENTID, RETURNCODE, PRIV_USED, OBJECT_LABEL, SESSION_LABEL Mini-Lesson M6, Scripts & Source Code / Page 22

23 from eagle_audit_trail where (action between 1 and 16) or (action between 19 and 29) or (action between 32 and 41) or (action = 43) or (action between 51 and 99) or (action = 103) or (action between 110 and 113) or (action between 116 and 121) or (action between 123 and 128); EAGLE_AUDIT_STATEMENT VIEW DDL: create or replace view eagle_audit_statement as select DB_ID, OS_USERNAME, USERNAME, USERHOST, TERMINAL, TIMESTAMP, OWNER, OBJ_NAME, ACTION_NAME, NEW_NAME, OBJ_PRIVILEGE, SYS_PRIVILEGE, ADMIN_OPTION, GRANTEE, AUDIT_OPTION, SES_ACTIONS, COMMENT_TEXT, SESSIONID, ENTRYID, STATEMENTID, RETURNCODE, PRIV_USED, SESSION_LABEL from eagle_audit_trail where action in ( 17 /* GRANT OBJECT */, 18 /* REVOKE OBJECT */, 30 /* AUDIT OBJECT */, 31 /* NOAUDIT OBJECT */, 49 /* ALTER SYSTEM */, 104 /* SYSTEM AUDIT */, 105 /* SYSTEM NOAUDIT */, 106 /* AUDIT DEFAULT */, 107 /* NOAUDIT DEFAULT */, 108 /* SYSTEM GRANT */, 109 /* SYSTEM REVOKE */, 114 /* GRANT ROLE */, 115 /* REVOKE ROLE */ ); EAGLE_AUDIT_CLIENT_SESSION VIEW DDL: create or replace view eagle_audit_client_session as select db_id, os_username, username, userhost, terminal, timestamp, action_name, logoff_time, logoff_lread, logoff_pread, logoff_lwrite, logoff_dlock, sessionid, returncode, comment_text, session_label, substr(substr(comment_text,instr(comment_text,'host=',1)+5, instr(comment_text,')',instr(comment_text,'host=',1)) - (instr(comment_text,'host=',1)+5)),1,15) ip_address Mini-Lesson M6, Scripts & Source Code/ Page 23

  from eagle_audit_trail
 where action between 100 and 102;

EAGLE_AUDIT_FAILED_SESSION VIEW DDL:

create or replace view eagle_audit_failed_session as
select db_id, os_username, username, userhost, terminal, timestamp,
       action_name, sessionid, returncode, comment_text,
       substr(substr(comment_text,
                     instr(comment_text,'host=',1)+5,
                     instr(comment_text,')',instr(comment_text,'host=',1))
                       - (instr(comment_text,'host=',1)+5)),
              1,15) ip_address
  from eagle_audit_trail
 where returncode in (1017,1005)
   and action between 100 and 102;

Audit Trail Reports

The following sample reports were designed using Oracle WebServer 2.0 and the PL/SQL Agent. They are included only as an example of the types of reports that can be generated with the centralized audit trail data collected by Eagle.

DBAUDIT PACKAGE DDL:

create or replace package dbaudit as
  procedure query;
  procedure report (rptcode in varchar2 default 'session',
                    db_nm in varchar2 default 'ALL',
                    user_nm in varchar2,
                    object_nm in varchar2,
                    action_nm in varchar2,
                    code in varchar2,
                    day in varchar2,
                    month in varchar2,
                    year in varchar2);
  procedure auditrpt (rptcode in varchar2,
                      db_name in varchar2,
                      user_name in varchar2,
                      object_name in varchar2,
                      action_name in varchar2,
                      rt_code in varchar2,
                      webday in varchar2,
                      webmonth in varchar2,
                      webyear in varchar2);
  procedure dataheader (rptcode in varchar2);
  procedure datafooter;
  procedure getdata (rptcode in varchar2,
                     db_name in varchar2,
                     user_name in varchar2,
                     object_name in varchar2,
                     action_name in varchar2,
                     rtcode in varchar2,
                     webday in varchar2,
                     webmonth in varchar2,
                     webyear in varchar2);
end;

create or replace package body dbaudit as

-- Procedure query presents the initial report request form
procedure query is
  cursor dblist is
    select distinct db_id from eagle.audit_trail order by db_id;
  cursor userlist is

    select distinct userid from eagle.audit_trail order by userid;
  cursor objlist is
    select distinct obj$name from eagle.audit_trail order by obj$name;
  cursor actionlist is
    select name, action from sys.audit_actions order by name;
  cursor codelist is
    select distinct returncode from eagle.audit_trail order by returncode;
begin
  htp.htmlopen;
  htp.headopen;
  htp.title('stats Database Audit History');
  htp.headclose;
  htp.bodyopen('',
    'bgcolor="#000066" TEXT="#ffffe8" LINK="#ccffff" VLINK="#33ccff" BACKGROUND="/images/back10.jpg"');
  htp.header(1,'stats Database Audit History');
  htp.hr;
  htp.formopen('/webaudit/owa/dbaudit.report','post');
  htp.print('<b>Select Report Criteria:</B><P>');
  htp.tableopen;

  htp.print('<tr><td WIDTH="150">Select Audit Report:</TD><TD>');
  htp.formradio('rptcode','session','checked');
  htp.print('Session Audits ');
  htp.formradio('rptcode','object');
  htp.print('Object/Statement Audits');
  htp.print('</td></tr>');

  -- The option value must be 'ALL' to match the comparison in procedure report
  htp.print('<tr><td WIDTH="150">Database Name:</TD><TD>');
  htp.formselectopen('db_nm');
  htp.formselectoption('ALL','selected','value="ALL"');
  for dc in dblist loop
    htp.formselectoption(dc.db_id,'','value="' || dc.db_id || '"');
  end loop;
  htp.formselectclose;
  htp.print('</td></tr>');

  htp.print('<tr><td WIDTH="150">Database User Name:</TD><TD>');
  htp.formselectopen('user_nm');
  htp.formselectoption('ALL','selected','value="ALL"');
  for uc in userlist loop
    htp.formselectoption(uc.userid,'','value="' || uc.userid || '"');

  end loop;
  htp.formselectclose;
  htp.print('</td></tr>');

  htp.print('<tr><td WIDTH="150">Object Name:</TD><TD>');
  htp.formselectopen('object_nm');
  htp.formselectoption('ALL','selected','value="ALL"');
  for oc in objlist loop
    htp.formselectoption(oc.obj$name,'','value="' || oc.obj$name || '"');
  end loop;
  htp.formselectclose;
  htp.print(' (Object/Statement Audits only)</td></tr>');

  htp.print('<tr><td WIDTH="150">Action Name:</TD><TD>');
  htp.formselectopen('action_nm');
  htp.formselectoption('ALL','selected','value="ALL"');
  for ac in actionlist loop
    htp.formselectoption(ac.name,'','value="' || ac.action || '"');
  end loop;
  htp.formselectclose;
  htp.print(' (Object/Statement Audits only)</td></tr>');

  htp.print('<tr><td WIDTH="150">Return Code:</TD><TD>');
  htp.formselectopen('code');
  htp.formselectoption('ALL','selected','value="ALL"');
  for rc in codelist loop
    htp.formselectoption(rc.returncode,'','value="' || rc.returncode || '"');
  end loop;
  htp.formselectclose;
  htp.print('</td></tr>');

  htp.print('<tr><td WIDTH="150">Day:</TD><TD>');
  htp.formselectopen('day');
  htp.formselectoption('ALL','selected','value="ALL"');
  for ctr in 1..31 loop
    htp.formselectoption(ctr,'','value="' || ctr || '"');
  end loop;
  htp.formselectclose;
  htp.print('</td></tr>');

  htp.print('<tr><td WIDTH="150">Month:</TD><TD>');
  htp.formselectopen('month');
  htp.formselectoption('ALL','selected','value="ALL"');
  htp.formselectoption('January','','value="january "');
  htp.formselectoption('February','','value="february "');
  htp.formselectoption('March','','value="march "');
  htp.formselectoption('April','','value="april "');
  htp.formselectoption('May','','value="may "');
  htp.formselectoption('June','','value="june "');
  htp.formselectoption('July','','value="july "');
  htp.formselectoption('August','','value="august "');
  htp.formselectoption('September','','value="september"');
  htp.formselectoption('October','','value="october "');
  htp.formselectoption('November','','value="november "');
  htp.formselectoption('December','','value="december "');
  htp.formselectclose;
  htp.print('</td></tr>');

  htp.print('<tr><td WIDTH="150">Year:</TD><TD>');
  htp.formselectopen('year');
  htp.formselectoption('ALL','','value="ALL"');
  htp.formselectoption('1997','','value="1997"');
  htp.formselectoption('1998','selected','value="1998"');
  htp.formselectclose;
  htp.print('</td></tr>');
  htp.tableclose;

  htp.para;
  htp.formsubmit('','Submit');
  htp.formreset('Reset');
  htp.formclose;
  htp.hr;
  htp.print('<p><font SIZE=2><CITE>');
  htp.anchor('/','<img BORDER=0 SRC="/images/home-b.jpg">');
  BORDER=0 SRC="/images/mail-b.jpg">');
  htp.para;
  htp.img('/images/tag1.gif','bottom','Generated by Oracle WebServer');
  htp.bodyclose;

  htp.htmlclose;
end query;

-- Procedure report parses the initial report request and calls the
-- specified report procedure.
procedure report (rptcode in varchar2 default 'session',
                  db_nm in varchar2 default 'ALL',
                  user_nm in varchar2,
                  object_nm in varchar2,
                  action_nm in varchar2,
                  code in varchar2,
                  day in varchar2,
                  month in varchar2,
                  year in varchar2) is
  header_text varchar2(50);
  db_name     varchar2(10);
  user_name   varchar2(32);
  object_name varchar2(32);
  action_name varchar2(64);
  rtcode      varchar2(10);
  webday      varchar2(3);
  webmnth     varchar2(20);
  webyear     varchar2(4);
begin
  -- 'ALL' in any field becomes the LIKE wildcard '%'
  if db_nm = 'ALL' then
    db_name := '%';
  else
    db_name := db_nm;
  end if;

  if user_nm = 'ALL' then
    user_name := '%';
  else
    user_name := user_nm;
  end if;

  if object_nm = 'ALL' then
    object_name := '%';
  else
    object_name := object_nm;
  end if;

  if action_nm = 'ALL' then
    action_name := '%';
  else

    action_name := action_nm;
  end if;

  if code = 'ALL' then
    rtcode := '%';
  else
    rtcode := code;
  end if;

  -- Pad single-digit days so they match to_char(timestamp,'dd')
  webday := day;
  if length(webday) < 2 then
    webday := '0' || webday;
  end if;
  if webday = 'ALL' then
    webday := '%';
  end if;

  if month = 'ALL' then
    webmnth := '%';
  else
    webmnth := rtrim(month) || '%';
  end if;

  if year = 'ALL' then
    webyear := '%';
  else
    webyear := year;
  end if;

  htp.htmlopen;
  htp.headopen;
  htp.title('stats Database Audit History');
  htp.headclose;
  htp.bodyopen('',
    'bgcolor="#ffffff" TEXT="#ffffe8" LINK="#ccffff" VLINK="#33ccff" BACKGROUND="/images/back10.jpg"');
  htp.header(1,'stats Database Audit History');
  htp.tableopen('border','','','','width="100%"');
  htp.tablerowopen;

  htp.tableheader('Database');
  htp.tableheader('User Name');
  htp.tableheader('Object Name');
  htp.tableheader('Action');
  htp.tableheader('Return Code');
  htp.tableheader('Day');
  htp.tableheader('Month');
  htp.tableheader('Year');
  htp.tablerowclose;
  htp.tablerowopen;
  htp.tabledata(db_nm);
  htp.tabledata(user_nm);
  htp.tabledata(object_nm);
  htp.tabledata(action_nm);
  htp.tabledata(code);
  htp.tabledata(day);
  htp.tabledata(month);
  htp.tabledata(year);
  htp.tablerowclose;
  htp.tableclose;
  htp.hr;

  auditrpt (rptcode, db_name, user_name, object_name, action_name,
            rtcode, webday, webmnth, webyear);

  htp.hr;
  htp.print('<p><font SIZE=2><CITE>');
  htp.anchor('/','<img BORDER=0 SRC="/images/home-b.jpg">');
  htp.anchor('/webstats/owa/webstats.query','<img BORDER=0 SRC="/images/up-b.jpg">');
  BORDER=0 SRC="/images/mail-b.jpg">');
  htp.para;
  htp.img('/images/tag1.gif','bottom','Generated by Oracle WebServer');
  htp.bodyclose;
  htp.htmlclose;
end report;

-- Procedure auditrpt generates the Server Audit History Report
procedure auditrpt (rptcode in varchar2,
                    db_name in varchar2,
                    user_name in varchar2,

                    object_name in varchar2,
                    action_name in varchar2,
                    rt_code in varchar2,
                    webday in varchar2,
                    webmonth in varchar2,
                    webyear in varchar2) is
begin
  dataheader(rptcode);
  getdata (rptcode, db_name, user_name, object_name, action_name,
           rt_code, webday, webmonth, webyear);
  datafooter;
  htp.para;
end auditrpt;

-- Procedure dataheader creates the table header for report data
procedure dataheader (rptcode in varchar2) is
begin
  htp.tableopen('border','','','','width="100%"');
  if rptcode = 'session' then
    htp.tablecaption('<b>User Session History</B>');
    htp.tablerowopen;
    htp.tableheader('Database',cattributes=>'valign="bottom" width=');
    htp.tableheader('Timestamp',cattributes=>'valign="bottom" width=');
    htp.tableheader('SID',cattributes=>'valign="bottom" width=');
    htp.tableheader('User Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('OS User Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Action Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Return Code',cattributes=>'valign="bottom" width=');
    htp.tableheader('IP Address',cattributes=>'valign="bottom" width=');
    htp.tablerowclose;
  else
    htp.tablecaption('<b>Object/Statement History</B>');
    htp.tablerowopen;
    htp.tableheader('Database',cattributes=>'valign="bottom" width=');
    htp.tableheader('Timestamp',cattributes=>'valign="bottom" width=');
    htp.tableheader('SID',cattributes=>'valign="bottom" width=');
    htp.tableheader('User Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Action Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Object Owner',cattributes=>'valign="bottom" width=');
    htp.tableheader('Object Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Return Code',cattributes=>'valign="bottom" width=');
    htp.tablerowclose;

  end if;
end dataheader;

-- Procedure datafooter creates the table footer for report data
procedure datafooter is
begin
  htp.tableclose;
end datafooter;

-- Procedure getdata generates the data tables for the reports.
-- All user-supplied criteria are passed as bind variables, never
-- concatenated into the query text.
procedure getdata (rptcode in varchar2,
                   db_name in varchar2,
                   user_name in varchar2,
                   object_name in varchar2,
                   action_name in varchar2,
                   rtcode in varchar2,
                   webday in varchar2,
                   webmonth in varchar2,
                   webyear in varchar2) is
  querystr varchar2(2000);
begin
  if rptcode = 'session' then
    querystr := 'select db_id,
                        to_char(timestamp,''dd-mon-yy HH24:MI:SS''),
                        sessionid, username, os_username, action_name,
                        returncode, ip_address
                   from eagle.audit_client_session
                  where db_id like :db_nm
                    and username like :user_nm
                    and returncode like :code
                    and to_char(timestamp,''dd'') like :webday
                    and to_char(timestamp,''month'') like :webmnth
                    and to_char(timestamp,''yyyy'') like :webyear
                  order by timestamp';
    owa_sql.cells_from_query(
      owa_sql.init(querystr,
                   ':db_nm',db_name,
                   ':user_nm',user_name,
                   ':code',rtcode,
                   ':webday',webday,
                   ':webmnth',webmonth,
                   ':webyear',webyear),

      10000,'Yes');
  else
    querystr := 'select db_id,
                        to_char(timestamp,''dd-mon-yy HH24:MI:SS''),
                        sessionid, username, action_name, owner,
                        object_name, returncode
                   from eagle.audit_trail_view
                  where action like :action_nm
                    and db_id like :db_nm
                    and username like :user_nm
                    and object_name like :object_nm
                    and returncode like :code
                    and to_char(timestamp,''dd'') like :webday
                    and to_char(timestamp,''month'') like :webmnth
                    and to_char(timestamp,''yyyy'') like :webyear
                  order by timestamp';
    owa_sql.cells_from_query(
      owa_sql.init(querystr,
                   ':action_nm',action_name,
                   ':db_nm',db_name,
                   ':user_nm',user_name,
                   ':object_nm',object_name,
                   ':code',rtcode,
                   ':webday',webday,
                   ':webmnth',webmonth,
                   ':webyear',webyear),
      10000,'Yes');
  end if;
end getdata;

end;

Audit Trail Configuration

Identify the tablespace in which the audit trail table is located.

select table_name, tablespace_name
  from dba_tables
 where table_name = 'AUD$'
   and owner like 'SYS%';

The following instructions are excerpts from Conference Paper 139: Enhancing Database Security: Monitoring Audit Trails Using Enterprise Manager.

Special Note

Changing either the location or the ownership of AUD$ is a configuration change that is not supported by Oracle Technical Support. Take care when performing the following steps to ensure the procedures are followed exactly. While the authors have tested these scripts on a variety of Oracle versions and OS platforms, no warranty, expressed or implicit, is given that you will have the same results.

Step 1

If auditing is already enabled in the database, it will need to temporarily be disabled while these changes are made. In the init.ora file, make sure that the audit trail parameter is turned off. Make sure that the value of this parameter is set to none. If the value of this parameter is changed, the database will need to be restarted for the change to take effect.

Step 2

Check to see if there is already an auditing tablespace in the database. Connect internal using Server Manager and run the following command.

select tablespace_name from dba_tablespaces;

TABLESPACE_NAME
------------------------------
SYSTEM
USER_DATA
ROLLBACK_DATA
TEMPORARY_DATA

Step 3

If an auditing tablespace does not exist, execute the following commands as SYS (or internal). Substitute a file name appropriate to the local operating system, and enter storage parameters consistent with the rest of the database.

create tablespace "DBAUDIT"
  datafile '<use appropriate file name>' size 1m
  default storage (initial 128k next 128k pctincrease 0);

Repeat the query from Step 2 to verify that the auditing tablespace has been correctly created.

Step 4

Create the new audit trail table by executing the following commands as SYS (or internal). Substitute storage parameters consistent with the rest of the database.

rename aud$ to aud$_temp;

create table system.aud$
  tablespace "DBAUDIT"
  storage (initial 64k next 64k pctincrease 0)
  as select * from aud$_temp;

Step 5

Connect as SYSTEM and execute the following commands to index and set permissions on the new audit trail (again substituting appropriate storage parameters):

create index i_aud1 on aud$(sessionid,ses$tid)
  tablespace "DBAUDIT"
  storage (initial 64k next 64k pctincrease 0);

grant all on aud$ to sys with grant option;

Step 6

Connect internal from Server Manager and run these commands to reset and rebuild the auditing portions of Oracle's data dictionary:

create view aud$ as select * from
(if you are using Oracle for Windows95 or WindowsNT, then run %ORACLE_HOME%\rdbms73\admin\cataudit.sql or %ORACLE_HOME%\rdbms80\admin\cataudit.sql)

WatchDog Installation

The following instructions are excerpts from Conference Paper 139: Enhancing Database Security: Monitoring Audit Trails Using Enterprise Manager.

Step 7

SYSTEM now owns the audit trail. Stop the database and set the following initialization parameters, then restart:

audit_trail = db
utl_file_dir = /your/alert/log/directory/path

where the directory in utl_file_dir is the directory which contains the database alert log; this will allow the audit trail trigger to update the alert log when an audited event is detected. Any previously existing audits should be unaffected; all new entries will be written to the new table owned by SYSTEM. The WatchDog trigger can now be written against AUD$ to automate responses to various events that may show up, like failed logins or other unusual activities.

Step 8

Make sure any audits that need to be monitored are in place. The following examples will use the session audit to determine when a login to the database has failed. The session audit is enabled by a DBA with the following command, issued from Server Manager.

AUDIT SESSION;

Securing the UTL_FILE Package

Before the WatchDog trigger is created, there are some additional security enhancements that can be made to the database. The UTL_FILE package available in Oracle 7.3 and higher allows stored procedures to have access to operating system files and directories on the server machine. This package will allow the WatchDog audit trail trigger to access the database alert log.

UTL_FILE access to operating system directories is controlled by the UTL_FILE_DIR parameter in the init.ora file for the database. Only files in designated directories can be accessed by UTL_FILE. By default, execute on UTL_FILE is granted to public, which means that any user in the database has potential read-write access as the Oracle software owner to the UTL_FILE directories (including the alert log, when the WatchDog configuration changes in Step 7 are made). This is true even if the user has no other privileges or no user account on the server operating system. Execute on UTL_FILE should only be granted on an individual basis to trusted and approved users (preferably only DBAs or trusted software administrators).
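
One way to carry out the UTL_FILE lockdown described above, as an added example that is not part of the original paper. It assumes SYSTEM is the schema that will own the WatchDog trigger (SYSTEM owns AUD$ after Step 7); substitute the approved accounts for your site.

```sql
-- Added example: run as SYS (or internal).
-- Assumption: SYSTEM is the approved owner of the WatchDog trigger.

-- 1. Which directories are exposed through UTL_FILE?
select name, value
  from v$parameter
 where name = 'utl_file_dir';

-- 2. Who can execute UTL_FILE today? A row with GRANTEE = 'PUBLIC' means
--    every database account can read and write files in those directories
--    with the operating system rights of the Oracle software owner.
select grantee, privilege, grantable
  from dba_tab_privs
 where owner = 'SYS'
   and table_name = 'UTL_FILE'
 order by grantee;

-- 3. Which stored code already depends on UTL_FILE? These objects become
--    invalid after the revoke unless their owner receives a direct grant,
--    so review this list before removing the PUBLIC grant. The filter is
--    on the name only so that references made through the public synonym
--    are also listed.
select owner, name, type
  from dba_dependencies
 where referenced_name = 'UTL_FILE'
   and owner <> 'SYS'
 order by owner, name;

-- 4. Remove the blanket grant, then grant back only to approved owners.
--    Grant directly to the user: privileges held only through a role are
--    not used when a trigger or definer's-rights procedure is compiled.
revoke execute on sys.utl_file from public;
grant execute on sys.utl_file to system;

-- 5. Confirm the result: PUBLIC should no longer appear, and any object
--    left invalid by the revoke shows up in the second query.
select grantee, privilege
  from dba_tab_privs
 where owner = 'SYS'
   and table_name = 'UTL_FILE'
 order by grantee;

select owner, object_name, object_type
  from dba_objects
 where status = 'INVALID'
 order by owner, object_name;
```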


Backing up and restoring HP Systems Insight Manager 6.0 or greater data files in a Windows environment Technical white paper Backing up and restoring HP Systems Insight Manager 6.0 or greater data files in a Windows environment Table of contents Abstract 2 Introduction 2 Saving and restoring data files

More information

Advanced SQL Injection in Oracle databases. Esteban Martínez Fayó

Advanced SQL Injection in Oracle databases. Esteban Martínez Fayó Advanced SQL Injection in Oracle databases Esteban Martínez Fayó February 2005 Outline Introduction SQL Injection attacks How to exploit Exploit examples SQL Injection in functions defined with AUTHID

More information

Backup Types. Backup and Recovery. Categories of Failures. Issues. Logical. Cold. Hot. Physical With. Statement failure

Backup Types. Backup and Recovery. Categories of Failures. Issues. Logical. Cold. Hot. Physical With. Statement failure Backup Types Logical Backup and Recovery Cold Hot Physical With Without Issues Categories of Failures Protectthe database from numerous types of failures Increase Mean-Time-Between-Failures (MTBF) Decrease

More information

Migrate Topaz databases from One Server to Another

Migrate Topaz databases from One Server to Another Title Migrate Topaz databases from One Server to Another Author: Olivier Lauret Date: November 2004 Modified: Category: Topaz/BAC Version: Topaz 4.5.2, BAC 5.0 and BAC 5.1 Migrate Topaz databases from

More information

Lesson 5 Administrative Users

Lesson 5 Administrative Users Administrative Users 5.1 Lesson 5 Administrative Users A practical and hands-on lesson on creating and using Oracle administrative users. SKILLBUILDERS Administrative Users 5.2 Lesson Objectives Understand

More information

D12C-AIU Oracle Database 12c: Admin, Install and Upgrade Accelerated NEW

D12C-AIU Oracle Database 12c: Admin, Install and Upgrade Accelerated NEW D12C-AIU Oracle Database 12c: Admin, Install and Upgrade Accelerated NEW Duration: 5 Days What you will learn This Oracle Database 12c: Admin, Install and Upgrade Accelerated course will provide you with

More information

Database Extensions Visual Walkthrough. PowerSchool Student Information System

Database Extensions Visual Walkthrough. PowerSchool Student Information System PowerSchool Student Information System Released October 7, 2013 Document Owner: Documentation Services This edition applies to Release 7.9.x of the PowerSchool software and to all subsequent releases and

More information

Security Target for. Security Evaluations Oracle Corporation 500 Oracle Parkway Redwood Shores, CA 94065

Security Target for. Security Evaluations Oracle Corporation 500 Oracle Parkway Redwood Shores, CA 94065 Security Target for Oracle Database 11g Release 2 (11.2.0.2) Standard Edition and Standard Edition One October 2011 Version 1.3 Security Evaluations Oracle Corporation 500 Oracle Parkway Redwood Shores,

More information

How To Secure The Org Database

How To Secure The Org Database Oracle Database Security Checklist An Oracle White Paper June 2008 Oracle Database Security Checklist Protecting the database environment... 3 Install only what is required... 3 Lock and expire default

More information

Setting up the Oracle Warehouse Builder Project. Topics. Overview. Purpose

Setting up the Oracle Warehouse Builder Project. Topics. Overview. Purpose Setting up the Oracle Warehouse Builder Project Purpose In this tutorial, you setup and configure the project environment for Oracle Warehouse Builder 10g Release 2. You create a Warehouse Builder repository

More information

Guide to Auditing and Logging in the Oracle E-Business Suite

Guide to Auditing and Logging in the Oracle E-Business Suite Guide to Auditing and Logging in the Oracle E-Business Suite February 13, 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Mike Miller Chief Security Officer Integrigy Corporation Phil

More information

How To Use A Computer System With A Powerpoint (Orchestra) On A Pc Or Macbook (Orroboro) On An Unix System (Ororrobero) For A Long Time (Ora) On Your

How To Use A Computer System With A Powerpoint (Orchestra) On A Pc Or Macbook (Orroboro) On An Unix System (Ororrobero) For A Long Time (Ora) On Your Oracle Database Security Benchmark v1.2 For Oracle Version 8i 1 and 2 Copyright 2003, The Center for Internet Security www.cisecurity.org Page 2 of 48 Agreed Terms of Use Background. CIS provides benchmarks,

More information

How To Secure Your Database On Oracle.Org

How To Secure Your Database On Oracle.Org Checklist Application Report for Oracle Database Administration Table of Contents 1. Lock and expire default user accounts 2. Document database incident response and escalation procedure 3. Review log

More information

A basic create statement for a simple student table would look like the following.

A basic create statement for a simple student table would look like the following. Creating Tables A basic create statement for a simple student table would look like the following. create table Student (SID varchar(10), FirstName varchar(30), LastName varchar(30), EmailAddress varchar(30));

More information

MyOra 3.0. User Guide. SQL Tool for Oracle. Jayam Systems, LLC

MyOra 3.0. User Guide. SQL Tool for Oracle. Jayam Systems, LLC MyOra 3.0 SQL Tool for Oracle User Guide Jayam Systems, LLC Contents Features... 4 Connecting to the Database... 5 Login... 5 Login History... 6 Connection Indicator... 6 Closing the Connection... 7 SQL

More information

Delivery Method: Instructor-led, group-paced, classroom-delivery learning model with structured, hands-on activities.

Delivery Method: Instructor-led, group-paced, classroom-delivery learning model with structured, hands-on activities. Course Code: Title: Format: Duration: SSD024 Oracle 11g DBA I Instructor led 5 days Course Description Through hands-on experience administering an Oracle 11g database, you will gain an understanding of

More information

Cross Platform Transportable Tablespaces Migration in Oracle 11g

Cross Platform Transportable Tablespaces Migration in Oracle 11g Cross Platform Transportable Tablespaces Migration in Oracle 11g Prepared by ViSolve Migration Team June 2012 Contact ViSolve, Inc. 4010, Moorpark Avenue, #205 San Jose, California 95117 (602) 842 2738

More information

DB2 - DATABASE SECURITY

DB2 - DATABASE SECURITY DB2 - DATABASE SECURITY http://www.tutorialspoint.com/db2/db2_database_security.htm Copyright tutorialspoint.com This chapter describes database security. Introduction DB2 database and functions can be

More information

Oracle 10g PL/SQL Training

Oracle 10g PL/SQL Training Oracle 10g PL/SQL Training Course Number: ORCL PS01 Length: 3 Day(s) Certification Exam This course will help you prepare for the following exams: 1Z0 042 1Z0 043 Course Overview PL/SQL is Oracle's Procedural

More information

UNIVERSITY AUTHORISED EDUCATION PARTNER (WDP)

UNIVERSITY AUTHORISED EDUCATION PARTNER (WDP) Audience Data Warehouse Administrator Database Administrators Database Designers Support Engineer Technical Administrator Related Training Required Prerequisites Working knowledge of SQL and use of PL/SQL

More information

MyOra 3.5. User Guide. SQL Tool for Oracle. Kris Murthy

MyOra 3.5. User Guide. SQL Tool for Oracle. Kris Murthy MyOra 3.5 SQL Tool for Oracle User Guide Kris Murthy Contents Features... 4 Connecting to the Database... 5 Login... 5 Login History... 6 Connection Indicator... 6 Closing the Connection... 7 SQL Editor...

More information

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions Oracle Database 11g: Security Release 2 In this course, students learn how they can use Oracle Database features to meet the security, privacy and compliance requirements of their organization. The current

More information

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals November 13, 2014 Michael Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer

More information

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite WHITE PAPER Guide to Auditing and Logging in the Oracle E-Business Suite APRIL 2016 GUIDE TO AUDITING AND LOGGING IN THE ORACLE E-BUSINESS SUITE Version 1.0 March 2003 Version 1.1 February 2004 Version

More information

CLC Server Command Line Tools USER MANUAL

CLC Server Command Line Tools USER MANUAL CLC Server Command Line Tools USER MANUAL Manual for CLC Server Command Line Tools 2.5 Windows, Mac OS X and Linux September 4, 2015 This software is for research purposes only. QIAGEN Aarhus A/S Silkeborgvej

More information

Oracle Database 10g: Program with PL/SQL

Oracle Database 10g: Program with PL/SQL Oracle University Contact Us: Local: 1800 425 8877 Intl: +91 80 4108 4700 Oracle Database 10g: Program with PL/SQL Duration: 5 Days What you will learn This course introduces students to PL/SQL and helps

More information

Database Security. Oracle Database 12c - New Features and Planning Now

Database Security. Oracle Database 12c - New Features and Planning Now Database Security Oracle Database 12c - New Features and Planning Now Michelle Malcher Oracle ACE Director Data Services Team Lead at DRW IOUG, Board of Directors Author, Oracle Database Administration

More information

SPI Backup via Remote Terminal

SPI Backup via Remote Terminal FLUOR SPI Backup via Remote Terminal SmartPlant Implementation Team By Mitch Fortey Copyright 2014 Fluor Corporation all rights reserved SPI Back Up via Remote Terminal Data Backup 101 Why do we backup

More information

Oracle Database. 2 Day + Security Guide 11g Release 1 (11.1) B28337-07

Oracle Database. 2 Day + Security Guide 11g Release 1 (11.1) B28337-07 Oracle Database 2 Day + Security Guide 11g Release 1 (11.1) B28337-07 June 2011 Oracle Database 2 Day + Security Guide, 11g Release 1 (11.1) B28337-07 Copyright 2006, 2011, Oracle and/or its affiliates.

More information

ORACLE DATABASE SECURITY. Keywords: data security, password administration, Oracle HTTP Server, OracleAS, access control.

ORACLE DATABASE SECURITY. Keywords: data security, password administration, Oracle HTTP Server, OracleAS, access control. ORACLE DATABASE SECURITY Cristina-Maria Titrade 1 Abstract This paper presents some security issues, namely security database system level, data level security, user-level security, user management, resource

More information

Setting up SQL Translation Framework OBE for Database 12cR1

Setting up SQL Translation Framework OBE for Database 12cR1 Setting up SQL Translation Framework OBE for Database 12cR1 Overview Purpose This tutorial shows you how to use have an environment ready to demo the new Oracle Database 12c feature, SQL Translation Framework,

More information

Managing a Distributed Database

Managing a Distributed Database Unit 7 Managing a Distributed Database Structure: 7.1 Introduction 7.2 Managing Global Names in a Distributed System 7.2.1 Understanding How Global Database Names Are Formed 7.2.2 Determining Whether Global

More information

Oracle Database: Introduction to SQL

Oracle Database: Introduction to SQL Oracle University Contact Us: +381 11 2016811 Oracle Database: Introduction to SQL Duration: 5 Days What you will learn Understanding the basic concepts of relational databases ensure refined code by developers.

More information

news from Tom Bacon about Monday's lecture

news from Tom Bacon about Monday's lecture ECRIC news from Tom Bacon about Monday's lecture I won't be at the lecture on Monday due to the work swamp. The plan is still to try and get into the data centre in two weeks time and do the next migration,

More information

March 9 th, 2010. Oracle Total Recall

March 9 th, 2010. Oracle Total Recall March 9 th, 2010 Oracle Total Recall Agenda Flashback Data Archive Why we need Historical Data Pre-11g methods for Historical data Oracle Total Recall overview FDA Architecture Creating and Enabling FDA

More information

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite WHITE PAPER Guide to Auditing and Logging in the Oracle E-Business Suite FEBRUARY 2014 GUIDE TO AUDITING AND LOGGING IN THE ORACLE E-BUSINESS SUITE Version 1.0 March 2003 Version 1.1 February 2004 Version

More information

Oracle Database Security Solutions

Oracle Database Security Solutions Oracle Database Security Solutions Eric Cheung Senior Manager, Technology Sales Consulting Eric.cheung@oracle.com May 2008 Key Drivers for Data Security Privacy and Compliance Sarbanes-Oxley

More information

Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation

Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts May 15, 2014 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy

More information

Oracle Database Security Myths

Oracle Database Security Myths Oracle Database Security Myths December 13, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About Integrigy ERP Applications

More information

How To Use The Correlog With The Cpl Powerpoint Powerpoint Cpl.Org Powerpoint.Org (Powerpoint) Powerpoint (Powerplst) And Powerpoint 2 (Powerstation) (Powerpoints) (Operations

How To Use The Correlog With The Cpl Powerpoint Powerpoint Cpl.Org Powerpoint.Org (Powerpoint) Powerpoint (Powerplst) And Powerpoint 2 (Powerstation) (Powerpoints) (Operations orrelog SQL Table Monitor Adapter Users Manual http://www.correlog.com mailto:info@correlog.com CorreLog, SQL Table Monitor Users Manual Copyright 2008-2015, CorreLog, Inc. All rights reserved. No part

More information

Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking. Lucy Feng

Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking. Lucy Feng Delivering Oracle Success Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking Lucy Feng RMOUG Training Days February 2012 About DBAK Oracle Solution

More information

Database Extension 1.5 ez Publish Extension Manual

Database Extension 1.5 ez Publish Extension Manual Database Extension 1.5 ez Publish Extension Manual 1999 2012 ez Systems AS Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License,Version

More information

Oracle Database: Introduction to SQL

Oracle Database: Introduction to SQL Oracle University Contact Us: 1.800.529.0165 Oracle Database: Introduction to SQL Duration: 5 Days What you will learn View a newer version of this course This Oracle Database: Introduction to SQL training

More information

Database Assessment. Vulnerability Assessment Course

Database Assessment. Vulnerability Assessment Course Database Assessment Vulnerability Assessment Course All materials are licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/ 2 Agenda Introduction Configuration

More information

Oracle Database Development Standards For DNR Staff and Contractors. Table of Contents

Oracle Database Development Standards For DNR Staff and Contractors. Table of Contents Oracle Database Development Standards For DNR Staff and Contractors Table of Contents INTRODUCTION...2 DATABASE ORGANIZATION...2 DATABASE PROCEDURES...3 Development...3 Testing...3 Production Release...4

More information

StreamServe Persuasion SP5 Oracle Database

StreamServe Persuasion SP5 Oracle Database StreamServe Persuasion SP5 Oracle Database Database Guidelines Rev A StreamServe Persuasion SP5 Oracle Database Database Guidelines Rev A 2001-2011 STREAMSERVE, INC. ALL RIGHTS RESERVED United States patent

More information

Workflow Templates Library

Workflow Templates Library Workflow s Library Table of Contents Intro... 2 Active Directory... 3 Application... 5 Cisco... 7 Database... 8 Excel Automation... 9 Files and Folders... 10 FTP Tasks... 13 Incident Management... 14 Security

More information

Oracle Database 11g: Security

Oracle Database 11g: Security Oracle Database 11g: Security Student Guide D52365GC10 Edition 1.0 October 2007 PRODUCTION This documentation contains proprietary information of Oracle Corporation. It is provided under a license agreement

More information

Embarcadero Performance Center 2.7 Installation Guide

Embarcadero Performance Center 2.7 Installation Guide Embarcadero Performance Center 2.7 Installation Guide Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco, CA 94111 U.S.A.

More information

Division of IT Security Best Practices for Database Management Systems

Division of IT Security Best Practices for Database Management Systems Division of IT Security Best Practices for Database Management Systems 1. Protect Sensitive Data 1.1. Label objects containing or having dedicated access to sensitive data. 1.1.1. All new SCHEMA/DATABASES

More information

Microsoft SQL Server Security Best Practices

Microsoft SQL Server Security Best Practices Microsoft SQL Server Security Best Practices This white paper contains administrative and operational best practices that should be performed from a security perspective when using Microsoft SQL Server.

More information

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security An Introduction to SQL Injection Attacks for Oracle Developers January 2004 INTEGRIGY Mission Critical Applications Mission Critical Security An Introduction to SQL Injection Attacks for Oracle Developers

More information

Have your objects been tampered with? The Problem. By Pete Finnigan

Have your objects been tampered with? The Problem. By Pete Finnigan Have your objects been tampered with? By Pete Finnigan The Problem How would you know if an attacker had been into your production database and altered any of your database objects or altered some of your

More information

Handling Exceptions. Schedule: Timing Topic 45 minutes Lecture 20 minutes Practice 65 minutes Total

Handling Exceptions. Schedule: Timing Topic 45 minutes Lecture 20 minutes Practice 65 minutes Total Handling Exceptions Schedule: Timing Topic 45 minutes Lecture 20 minutes Practice 65 minutes Total Objectives After completing this lesson, you should be able to do the following: Define PL/SQL exceptions

More information