Enhancing Database Security: Concepts and Tools for the DBA
Scripts & Source Code
Peter J. Magee, CDA, SQRIBE Technologies


Passwords in Command Lines

Fix for the ctxctl script to eliminate the appearance of the CTXSYS password in the command line, where it is visible to every local user through "ps -ef".

1. Copy ctxctl to ctxctl.secure.

2. In ctxctl.secure, replace the following command line (line 312):

      $exe -user $username/$password -personality $mask >> /dev/null &

   with these lines:

      CTX_PASS=$username/$password
      export CTX_PASS
      $ORACLE_HOME/bin/ctxsecure $exe $mask &
      CTX_PASS=
      export CTX_PASS

3. Create a script called ctxsecure in the $ORACLE_HOME/bin directory:

      #
      # File:     ctxsecure
      # Location: $ORACLE_HOME/bin
      #
      # This file calls the specified ConText executable application,
      # but prevents the CTXSYS userid and password from appearing in
      # the command line, where they would be visible to a "ps -ef"
      # command. The connect string is passed on standard input instead.
      #
      # Inputs:  $1         Executable ConText file name
      #          $2         Personality flag for server
      #          $CTX_PASS  An environment variable holding the CTXSYS
      #                     user id and password
      #
      $1 -personality $2 >> /dev/null <<CTXEND
      ${CTX_PASS}
      CTXEND

Mini-Lesson M6, Scripts & Source Code / Page 1

Note: do not place the customary #!/bin/sh in the first line of ctxsecure; it is meant to run in the shell environment set up by ctxctl.secure, where $CTX_PASS has already been exported. If ctxsecure is run on its own from a shell in which $CTX_PASS is unset, the heredoc is empty and the login fails. Keep in mind what this fix does and does not hide: the connect string no longer appears in the argument list shown by "ps -ef", but it is still present in the environment of ctxsecure and of the ConText server it starts, which the oracle account and root can read (for example with the environment-printing options of ps). The fix removes the exposure to other local users; it does not protect the password from the account that owns the processes.

Once these steps are complete, use ctxctl.secure the same as you would use ctxctl. An additional process will be generated by ctxctl.secure for each ConText server, so "ps -ef" output would look something like this:

   oracle   $ORACLE_HOME/bin/ctxsrv -personality LQ
   oracle   /bin/sh ctxctl.secure

Initialization Parameters

Select the values of the security-related initialization parameters from the data dictionary:

   select *
     from v$parameter
    where name in ('audit_trail', 'db_encrypt_login', 'resource_limit',
                   'remote_os_authent', 'remote_os_roles', 'os_roles',
                   'utl_file_dir');

SQL*Net Firewalls

A sample protocol.ora file, located in the $ORACLE_HOME/network/admin directory. Once tcp.invited_nodes is set, the listener refuses TCP connections from any node that is not listed (additional host names or IP addresses are separated by commas):

   tcp.validnode_checking = yes
   tcp.invited_nodes = (drummer.us.com, ...)

Application Users (OPS$ Users)

Identify externally authenticated user accounts:

   select username, password
     from dba_users
    where password = 'EXTERNAL';

System Privileges

Identify system privileges granted to users other than SYS, SYSTEM, or DBSNMP:

   select p.grantee, p.privilege
     from dba_sys_privs p, dba_users u
    where (u.username = p.grantee or p.grantee = 'PUBLIC')
      and p.grantee not in ('SYS','SYSTEM','DBSNMP');

Identify system privileges granted to roles other than DBA, RESOURCE, IMP_FULL_DATABASE, EXP_FULL_DATABASE, CONNECT, and SNMPAGENT:

   select p.grantee, p.privilege
     from dba_sys_privs p, dba_roles r
    where r.role = p.grantee
      and r.role not in ('DBA','RESOURCE','IMP_FULL_DATABASE','EXP_FULL_DATABASE',
                         'CONNECT','SNMPAGENT');
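The ctxsecure fix above keeps the connect string out of the argument vector by handing it to the server on standard input. The following Python script is an added example, not part of the lesson or of the ConText tooling: a small stand-in for the server reports the argv it was started with (which is what "ps -ef" shows to every local user) and reads its credentials from stdin when no -user argument is given, so the two launch styles can be compared directly. The user name, password and personality mask are constructed sample values.

```python
"""Added example: password on the command line versus password on stdin.

The child process stands in for the ConText server. It prints the argument
vector it was started with (exactly what `ps -ef` shows to every local user)
and takes its connect string either from a -user argument or, when that is
absent, from its first line of standard input (the ctxsecure heredoc).
"""
import os
import subprocess
import sys

# Source of the stand-in server, run with the same interpreter as this script.
CHILD_SRC = r"""
import sys
args = sys.argv[1:]
if "-user" in args:
    creds = args[args.index("-user") + 1]          # credential in argv
else:
    creds = sys.stdin.readline().rstrip("\n")      # credential on stdin
print("argv=" + " ".join(args))
print("user=" + creds.split("/", 1)[0])
"""


def _run(args, stdin_text=None, env=None):
    """Start the stand-in server; return (argv as ps would show it, user it logged in as)."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SRC, *args],
        input=stdin_text, env=env, capture_output=True, text=True, check=True,
    )
    fields = dict(line.split("=", 1) for line in proc.stdout.splitlines())
    return fields["argv"], fields["user"]


def launch_insecure(username, password, mask):
    """Original ctxctl line: $exe -user $username/$password -personality $mask."""
    return _run(["-user", f"{username}/{password}", "-personality", mask])


def launch_secure(username, password, mask):
    """ctxctl.secure plus ctxsecure: the credential is exported as CTX_PASS and
    written to the child's stdin, as the heredoc does; argv carries only the mask."""
    env = dict(os.environ, CTX_PASS=f"{username}/{password}")
    return _run(["-personality", mask], stdin_text=env["CTX_PASS"] + "\n", env=env)


def argv_exposes(argv_line, password):
    """True when a `ps -ef` line for the server would reveal the password."""
    return password in argv_line


if __name__ == "__main__":
    # Constructed sample credentials, not a real account.
    for launch in (launch_insecure, launch_secure):
        argv_line, user = launch("ctxsys", "s3cret!", "LQ")
        print(f"{launch.__name__:16} ps shows {argv_line!r:44} "
              f"leaked={argv_exposes(argv_line, 's3cret!')} user={user}")
```

launch_secure reproduces what ctxctl.secure and ctxsecure do together. The environment copy the child inherits is the remaining exposure: it is readable by the owning account and by root, not by other local users, which matches the caveat in the note above.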

The following system privileges should only be granted to administrators, never to application users:

   ANALYZE ANY
   AUDIT ANY
   AUDIT SYSTEM
   ALTER ANY CLUSTER
   DROP ANY CLUSTER
   ALTER DATABASE
   CREATE ANY INDEX
   ALTER ANY INDEX
   DROP ANY INDEX
   GRANT ANY PRIVILEGE
   CREATE ANY PROCEDURE
   ALTER ANY PROCEDURE
   DROP ANY PROCEDURE
   EXECUTE ANY PROCEDURE
   CREATE PROFILE
   ALTER PROFILE
   DROP PROFILE
   ALTER RESOURCE COST
   ALTER ANY ROLE
   DROP ANY ROLE
   GRANT ANY ROLE
   DROP ROLLBACK SEGMENT
   RESTRICTED SESSION
   CREATE ANY SEQUENCE
   ALTER ANY SEQUENCE
   DROP ANY SEQUENCE
   SELECT ANY SEQUENCE
   ALTER ANY SNAPSHOT
   DROP ANY SNAPSHOT
   CREATE ANY SYNONYM
   DROP ANY SYNONYM
   ALTER SYSTEM
   CREATE ANY TABLE
   ALTER ANY TABLE
   BACKUP ANY TABLE
   DROP ANY TABLE
   LOCK ANY TABLE
   COMMENT ANY TABLE
   SELECT ANY TABLE
   INSERT ANY TABLE
   UPDATE ANY TABLE
   DELETE ANY TABLE
   MANAGE TABLESPACE
   UNLIMITED TABLESPACE
   FORCE TRANSACTION
   FORCE ANY TRANSACTION
   CREATE ANY TRIGGER
   ALTER ANY TRIGGER
   DROP ANY TRIGGER
   BECOME USER
   CREATE ANY VIEW
   DROP ANY VIEW
   CREATE DATABASE LINK
   CREATE PUBLIC DATABASE LINK
   DROP PUBLIC DATABASE LINK
   CREATE PUBLIC SYNONYM
   DROP PUBLIC SYNONYM

Object Privileges

Identify users other than SYS and SYSTEM that have been granted ALTER or REFERENCES privileges (ALTER lets the grantee change the structure of the table; REFERENCES lets the grantee create a foreign key against it, which can block deletes of the parent rows):

   select t.grantee, t.owner || '.' || t.table_name, t.privilege
     from dba_tab_privs t, dba_users u
    where (u.username = t.grantee or t.grantee = 'PUBLIC')
      and t.privilege in ('ALTER','REFERENCES')
      and t.grantee not in ('SYS','SYSTEM');

Identify roles other than DBA, RESOURCE, IMP_FULL_DATABASE, EXP_FULL_DATABASE, and CONNECT that have been granted ALTER or REFERENCES privileges:

   select t.grantee, t.owner || '.' || t.table_name, t.privilege
     from dba_tab_privs t, dba_roles r
    where r.role = t.grantee
      and t.privilege in ('ALTER','REFERENCES')
      and r.role not in ('DBA','RESOURCE','IMP_FULL_DATABASE',
                         'EXP_FULL_DATABASE','CONNECT');

Administration Privileges

Identify users other than SYS and SYSTEM that have ADMIN privileges on system and object privileges:

   select p.grantee, p.privilege, p.admin_option
     from dba_sys_privs p, dba_users u
    where (u.username = p.grantee or p.grantee = 'PUBLIC')
      and p.admin_option = 'YES'
      and p.grantee not in ('SYS','SYSTEM');

Identify users other than SYS and SYSTEM that have ADMIN privileges on the Oracle default roles:

   select r.grantee, r.granted_role, r.admin_option
     from dba_role_privs r, dba_users u
    where u.username = r.grantee
      and r.granted_role in ('DBA','RESOURCE','IMP_FULL_DATABASE','EXP_FULL_DATABASE',
                             'CONNECT','SNMPAGENT')
      and r.admin_option = 'YES'
      and r.grantee not in ('SYS','SYSTEM');

Predefined Roles

Identify users that have been granted one of the Oracle default roles:

   select r.grantee, r.granted_role
     from dba_role_privs r
    where r.granted_role in ('DBA','EXP_FULL_DATABASE','IMP_FULL_DATABASE',
                             'OSOPER','OSDBA')
      and r.grantee not in ('SYS','SYSTEM','DBA');

Application Roles

Identify application roles and their properties:

   select r.role, r.password_required
     from dba_roles r
    where r.role not in ('DBA','RESOURCE','IMP_FULL_DATABASE',
                         'EXP_FULL_DATABASE','CONNECT','SNMPAGENT');

Identify users that have been assigned to application roles:

   select r.grantee, r.granted_role, r.admin_option
     from dba_role_privs r, dba_users u
    where u.username = r.grantee
      and r.granted_role not in ('DBA','RESOURCE','IMP_FULL_DATABASE',
                                 'EXP_FULL_DATABASE','CONNECT','SNMPAGENT');

User Profiles

Identify the idle time limit for each database user:

   select u.username, p.limit
     from dba_users u, dba_profiles p
    where u.profile = p.profile
      and p.resource_name = 'IDLE_TIME';

Alter the profile idle time:

   alter profile [profile name] limit idle_time [# minutes];

Resource limits such as IDLE_TIME are enforced only when the RESOURCE_LIMIT initialization parameter (listed in the v$parameter query above) is TRUE; the password limits described next are enforced regardless of that setting.

Oracle7 Profiles

Lock a user account: alter the encrypted password to an all-lowercase value. Oracle cannot produce that value from any password, so no login can match it and the account is effectively disabled:

   alter user [username] identified by values 'disabled';

Oracle8 Profiles

User profile creation: create a profile that does the following:

   - The user is timed out (disconnected) after 15 minutes of idle time.
   - The account is locked after 3 failed logins.
   - The account can only be unlocked by the DBA.
   - The user has a 3-day grace period after the password expires in which to change it (a warning is issued at each login during the grace period).
   - The user cannot repeat a password until it has been changed at least 10 times.
   - The password expires after 90 days.
   - The stored function verify_password is used to verify password complexity.

To create the profile, execute the following script (the lock duration parameter is PASSWORD_LOCK_TIME):

   CREATE PROFILE APP_USER LIMIT
      IDLE_TIME                15
      FAILED_LOGIN_ATTEMPTS    3
      PASSWORD_LOCK_TIME       UNLIMITED
      PASSWORD_GRACE_TIME      3
      PASSWORD_REUSE_MAX       10
      PASSWORD_LIFE_TIME       90
      PASSWORD_VERIFY_FUNCTION verify_password;

Once the profile is created, it is assigned to the user with the ALTER USER command:

   ALTER USER username PROFILE app_user;

Password verification function: based on the sample function in the Oracle documentation (utlpwdmg.sql), but more strict. Oracle requires the function to be owned by SYS, so create it while connected as SYS; it is named verify_password here to match the profile above.

   CREATE OR REPLACE FUNCTION verify_password
      (username     VARCHAR2,
       password     VARCHAR2,
       old_password VARCHAR2)
      RETURN BOOLEAN IS
      m          INTEGER;
      differ     INTEGER;
      isdigit    BOOLEAN;
      ischar     BOOLEAN;
      ispunct    BOOLEAN;
      digitarray VARCHAR2(20);
      punctarray VARCHAR2(25);
      chararray  VARCHAR2(52);
   BEGIN
      digitarray := '0123456789';
      chararray  := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
      punctarray := '!"#$%&()``*+,-/:;<=>?_';

      -- Check if the password is the same as the username
      IF password = username THEN
         raise_application_error(-20001, 'Password same as user');
      END IF;

      -- Check for the minimum length of the password (must be 6 or more)
      IF length(password) < 6 THEN
         raise_application_error(-20002, 'Password length less than 6');
      END IF;

      -- Check if the password is too simple. A dictionary of words may be
      -- maintained and checked so that words too simple for a password
      -- are not allowed.
      IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user',
                                 'password', 'oracle', 'computer', 'abcd') THEN
         raise_application_error(-20002, 'Password too simple');
      END IF;

      -- Check if the password contains at least one digit, one letter and
      -- one punctuation mark.
      -- 1. Check for the digit
      isdigit := FALSE;
      m := length(password);
      FOR i IN 1..10 LOOP
         FOR j IN 1..m LOOP
            IF substr(password,j,1) = substr(digitarray,i,1) THEN
               isdigit := TRUE;
               GOTO findchar;
            END IF;
         END LOOP;
      END LOOP;
      IF isdigit = FALSE THEN
         raise_application_error(-20003,
            'Password should contain at least one digit, one character and one punctuation');
      END IF;

      -- 2. Check for the character
      <<findchar>>
      ischar := FALSE;
      FOR i IN 1..length(chararray) LOOP
         FOR j IN 1..m LOOP
            IF substr(password,j,1) = substr(chararray,i,1) THEN
               ischar := TRUE;
               GOTO findpunct;
            END IF;
         END LOOP;
      END LOOP;
      IF ischar = FALSE THEN
         raise_application_error(-20003,
            'Password should contain at least one digit, one character and one punctuation');
      END IF;

      -- 3. Check for the punctuation
      <<findpunct>>
      ispunct := FALSE;
      FOR i IN 1..length(punctarray) LOOP
         FOR j IN 1..m LOOP
            IF substr(password,j,1) = substr(punctarray,i,1) THEN
               ispunct := TRUE;
               GOTO endsearch;
            END IF;
         END LOOP;
      END LOOP;
      IF ispunct = FALSE THEN
         raise_application_error(-20003,
            'Password should contain at least one digit, one character and one punctuation');
      END IF;

      <<endsearch>>
      -- Check if the password differs from the previous password by at
      -- least 3 characters. In Oracle an empty string is NULL, so the
      -- test "old_password = ''" in the original sample never matched;
      -- old_password is NULL when the caller did not supply the previous
      -- password, and the comparison is skipped in that case.
      IF old_password IS NOT NULL THEN
         differ := length(old_password) - length(password);
         IF abs(differ) < 3 THEN
            IF length(password) < length(old_password) THEN
               m := length(password);
            ELSE
               m := length(old_password);
            END IF;
            differ := abs(differ);
            FOR i IN 1..m LOOP
               IF substr(password,i,1) != substr(old_password,i,1) THEN
                  differ := differ + 1;
               END IF;
            END LOOP;
            IF differ < 3 THEN
               raise_application_error(-20004,
                  'Password should differ by at least 3 characters');
            END IF;
         END IF;
      END IF;

      -- Everything is fine; return TRUE
      RETURN(TRUE);
   END;
   /

Lock a user account (Oracle8):

   alter user [username] account lock;

Statement Level Audits

Generate a list of all statement level audits:

   select audit_option, success, failure from dba_stmt_audit_opts;

Enable the minimum required statement level audits:

   audit ALTER SYSTEM;
   audit INDEX;
   audit NOT EXISTS;
   audit SYSTEM GRANT;
   audit SYSTEM AUDIT;
   audit TABLE;
   audit TABLESPACE;
   audit USER;
   audit SESSION;
   audit RESTRICTED SESSION;

Object Level Audits

List objects that have object level audit options set but whose RENAME is not audited. Each option column holds a success/failure pair such as 'A/A' or 'S/S'; '-/-' means the action is not audited:

   select owner, object_name, object_type
     from dba_obj_audit_opts
    where ren = '-/-';

Identify all audits on the audit trail table:

   select owner || '.' || object_name, object_type,
          alt, aud, com, del, gra, ind, ins, loc, ren, sel, upd, ref, exe

     from dba_obj_audit_opts
    where owner like 'SYS%'
      and object_name = 'AUD$'
      and object_type = 'TABLE';

Set audit rename by default on all objects created after the command:

   audit rename on default;

Audit actions on the audit trail:

   audit all on sys.aud$;

or, if ownership of the audit trail has been changed:

   audit all on system.aud$;

Privilege Level Audits

Generate a list of all privilege level audits:

   select privilege, success, failure from dba_priv_audit_opts;

Enable the minimum required privilege level audits:

   audit ANALYZE ANY;
   audit AUDIT ANY;
   audit AUDIT SYSTEM;
   audit ALTER ANY CLUSTER;
   audit DROP ANY CLUSTER;
   audit ALTER DATABASE;
   audit CREATE ANY INDEX;
   audit ALTER ANY INDEX;
   audit DROP ANY INDEX;
   audit GRANT ANY PRIVILEGE;
   audit CREATE ANY PROCEDURE;
   audit ALTER ANY PROCEDURE;
   audit DROP ANY PROCEDURE;
   audit EXECUTE ANY PROCEDURE;
   audit CREATE PROFILE;
   audit ALTER PROFILE;
   audit DROP PROFILE;
   audit ALTER RESOURCE COST;
   audit DROP PUBLIC DATABASE LINK;
   audit DROP PUBLIC SYNONYM;
   audit ALTER ANY ROLE;
   audit DROP ANY ROLE;
   audit GRANT ANY ROLE;
   audit DROP ROLLBACK SEGMENT;
   audit CREATE ANY SEQUENCE;
   audit ALTER ANY SEQUENCE;
   audit DROP ANY SEQUENCE;
   audit SELECT ANY SEQUENCE;
   audit ALTER ANY SNAPSHOT;

   audit DROP ANY SNAPSHOT;
   audit CREATE ANY SYNONYM;
   audit DROP ANY SYNONYM;
   audit CREATE ANY TABLE;
   audit ALTER ANY TABLE;
   audit BACKUP ANY TABLE;
   audit DROP ANY TABLE;
   audit LOCK ANY TABLE;
   audit COMMENT ANY TABLE;
   audit SELECT ANY TABLE;
   audit INSERT ANY TABLE;
   audit UPDATE ANY TABLE;
   audit DELETE ANY TABLE;
   audit MANAGE TABLESPACE;
   audit UNLIMITED TABLESPACE;
   audit FORCE TRANSACTION;
   audit FORCE ANY TRANSACTION;
   audit CREATE ANY TRIGGER;
   audit ALTER ANY TRIGGER;
   audit DROP ANY TRIGGER;
   audit CREATE USER;
   audit BECOME USER;
   audit ALTER USER;
   audit DROP USER;
   audit CREATE ANY VIEW;
   audit DROP ANY VIEW;
   audit CREATE PUBLIC DATABASE LINK;
   audit DROP PUBLIC DATABASE LINK;
   audit CREATE PUBLIC SYNONYM;
   audit DROP PUBLIC SYNONYM;
   audit CREATE DATABASE LINK;

Audit Trail Maintenance

Set the following init.ora parameters and restart the database to initialize the Oracle job queue:

   JOB_QUEUE_PROCESSES = 1
   JOB_QUEUE_INTERVAL  = 30

Create the following stored procedure as SYSTEM through Server Manager or SQL*Plus. The procedure runs with the privileges of its owner, so SYSTEM needs DELETE on SYS.AUD$ granted directly, not through a role.

Oracle7 version:

   CREATE PROCEDURE TRIM_AUDIT_TRAIL AS
   BEGIN

      DELETE FROM SYS.AUD$ WHERE TIMESTAMP < TRUNC(SYSDATE-7);
      COMMIT;
   END TRIM_AUDIT_TRAIL;
   /

Oracle8 version:

   CREATE PROCEDURE TRIM_AUDIT_TRAIL AS
   BEGIN
      DELETE FROM SYS.AUD$ WHERE TIMESTAMP# < TRUNC(SYSDATE-7);
      COMMIT;
   END TRIM_AUDIT_TRAIL;
   /

Set the job to run once per day at midnight using Server Manager or SQL*Plus:

   VARIABLE JOBNUM NUMBER;
   BEGIN
      DBMS_JOB.SUBMIT(:JOBNUM, 'SYSTEM.TRIM_AUDIT_TRAIL;',
                      TRUNC(SYSDATE+1), 'TRUNC(SYSDATE+1)');
   END;
   /

Check on the status of the job using the DBA_JOBS or USER_JOBS views. If Eagle (below) collects this database's audit trail, schedule its watch to run more often than this trim job; entries deleted before Eagle has copied them are lost.

Eagle

Original Eagle DDL (by Jay Mehta, IOUG-A Select Magazine, April 1997):

   REM Name:        eddl.sql
   REM Description: Creates objects (tables/indexes) in the USERS and USERS_IDX tablespaces
   REM Usage:       Run this script from SQL*Plus, using the Eagle Oracle account
   REM
   CREATE TABLE WATCH (
      WATCH_ID        VARCHAR2(12)  NOT NULL,
      NAME            VARCHAR2(30)  NOT NULL,
      PREPARE1_CLAUSE VARCHAR2(512) NULL,
      PREPARE2_CLAUSE VARCHAR2(512) NULL,
      INSERT_CLAUSE   VARCHAR2(512) NOT NULL,
      SELECT_CLAUSE   VARCHAR2(512) NOT NULL,
      WHERE_CLAUSE    VARCHAR2(512) NULL,
      CLOSE1_CLAUSE   VARCHAR2(512) NULL,
      CLOSE2_CLAUSE   VARCHAR2(512) NULL,
      CONSTRAINT WATCH_PK PRIMARY KEY (WATCH_ID)
         USING INDEX TABLESPACE USERS_IDX STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0)
   ) TABLESPACE USERS STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0);

   CREATE TABLE DATABASE (
      DB_ID   VARCHAR2(12) NOT NULL,
      NAME    VARCHAR2(30) NOT NULL,
      DB_LINK VARCHAR2(30) NOT NULL,
      CONSTRAINT DATABASE_PK PRIMARY KEY (DB_ID)
         USING INDEX TABLESPACE USERS_IDX STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0)
   ) TABLESPACE USERS STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0);

   CREATE TABLE DB_WATCH (
      DB_ID     VARCHAR2(12) NOT NULL,
      WATCH_ID  VARCHAR2(12) NOT NULL,
      ACTIVE_YN VARCHAR2(1),
      CONSTRAINT DB_WATCH_PK PRIMARY KEY (DB_ID, WATCH_ID)
         USING INDEX TABLESPACE USERS_IDX STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0),
      CONSTRAINT DB_WATCH_FK1 FOREIGN KEY (DB_ID) REFERENCES DATABASE (DB_ID),
      CONSTRAINT DB_WATCH_FK2 FOREIGN KEY (WATCH_ID) REFERENCES WATCH (WATCH_ID)
   ) TABLESPACE USERS STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0);

   CREATE TABLE DB_WATCH_RESULT (
      DB_ID     VARCHAR2(12)  NOT NULL,
      WATCH_ID  VARCHAR2(12)  NOT NULL,
      RUN_TIME  DATE          NOT NULL,
      PARAMETER VARCHAR2(256) NULL,
      VALUE     NUMBER(12,2)  NOT NULL,
      CONSTRAINT DB_WATCH_RESULT_FK FOREIGN KEY (DB_ID, WATCH_ID)
         REFERENCES DB_WATCH (DB_ID, WATCH_ID)
   ) TABLESPACE USERS STORAGE (INITIAL 16K NEXT 16K PCTINCREASE 0);

Note: the sizes of the prepare, insert, select, where, and close clause fields in the WATCH table have been increased from the original 256 characters to 512 characters to accommodate the various watches described below. You may need to increase them further to support your own custom watches. You may also need to alter the storage parameters to fit your particular system.

Keep in mind that every clause stored in WATCH is executed verbatim by the engine with DBMS_SQL under the Eagle account, and through the database links as whatever account each link connects with. Anyone who can insert or update rows in WATCH or DB_WATCH can therefore run arbitrary SQL as Eagle. Grant write access to these two tables to the DBA only, and audit them.

Original Eagle PL/SQL Engine (by Jay Mehta, IOUG-A Select Magazine, April 1997):

   REM
   REM Name:        eplsql.sql
   REM Description: Create the PL/SQL procedure that executes active watches
   REM Usage:       Run from SQL*Plus, using the Eagle account
   REM
   CREATE OR REPLACE PROCEDURE EXECUTE_DB_WATCH AS
      CURSOR C_DB_WATCH IS
         SELECT DB_ID, WATCH_ID, ACTIVE_YN FROM DB_WATCH;
      db_watch_rec DB_WATCH%ROWTYPE;
      watch_rec    WATCH%ROWTYPE;
      database_rec DATABASE%ROWTYPE;
      sql_stmt     VARCHAR2(2000);   /* three 512-character clauses must fit */
      ret_val      INTEGER;
      cursor_id    INTEGER;
      c_get_data   INTEGER;
      temp_clause  VARCHAR2(256);
   BEGIN
      OPEN C_DB_WATCH;
      LOOP
         FETCH C_DB_WATCH INTO db_watch_rec;
         EXIT WHEN C_DB_WATCH%NOTFOUND;
         IF db_watch_rec.active_yn = 'Y' THEN
            /* fetch watch record */
            SELECT * INTO watch_rec FROM WATCH
             WHERE WATCH_ID = db_watch_rec.watch_id;
            /* fetch database record */
            SELECT * INTO database_rec FROM DATABASE
             WHERE DB_ID = db_watch_rec.db_id;
            watch_rec.select_clause := REPLACE(watch_rec.select_clause,
                                               '<DB_ID>', database_rec.db_id);

            watch_rec.select_clause := REPLACE(watch_rec.select_clause,
                                               '<DB_LINK>', database_rec.db_link);
            sql_stmt := watch_rec.insert_clause || watch_rec.select_clause ||
                        watch_rec.where_clause;
            IF watch_rec.prepare1_clause IS NOT NULL THEN
               watch_rec.prepare1_clause := REPLACE(watch_rec.prepare1_clause,
                                                    '<DB_LINK>', database_rec.db_link);
               cursor_id := DBMS_SQL.OPEN_CURSOR;
               DBMS_SQL.PARSE(cursor_id, watch_rec.prepare1_clause, DBMS_SQL.V7);
               ret_val := DBMS_SQL.EXECUTE(cursor_id);
               DBMS_SQL.CLOSE_CURSOR(cursor_id);
            END IF;
            IF watch_rec.prepare2_clause IS NOT NULL THEN
               watch_rec.prepare2_clause := REPLACE(watch_rec.prepare2_clause,
                                                    '<DB_LINK>', database_rec.db_link);
               cursor_id := DBMS_SQL.OPEN_CURSOR;
               DBMS_SQL.PARSE(cursor_id, watch_rec.prepare2_clause, DBMS_SQL.V7);
               ret_val := DBMS_SQL.EXECUTE(cursor_id);
               DBMS_SQL.CLOSE_CURSOR(cursor_id);
            END IF;
            c_get_data := DBMS_SQL.OPEN_CURSOR;
            DBMS_SQL.PARSE(c_get_data, sql_stmt, DBMS_SQL.V7);
            ret_val := DBMS_SQL.EXECUTE(c_get_data);
            DBMS_SQL.CLOSE_CURSOR(c_get_data);
            IF watch_rec.close1_clause IS NOT NULL THEN
               cursor_id := DBMS_SQL.OPEN_CURSOR;
               DBMS_SQL.PARSE(cursor_id, watch_rec.close1_clause, DBMS_SQL.V7);
               ret_val := DBMS_SQL.EXECUTE(cursor_id);
               DBMS_SQL.CLOSE_CURSOR(cursor_id);
            END IF;
            IF watch_rec.close2_clause IS NOT NULL THEN
               cursor_id := DBMS_SQL.OPEN_CURSOR;
               DBMS_SQL.PARSE(cursor_id, watch_rec.close2_clause, DBMS_SQL.V7);
               ret_val := DBMS_SQL.EXECUTE(cursor_id);
               DBMS_SQL.CLOSE_CURSOR(cursor_id);
            END IF;
         END IF;

      END LOOP;
   END;
   /

Eagle Enhanced

Replacement PL/SQL engine for Eagle:

   create or replace package eagle as
      /* procedure run is the top-level procedure that calls all others.
         A DBA can specify a specific database for monitoring, or let the
         procedure default to all databases. */
      procedure run (dbid in varchar2 default '%');

      /* procedure sqlexec opens a cursor for each SQL command and
         executes the command. */
      procedure sqlexec (querystr in varchar2, dbid in varchar2, dblink in varchar2);

      /* function sqlinit replaces the <DB_ID> and <DB_LINK> keywords in
         each SQL command with the appropriate database name and database
         link name. */
      function sqlinit (querystr in varchar2, dbid in varchar2, dblink in varchar2)
         return varchar2;
   end eagle;
   /

   create or replace package body eagle as

      no_connection EXCEPTION;
      PRAGMA EXCEPTION_INIT(no_connection, );

      procedure run (dbid in varchar2 default '%') is
         cursor c_db_watch (db varchar2) is
            select db_id, watch_id, active_yn
              from db_watch
             where db_id like db
             order by db_id;
         db_watch_rec db_watch%rowtype;
         watch_rec    watch%rowtype;
         database_rec database%rowtype;
         sqltext      varchar2(2000);
      begin
         /* Open the list of database watches for the specified database */
         open c_db_watch(dbid);
         loop
            /* Get the next database watch record, exit when no more records found */
            fetch c_db_watch into db_watch_rec;
            exit when c_db_watch%notfound;

            /* If the watch is active, then execute */
            if db_watch_rec.active_yn = 'Y' then
               /* Get the details for the watch and database */
               select * into watch_rec from watch
                where watch_id = db_watch_rec.watch_id;
               select * into database_rec from database
                where db_id = db_watch_rec.db_id;
               /* Execute the prepare clauses for the watch */
               sqlexec (watch_rec.prepare1_clause, database_rec.db_id, database_rec.db_link);
               sqlexec (watch_rec.prepare2_clause, database_rec.db_id, database_rec.db_link);
               /* Execute the watch insert as select command */
               sqltext := watch_rec.insert_clause || watch_rec.select_clause ||
                          watch_rec.where_clause;
               sqlexec (sqltext, database_rec.db_id, database_rec.db_link);
               /* Execute the close clauses for the watch */
               sqlexec (watch_rec.close1_clause, database_rec.db_id, database_rec.db_link);
               sqlexec (watch_rec.close2_clause, database_rec.db_id, database_rec.db_link);
            end if;
         end loop;
      end run;

      procedure sqlexec (querystr in varchar2, dbid in varchar2, dblink in varchar2) is
         sqltext   varchar2(2000);
         ret_val   integer;
         cursor_id integer;
      begin
         /* Determine if this SQL command is null */
         if querystr is not null then
            /* Initialize the SQL command by replacing keywords with values
               for db_id and db_link */
            sqltext := sqlinit (querystr, dbid, dblink);
            /* Open and execute the cursor for the SQL command */
            cursor_id := dbms_sql.open_cursor;
            dbms_sql.parse(cursor_id, sqltext, dbms_sql.v7);
            ret_val := dbms_sql.execute(cursor_id);
            /* Close the cursor and exit */

            dbms_sql.close_cursor(cursor_id);
         end if;
      exception
         /* When a connection to the target database is not found, proceed
            to the next watch */
         when no_connection then
            return;
      end sqlexec;

      function sqlinit (querystr in varchar2, dbid in varchar2, dblink in varchar2)
         return varchar2 is
         sqltext varchar2(2000);
      begin
         sqltext := querystr;
         /* replace() is case sensitive and the watches below write the
            keywords in both cases, so both spellings are handled */
         sqltext := replace(sqltext, '<DB_ID>',   dbid);
         sqltext := replace(sqltext, '<db_id>',   dbid);
         sqltext := replace(sqltext, '<DB_LINK>', dblink);
         sqltext := replace(sqltext, '<db_link>', dblink);
         return sqltext;
      end sqlinit;

   end eagle;
   /

Eagle Extended

The following scripts can be used to extend Eagle to collect audit trail information.

AUDIT_TRAIL DDL for Eagle in Oracle7:

   CREATE TABLE AUDIT_TRAIL (
      DB_ID           VARCHAR2(12)   NOT NULL,
      SESSIONID       NUMBER         NOT NULL,
      ENTRYID         NUMBER         NOT NULL,
      STATEMENT       NUMBER         NOT NULL,
      TIMESTAMP#      DATE           NOT NULL,
      USERID          VARCHAR2(30)   NULL,
      USERHOST        VARCHAR2(255)  NULL,
      TERMINAL        VARCHAR2(255)  NULL,
      ACTION#         NUMBER         NOT NULL,
      RETURNCODE      NUMBER         NOT NULL,
      OBJ$CREATOR     VARCHAR2(30)   NULL,
      OBJ$NAME        VARCHAR2(128)  NULL,
      AUTH$PRIVILEGES VARCHAR2(16)   NULL,
      AUTH$GRANTEE    VARCHAR2(30)   NULL,
      NEW$OWNER       VARCHAR2(30)   NULL,
      NEW$NAME        VARCHAR2(128)  NULL,
      SES$ACTIONS     VARCHAR2(19)   NULL,
      SES$TID         NUMBER         NULL,
      LOGOFF$LREAD    NUMBER         NULL,
      LOGOFF$PREAD    NUMBER         NULL,
      LOGOFF$LWRITE   NUMBER         NULL,
      LOGOFF$DEAD     NUMBER         NULL,
      LOGOFF$TIME     DATE           NULL,
      COMMENT$TEXT    VARCHAR2(2000) NULL,
      SPARE1          VARCHAR2(255)  NULL,
      SPARE2          NUMBER         NULL,
      OBJ$LABEL       RAW(255)       NULL,
      SES$LABEL       RAW(255)       NULL,
      PRIV$USED       NUMBER         NULL
   ) STORAGE (INITIAL 1M NEXT 1M MINEXTENTS 1 PCTINCREASE 0)
     TABLESPACE "DBAUDIT";

Note: the COMMENT$TEXT field from an Oracle8 database must be trimmed from varchar2(4000) to varchar2(2000) before it will fit in this table.

AUDIT_TRAIL DDL for Eagle in Oracle8:

   CREATE TABLE AUDIT_TRAIL (
      DB_ID           VARCHAR2(12)   NOT NULL,
      SESSIONID       NUMBER         NOT NULL,
      ENTRYID         NUMBER         NOT NULL,
      STATEMENT       NUMBER         NOT NULL,
      TIMESTAMP#      DATE           NOT NULL,
      USERID          VARCHAR2(30)   NULL,
      USERHOST        VARCHAR2(255)  NULL,
      TERMINAL        VARCHAR2(255)  NULL,
      ACTION#         NUMBER         NOT NULL,
      RETURNCODE      NUMBER         NOT NULL,
      OBJ$CREATOR     VARCHAR2(30)   NULL,
      OBJ$NAME        VARCHAR2(128)  NULL,
      AUTH$PRIVILEGES VARCHAR2(16)   NULL,
      AUTH$GRANTEE    VARCHAR2(30)   NULL,
      NEW$OWNER       VARCHAR2(30)   NULL,
      NEW$NAME        VARCHAR2(128)  NULL,
      SES$ACTIONS     VARCHAR2(19)   NULL,
      SES$TID         NUMBER         NULL,
      LOGOFF$LREAD    NUMBER         NULL,
      LOGOFF$PREAD    NUMBER         NULL,
      LOGOFF$LWRITE   NUMBER         NULL,
      LOGOFF$DEAD     NUMBER         NULL,
      LOGOFF$TIME     DATE           NULL,
      COMMENT$TEXT    VARCHAR2(4000) NULL,
      SPARE1          VARCHAR2(255)  NULL,
      SPARE2          NUMBER         NULL,
      OBJ$LABEL       RAW(255)       NULL,
      SES$LABEL       RAW(255)       NULL,
      PRIV$USED       NUMBER         NULL
   ) STORAGE (INITIAL 1M NEXT 1M MINEXTENTS 1 PCTINCREASE 0)
     TABLESPACE "DBAUDIT";

Note: all data from Oracle7 and Oracle8 audit trails can be stored in this table without being trimmed or altered.

Notes on both tables:

   - The SES$ACTIONS field was expanded from varchar2(16) to varchar2(19) to accommodate Oracle8 values.
   - The USERHOST field was expanded from varchar2(128) to varchar2(255) to accommodate Oracle7 values.
   - The TIMESTAMP and ACTION fields have been renamed, adding a '#' character to the end of each.

Copy the AUDIT_ACTIONS table into the Eagle schema for use in reports and views:

   CREATE TABLE EAGLE.AUDIT_ACTIONS TABLESPACE USERS
      AS SELECT * FROM SYS.AUDIT_ACTIONS;

There are three (3) different watches that can be used to collect audit trail data, depending on the version numbers of the Eagle database and the target database. Each watch will do the following:

   - Copy all audit entries from AUD$ in the target database to AUDIT_TRAIL in the Eagle database, adding the DB_ID field as a source identifier.
   - Copy only those entries made since the last time Eagle has run (no duplicates).
   - Automatically delete any entries more than 365 days old.

Two properties of this copy are worth knowing. The insert relies on "a.*", so the column order of AUDIT_TRAIL must match that of AUD$ (or of the AUD$_V7/AUD$_V8 views below) exactly. And because the watermark is the row's TIMESTAMP#, which for AUDIT SESSION records is the logon time, a session row copied while the session is still open is never refreshed: Oracle updates that row in place at logoff, but the copy in Eagle keeps its LOGOFF columns empty.

Use the following table to determine which audit watch to use for your systems.

   Eagle Database    Target Database: Oracle7    Target Database: Oracle8
   Oracle7           AUDIT_7_TO_8                AUDIT_8_TO_7
   Oracle8           AUDIT_7_TO_8                AUDIT_TRAIL

AUDIT_TRAIL Watch SQL: this watch is used when both the Eagle and target databases are Oracle8. The watch reads the target's AUD$ through the database link recorded for it in the DATABASE table, and all three watches compare and purge on TIMESTAMP#, the name the column carries in AUDIT_TRAIL.

   insert into watch (watch_id, name, prepare1_clause, insert_clause,
                      select_clause, where_clause, close1_clause)
   values ('AUDIT_TRAIL', 'Database Audit Trail',
           'delete from audit_trail where db_id=''<db_id>'' and timestamp# < (sysdate-365)',
           'insert into audit_trail ',
           'select ''<DB_ID>'', a.* from sys.aud$@<DB_LINK> a ',
           'where a.timestamp# > (select nvl(max(timestamp#),sysdate-1) from audit_trail where db_id=''<db_id>'')',
           'commit');

AUDIT_7_TO_8 Watch DDL: this watch is used when the target database is Oracle7 (the Eagle database can be either Oracle7 or Oracle8).

   insert into watch (watch_id, name, prepare1_clause, prepare2_clause, insert_clause,
                      select_clause, where_clause, close1_clause, close2_clause)
   values ('AUDIT_7_TO_8', 'Database Audit Trail (Oracle7)',
           'delete from audit_trail where db_id=''<db_id>'' and timestamp# < (sysdate-365)',
           'CREATE OR REPLACE VIEW AUD$_V8 AS SELECT SESSIONID, ENTRYID, STATEMENT,
            TIMESTAMP TIMESTAMP#, USERID, USERHOST, TERMINAL, ACTION ACTION#,
            RETURNCODE, OBJ$CREATOR,

            OBJ$NAME, AUTH$PRIVILEGES, AUTH$GRANTEE, NEW$OWNER, NEW$NAME,
            SES$ACTIONS, SES$TID, LOGOFF$LREAD, LOGOFF$PREAD, LOGOFF$LWRITE,
            LOGOFF$DEAD, LOGOFF$TIME, COMMENT$TEXT, SPARE1, SPARE2, OBJ$LABEL,
            SES$LABEL, PRIV$USED FROM SYS.AUD$@<DB_LINK>',
           'insert into audit_trail ',
           'select ''<DB_ID>'', a.* from aud$_v8 a ',
           'where a.timestamp# > (select nvl(max(timestamp#),sysdate-1) from audit_trail where db_id=''<db_id>'')',
           'commit',
           'drop view aud$_v8');

AUDIT_8_TO_7 Watch DDL: this watch is used when the Eagle database is Oracle7 and the target database is Oracle8 (COMMENT$TEXT is cut to the 2000 characters an Oracle7 VARCHAR2 can hold).

   insert into watch (watch_id, name, prepare1_clause, prepare2_clause, insert_clause,
                      select_clause, where_clause, close1_clause, close2_clause)
   values ('AUDIT_8_TO_7', 'Database Audit Trail (Oracle8)',
           'delete from audit_trail where db_id=''<db_id>'' and timestamp# < (sysdate-365)',
           'CREATE OR REPLACE VIEW AUD$_V7 AS SELECT SESSIONID, ENTRYID, STATEMENT,
            TIMESTAMP#, USERID, USERHOST, TERMINAL, ACTION#, RETURNCODE,
            OBJ$CREATOR, OBJ$NAME, AUTH$PRIVILEGES, AUTH$GRANTEE, NEW$OWNER,
            NEW$NAME, SES$ACTIONS, SES$TID, LOGOFF$LREAD, LOGOFF$PREAD,
            LOGOFF$LWRITE, LOGOFF$DEAD, LOGOFF$TIME,
            SUBSTR(COMMENT$TEXT,1,2000) COMMENT$TEXT, SPARE1, SPARE2,
            OBJ$LABEL, SES$LABEL, PRIV$USED FROM SYS.AUD$@<DB_LINK>',
           'insert into audit_trail ',
           'select ''<DB_ID>'', a.* from aud$_v7 a ',
           'where a.timestamp# > (select nvl(max(timestamp#),sysdate-1) from audit_trail where db_id=''<db_id>'')',
           'commit',
           'drop view aud$_v7');
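The three watches above all use the same rule for deciding what to copy: rows whose TIMESTAMP# is newer than the newest TIMESTAMP# Eagle already holds for that DB_ID. As an added example (Python, not part of Eagle or of the lesson), the following reproduces one watch run over constructed in-memory rows and shows how to make the copy robust to the two cases that rule handles poorly: rows that share the boundary second with the high-water mark, and AUDIT SESSION rows that Oracle updates in place at logoff. It re-reads a short window behind the watermark and upserts on the natural key (DB_ID, SESSIONID, ENTRYID, STATEMENT) instead of appending. Column names follow the AUDIT_TRAIL DDL above; the overlap window, the retention period and the sample rows are assumptions.

```python
"""Added example: the Eagle audit watch as an upsert over a watermark window.

`central` plays the role of EAGLE.AUDIT_TRAIL, keyed on the natural key of an
audit row; `source_rows` plays the role of SYS.AUD$ in one target database.
All rows here are constructed samples, not real audit data.
"""
from datetime import datetime, timedelta

NATURAL_KEY = ("sessionid", "entryid", "statement")
SAMPLE_T0 = datetime(1999, 3, 1, 9, 0, 0)       # constructed reference time


def watermark(central, db_id):
    """max(timestamp#) already held for this DB_ID, or None (the nvl() case)."""
    stamps = [r["timestamp#"] for r in central.values() if r["db_id"] == db_id]
    return max(stamps) if stamps else None


def collect(central, source_rows, db_id, now,
            overlap=timedelta(hours=1), retain_days=365):
    """One run of an audit watch for one target. Returns (inserted, updated, purged)."""
    hwm = watermark(central, db_id)
    # Watch where-clause: nvl(max(timestamp#), sysdate-1). Re-reading an
    # overlap window behind the watermark picks up rows that share the
    # boundary second and session rows rewritten at logoff; the natural key
    # keeps the re-read from producing duplicates.
    since = hwm - overlap if hwm else now - timedelta(days=1)
    inserted = updated = 0
    for row in source_rows:
        if row["timestamp#"] < since:
            continue
        key = (db_id,) + tuple(row[k] for k in NATURAL_KEY)
        new = dict(row, db_id=db_id)               # add DB_ID as source identifier
        old = central.get(key)
        if old is None:
            inserted += 1
        elif old != new:
            updated += 1                           # e.g. LOGOFF columns filled in
        else:
            continue
        central[key] = new
    # prepare1_clause: delete rows for this DB_ID older than the retention period
    cutoff = now - timedelta(days=retain_days)
    stale = [k for k, r in central.items()
             if r["db_id"] == db_id and r["timestamp#"] < cutoff]
    for k in stale:
        del central[k]
    return inserted, updated, len(stale)


def sample_source(t0, logged_off):
    """Constructed AUD$ rows for one target. With logged_off=True the session
    row has been updated in place by Oracle at logoff (action# 100 -> 101,
    LOGOFF$TIME filled) and a new row shares the second of the previous
    high-water mark."""
    session = {"sessionid": 1001, "entryid": 1, "statement": 1, "timestamp#": t0,
               "action#": 100, "userid": "SCOTT", "returncode": 0, "logoff$time": None}
    grant = {"sessionid": 1001, "entryid": 2, "statement": 5,
             "timestamp#": t0 + timedelta(seconds=1), "action#": 108,
             "userid": "SCOTT", "returncode": 0, "logoff$time": None}
    rows = [session, grant]
    if logged_off:
        session.update({"action#": 101, "logoff$time": t0 + timedelta(minutes=3)})
        rows.append({"sessionid": 1001, "entryid": 3, "statement": 7,
                     "timestamp#": t0 + timedelta(seconds=1), "action#": 17,
                     "userid": "SCOTT", "returncode": 0, "logoff$time": None})
    return rows


def demo():
    """Three consecutive watch runs; returns their counts and the central table."""
    central = {}
    first = collect(central, sample_source(SAMPLE_T0, False), "PROD",
                    now=SAMPLE_T0 + timedelta(minutes=5))
    second = collect(central, sample_source(SAMPLE_T0, True), "PROD",
                     now=SAMPLE_T0 + timedelta(minutes=10))
    # A row older than the retention period, to be purged on the next run.
    central[("PROD", 9, 9, 9)] = {"db_id": "PROD", "sessionid": 9, "entryid": 9,
                                  "statement": 9, "action#": 100,
                                  "timestamp#": SAMPLE_T0 - timedelta(days=400)}
    third = collect(central, [], "PROD", now=SAMPLE_T0 + timedelta(minutes=15))
    return first, second, third, central


if __name__ == "__main__":
    first, second, third, central = demo()
    print("run 1 (inserted, updated, purged):", first)
    print("run 2 (inserted, updated, purged):", second)
    print("run 3 (inserted, updated, purged):", third)
    print("session row after logoff:", central[("PROD", 1001, 1, 1)]["action#"])
```

The second run is the one the SQL watches get wrong: with a strict "timestamp# > max(timestamp#)" the rewritten session row (same logon time) and the new row sharing the boundary second would both be skipped; here one is updated and the other inserted, and nothing is duplicated.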

EAGLE_AUDIT_TRAIL VIEW DDL (the select list follows SYS.DBA_AUDIT_TRAIL with DB_ID added; the column list names the columns that the views below select):

   create or replace view eagle_audit_trail
      (db_id, os_username, username, userhost, terminal, timestamp, owner, obj_name,
       action, action_name, new_owner, new_name, obj_privilege, sys_privilege,
       admin_option, grantee, audit_option, ses_actions, logoff_time, logoff_lread,
       logoff_pread, logoff_lwrite, logoff_dlock, comment_text, sessionid, entryid,
       statementid, returncode, priv_used, object_label, session_label)
   as select
      db_id                                   /* DB_ID */,
      spare1                                  /* OS_USERNAME */,
      userid                                  /* USERNAME */,
      userhost                                /* USERHOST */,
      terminal                                /* TERMINAL */,
      timestamp#                              /* TIMESTAMP */,
      obj$creator                             /* OWNER */,
      obj$name                                /* OBJ_NAME */,
      aud.action#                             /* ACTION */,
      act.name                                /* ACTION_NAME */,
      new$owner                               /* NEW_OWNER */,
      new$name                                /* NEW_NAME */,
      decode(aud.action#,
             108 /* grant sys_priv */,  null,
             109 /* revoke sys_priv */, null,
             114 /* grant role */,      null,
             115 /* revoke role */,     null,
             auth$privileges)                 /* OBJ_PRIVILEGE */,
      decode(aud.action#,
             108 /* grant sys_priv */,  spm.name,
             109 /* revoke sys_priv */, spm.name,
             null)                            /* SYS_PRIVILEGE */,
      decode(aud.action#,
             108 /* grant sys_priv */,  substr(auth$privileges,1,1),
             109 /* revoke sys_priv */, substr(auth$privileges,1,1),
             114 /* grant role */,      substr(auth$privileges,1,1),
             115 /* revoke role */,     substr(auth$privileges,1,1),
             null)                            /* ADMIN_OPTION */,
      auth$grantee                            /* GRANTEE */,
      decode(aud.action#,
             104 /* audit */,   aom.name,
             105 /* noaudit */, aom.name,
             null)                            /* AUDIT_OPTION */,
      ses$actions                             /* SES_ACTIONS */,

      logoff$time                             /* LOGOFF_TIME */,
      logoff$lread                            /* LOGOFF_LREAD */,
      logoff$pread                            /* LOGOFF_PREAD */,
      logoff$lwrite                           /* LOGOFF_LWRITE */,
      decode(aud.action#,
             104 /* audit */,           null,
             105 /* noaudit */,         null,
             108 /* grant sys_priv */,  null,
             109 /* revoke sys_priv */, null,
             114 /* grant role */,      null,
             115 /* revoke role */,     null,
             aud.logoff$dead)                 /* LOGOFF_DLOCK */,
      comment$text                            /* COMMENT_TEXT */,
      sessionid                               /* SESSIONID */,
      entryid                                 /* ENTRYID */,
      statement                               /* STATEMENTID */,
      returncode                              /* RETURNCODE */,
      spx.name                                /* PRIV_USED */,
      rawtolab(obj$label)                     /* OBJECT_LABEL */,
      rawtolab(ses$label)                     /* SESSION_LABEL */
     from eagle.audit_trail aud,
          sys.system_privilege_map spm,
          sys.system_privilege_map spx,
          sys.stmt_audit_option_map aom,
          eagle.audit_actions act
    where aud.action# = act.action (+)
      /* system privilege numbers are stored negated in logoff$dead and priv$used */
      and - aud.logoff$dead = spm.privilege (+)
      and aud.logoff$dead = aom.option# (+)
      and - aud.priv$used = spx.privilege (+);

EAGLE_AUDIT_SESSION VIEW DDL:

   create or replace view eagle_audit_session as
   select db_id, os_username, username, userhost, terminal, timestamp,
          action_name, logoff_time, logoff_lread, logoff_pread, logoff_lwrite,
          logoff_dlock, sessionid, returncode, session_label
     from eagle_audit_trail
    where action between 100 and 102;

EAGLE_AUDIT_OBJECT VIEW DDL:

   create or replace view eagle_audit_object as
   select DB_ID, OS_USERNAME, USERNAME, USERHOST, TERMINAL, TIMESTAMP, OWNER,
          OBJ_NAME, ACTION_NAME, NEW_OWNER, NEW_NAME, SES_ACTIONS, COMMENT_TEXT,
          SESSIONID, ENTRYID, STATEMENTID, RETURNCODE, PRIV_USED, OBJECT_LABEL,
          SESSION_LABEL

     from eagle_audit_trail
    where (action between 1 and 16)
       or (action between 19 and 29)
       or (action between 32 and 41)
       or (action = 43)
       or (action between 51 and 99)
       or (action = 103)
       or (action between 110 and 113)
       or (action between 116 and 121)
       or (action between 123 and 128);

EAGLE_AUDIT_STATEMENT VIEW DDL:

   create or replace view eagle_audit_statement as
   select DB_ID, OS_USERNAME, USERNAME, USERHOST, TERMINAL, TIMESTAMP, OWNER,
          OBJ_NAME, ACTION_NAME, NEW_NAME, OBJ_PRIVILEGE, SYS_PRIVILEGE,
          ADMIN_OPTION, GRANTEE, AUDIT_OPTION, SES_ACTIONS, COMMENT_TEXT,
          SESSIONID, ENTRYID, STATEMENTID, RETURNCODE, PRIV_USED, SESSION_LABEL
     from eagle_audit_trail
    where action in (
             17  /* GRANT OBJECT */,
             18  /* REVOKE OBJECT */,
             30  /* AUDIT OBJECT */,
             31  /* NOAUDIT OBJECT */,
             49  /* ALTER SYSTEM */,
             104 /* SYSTEM AUDIT */,
             105 /* SYSTEM NOAUDIT */,
             106 /* AUDIT DEFAULT */,
             107 /* NOAUDIT DEFAULT */,
             108 /* SYSTEM GRANT */,
             109 /* SYSTEM REVOKE */,
             114 /* GRANT ROLE */,
             115 /* REVOKE ROLE */);

EAGLE_AUDIT_CLIENT_SESSION VIEW DDL:

   create or replace view eagle_audit_client_session as
   select db_id, os_username, username, userhost, terminal, timestamp,
          action_name, logoff_time, logoff_lread, logoff_pread, logoff_lwrite,
          logoff_dlock, sessionid, returncode, comment_text, session_label,
          substr(substr(comment_text,
                        instr(comment_text,'host=',1)+5,
                        instr(comment_text,')',instr(comment_text,'host=',1))
                           - (instr(comment_text,'host=',1)+5)),
                 1, 15) ip_address

   from eagle_audit_trail
  where action between 100 and 102;

EAGLE_AUDIT_FAILED_SESSION VIEW DDL:

create or replace view eagle_audit_failed_session as
 select db_id, os_username, username, userhost, terminal, timestamp,
        action_name, sessionid, returncode, comment_text,
        substr(substr(comment_text, instr(comment_text,'host=',1)+5,
                      instr(comment_text,')',instr(comment_text,'host=',1))
                      - (instr(comment_text,'host=',1)+5)), 1, 15) ip_address
   from eagle_audit_trail
  where returncode in (1017,1005)
    and action between 100 and 102;

Audit Trail Reports

The following sample reports were designed using Oracle WebServer 2.0 and the PL/SQL Agent. They are included only as an example of the types of reports that can be generated from the centralized audit trail data collected by Eagle.

DBAUDIT PACKAGE DDL:

create or replace package dbaudit as
  procedure query;
  procedure report (rptcode   in varchar2 default 'session',
                    db_nm     in varchar2 default 'ALL',
                    user_nm   in varchar2,
                    object_nm in varchar2,
                    action_nm in varchar2,
                    code      in varchar2,
                    day       in varchar2,
                    month     in varchar2,
                    year      in varchar2);
  procedure auditrpt (rptcode in varchar2, db_name in varchar2, user_name in varchar2,
                      object_name in varchar2, action_name in varchar2, rt_code in varchar2,
                      webday in varchar2, webmonth in varchar2, webyear in varchar2);
  procedure dataheader (rptcode in varchar2);
  procedure datafooter;
  procedure getdata (rptcode in varchar2, db_name in varchar2, user_name in varchar2,
                     object_name in varchar2, action_name in varchar2, rtcode in varchar2,
                     webday in varchar2, webmonth in varchar2, webyear in varchar2);
end;
/

create or replace package body dbaudit as

/* Procedure query presents the initial report request form */
procedure query is
  cursor dblist is
    select distinct db_id from eagle.audit_trail order by db_id;
  cursor userlist is

    select distinct userid from eagle.audit_trail order by userid;
  cursor objlist is
    select distinct obj$name from eagle.audit_trail order by obj$name;
  cursor actionlist is
    select name, action from sys.audit_actions order by name;
  cursor codelist is
    select distinct returncode from eagle.audit_trail order by returncode;
begin
  htp.htmlopen;
  htp.headopen;
  htp.title('Stats Database Audit History');
  htp.headclose;
  htp.bodyopen('','BGCOLOR="#000066" TEXT="#ffffe8" LINK="#ccffff" VLINK="#33ccff" BACKGROUND="/images/back10.jpg"');
  htp.header(1,'Stats Database Audit History');
  htp.hr;
  htp.formopen('/webaudit/owa/dbaudit.report','post');
  htp.print('<B>Select Report Criteria:</B><P>');
  htp.tableopen;
  htp.print('<TR><TD WIDTH="150">Select Audit Report:</TD><TD>');
  htp.formradio('rptcode','session','checked');
  htp.print('Session Audits ');
  htp.formradio('rptcode','object');
  htp.print('Object/Statement Audits');
  htp.print('</TD></TR>');
  htp.print('<TR><TD WIDTH="150">Database Name:</TD><TD>');
  htp.formselectopen('db_nm');
  /* The value 'ALL' is what procedure report tests for when it widens a filter to '%' */
  htp.formselectoption('ALL','selected','value="ALL"');
  for dc in dblist loop
    htp.formselectoption(dc.db_id,'','value="' || dc.db_id || '"');
  end loop;
  htp.formselectclose;
  htp.print('</TD></TR>');
  htp.print('<TR><TD WIDTH="150">Database User Name:</TD><TD>');
  htp.formselectopen('user_nm');
  htp.formselectoption('ALL','selected','value="ALL"');
  for uc in userlist loop
    htp.formselectoption(uc.userid,'','value="' || uc.userid || '"');

  end loop;
  htp.formselectclose;
  htp.print('</TD></TR>');
  htp.print('<TR><TD WIDTH="150">Object Name:</TD><TD>');
  htp.formselectopen('object_nm');
  htp.formselectoption('ALL','selected','value="ALL"');
  for oc in objlist loop
    htp.formselectoption(oc.obj$name,'','value="' || oc.obj$name || '"');
  end loop;
  htp.formselectclose;
  htp.print(' (Object/Statement Audits only)</TD></TR>');
  htp.print('<TR><TD WIDTH="150">Action Name:</TD><TD>');
  htp.formselectopen('action_nm');
  htp.formselectoption('ALL','selected','value="ALL"');
  for ac in actionlist loop
    htp.formselectoption(ac.name,'','value="' || ac.action || '"');
  end loop;
  htp.formselectclose;
  htp.print(' (Object/Statement Audits only)</TD></TR>');
  htp.print('<TR><TD WIDTH="150">Return Code:</TD><TD>');
  htp.formselectopen('code');
  htp.formselectoption('ALL','selected','value="ALL"');
  for rc in codelist loop
    htp.formselectoption(rc.returncode,'','value="' || rc.returncode || '"');
  end loop;
  htp.formselectclose;
  htp.print('</TD></TR>');
  htp.print('<TR><TD WIDTH="150">Day:</TD><TD>');
  htp.formselectopen('day');
  htp.formselectoption('ALL','selected','value="ALL"');
  /* Day-of-month choices; the loop bounds were lost in the source listing and are restored here */
  for ctr in 1..31 loop
    htp.formselectoption(ctr,'','value="' || ctr || '"');
  end loop;
  htp.formselectclose;
  htp.print('</TD></TR>');

  htp.print('<TR><TD WIDTH="150">Month:</TD><TD>');
  htp.formselectopen('month');
  htp.formselectoption('ALL','selected','value="ALL"');
  htp.formselectoption('january','','value="january  "');
  htp.formselectoption('february','','value="february "');
  htp.formselectoption('march','','value="march    "');
  htp.formselectoption('april','','value="april    "');
  htp.formselectoption('may','','value="may      "');
  htp.formselectoption('june','','value="june     "');
  htp.formselectoption('july','','value="july     "');
  htp.formselectoption('august','','value="august   "');
  htp.formselectoption('september','','value="september"');
  htp.formselectoption('october','','value="october  "');
  htp.formselectoption('november','','value="november "');
  htp.formselectoption('december','','value="december "');
  htp.formselectclose;
  htp.print('</TD></TR>');
  htp.print('<TR><TD WIDTH="150">Year:</TD><TD>');
  htp.formselectopen('year');
  htp.formselectoption('ALL','','value="ALL"');
  htp.formselectoption('1997','','value="1997"');
  htp.formselectoption('1998','selected','value="1998"');
  htp.formselectclose;
  htp.print('</TD></TR>');
  htp.tableclose;
  htp.para;
  htp.formsubmit('','Submit');
  htp.formreset('Reset');
  htp.formclose;
  htp.hr;
  htp.print('<P><FONT SIZE=2><CITE>');
  htp.anchor('/','<IMG BORDER=0 SRC="/images/home-b.jpg">');
  htp.anchor('<mailto target missing from the source listing>','<IMG BORDER=0 SRC="/images/mail-b.jpg">');
  htp.para;
  htp.img('/images/tag1.gif','bottom','Generated by Oracle WebServer');
  htp.bodyclose;

  htp.htmlclose;
end query;

/* Procedure report parses the initial report request and calls the specified report procedure */
procedure report (rptcode   in varchar2 default 'session',
                  db_nm     in varchar2 default 'ALL',
                  user_nm   in varchar2,
                  object_nm in varchar2,
                  action_nm in varchar2,
                  code      in varchar2,
                  day       in varchar2,
                  month     in varchar2,
                  year      in varchar2) is
  header_text varchar2(50);
  db_name     varchar2(10);
  user_name   varchar2(32);
  object_name varchar2(32);
  action_name varchar2(64);
  rtcode      varchar2(10);
  webday      varchar2(3);
  webmnth     varchar2(20);
  webyear     varchar2(4);
begin
  /* 'ALL' in any criterion becomes the wildcard '%' for the LIKE predicates in getdata */
  if db_nm = 'ALL' then
    db_name := '%';
  else
    db_name := db_nm;
  end if;
  if user_nm = 'ALL' then
    user_name := '%';
  else
    user_name := user_nm;
  end if;
  if object_nm = 'ALL' then
    object_name := '%';
  else
    object_name := object_nm;
  end if;
  if action_nm = 'ALL' then
    action_name := '%';
  else

    action_name := action_nm;
  end if;
  if code = 'ALL' then
    rtcode := '%';
  else
    rtcode := code;
  end if;
  /* Zero-pad a single-digit day so that it matches to_char(timestamp,'dd') */
  webday := day;
  if length(webday) < 2 then
    webday := '0' || webday;
  end if;
  if webday = 'ALL' then
    webday := '%';
  end if;
  if month = 'ALL' then
    webmnth := '%';
  else
    webmnth := rtrim(month) || '%';
  end if;
  if year = 'ALL' then
    webyear := '%';
  else
    webyear := year;
  end if;
  htp.htmlopen;
  htp.headopen;
  htp.title('Stats Database Audit History');
  htp.headclose;
  htp.bodyopen('','BGCOLOR="#ffffff" TEXT="#ffffe8" LINK="#ccffff" VLINK="#33ccff" BACKGROUND="/images/back10.jpg"');
  htp.header(1,'Stats Database Audit History');
  htp.tableopen('border','','','','width="100%"');
  htp.tablerowopen;

  htp.tableheader('Database');
  htp.tableheader('User Name');
  htp.tableheader('Object Name');
  htp.tableheader('Action');
  htp.tableheader('Return Code');
  htp.tableheader('Day');
  htp.tableheader('Month');
  htp.tableheader('Year');
  htp.tablerowclose;
  htp.tablerowopen;
  htp.tabledata(db_nm);
  htp.tabledata(user_nm);
  htp.tabledata(object_nm);
  htp.tabledata(action_nm);
  htp.tabledata(code);
  htp.tabledata(day);
  htp.tabledata(month);
  htp.tabledata(year);
  htp.tablerowclose;
  htp.tableclose;
  htp.hr;
  auditrpt (rptcode, db_name, user_name, object_name, action_name, rtcode, webday, webmnth, webyear);
  htp.hr;
  htp.print('<P><FONT SIZE=2><CITE>');
  htp.anchor('/','<IMG BORDER=0 SRC="/images/home-b.jpg">');
  htp.anchor('/webstats/owa/webstats.query','<IMG BORDER=0 SRC="/images/up-b.jpg">');
  htp.anchor('<mailto target missing from the source listing>','<IMG BORDER=0 SRC="/images/mail-b.jpg">');
  htp.para;
  htp.img('/images/tag1.gif','bottom','Generated by Oracle WebServer');
  htp.bodyclose;
  htp.htmlclose;
end report;

/* Procedure auditrpt generates the Server Audit History Report */
procedure auditrpt (rptcode     in varchar2,
                    db_name     in varchar2,
                    user_name   in varchar2,

                    object_name in varchar2,
                    action_name in varchar2,
                    rt_code     in varchar2,
                    webday      in varchar2,
                    webmonth    in varchar2,
                    webyear     in varchar2) is
begin
  dataheader(rptcode);
  getdata (rptcode, db_name, user_name, object_name, action_name, rt_code, webday, webmonth, webyear);
  datafooter;
  htp.para;
end auditrpt;

/* Procedure dataheader creates the table header for report data */
procedure dataheader (rptcode in varchar2) is
begin
  htp.tableopen('border','','','','width="100%"');
  if rptcode = 'session' then
    htp.tablecaption('<B>User Session History</B>');
    htp.tablerowopen;
    htp.tableheader('Database',cattributes=>'valign="bottom" width=');
    htp.tableheader('Timestamp',cattributes=>'valign="bottom" width=');
    htp.tableheader('SID',cattributes=>'valign="bottom" width=');
    htp.tableheader('User Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('OS User Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Action Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Return Code',cattributes=>'valign="bottom" width=');
    htp.tableheader('IP Address',cattributes=>'valign="bottom" width=');
    htp.tablerowclose;
  else
    htp.tablecaption('<B>Object/Statement History</B>');
    htp.tablerowopen;
    htp.tableheader('Database',cattributes=>'valign="bottom" width=');
    htp.tableheader('Timestamp',cattributes=>'valign="bottom" width=');
    htp.tableheader('SID',cattributes=>'valign="bottom" width=');
    htp.tableheader('User Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Action Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Object Owner',cattributes=>'valign="bottom" width=');
    htp.tableheader('Object Name',cattributes=>'valign="bottom" width=');
    htp.tableheader('Return Code',cattributes=>'valign="bottom" width=');
    htp.tablerowclose;

  end if;
end dataheader;

/* Procedure datafooter creates the table footer for report data */
procedure datafooter is
begin
  htp.tableclose;
end datafooter;

/* Procedure getdata generates the data tables for the reports */
procedure getdata (rptcode in varchar2, db_name in varchar2, user_name in varchar2,
                   object_name in varchar2, action_name in varchar2, rtcode in varchar2,
                   webday in varchar2, webmonth in varchar2, webyear in varchar2) is
  querystr varchar2(2000);
begin
  if rptcode = 'session' then
    querystr := 'select db_id, to_char(timestamp,''dd-mon-yy HH24:MI:SS''), sessionid,
                        username, os_username, action_name, returncode, ip_address
                   from eagle.audit_client_session
                  where db_id like :db_nm
                    and username like :user_nm
                    and returncode like :code
                    and to_char(timestamp,''dd'') like :webday
                    and to_char(timestamp,''month'') like :webmnth
                    and to_char(timestamp,''yyyy'') like :webyear
                  order by timestamp';
    owa_sql.cells_from_query(
      owa_sql.init(querystr, ':db_nm',db_name, ':user_nm',user_name, ':code',rtcode,
                   ':webday',webday, ':webmnth',webmonth, ':webyear',webyear),

      10000,'Yes');
  else
    querystr := 'select db_id, to_char(timestamp,''dd-mon-yy HH24:MI:SS''), sessionid,
                        username, action_name, owner, object_name, returncode
                   from eagle.audit_trail_view
                  where action like :action_nm
                    and db_id like :db_nm
                    and username like :user_nm
                    and object_name like :object_nm
                    and returncode like :code
                    and to_char(timestamp,''dd'') like :webday
                    and to_char(timestamp,''month'') like :webmnth
                    and to_char(timestamp,''yyyy'') like :webyear
                  order by timestamp';
    owa_sql.cells_from_query(
      owa_sql.init(querystr, ':action_nm',action_name, ':db_nm',db_name, ':user_nm',user_name,
                   ':object_nm',object_name, ':code',rtcode, ':webday',webday,
                   ':webmnth',webmonth, ':webyear',webyear),
      10000,'Yes');
  end if;
end getdata;

end dbaudit;
/

Audit Trail Configuration

Identify the tablespace in which the audit trail table is located.

select table_name, tablespace_name
  from dba_tables
 where table_name = 'AUD$'
   and owner like 'SYS%';

The following instructions are excerpts from Conference Paper 139: Enhancing Database Security: Monitoring Audit Trails Using Enterprise Manager.

Special Note

Changing either the location or the ownership of AUD$ is a configuration change that is not supported by Oracle Technical Support. Take care when performing the following steps to ensure the procedures are followed exactly. While the authors have tested these scripts on a variety of Oracle versions and OS platforms, no warranty, expressed or implied, is given that you will have the same results.

Step 1

If auditing is already enabled in the database, it will need to be temporarily disabled while these changes are made. In the init.ora file, make sure that the audit_trail parameter is turned off, that is, set to none. If the value of this parameter is changed, the database will need to be restarted for the change to take effect.

Step 2

Check to see if there is already an auditing tablespace in the database. Connect internal using Server Manager and run the following command.

select tablespace_name from dba_tablespaces;

TABLESPACE_NAME
---------------
SYSTEM
USER_DATA
ROLLBACK_DATA
TEMPORARY_DATA

Step 3

If an auditing tablespace does not exist, execute the following commands as SYS (or internal). Substitute a file name appropriate to the local operating system, and enter storage parameters consistent with the rest of the database.

create tablespace "DBAUDIT"
  datafile '<use appropriate file name>' size 1m
  default storage (initial 128k next 128k pctincrease 0);

Repeat the query from Step 2 to verify that the auditing tablespace has been correctly created.

Step 4

Create the new audit trail table by executing the following commands as SYS (or internal). Substitute storage parameters consistent with the rest of the database.

rename aud$ to aud$_temp;

create table system.aud$
  tablespace "DBAUDIT"
  storage (initial 64k next 64k pctincrease 0)
  as select * from aud$_temp;

Step 5

Connect as SYSTEM and execute the following commands to index and set permissions on the new audit trail (again substituting appropriate storage parameters):

create index i_aud1 on aud$(sessionid,ses$tid)
  tablespace "DBAUDIT"
  storage (initial 64k next 64k pctincrease 0);

grant all on aud$ to sys with grant option;

Step 6

Connect internal from Server Manager and run these commands to reset and rebuild the auditing portions of Oracle's data dictionary:

create view aud$ as select * from system.aud$;   /* SYS now reads the relocated table created in Step 4 */

(If you are using Oracle for Windows95 or WindowsNT, then run %ORACLE_HOME%\rdbms73\admin\cataudit.sql or %ORACLE_HOME%\rdbms80\admin\cataudit.sql.)

WatchDog Installation

The following instructions are excerpts from Conference Paper 139: Enhancing Database Security: Monitoring Audit Trails Using Enterprise Manager.

Step 7

SYSTEM now owns the audit trail. Stop the database and set the following initialization parameters, then restart:

audit_trail = db
utl_file_dir = /your/alert/log/directory/path

where the directory in utl_file_dir is the directory which contains the database alert log; this allows the audit trail trigger to update the alert log when an audited event is detected. Any previously existing audits should be unaffected; all new entries will be written to the new table owned by SYSTEM. The WatchDog trigger can now be written against AUD$ to automate responses to events that may show up there, such as failed logins or other unusual activity.

Step 8

Make sure any audits that need to be monitored are in place. The following examples use the session audit to determine when a login to the database has failed. The session audit is enabled by a DBA with the following command, issued from Server Manager.

AUDIT SESSION;

Securing the UTL_FILE Package

Before the WatchDog trigger is created, there are some additional security enhancements that can be made to the database. The UTL_FILE package, available in Oracle 7.3 and higher, allows stored procedures to access operating system files and directories on the server machine. This package is what allows the WatchDog audit trail trigger to write to the database alert log.

UTL_FILE access to operating system directories is controlled by the UTL_FILE_DIR parameter in the init.ora file for the database. Only files in the designated directories can be accessed by UTL_FILE. By default, execute on UTL_FILE is granted to PUBLIC, which means that any user in the database has potential read-write access, as the Oracle software owner, to the UTL_FILE directories (including the alert log, once the WatchDog configuration changes in Step 7 are made). This is true even if the user has no other privileges and no user account on the server operating system. Execute on UTL_FILE should only be granted on an individual basis to trusted and approved users (preferably only DBAs or trusted software administrators).

Step 9

This security risk is eliminated by revoking the execute grant from PUBLIC with the following command, executed as SYS from Server Manager:

REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;

Step 10

Next, regrant the privilege explicitly to SYSTEM.

GRANT EXECUTE ON UTL_FILE TO SYSTEM;

Expanding the Audit Trail Views

Some additional WatchDog views will enhance the quality of information available to the database administrator. These views make use of information stored in the AUD$ table that is not broken out in the default DBA_AUDIT views. WD_AUDIT_CLIENT_SESSION adds two extra columns to the standard DBA_AUDIT_SESSION view: COMMENT_TEXT, which contains information about the client connection passed on from the SQL*Net listener, and IP_ADDRESS, which is extracted from COMMENT_TEXT for TCP protocol connections. WD_AUDIT_FAILED_SESSION is a subset of WD_AUDIT_CLIENT_SESSION that displays information only on failed access attempts. This information is very useful when tracking the source of invalid access attempts.

Special Note

If you are using a connection protocol other than TCP, you may need to modify the WatchDog views below to successfully extract the network address of the database client.

Step 11

To create these views, connect internal to the database using Server Manager, then run the following scripts:

create or replace view wd_audit_client_session as
 select os_username, username, userhost, terminal, timestamp, action_name,
        logoff_time, logoff_lread, logoff_pread, logoff_lwrite, logoff_dlock,
        sessionid, returncode, comment_text, session_label,
        substr(substr(comment_text, instr(comment_text,'host=',1)+5,
                      instr(comment_text,')',instr(comment_text,'host=',1))
                      - (instr(comment_text,'host=',1)+5)), 1, 15) ip_address
   from dba_audit_trail
  where action between 100 and 102;

create or replace view wd_audit_failed_session as
 select os_username, username, userhost, terminal, timestamp, action_name,
        sessionid, returncode, comment_text,
        substr(substr(comment_text, instr(comment_text,'host=',1)+5,
                      instr(comment_text,')',instr(comment_text,'host=',1))
                      - (instr(comment_text,'host=',1)+5)), 1, 15) ip_address
   from dba_audit_trail
  where returncode in (1017,1005,28000)
    and action between 100 and 102;

create public synonym wd_audit_client_session for sys.wd_audit_client_session;

create public synonym wd_audit_failed_session for sys.wd_audit_failed_session;
grant select on wd_audit_client_session to dba;
grant select on wd_audit_failed_session to dba;

Creating the Trigger

Sample versions of the WatchDog trigger are shown below. These WatchDog triggers report access violations that return codes 1017 or 1005 during a login attempt (invalid userid/password, or null password). To use these WatchDogs, insert an appropriate alert file name and directory path where indicated. WatchDog triggers can easily be modified to record other audited events as well.

Step 12

As SYS, modify and run the appropriate version of the trigger script to create the WatchDog trigger on system.aud$. Replace the <name of log file> and <path to log file> markers with appropriate values such as alertsid.ora and /your/alert/log/directory/path.

Oracle7 Version of WatchDog

CREATE OR REPLACE TRIGGER WATCHDOG
AFTER INSERT ON SYSTEM.AUD$
FOR EACH ROW
DECLARE
  FILE_HANDLE  UTL_FILE.FILE_TYPE;
  ALERT_FILE   VARCHAR2(20);
  ALERT_PATH   VARCHAR2(50);
  CURRENT_DATE VARCHAR2(30);
  IP_ADDRESS   VARCHAR2(15);
  PROTOCOL     VARCHAR2(10);
BEGIN
  /* Check if latest connection is invalid
     Code 1005 = Null password, 1017 = Invalid userid/password
     Event 100 = LOGON, 101 = LOGOFF, 102 = LOGOFF BY CLEANUP */
  IF (:NEW.RETURNCODE IN (1005, 1017)) AND (:NEW.ACTION IN (100,101,102)) THEN
    /* Initialize path and file names */
    ALERT_FILE := '<name of log file>';
    ALERT_PATH := '<path to log file>';
    /* Format timestamp for alert log */
    CURRENT_DATE := TO_CHAR(:NEW.TIMESTAMP,'Dy Mon DD HH24:MI:SS YYYY');
    /* Determine IP Address of client: the text between HOST= and the next ')' */
    IP_ADDRESS := SUBSTR(SUBSTR(:NEW.COMMENT$TEXT, INSTR(:NEW.COMMENT$TEXT,'HOST=',1)+5,
                                INSTR(:NEW.COMMENT$TEXT,')',INSTR(:NEW.COMMENT$TEXT,'HOST=',1))
                                - (INSTR(:NEW.COMMENT$TEXT,'HOST=',1)+5)), 1, 15);
    /* Determine connection protocol of client */

    PROTOCOL := NVL(SUBSTR(SUBSTR(:NEW.COMMENT$TEXT, INSTR(:NEW.COMMENT$TEXT,'PROTOCOL=',1)+9,
                                  INSTR(:NEW.COMMENT$TEXT,')',INSTR(:NEW.COMMENT$TEXT,'PROTOCOL=',1))
                                  - (INSTR(:NEW.COMMENT$TEXT,'PROTOCOL=',1)+9)), 1, 10), 'ipc');
    /* Open alert log for append */
    FILE_HANDLE := UTL_FILE.FOPEN(ALERT_PATH,ALERT_FILE,'A');
    /* Write alert log entry with [DB User][Terminal][OS User][Protocol][IP Address] */
    UTL_FILE.PUT_LINE(FILE_HANDLE,CURRENT_DATE);
    UTL_FILE.PUT_LINE(FILE_HANDLE,'ORA-0' || :NEW.RETURNCODE || ': Logon denied [' ||
                      :NEW.USERID || '] [' || :NEW.TERMINAL || '] [' || :NEW.SPARE1 || '] [' ||
                      PROTOCOL || '] [' || IP_ADDRESS || ']');
    /* Close alert log */
    UTL_FILE.FCLOSE (FILE_HANDLE);
  END IF;
EXCEPTION
  WHEN NO_DATA_FOUND THEN UTL_FILE.FCLOSE(FILE_HANDLE);
  WHEN UTL_FILE.INVALID_PATH THEN UTL_FILE.FCLOSE(FILE_HANDLE);
  WHEN UTL_FILE.READ_ERROR THEN UTL_FILE.FCLOSE(FILE_HANDLE);
  WHEN UTL_FILE.WRITE_ERROR THEN UTL_FILE.FCLOSE(FILE_HANDLE);
  WHEN OTHERS THEN UTL_FILE.FCLOSE(FILE_HANDLE);
END;
/

Oracle8 Version of WatchDog

CREATE OR REPLACE TRIGGER WATCHDOG
AFTER INSERT ON SYSTEM.AUD$
FOR EACH ROW
DECLARE
  FILE_HANDLE  UTL_FILE.FILE_TYPE;
  ALERT_FILE   VARCHAR2(20);
  ALERT_PATH   VARCHAR2(50);
  CURRENT_DATE VARCHAR2(30);
  IP_ADDRESS   VARCHAR2(15);
  PROTOCOL     VARCHAR2(10);
BEGIN
  /* Check if connection attempt is invalid
     Code 1005 = Null password, 1017 = Invalid userid/password, 28000 = Account locked (v8 only)
     Event 100 = LOGON, 101 = LOGOFF, 102 = LOGOFF BY CLEANUP */
  IF (:NEW.RETURNCODE IN (1005, 1017, 28000)) AND (:NEW.ACTION# IN (100,101,102)) THEN
    /* Initialize path and file names */
    ALERT_FILE := '<name of log file>';
    ALERT_PATH := '<path to log file>';
    /* Format timestamp for alert log */

    CURRENT_DATE := TO_CHAR(:NEW.TIMESTAMP#,'Dy Mon DD HH24:MI:SS YYYY');
    /* Determine IP Address of client, if available */
    IP_ADDRESS := SUBSTR(SUBSTR(:NEW.COMMENT$TEXT, INSTR(:NEW.COMMENT$TEXT,'HOST=',1)+5,
                                INSTR(:NEW.COMMENT$TEXT,')',INSTR(:NEW.COMMENT$TEXT,'HOST=',1))
                                - (INSTR(:NEW.COMMENT$TEXT,'HOST=',1)+5)), 1, 15);
    /* Determine connection protocol of client */
    PROTOCOL := NVL(SUBSTR(SUBSTR(:NEW.COMMENT$TEXT, INSTR(:NEW.COMMENT$TEXT,'PROTOCOL=',1)+9,
                                  INSTR(:NEW.COMMENT$TEXT,')',INSTR(:NEW.COMMENT$TEXT,'PROTOCOL=',1))
                                  - (INSTR(:NEW.COMMENT$TEXT,'PROTOCOL=',1)+9)), 1, 10), 'ipc');
    /* Open alert log for append */
    FILE_HANDLE := UTL_FILE.FOPEN(ALERT_PATH,ALERT_FILE,'A');
    /* Write alert log entry with [DB User][Terminal][OS User][Protocol][IP Address] */
    UTL_FILE.PUT_LINE (FILE_HANDLE,CURRENT_DATE);
    UTL_FILE.PUT_LINE (FILE_HANDLE,'ORA-0' || :NEW.RETURNCODE || ': Logon denied [' ||
                       :NEW.USERID || '] [' || :NEW.TERMINAL || '] [' || :NEW.SPARE1 || '] [' ||
                       PROTOCOL || '] [' || IP_ADDRESS || ']');
    /* Close alert log */
    UTL_FILE.FCLOSE (FILE_HANDLE);
  END IF;
EXCEPTION
  WHEN NO_DATA_FOUND THEN UTL_FILE.FCLOSE(FILE_HANDLE);
  WHEN UTL_FILE.INVALID_PATH THEN UTL_FILE.FCLOSE(FILE_HANDLE);
  WHEN UTL_FILE.READ_ERROR THEN UTL_FILE.FCLOSE(FILE_HANDLE);
  WHEN UTL_FILE.WRITE_ERROR THEN UTL_FILE.FCLOSE(FILE_HANDLE);
  WHEN OTHERS THEN UTL_FILE.FCLOSE(FILE_HANDLE);
END;
/

Special Note

Be sure to create the WatchDog trigger as SYS. Otherwise you may encounter an ORA-03113 (end-of-file on communication channel) error on the client (i.e. SQL*Plus), and generate an ORA-07445 (exception encountered: core dump [%s]) error or ORA-00600 (internal error code, arguments: [num]) error on the server when you try to log in.

OEM Configuration

The following instructions are excerpts from Conference Paper 139: Enhancing Database Security: Monitoring Audit Trails Using Enterprise Manager.

Step 13

It is assumed that the Oracle Enterprise Manager (OEM) and Diagnostics Pack have been installed, and that the OEM console is running. It is also assumed that the DBSNMP services for each monitored database have been correctly configured and started on each host platform (see the Oracle Enterprise Manager Installation Guide, Chapters 1 and 2 for complete instructions). Select the Event Set Library tab in the Event pane. From the Event menu, select Create Event Set.
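The decision and formatting logic of the WatchDog trigger from Step 12, together with the HOST=/PROTOCOL= parsing it shares with the views from Step 11, modelled in Python as an added example (not code from the paper or the WatchDog scripts) and run over constructed AUD$ rows; the AuditRow fields, user names and client addresses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Values the trigger tests for, taken from its own comments.
FAILED_LOGON_CODES = {1005, 1017, 28000}  # null password, invalid userid/password, account locked
SESSION_ACTIONS = {100, 101, 102}        # LOGON, LOGOFF, LOGOFF BY CLEANUP


@dataclass
class AuditRow:
    """The AUD$ columns the trigger reads through :NEW (field names are assumptions)."""
    returncode: int
    action: int
    timestamp: datetime
    userid: Optional[str]
    terminal: Optional[str]
    spare1: Optional[str]        # OS user name
    comment_text: Optional[str]  # SQL*Net client address string


def extract_field(comment_text: Optional[str], key: str, width: int) -> Optional[str]:
    """Mirror the views' and trigger's nested SUBSTR/INSTR expression: the text between
    <key> and the next ')', cut to <width> characters. When the key or the closing
    parenthesis is absent, Oracle's INSTR returns 0, the computed length goes negative
    and SUBSTR yields NULL, so this returns None."""
    if not comment_text:
        return None
    start = comment_text.find(key)
    if start < 0:
        return None
    value_start = start + len(key)
    end = comment_text.find(")", value_start)
    if end < 0:
        return None
    return comment_text[value_start:end][:width]


def nvl(value: Optional[str], default: str) -> str:
    """NVL(): substitute a default for NULL."""
    return default if value is None else value


def watchdog_entry(row: AuditRow) -> Optional[List[str]]:
    """The trigger body for one inserted AUD$ row: the two alert-log lines it would
    append for a failed logon, or None when the row does not match."""
    if row.returncode not in FAILED_LOGON_CODES or row.action not in SESSION_ACTIONS:
        return None
    current_date = row.timestamp.strftime("%a %b %d %H:%M:%S %Y")  # 'Dy Mon DD HH24:MI:SS YYYY'
    ip_address = extract_field(row.comment_text, "HOST=", 15)      # IP_ADDRESS VARCHAR2(15)
    protocol = nvl(extract_field(row.comment_text, "PROTOCOL=", 10), "ipc")

    def s(value: Optional[str]) -> str:
        # Oracle's || treats NULL as an empty string, so a missing column prints as [].
        return "" if value is None else value

    # The trigger prefixes 'ORA-0' to the code, so the five-digit 28000 prints as ORA-028000.
    message = (f"ORA-0{row.returncode}: Logon denied [{s(row.userid)}] [{s(row.terminal)}] "
               f"[{s(row.spare1)}] [{protocol}] [{s(ip_address)}]")
    return [current_date, message]


def scan(rows: List[AuditRow]) -> List[str]:
    """Apply the trigger to every row, as AFTER INSERT ... FOR EACH ROW would."""
    lines: List[str] = []
    for row in rows:
        entry = watchdog_entry(row)
        if entry is not None:
            lines.extend(entry)
    return lines


# Constructed sample rows (not real audit data).
SAMPLE_ROWS = [
    AuditRow(1017, 100, datetime(1998, 3, 2, 14, 5, 9), "SCOTT", "pts/4", "jsmith",
             "(ADDRESS=(PROTOCOL=tcp)(HOST=10.1.2.3)(PORT=34567))"),
    AuditRow(0, 100, datetime(1998, 3, 2, 14, 6, 0), "SCOTT", "pts/4", "jsmith",
             "(ADDRESS=(PROTOCOL=tcp)(HOST=10.1.2.3)(PORT=34568))"),   # successful logon
    AuditRow(1005, 100, datetime(1998, 3, 2, 14, 7, 30), "SYS", "ttyp1", "oracle",
             None),                                                  # local connection, no address
    AuditRow(28000, 100, datetime(1998, 3, 2, 14, 8, 1), "APPUSER", None, "svc",
             "(ADDRESS=(PROTOCOL=tcp)(HOST=client-workstation-17.example.com)(PORT=40001))"),
    AuditRow(1017, 3, datetime(1998, 3, 2, 14, 9, 0), "SCOTT", "pts/4", "jsmith",
             None),                                                  # code matches, action does not
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_ROWS)))
```

The fourth row shows the 15-character cap on IP_ADDRESS: an IPv4 address always fits, but a host name longer than that is cut off in the alert line.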

Step 14

In the General tab of the Create Event Set dialog box, enter the name of the new event set, WatchDog Security. Make sure that the Service Type field is set to Database. Enter a description of the event set, Custom Database Security Event Set. In the Events tab of the Create Event Set dialog box, double click on the Alert event in the Available Events list. It should move to the Selected Events list. In the Parameters tab of the Create Event Set dialog box, set the frequency with which the alert log should be checked for new messages. A time of several minutes is generally sufficient. When the frequency has been correctly set, click the OK button at the bottom of the dialog box.

Step 15

Select the new event set from the list of event sets in the Event Set Library. Select Register Event Set from the Event menu. In the Register Event Set dialog box, select the databases to be registered from the Available Destinations. Each database should appear in the Selected Destinations list as it is selected. When the desired databases have been selected, click the OK button at the bottom of the dialog box. Each selected database should now be registered to report any ORA- error messages that appear in the alert log directly to the OEM console.

Modifications to Eagle

GuardDog DDL:

/* Script 1: GuardDog DDL
   This script creates the objects required to support GuardDog.
   Note: If you are installing GuardDog into an existing Eagle system you may skip
   all of the DDL commands between this comment and the one below. */

CREATE TABLE DATABASE (
  DB_ID   VARCHAR2(12) NOT NULL,
  DB_NAME VARCHAR2(30) NOT NULL,
  DB_LINK VARCHAR2(30) NOT NULL
)
PCTFREE 5 PCTUSED 95 INITRANS 1 MAXTRANS 255
TABLESPACE USERS
STORAGE (
  INITIAL 16K
  NEXT 16K
  MINEXTENTS 1

  MAXEXTENTS 121
  PCTINCREASE 0
);

ALTER TABLE DATABASE ADD (
  PRIMARY KEY (DB_ID)
  USING INDEX
    PCTFREE 5 INITRANS 2 MAXTRANS 255
    TABLESPACE USER_IDX
    STORAGE (INITIAL 16K NEXT 16K MINEXTENTS 1 MAXEXTENTS 121 PCTINCREASE 0)
);

/* The previous DDL commands can be skipped when installing GuardDog into an existing
   Eagle schema. All DDL from this point on must be run when installing GuardDog in
   any schema. */

CREATE TABLE MONITOR (
  MONITOR_ID      VARCHAR2(12)   NOT NULL,
  NAME            VARCHAR2(50)   NULL,
  PREPARE1_CLAUSE VARCHAR2(256)  NULL,
  PREPARE2_CLAUSE VARCHAR2(256)  NULL,
  INSERT_CLAUSE   VARCHAR2(256)  NULL,
  SELECT_CLAUSE   VARCHAR2(256)  NULL,
  WHERE_CLAUSE    VARCHAR2(256)  NULL,
  CLOSE1_CLAUSE   VARCHAR2(500)  NULL,
  CLOSE2_CLAUSE   VARCHAR2(256)  NULL,
  COMMENT_TEXT    VARCHAR2(2000) NULL
);

ALTER TABLE MONITOR ADD (
  PRIMARY KEY (MONITOR_ID)

  USING INDEX
    PCTFREE 1 INITRANS 2 MAXTRANS 255
    TABLESPACE USER_IDX
    STORAGE (INITIAL 50k NEXT 50k MINEXTENTS 1 MAXEXTENTS 121 PCTINCREASE 0 FREELISTS 2)
);

CREATE TABLE DB_MONITOR (
  DB_ID      VARCHAR2(12) NOT NULL,
  MONITOR_ID VARCHAR2(12) NOT NULL,
  ACTIVE_YN  VARCHAR2(1)  NULL
)
PCTFREE 5 PCTUSED 95 INITRANS 1 MAXTRANS 255
TABLESPACE USERS
STORAGE (INITIAL 50k NEXT 50k MINEXTENTS 1 MAXEXTENTS 121 PCTINCREASE 0);

CREATE INDEX XIF19DB_MONITOR ON DB_MONITOR (DB_ID)
PCTFREE 1 INITRANS 2 MAXTRANS 255
TABLESPACE USER_IDX
STORAGE (
  INITIAL 50k

  NEXT 50k
  MINEXTENTS 1
  MAXEXTENTS 121
  PCTINCREASE 0
  FREELISTS 2
);

CREATE INDEX XIF20DB_MONITOR ON DB_MONITOR (MONITOR_ID)
PCTFREE 1 INITRANS 2 MAXTRANS 255
TABLESPACE USER_IDX
STORAGE (INITIAL 50k NEXT 50k MINEXTENTS 1 MAXEXTENTS 121 PCTINCREASE 0 FREELISTS 2);

ALTER TABLE DB_MONITOR ADD (
  PRIMARY KEY (DB_ID, MONITOR_ID)
);

CREATE TABLE DB_MONITOR_CRITERIA (
  DB_ID         VARCHAR2(12)   NULL,
  MONITOR_ID    VARCHAR2(12)   NULL,
  CRITERIA_TYPE VARCHAR2(10)   NULL,
  PARAMETER     VARCHAR2(256)  NULL,
  VALUE1        VARCHAR2(256)  NULL,
  VALUE2        VARCHAR2(256)  NULL,
  SCORE         NUMBER         NULL,
  COMMENT_TEXT  VARCHAR2(2000) NULL
)
PCTFREE 5 PCTUSED 95 INITRANS 1 MAXTRANS 255
TABLESPACE USERS
STORAGE (

  INITIAL 128k
  NEXT 128k
  MINEXTENTS 1
  MAXEXTENTS 121
  PCTINCREASE 0
);

CREATE INDEX XIF22DB_MONITOR_EXCEPTION ON DB_MONITOR_CRITERIA (DB_ID, MONITOR_ID)
PCTFREE 1 INITRANS 2 MAXTRANS 255
TABLESPACE USER_IDX
STORAGE (INITIAL 128k NEXT 128k MINEXTENTS 1 MAXEXTENTS 121 PCTINCREASE 0 FREELISTS 2);

CREATE TABLE DB_MONITOR_REPORT (
  DB_ID        VARCHAR2(12)   NULL,
  MONITOR_ID   VARCHAR2(12)   NULL,
  RUN_TIME     DATE           NULL,
  PARAMETER    VARCHAR2(256)  NULL,
  VALUE1       VARCHAR2(256)  NULL,
  VALUE2       VARCHAR2(256)  NULL,
  SCORE        NUMBER         NULL,
  COMMENT_TEXT VARCHAR2(2000) NULL
)
PCTFREE 5 PCTUSED 95 INITRANS 1 MAXTRANS 255
TABLESPACE USERS
STORAGE (
  INITIAL 128k

  NEXT 128k
  MINEXTENTS 1
  MAXEXTENTS 121
  PCTINCREASE 0
);

CREATE INDEX XIF23DB_MONITOR_REPORT ON DB_MONITOR_REPORT (DB_ID, MONITOR_ID)
PCTFREE 1 INITRANS 2 MAXTRANS 255
TABLESPACE USER_IDX
STORAGE (INITIAL 128k NEXT 128k MINEXTENTS 1 MAXEXTENTS 121 PCTINCREASE 0 FREELISTS 2);

CREATE TABLE DB_MONITOR_RESULT (
  DB_ID      VARCHAR2(12)  NULL,
  MONITOR_ID VARCHAR2(12)  NULL,
  RUN_TIME   DATE          NULL,
  PARAMETER  VARCHAR2(256) NULL,
  VALUE1     VARCHAR2(256) NULL,
  VALUE2     VARCHAR2(256) NULL
)
PCTFREE 5 PCTUSED 95 INITRANS 1 MAXTRANS 255
TABLESPACE USERS
STORAGE (
  INITIAL 512k
  NEXT 128k
  MINEXTENTS 1
  MAXEXTENTS 121

  PCTINCREASE 0
);

CREATE INDEX XIF21DB_MONITOR_RESULT ON DB_MONITOR_RESULT (DB_ID, MONITOR_ID)
PCTFREE 1 INITRANS 2 MAXTRANS 255
TABLESPACE USER_IDX
STORAGE (INITIAL 128k NEXT 128k MINEXTENTS 1 MAXEXTENTS 121 PCTINCREASE 0 FREELISTS 2);

ALTER TABLE DB_MONITOR ADD (
  FOREIGN KEY (MONITOR_ID) REFERENCES MONITOR
);

ALTER TABLE DB_MONITOR ADD (
  FOREIGN KEY (DB_ID) REFERENCES DATABASE
);

ALTER TABLE DB_MONITOR_REPORT ADD (
  FOREIGN KEY (DB_ID, MONITOR_ID) REFERENCES DB_MONITOR
);

ALTER TABLE DB_MONITOR_RESULT ADD (
  FOREIGN KEY (DB_ID, MONITOR_ID) REFERENCES DB_MONITOR
);

GuardDog PL/SQL

GuardDog PL/SQL Package:

/* Script 2: GuardDog PL/SQL Package
   This script creates the GUARD_DOG package, which is the core of the GuardDog system.
   This package requires that all of the GuardDog objects have already been created
   using Script 1. This script should be run in the GuardDog schema.

   The GUARD_DOG package is composed of two procedures. FETCH_DATA selects
   all information for the evaluation from the target database. PARSE_DATA
   compares the selected data against the predefined evaluation criteria. */

CREATE OR REPLACE PACKAGE GUARD_DOG AS
    procedure fetch_data (DBID in VARCHAR2);
    procedure parse_data (DBID in VARCHAR2);
END GUARD_DOG;
/

CREATE OR REPLACE PACKAGE BODY GUARD_DOG AS

/* Procedure FETCH_DATA gathers the audit evaluation data from the designated
   Oracle instance. Active monitor information is read from the monitor table
   and raw data is inserted into the db_monitor_result table. All previous raw
   data for the current database/monitor is generally deleted before new data
   is inserted. */

PROCEDURE FETCH_DATA (DBID in VARCHAR2) AS

    no_connection EXCEPTION;
    PRAGMA EXCEPTION_INIT(no_connection, );  /* the error number is missing from the source text */

    CURSOR C_DB_MONITOR (DB VARCHAR2) IS
        SELECT DB_ID, MONITOR_ID, ACTIVE_YN
          FROM DB_MONITOR
         WHERE DB_ID LIKE DB
         ORDER BY DB_ID;

    db_monitor_rec   DB_MONITOR%ROWTYPE ;
    monitor_rec      MONITOR%ROWTYPE ;
    database_rec     DATABASE%ROWTYPE ;
    sql_stmt         VARCHAR2(1000) ;
    ret_val          INTEGER ;
    cursor_id        INTEGER ;
    c_get_data       INTEGER ;
    temp_clause      VARCHAR2(256) ;

BEGIN
    /* Open list of monitors for processing */
    OPEN C_DB_MONITOR(DBID);
    LOOP
        FETCH C_DB_MONITOR INTO db_monitor_rec;
        EXIT WHEN C_DB_MONITOR%NOTFOUND ;

        /* If the current monitor is active, then process */
        IF db_monitor_rec.active_yn = 'Y' THEN

            /* Get monitor record */
            select * into monitor_rec
              from monitor
             where monitor_id = db_monitor_rec.monitor_id ;

            /* Get database record */
            select * into database_rec
              from database
             where db_id = db_monitor_rec.db_id ;

            /* Substitute database and link names into monitor queries.
               REPLACE is case-sensitive, so the monitor text must carry the
               tags exactly as <DB_ID> and <DB_LINK>. */
            monitor_rec.select_clause := REPLACE(monitor_rec.select_clause,
                                                 '<DB_ID>', database_rec.db_id);
            monitor_rec.select_clause := REPLACE(monitor_rec.select_clause,
                                                 '<DB_LINK>', database_rec.db_link);
            monitor_rec.where_clause  := REPLACE(monitor_rec.where_clause,
                                                 '<DB_ID>', database_rec.db_id);

            /* Construct final insert / select statement */
            sql_stmt := monitor_rec.insert_clause ||
                        monitor_rec.select_clause ||
                        monitor_rec.where_clause;

            /* Process first prepare clause */
            if monitor_rec.prepare1_clause is not null then
                /* Substitute database and link names into first prepare statement */
                monitor_rec.prepare1_clause := REPLACE(monitor_rec.prepare1_clause,
                                                       '<DB_ID>', database_rec.db_id);
                monitor_rec.prepare1_clause := REPLACE(monitor_rec.prepare1_clause,
                                                       '<DB_LINK>', database_rec.db_link);
                /* Execute first prepare clause */
                cursor_id := DBMS_SQL.OPEN_CURSOR;
                DBMS_SQL.PARSE(cursor_id, monitor_rec.prepare1_clause, DBMS_SQL.V7);
                ret_val := DBMS_SQL.EXECUTE(cursor_id) ;
                DBMS_SQL.CLOSE_CURSOR(cursor_id);
            end if;

            /* Process second prepare clause */
            if monitor_rec.prepare2_clause is not null then
                /* Substitute database and link names into second prepare statement */
                monitor_rec.prepare2_clause := REPLACE(monitor_rec.prepare2_clause,
                                                       '<DB_ID>', database_rec.db_id);
                monitor_rec.prepare2_clause := REPLACE(monitor_rec.prepare2_clause,
                                                       '<DB_LINK>', database_rec.db_link);
                /* Execute second prepare clause */
                cursor_id := DBMS_SQL.OPEN_CURSOR;
                DBMS_SQL.PARSE(cursor_id, monitor_rec.prepare2_clause, DBMS_SQL.V7);
                ret_val := DBMS_SQL.EXECUTE(cursor_id) ;
                DBMS_SQL.CLOSE_CURSOR(cursor_id);
            end if;

            /* Execute monitor insert / select statement */
            c_get_data := DBMS_SQL.OPEN_CURSOR ;
            DBMS_SQL.PARSE(c_get_data, sql_stmt, DBMS_SQL.V7) ;
            ret_val := DBMS_SQL.EXECUTE(c_get_data) ;
            DBMS_SQL.CLOSE_CURSOR(c_get_data) ;

            /* Process first close clause */
            if monitor_rec.close1_clause is not null then
                /* Substitute database and link names into first close clause */
                monitor_rec.close1_clause := REPLACE(monitor_rec.close1_clause,
                                                     '<DB_ID>', database_rec.db_id);
                monitor_rec.close1_clause := REPLACE(monitor_rec.close1_clause,
                                                     '<DB_LINK>', database_rec.db_link);
                /* Execute first close clause */
                cursor_id := DBMS_SQL.OPEN_CURSOR;
                DBMS_SQL.PARSE(cursor_id, monitor_rec.close1_clause, DBMS_SQL.V7);
                ret_val := DBMS_SQL.EXECUTE(cursor_id) ;
                DBMS_SQL.CLOSE_CURSOR(cursor_id);
            end if;

            /* Process second close clause */
            if monitor_rec.close2_clause is not null then
                /* Substitute database and link names into second close clause */
                monitor_rec.close2_clause := REPLACE(monitor_rec.close2_clause,
                                                     '<DB_ID>', database_rec.db_id);
                monitor_rec.close2_clause := REPLACE(monitor_rec.close2_clause,
                                                     '<DB_LINK>', database_rec.db_link);
                /* Execute second close clause */
                cursor_id := DBMS_SQL.OPEN_CURSOR;
                DBMS_SQL.PARSE(cursor_id, monitor_rec.close2_clause, DBMS_SQL.V7);
                ret_val := DBMS_SQL.EXECUTE(cursor_id) ;
                DBMS_SQL.CLOSE_CURSOR(cursor_id);
            end if;

            commit;
        end if;
    end loop;
    CLOSE C_DB_MONITOR;
END FETCH_DATA;

/* Procedure PARSE_DATA compares the data gathered by FETCH_DATA with the
   criteria designated in the db_monitor_criteria table for the given monitor
   and/or database. First, each piece of raw data is compared to the required,
   forbidden, or suppressed criteria to look for violations. Second, all
   required criteria are compared to the raw data to determine if any are
   missing. Results of the comparison are inserted into the db_monitor_report
   table. Any previous report for the designated database is deleted before
   the comparison begins. */

PROCEDURE PARSE_DATA (DBID in VARCHAR2) AS

    /* Raw data of the active monitors for the requested database(s).
       String comparisons are case-sensitive: ACTIVE_YN is stored as 'Y'. */
    cursor C_DB_MONITOR_RESULT (DB VARCHAR2) is
        select r.*
          from db_monitor_result r, db_monitor m
         where r.db_id like DB
           and r.db_id = m.db_id
           and r.monitor_id = m.monitor_id
           and m.active_yn = 'Y'
         order by r.db_id, r.monitor_id;

    /* Basic (DEFAULT) criteria for a monitor: an exact parameter match
       or the '%' catch-all row */
    cursor C_DB_MONITOR_CRITERIA (MON_ID VARCHAR2, PRM_ID VARCHAR2) is
        select * from db_monitor_criteria
         where db_id = 'DEFAULT' and

               monitor_id = MON_ID and
               parameter in (PRM_ID, '%');

    /* Site-specific suppressions: note that the observed values are the LIKE
       patterns and the SUPPRESSED row's columns are the strings tested */
    cursor C_DB_MONITOR_SUPRESS (DBID VARCHAR2, MON_ID VARCHAR2, PRM_ID VARCHAR2,
                                 VAL1 VARCHAR2, VAL2 VARCHAR2) is
        select * from db_monitor_criteria
         where db_id = DBID
           and monitor_id = MON_ID
           and criteria_type = 'SUPPRESSED'
           and parameter like PRM_ID
           and nvl(value1,'null') like nvl(val1,'null')
           and nvl(value2,'null') like nvl(val2,'null');

    cursor C_DB_MONITOR_REQUIRED is
        select * from db_monitor_criteria
         where db_id = 'DEFAULT'
           and criteria_type = 'REQUIRED';

    cursor C_DB_MONITOR_MISSING (DBID VARCHAR2, MON_ID VARCHAR2, PRM_ID VARCHAR2) is
        select * from db_monitor_report
         where db_id = DBID
           and monitor_id = MON_ID
           and parameter like PRM_ID;

    db_mon_result_rec   DB_MONITOR_RESULT%ROWTYPE ;
    criteria_rec        DB_MONITOR_CRITERIA%ROWTYPE ;
    suppressed_rec      DB_MONITOR_CRITERIA%ROWTYPE ;
    required_rec        DB_MONITOR_CRITERIA%ROWTYPE ;
    missing_rec         DB_MONITOR_REPORT%ROWTYPE ;

BEGIN
    delete from db_monitor_report where db_id like DBID;
    commit;

    /* open set of raw data gathered from database and compare to basic criteria */
    open C_DB_MONITOR_RESULT(DBID);
    loop
        fetch C_DB_MONITOR_RESULT into db_mon_result_rec;
        exit when C_DB_MONITOR_RESULT%NOTFOUND ;

        /* Compare current result record against basic criteria */
        open C_DB_MONITOR_CRITERIA(db_mon_result_rec.monitor_id,
                                   db_mon_result_rec.parameter);
        fetch C_DB_MONITOR_CRITERIA into criteria_rec;

        /* If no criteria is found then current record is EXTRA */
        if C_DB_MONITOR_CRITERIA%NOTFOUND then
            insert into db_monitor_report
                (db_id, monitor_id, run_time, parameter, value1, value2,
                 score, comment_text)
            values
                (db_mon_result_rec.db_id, db_mon_result_rec.monitor_id,
                 db_mon_result_rec.run_time, db_mon_result_rec.parameter,
                 db_mon_result_rec.value1, db_mon_result_rec.value2, 0,
                 'No evaluation criteria exist for this parameter');

        /* If criteria indicates a required value, compare to recorded value */
        elsif criteria_rec.criteria_type = 'REQUIRED' then

            /* If values match or criteria null then OK */
            if (nvl(db_mon_result_rec.value1,'null') like nvl(criteria_rec.value1,'%') and
                nvl(db_mon_result_rec.value2,'null') like nvl(criteria_rec.value2,'%'))
               or (criteria_rec.value1 is null and criteria_rec.value2 is null) then
                insert into db_monitor_report
                    (db_id, monitor_id, run_time, parameter, value1, value2,
                     score, comment_text)
                values
                    (db_mon_result_rec.db_id, db_mon_result_rec.monitor_id,
                     db_mon_result_rec.run_time, db_mon_result_rec.parameter,
                     db_mon_result_rec.value1, db_mon_result_rec.value2, 0, 'OK');

            /* If values do not match then NOT OK or SUPPRESSED */
            else
                /* Check list of suppressed values */
                open C_DB_MONITOR_SUPRESS(db_mon_result_rec.db_id,
                                          db_mon_result_rec.monitor_id,
                                          db_mon_result_rec.parameter,
                                          db_mon_result_rec.value1,
                                          db_mon_result_rec.value2);
                fetch C_DB_MONITOR_SUPRESS into suppressed_rec;

                /* If not on suppressed list then NOT OK */
                if C_DB_MONITOR_SUPRESS%NOTFOUND then
                    insert into db_monitor_report
                        (db_id, monitor_id, run_time, parameter, value1, value2,
                         score, comment_text)
                    values
                        (db_mon_result_rec.db_id, db_mon_result_rec.monitor_id,
                         db_mon_result_rec.run_time, db_mon_result_rec.parameter,
                         db_mon_result_rec.value1, db_mon_result_rec.value2,
                         criteria_rec.score, criteria_rec.comment_text);
                end if;
                close C_DB_MONITOR_SUPRESS;
            end if;

        /* If criteria indicates a forbidden value then compare to recorded value */
        elsif criteria_rec.criteria_type = 'FORBIDDEN' then

            /* If values match or criteria null then NOT OK or SUPPRESSED */
            if (nvl(db_mon_result_rec.value1,'null') like nvl(criteria_rec.value1,'%') and
                nvl(db_mon_result_rec.value2,'null') like nvl(criteria_rec.value2,'%'))
               or (criteria_rec.value1 is null and criteria_rec.value2 is null) then

                /* Check list of suppressed values */
                open C_DB_MONITOR_SUPRESS(db_mon_result_rec.db_id,
                                          db_mon_result_rec.monitor_id,
                                          db_mon_result_rec.parameter,
                                          db_mon_result_rec.value1,
                                          db_mon_result_rec.value2);
                fetch C_DB_MONITOR_SUPRESS into suppressed_rec;

                /* If not on suppressed list then NOT OK */
                if C_DB_MONITOR_SUPRESS%NOTFOUND then
                    insert into db_monitor_report
                        (db_id, monitor_id, run_time, parameter, value1, value2,
                         score, comment_text)
                    values
                        (db_mon_result_rec.db_id, db_mon_result_rec.monitor_id,
                         db_mon_result_rec.run_time, db_mon_result_rec.parameter,
                         db_mon_result_rec.value1, db_mon_result_rec.value2,
                         criteria_rec.score, criteria_rec.comment_text);
                end if;
                close C_DB_MONITOR_SUPRESS;

            /* If values do not match then OK */
            else
                insert into db_monitor_report
                    (db_id, monitor_id, run_time, parameter, value1, value2,
                     score, comment_text)
                values
                    (db_mon_result_rec.db_id, db_mon_result_rec.monitor_id,
                     db_mon_result_rec.run_time, db_mon_result_rec.parameter,
                     db_mon_result_rec.value1, db_mon_result_rec.value2, 0, 'OK');
            end if;
        end if;

        close C_DB_MONITOR_CRITERIA;
    end loop;
    close C_DB_MONITOR_RESULT;

    /* Second pass: every required criteria must have produced a report row */
    open C_DB_MONITOR_REQUIRED;
    loop
        fetch C_DB_MONITOR_REQUIRED into required_rec;
        exit when C_DB_MONITOR_REQUIRED%NOTFOUND ;

        /* Compare current required criteria against result records from database */
        open C_DB_MONITOR_MISSING(DBID, required_rec.monitor_id, required_rec.parameter);
        fetch C_DB_MONITOR_MISSING into missing_rec;

        /* If no matching record is found then criteria is MISSING or SUPPRESSED */
        if C_DB_MONITOR_MISSING%NOTFOUND then
            open C_DB_MONITOR_SUPRESS(DBID, required_rec.monitor_id,
                                      required_rec.parameter, '%', '%');
            fetch C_DB_MONITOR_SUPRESS into suppressed_rec;

            /* If not on suppressed list then MISSING */
            if C_DB_MONITOR_SUPRESS%NOTFOUND then
                insert into db_monitor_report
                    (db_id, monitor_id, run_time, parameter, value1, value2,
                     score, comment_text)
                values
                    (DBID, required_rec.monitor_id, sysdate, required_rec.parameter,
                     required_rec.value1, required_rec.value2,
                     required_rec.score, required_rec.comment_text);
            end if;
            close C_DB_MONITOR_SUPRESS;
        end if;
        close C_DB_MONITOR_MISSING;
    end loop;
    close C_DB_MONITOR_REQUIRED;

    commit;
END PARSE_DATA;

END GUARD_DOG;
/

GuardDog Configuration

Standard Monitors:

/* Script 5: GuardDog Standard Monitors

   This script creates the GuardDog standard monitors. A definition for each
   monitor is inserted into the MONITOR table. You may wish to modify these
   monitors to meet specific requirements of your system. For example, by
   default each monitor deletes the data selected in its last run before
   beginning a new one.

   The substitution tags must be written exactly as <DB_ID> and <DB_LINK>,
   because FETCH_DATA replaces them with a case-sensitive REPLACE. In a few
   select clauses below the view names after FROM did not survive in the
   source text and only the aliases remain (for example "from u, p"); they
   are left as they appear. */

/* The IDLE_TIME monitor selects the idle time for each user */
insert into monitor

    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('IDLE_TIME', 'User Idle Time Limit',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''IDLE_TIME'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1) ',
     'select ''<DB_ID>'', ''IDLE_TIME'', sysdate, u.username, p.limit from u, p ',
     'where u.profile = p.profile and p.resource_name=''IDLE_TIME'' ',
     'commit ',
     '',
     'User Idle Time
      - Idle time must be set for all database users
      - The Oracle "default" profile must be altered or a new profile created');

/* The INIT_PARAM monitor selects all initialization parameters for the instance */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('INIT_PARAM', 'Initialization Parameters',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''INIT_PARAM'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2) ',
     'select ''<DB_ID>'', ''INIT_PARAM'', sysdate, name, value, isdefault from v$parameter@<DB_LINK> ',
     ' ',
     'commit ',
     '',
     'Initialization Parameters
      - The UTL_FILE_DIR parameter must not be set to "*"
      - The audit_trail parameter must be set to "db"
      - The resource_limit parameter must be set to "true"
      - The remote_os_authent parameter must be set to "false"
      - The remote_os_roles parameter must be set to "false"
      - The os_roles parameter must be set to "false"
      - The dblink_encrypt_login parameter must be set to "true"');

/* The OBJ_PRIVS1 monitor selects Alter and References privileges granted to
   users other than SYS and SYSTEM */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('OBJ_PRIVS1', 'Object Privileges Granted to Users',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''OBJ_PRIVS1'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2)',
     'select ''<DB_ID>'', ''OBJ_PRIVS1'', sysdate, t.grantee, t.owner || ''.'' || t.table_name, t.privilege from t, u ',
     'where (u.username = t.grantee or t.grantee = ''PUBLIC'') and t.privilege in (''ALTER'',''REFERENCES'') and t.grantee not in (''SYS'',''SYSTEM'') ',
     'commit ',
     '',
     'Object Privileges
      - No application user may be granted "ALTER" object privilege
      - No application user may be granted "REFERENCES" object privilege');

/* The OBJ_PRIVS2 monitor selects Alter and References privileges granted to
   non-standard roles */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('OBJ_PRIVS2', 'Object Privileges Granted to Roles',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''OBJ_PRIVS2'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2) ',
     'select ''<DB_ID>'', ''OBJ_PRIVS2'', sysdate, t.grantee, t.owner || ''.'' || t.table_name, t.privilege from dba_tab_privs@<DB_LINK> t, dba_roles@<DB_LINK> r ',
     'where r.role = t.grantee and t.privilege in (''ALTER'',''REFERENCES'') and r.role not in (''DBA'',''RESOURCE'',''IMP_FULL_DATABASE'',''EXP_FULL_DATABASE'',''CONNECT'') ',
     'commit ',
     '',
     'Object Privileges
      - No application user may be granted "ALTER" object privilege
      - No application user may be granted "REFERENCES" object privilege');

/* The ORACLE_ROLES monitor selects standard Oracle roles that are granted to
   users other than SYS, SYSTEM, and DBA */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('ORACLE_ROLES', 'Oracle Roles Granted to Users and Roles',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''ORACLE_ROLES'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1) ',
     'select ''<DB_ID>'', ''ORACLE_ROLES'', sysdate, r.grantee, r.granted_role from r ',
     'where r.granted_role in (''DBA'',''EXP_FULL_DATABASE'',''IMP_FULL_DATABASE'',''OSOPER'',''OSDBA'') and r.grantee not in (''SYS'',''SYSTEM'',''DBA'') ',
     'commit ',
     '',
     'Oracle Predefined Roles
      - No application user may be granted DBA, EXP_FULL_DATABASE, IMP_FULL_DATABASE
      - These roles must not be granted to PUBLIC');

/* The SYS_ADMIN1 monitor selects users with ADMIN privileges on system/object privileges */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('SYS_ADMIN1', 'Users with ADMIN on System/Object Privileges',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''SYS_ADMIN1'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2) ',
     'select ''<DB_ID>'', ''SYS_ADMIN1'', sysdate, p.grantee, p.privilege, p.admin_option from dba_sys_privs@<DB_LINK> p, dba_users@<DB_LINK> u ',
     'where (u.username = p.grantee or p.grantee=''PUBLIC'') and p.admin_option=''YES'' and p.grantee not in (''SYS'',''SYSTEM'') ',
     'commit ',
     '',
     'Oracle Privilege Administration
      - No application user may have ADMIN option of any system or object privilege
      - No application user may have ADMIN option on any predefined role');

/* The SYS_ADMIN2 monitor selects users with ADMIN privileges on standard roles */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('SYS_ADMIN2', 'Users with ADMIN on Oracle Predefined Roles',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''SYS_ADMIN2'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2) ',
     'select ''<DB_ID>'', ''SYS_ADMIN2'', sysdate, r.grantee, r.granted_role, r.admin_option from dba_role_privs@<DB_LINK> r, dba_users@<DB_LINK> u ',
     'where u.username = r.grantee and r.granted_role in (''DBA'',''RESOURCE'',''IMP_FULL_DATABASE'',''EXP_FULL_DATABASE'',''CONNECT'',''SNMPAGENT'') and r.admin_option=''YES'' and r.grantee not in (''SYS'',''SYSTEM'') ',
     'commit ',
     '',
     'Oracle Privilege Administration

      - No application user may have ADMIN option of any system or object privilege
      - No application user may have ADMIN option on any predefined role');

/* The SYS_AUDIT2 monitor selects statement level audits that have been enabled */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('SYS_AUDIT2', 'Audit Statement Options',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''SYS_AUDIT2'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2) ',
     'select ''<DB_ID>'', ''SYS_AUDIT2'', sysdate, audit_option, success, failure from dba_stmt_audit_opts@<DB_LINK> ',
     ' ',
     'commit ',
     '',
     'Mandatory Auditing');

/* The SYS_PRIVS1 monitor selects system privileges granted to users other than
   SYS and SYSTEM */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('SYS_PRIVS1', 'System Privileges Granted to Users',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''SYS_PRIVS1'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1) ',
     'select ''<DB_ID>'', ''SYS_PRIVS1'', sysdate, p.grantee, p.privilege from dba_sys_privs@<DB_LINK> p, dba_users@<DB_LINK> u ',
     'where (u.username = p.grantee or p.grantee=''PUBLIC'') and p.grantee not in (''SYS'',''SYSTEM'',''DBSNMP'') ',
     'commit ',
     '',
     'System Privileges
      - Oracle system privileges must not be granted to PUBLIC
      - No "ANY" system privilege may be granted to an application user
      - No application user may have ALTER USER privilege
      - No application user may be allowed to disable auditing');

/* The SYS_PRIVS2 monitor selects system privileges granted to non-standard roles */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('SYS_PRIVS2', 'System Privileges Granted to Roles',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''SYS_PRIVS2'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1) ',
     'select ''<DB_ID>'', ''SYS_PRIVS2'', sysdate, p.grantee, p.privilege from p, r ',
     'where r.role = p.grantee and r.role not in (''DBA'',''RESOURCE'',''IMP_FULL_DATABASE'',''EXP_FULL_DATABASE'',''CONNECT'',''SNMPAGENT'') ',
     'commit ',
     '',
     'System Privileges
      - Oracle system privileges must not be granted to PUBLIC
      - No "ANY" system privilege may be granted to an application user
      - No application user may have ALTER USER privilege
      - No application user may be allowed to disable auditing');

/* The APP_ROLES1 monitor selects all non-standard (application) roles */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('APP_ROLES1', 'Non-Predefined Roles',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''APP_ROLES1'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1) ',
     'select ''<DB_ID>'', ''APP_ROLES1'', sysdate, r.role, r.password_required from dba_roles@<DB_LINK> r ',
     'where r.role not in (''DBA'',''RESOURCE'',''IMP_FULL_DATABASE'',''EXP_FULL_DATABASE'',''CONNECT'',''SNMPAGENT'') ',
     'commit ',
     '',
     'Application Roles
      - Every application must create distinct roles containing all necessary privileges for application users and administrators
      - All roles created and used by an application must be password protected
      - All application users must be granted the appropriate application role
      - No user may have an application role assigned as the default role');

/* The APP_ROLES2 monitor selects all users assigned to non-standard roles */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('APP_ROLES2', 'Users Assigned to Non-Predefined Roles',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''APP_ROLES2'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2) ',
     'select ''<DB_ID>'', ''APP_ROLES2'', sysdate, r.grantee, r.granted_role, r.admin_option from r, u ',
     'where u.username = r.grantee and r.granted_role not in (''DBA'',''RESOURCE'',''IMP_FULL_DATABASE'',''EXP_FULL_DATABASE'',''CONNECT'',''SNMPAGENT'') ',
     'commit ',
     '',
     'Application Roles
      - Every application must create distinct roles containing all necessary privileges for application users and administrators
      - All roles created and used by an application must be password protected
      - All application users must be granted the appropriate application role
      - No user may have an application role assigned as the default role');

/* The OPS_USERS monitor selects all users that are authenticated externally */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('OPS_USERS', 'Users Using External Authentication',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''OPS_USERS'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1) ',
     'select ''<DB_ID>'', ''OPS_USERS'', sysdate, username, password from dba_users@<DB_LINK> ',
     'where password=''EXTERNAL'' ',
     'commit ',
     '',
     'OPS$ Accounts
      - OPS$ accounts should not be used.');

/* The SYS_AUDIT1 monitor selects the location of the AUD$ table */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('SYS_AUDIT1', 'Audit Trail Location',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''SYS_AUDIT1'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1) ',
     'select ''<DB_ID>'', ''SYS_AUDIT1'', sysdate, owner || ''.'' || table_name, tablespace_name from dba_tables@<DB_LINK> ',
     'where table_name=''AUD$'' and owner like ''SYS%'' ',
     'commit ',
     '',

     'Database Auditing Configuration
      - The audit trail must be created in a separate and individual tablespace, it cannot be stored in the SYSTEM tablespace.');

/* The SYS_AUDIT3 monitor selects all objects which are not audited for rename actions */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('SYS_AUDIT3', 'Audit Object Rename Options',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''SYS_AUDIT3'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2) ',
     'select ''<DB_ID>'', ''SYS_AUDIT3'', sysdate, owner, object_name, object_type from dba_obj_audit_opts@<DB_LINK> ',
     'where ren = ''-/-'' ',
     'commit ',
     '',
     'Mandatory Auditing');

/* The SYS_AUDIT4 monitor selects the object level auditing options enabled on AUD$ */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('SYS_AUDIT4', 'Audit AUD$ Options',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''SYS_AUDIT4'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2) ',
     'select ''<DB_ID>'', ''SYS_AUDIT4'', sysdate, owner || ''.'' || object_name, object_type, alt || aud || com || del || gra || ind || ins || loc || ren || sel || upd || ref || exe from dba_obj_audit_opts@<DB_LINK> ',
     'where owner like ''SYS%'' and object_name=''AUD$'' and object_type=''TABLE'' ',
     'commit ',
     '',
     'Mandatory Auditing');

/* The SYS_AUDIT5 monitor selects all privilege level audits enabled in the instance */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('SYS_AUDIT5', 'Audit Privilege Options',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''SYS_AUDIT5'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1, value2) ',
     'select ''<DB_ID>'', ''SYS_AUDIT5'', sysdate, privilege, success, failure from ',
     ' ',
     'commit ',
     '',
     'Mandatory Auditing');

/* The UTL_FILE monitor selects all users with EXECUTE privileges on the UTL_FILE package */
insert into monitor
    (monitor_id, name, prepare1_clause, prepare2_clause, insert_clause,
     select_clause, where_clause, close1_clause, close2_clause, comment_text)
values
    ('UTL_FILE', 'Execute Privileges on UTL_FILE',
     'delete from db_monitor_result where db_id=''<DB_ID>'' and monitor_id=''UTL_FILE'' ',
     '',
     'insert into db_monitor_result (db_id, monitor_id, run_time, parameter, value1) ',
     'select ''<DB_ID>'', ''UTL_FILE'', sysdate, grantee, table_name from ',
     'where table_name=''UTL_FILE'' ',
     'commit ',
     '',
     'Stored Procedures
      - The UTL_FILE package must not be granted to PUBLIC');

Standard Criteria:

/* Script 6: GuardDog Standard Criteria

   This script creates the GuardDog standard criteria. A definition for each
   criteria is inserted into the DB_MONITOR_CRITERIA table. You may wish to
   modify these criteria to meet specific requirements of your system. For
   instance, you may wish to change the "score" for each violation.

   Each insert names the DB_MONITOR_CRITERIA columns in the order PARSE_DATA
   reads them: db_id, monitor_id, criteria_type, parameter, value1, value2,
   score, comment_text. The head of each statement was lost in the source
   text and has been restored from that column list. */

/* Check users for unlimited idle time */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','IDLE_TIME','FORBIDDEN','%','UNLIMITED','','5',
        'User has no idle timeout');

/* Make sure the audit_trail parameter is set to "db" */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','INIT_PARAM','REQUIRED','audit_trail','DB','FALSE','10',
        'The audit_trail parameter must be set to ''db'' ');

/* Make sure the utl_file_dir parameter is not set to "*" */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','INIT_PARAM','FORBIDDEN','utl_file_dir','*','','10',
        'UTL_FILE_DIR is set to ''*'' ');

/* Make sure the remote_os_authent parameter is set to "false" */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','INIT_PARAM','REQUIRED','remote_os_authent','FALSE','TRUE','10',
        'The remote_os_authent parameter must be set to ''false'' ');

/* Make sure the resource_limit parameter is set to "true" */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','INIT_PARAM','REQUIRED','resource_limit','TRUE','FALSE','10',
        'The resource_limit parameter must be set to ''true'' ');

/* Make sure the os_roles parameter is set to "false" */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','INIT_PARAM','REQUIRED','os_roles','FALSE','TRUE','10',
        'The os_roles parameter must be set to ''false'' ');

/* Make sure the dblink_encrypt_login parameter is set to "true" */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','INIT_PARAM','REQUIRED','dblink_encrypt_login','TRUE','FALSE','10',
        'The dblink_encrypt_login parameter must be set to ''true'' ');

/* Make sure the remote_os_roles parameter is set to "false" */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','INIT_PARAM','REQUIRED','remote_os_roles','FALSE','TRUE','10',
        'The remote_os_roles parameter must be set to ''false'' ');

/* Check for any users assigned Alter or References privileges */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','OBJ_PRIVS1','FORBIDDEN','%','','','10',
        'User has ALTER or REFERENCES privilege');

/* Check for any roles assigned Alter or References privileges */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','OBJ_PRIVS2','FORBIDDEN','%','','','5',
        'Role has ALTER or REFERENCES privilege');

/* Check for any users assigned default Oracle roles */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','ORACLE_ROLES','FORBIDDEN','%','','','10',
        'User/Role has restricted role');

/* Check for users with Admin privileges on system privileges/objects */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','SYS_ADMIN1','FORBIDDEN','%','','','10',
        'User has ADMIN option on privilege/object');

/* Check for users with Admin privileges on default Oracle roles */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','SYS_ADMIN2','FORBIDDEN','%','','','10',
        'User has ADMIN option on restricted role');

/* Check for required statement level audits */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','SYS_AUDIT2','REQUIRED','ALTER SYSTEM','','','10',
        'The ALTER SYSTEM statement must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','SYS_AUDIT2','REQUIRED','NOT EXISTS','','','10',
        'The NOT EXISTS statement must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','SYS_AUDIT2','REQUIRED','SYSTEM AUDIT','','','10',
        'The SYSTEM AUDIT statement must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2, score, comment_text)
values ('DEFAULT','SYS_AUDIT2','REQUIRED','TABLESPACE','','','10',
        'The TABLESPACE statement must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT2','REQUIRED','TABLE','','','10',
'The TABLE statement must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT2','REQUIRED',
'DROP DATABASE LINK','','','5','The DROP DATABASE LINK privilege must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT2','REQUIRED',
'GRANT TABLE','','','5','The GRANT TABLE privilege must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT2','REQUIRED',
'DELETE TABLE','','','5','The DELETE TABLE privilege must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT2','REQUIRED',
'CREATE SESSION','','','10','The CREATE SESSION statement must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT2','REQUIRED','USER','','','10',
'The USER statement must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT2','REQUIRED',
'SYSTEM GRANT','','','10','The SYSTEM GRANT statement must be audited');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT2','REQUIRED','INDEX','','','10',
'The INDEX statement must be audited');

/* Check for password protection on application roles */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','APP_ROLES1','REQUIRED','%','YES','','10',
'Application role is not password protected or missing');

/* Check for default enable on application roles, roles with no users assigned */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','APP_ROLES2','REQUIRED','%','','NO','5',
'No users assigned to application roles or role is enabled by default');

/* Check for users authenticated externally */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','OPS_USERS','FORBIDDEN','%','','','5',
'User is authenticated externally');

/* Check for presence of AUD$ in the SYSTEM tablespace */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT1','FORBIDDEN','%','SYSTEM','','10',
'The audit trail table is located in the SYSTEM tablespace');

/* Check for objects not audited for rename */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT3','FORBIDDEN','%','','','1',
'This object is not audited for RENAME');

/* Check for access level audits on the AUD$ table */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_AUDIT4','REQUIRED','%','TABLE',
'A/AA/AA/AA/AA/AA/AA/AA/AA/AA/AA/A-//-','10','The audit trail table AUD$ must be audited');

/* Check for required privilege level audits */
/* Only the parameter, value1, value2, score and comment_text values of the following
   rows survive in the source text; the db_id, monitor_id and criteria_type columns
   of each insert are not shown. */
'ANALYZE ANY','','','5','The ANALYZE ANY privilege must be audited');

'SELECT ANY SEQUENCE','','','5','The SELECT ANY SEQUENCE privilege must be audited');
'DROP ANY SEQUENCE','','','5','The DROP ANY SEQUENCE privilege must be audited');
'ALTER ANY SEQUENCE','','','5','The ALTER ANY SEQUENCE privilege must be audited');
'CREATE ANY SEQUENCE','','','5','The CREATE ANY SEQUENCE privilege must be audited');
'CREATE SESSION','','','5','The CREATE SESSION privilege must be audited');
'RESTRICTED SESSION','','','5','The RESTRICTED SESSION privilege must be audited');
'DROP ROLLBACK SEGMENT','','','5','The DROP ROLLBACK SEGMENT privilege must be audited');
'GRANT ANY ROLE','','','5','The GRANT ANY ROLE privilege must be audited');
'MANAGE TABLESPACE','','','5','The MANAGE TABLESPACE privilege must be audited');
'DELETE ANY TABLE','','','5','The DELETE ANY TABLE privilege must be audited');
'UPDATE ANY TABLE','','','5','The UPDATE ANY TABLE privilege must be audited');
'INSERT ANY TABLE','','','5','The INSERT ANY TABLE privilege must be audited');
'SELECT ANY TABLE','','','5','The SELECT ANY TABLE privilege must be audited');
'COMMENT ANY TABLE','','','5','The COMMENT ANY TABLE privilege must be audited');
'LOCK ANY TABLE','','','5','The LOCK ANY TABLE privilege must be audited');
'DROP ANY TABLE','','','5','The DROP ANY TABLE privilege must be audited');
'DROP PUBLIC SYNONYM','','','5','The DROP PUBLIC SYNONYM privilege must be audited');
'CREATE PUBLIC SYNONYM','','','5','The CREATE PUBLIC SYNONYM privilege must be audited');

'CREATE PUBLIC DATABASE LINK','','','5','The CREATE PUBLIC DATABASE LINK privilege must be audited');
'CREATE DATABASE LINK','','','5','The CREATE DATABASE LINK privilege must be audited');
'DROP ANY VIEW','','','5','The DROP ANY VIEW privilege must be audited');
'CREATE ANY VIEW','','','5','The CREATE ANY VIEW privilege must be audited');
'DROP USER','','','5','The DROP USER privilege must be audited');
'ALTER USER','','','5','The ALTER USER privilege must be audited');
'BECOME USER','','','5','The BECOME USER privilege must be audited');
'CREATE USER','','','5','The CREATE USER privilege must be audited');
'DROP ANY TRIGGER','','','5','The DROP ANY TRIGGER privilege must be audited');
'ALTER ANY TRIGGER','','','5','The ALTER ANY TRIGGER privilege must be audited');
'CREATE ANY TRIGGER','','','5','The CREATE ANY TRIGGER privilege must be audited');
'FORCE ANY TRANSACTION','','','5','The FORCE ANY TRANSACTION privilege must be audited');
'FORCE TRANSACTION','','','5','The FORCE TRANSACTION privilege must be audited');
'UNLIMITED TABLESPACE','','','5','The UNLIMITED TABLESPACE privilege must be audited');
'BACKUP ANY TABLE','','','5','The BACKUP ANY TABLE privilege must be audited');
'ALTER ANY TABLE','','','5','The ALTER ANY TABLE privilege must be audited');
'CREATE ANY TABLE','','','5','The CREATE ANY TABLE privilege must be audited');
'ALTER SYSTEM','','','5','The ALTER SYSTEM privilege must be audited');
'DROP ANY SYNONYM','','','5','The DROP ANY SYNONYM privilege must be audited');

'CREATE ANY SYNONYM','','','5','The CREATE ANY SYNONYM privilege must be audited');
'DROP ANY SNAPSHOT','','','5','The DROP ANY SNAPSHOT privilege must be audited');
'ALTER ANY SNAPSHOT','','','5','The ALTER ANY SNAPSHOT privilege must be audited');
'DROP ANY ROLE','','','5','The DROP ANY ROLE privilege must be audited');
'ALTER ANY ROLE','','','5','The ALTER ANY ROLE privilege must be audited');
'DROP PUBLIC SYNONYM','','','5','The DROP PUBLIC SYNONYM privilege must be audited');
'DROP PUBLIC DATABASE LINK','','','5','The DROP PUBLIC DATABASE LINK privilege must be audited');
'ALTER RESOURCE COST','','','5','The ALTER RESOURCE COST privilege must be audited');
'DROP PROFILE','','','5','The DROP PROFILE privilege must be audited');
'ALTER PROFILE','','','5','The ALTER PROFILE privilege must be audited');
'CREATE PROFILE','','','5','The CREATE PROFILE privilege must be audited');
'EXECUTE ANY PROCEDURE','','','5','The EXECUTE ANY PROCEDURE privilege must be audited');
'DROP ANY PROCEDURE','','','5','The DROP ANY PROCEDURE privilege must be audited');
'ALTER ANY PROCEDURE','','','5','The ALTER ANY PROCEDURE privilege must be audited');
'CREATE ANY PROCEDURE','','','5','The CREATE ANY PROCEDURE privilege must be audited');
'GRANT ANY PRIVILEGE','','','5','The GRANT ANY PRIVILEGE privilege must be audited');
'DROP ANY INDEX','','','5','The DROP ANY INDEX privilege must be audited');
'ALTER ANY INDEX','','','5','The ALTER ANY INDEX privilege must be audited');

'CREATE ANY INDEX','','','5','The CREATE ANY INDEX privilege must be audited');
'ALTER ANY CLUSTER','','','5','The ALTER ANY CLUSTER privilege must be audited');
'DROP ANY CLUSTER','','','5','The DROP ANY CLUSTER privilege must be audited');
'AUDIT ANY','','','5','The AUDIT ANY privilege must be audited');
'ALTER DATABASE','','','5','The ALTER DATABASE privilege must be audited');

/* Check for users with restricted privileges */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_PRIVS1','FORBIDDEN','%','','','10',
'User has restricted privilege');

/* Check for roles with restricted privileges */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','SYS_PRIVS2','FORBIDDEN','%','','','5',
'Role has restricted privilege');

/* Check for users with Execute privileges on UTL_FILE */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('DEFAULT','UTL_FILE','FORBIDDEN','%','','','5',
'User has EXECUTE on UTL_FILE');

Sample Criteria Exceptions: Provided as an example of how to define exceptions for an actual database.

/* Script 7: GuardDog Sample Criteria Exceptions

   This script is a sample of rows that can be inserted into the DB_MONITOR_CRITERIA
   table to suppress violations from the final report or explain exceptions to basic
   security policy. Use these samples as a guide to creating your own exceptions.
   Note that the score column for each exception is set to "0". */

/* The following two exceptions are for users who have been granted standard Oracle
   roles like DBA and EXP_FULL_DATABASE */
insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('TEST_DB','ORACLE_ROLES','SUPPRESSED','FRED1','DBA','','0',
'FRED1 is an authorized DBA account');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('TEST_DB','ORACLE_ROLES','SUPPRESSED','OPS$ORACLE','EXP_FULL_DATABASE','','0',
'OPS$ORACLE is used to perform automated backups');

/* The following three exceptions are for users with special system privileges */

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('TEST_DB','SYS_PRIVS1','SUPPRESSED','OPS$ORACLE','SELECT ANY TABLE','','0',
'OPS$ORACLE is used to perform automated DBA procedures');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('TEST_DB','SYS_PRIVS1','SUPPRESSED','CONSOLE1','UNLIMITED TABLESPACE','','0',
'CONSOLE1 is an authorized DBA account');

insert into db_monitor_criteria (db_id, monitor_id, criteria_type, parameter, value1, value2,
score, comment_text) values ('TEST_DB','SYS_PRIVS1','SUPPRESSED','EAGLE1','CREATE SESSION','','0',
'EAGLE1 is used to perform automated DBA procedures');

GuardDog Reports

On Screen and ASCII File Reports

PL/SQL Package:

/* Script 3: GuardDog Report PL/SQL Package

   This script creates the GUARD_DOG_REPORT package which produces the basic GuardDog
   evaluation reports. This package requires that all of the GuardDog objects have
   already been created using Script 1. This script should be run in the GuardDog
   schema, although you may grant execute privileges on this package to other users.

   The GUARD_DOG_REPORT package is composed of two procedures. PRINT_RPT produces the
   print-to-screen version of the report. PRINT_FILE produces the write-to-file
   version of the report. */

CREATE OR REPLACE PACKAGE GUARD_DOG_REPORT AS
  procedure print_rpt (DBID in VARCHAR2);
  procedure print_file (DBID in VARCHAR2, FILENM in VARCHAR2, FILEPATH in VARCHAR2);
END GUARD_DOG_REPORT;
/

CREATE OR REPLACE PACKAGE BODY GUARD_DOG_REPORT AS

/* Procedure PRINT_RPT retrieves and formats the data in the db_monitor_report table
   for the designated database. To view the report, you must set SERVEROUTPUT on in
   SQL*Plus, Server Manager, or SQL Worksheet. */

PROCEDURE PRINT_RPT (DBID in VARCHAR2) AS

  cursor C_DB_MONITOR_SECTION is

    select distinct substr(m.comment_text,1,500)
    from monitor m, db_monitor d
    where m.monitor_id = d.monitor_id and d.active_yn='y';

  cursor C_DB_MONITOR_PARA (COMMENT_TXT VARCHAR2) is
    select * from monitor where substr(comment_text,1,500)=comment_txt;

  cursor C_DB_MONITOR_REPORT (DBID VARCHAR2, MON_ID VARCHAR2) is
    select * from db_monitor_report
    where db_id=dbid and monitor_id=mon_id
    and comment_text <> 'No evaluation criteria exist for this parameter';

  /* Exception rows are stored with criteria_type 'SUPPRESSED' (see Script 7);
     the comparison is case sensitive, so the literal must match the inserts. */
  cursor C_DB_MONITOR_SUPRESS (DBID VARCHAR2, MON_ID VARCHAR2) is
    select * from db_monitor_criteria
    where db_id=dbid and monitor_id=mon_id and criteria_type='SUPPRESSED';

  monitor_rec     MONITOR%ROWTYPE;
  report_rec      DB_MONITOR_REPORT%ROWTYPE;
  supress_rec     DB_MONITOR_CRITERIA%ROWTYPE;
  section_header  varchar2(500);
  pos             number;
  rpt_date        varchar2(30);
  audit_score     number;

BEGIN

  select to_char(max(run_time),'dd-mon-yy HH24:MI:SS') into rpt_date
  from db_monitor_result where db_id=dbid;

  /* Print report header */
  dbms_output.put_line('Audit Evaluation Summary Report for ' || DBID);
  dbms_output.put_line('As of: ' || rpt_date);
  dbms_output.new_line;

  /* Get list of section headers (comments in monitor table) */
  open C_DB_MONITOR_SECTION;
  loop
    fetch C_DB_MONITOR_SECTION into section_header;
    exit when C_DB_MONITOR_SECTION%NOTFOUND;

    /* Print section header (split at the first line break after position 200) */
    pos := instr(section_header,chr(10),200);
    dbms_output.put_line(substr(section_header,1,pos-1));
    dbms_output.put_line(substr(section_header,pos+1,pos+255));
    dbms_output.new_line;

    /* Get list of monitors that belong in section */
    open C_DB_MONITOR_PARA(section_header);
    loop
      fetch C_DB_MONITOR_PARA into monitor_rec;
      exit when C_DB_MONITOR_PARA%NOTFOUND;

      /* Get report data for each monitor */
      open C_DB_MONITOR_REPORT (DBID, monitor_rec.monitor_id);
      loop
        fetch C_DB_MONITOR_REPORT into report_rec;
        exit when C_DB_MONITOR_REPORT%NOTFOUND;

        /* Print formatted report data for current monitor */
        dbms_output.put_line (rpad(nvl(substr(report_rec.parameter,1,30),' '),33) ||
                              rpad(nvl(substr(report_rec.value1,1,20),' '),23) ||
                              rpad(nvl(substr(report_rec.value2,1,20),' '),23) ||
                              substr(report_rec.comment_text,1,100));
      end loop;
      close C_DB_MONITOR_REPORT;
      dbms_output.new_line;

      open C_DB_MONITOR_SUPRESS (DBID, monitor_rec.monitor_id);
      loop
        fetch C_DB_MONITOR_SUPRESS into supress_rec;
        exit when C_DB_MONITOR_SUPRESS%NOTFOUND;

        /* Print formatted suppressed exceptions for current monitor */
        dbms_output.put_line (rpad(nvl(substr(supress_rec.parameter,1,30),' '),33) ||
                              rpad(nvl(substr(supress_rec.value1,1,20),' '),23) ||
                              rpad(nvl(substr(supress_rec.value2,1,20),' '),23) ||
                              substr(supress_rec.comment_text,1,100));
      end loop;
      close C_DB_MONITOR_SUPRESS;
      dbms_output.new_line;

    end loop;
    close C_DB_MONITOR_PARA;
    dbms_output.new_line;

    /* Display section total vulnerability score */
    select sum(score) into audit_score
    from db_monitor_report r, monitor m
    where r.db_id=dbid and r.monitor_id=m.monitor_id and

          m.comment_text=section_header;
    dbms_output.put_line(' Section Score: ' || nvl(audit_score,'0'));
    dbms_output.new_line;

  end loop;
  /* Close the section cursor so the procedure can be called again in the same session */
  close C_DB_MONITOR_SECTION;

  /* Display database total vulnerability score */
  select sum(score) into audit_score from db_monitor_report where db_id=dbid;
  dbms_output.put_line('Total Score: ' || nvl(audit_score,'0'));
  dbms_output.new_line;

END PRINT_RPT;

/* Procedure PRINT_FILE retrieves and formats the data in the db_monitor_report table
   for the designated database. The report is written directly into a specified file
   by the UTL_FILE package. */

PROCEDURE PRINT_FILE (DBID in VARCHAR2, FILENM in VARCHAR2, FILEPATH in VARCHAR2) AS

  file_handle UTL_FILE.FILE_TYPE;

  cursor C_DB_MONITOR_SECTION is
    select distinct substr(m.comment_text,1,500)
    from monitor m, db_monitor d
    where m.monitor_id = d.monitor_id and d.active_yn='y';

  cursor C_DB_MONITOR_PARA (COMMENT_TXT VARCHAR2) is
    select * from monitor where substr(comment_text,1,500)=comment_txt;

  cursor C_DB_MONITOR_REPORT (DBID VARCHAR2, MON_ID VARCHAR2) is
    select * from db_monitor_report
    where db_id=dbid and monitor_id=mon_id
    and comment_text <> 'No evaluation criteria exist for this parameter';

  cursor C_DB_MONITOR_SUPRESS (DBID VARCHAR2, MON_ID VARCHAR2) is
    select * from db_monitor_criteria
    where db_id=dbid and monitor_id=mon_id and criteria_type='SUPPRESSED';

  monitor_rec     MONITOR%ROWTYPE;
  report_rec      DB_MONITOR_REPORT%ROWTYPE;
  supress_rec     DB_MONITOR_CRITERIA%ROWTYPE;
  section_header  varchar2(500);
  pos             number;
  rpt_date        varchar2(30);

  audit_score     number;

BEGIN

  /* Open file for output */
  file_handle := utl_file.fopen (FILEPATH,FILENM,'W');

  select to_char(max(run_time),'dd-mon-yy HH24:MI:SS') into rpt_date
  from db_monitor_result where db_id=dbid;

  /* Print report header */
  utl_file.put_line(file_handle,'Audit Evaluation Summary Report for ' || DBID);
  utl_file.put_line(file_handle,'As of: ' || rpt_date);
  utl_file.new_line(file_handle);

  /* Get list of section headers (comments in monitor table) */
  open C_DB_MONITOR_SECTION;
  loop
    fetch C_DB_MONITOR_SECTION into section_header;
    exit when C_DB_MONITOR_SECTION%NOTFOUND;

    /* Print section header */
    pos := instr(section_header,chr(10),200);
    utl_file.put_line(file_handle,substr(section_header,1,pos-1));
    utl_file.put_line(file_handle,substr(section_header,pos+1,pos+255));
    utl_file.new_line(file_handle);

    /* Get list of monitors that belong in section */
    open C_DB_MONITOR_PARA(section_header);
    loop
      fetch C_DB_MONITOR_PARA into monitor_rec;
      exit when C_DB_MONITOR_PARA%NOTFOUND;

      /* Get report data for each monitor */
      open C_DB_MONITOR_REPORT (DBID, monitor_rec.monitor_id);
      loop
        fetch C_DB_MONITOR_REPORT into report_rec;
        exit when C_DB_MONITOR_REPORT%NOTFOUND;

        /* Print formatted report data for current monitor */
        utl_file.put_line (file_handle,
                           rpad(nvl(substr(report_rec.parameter,1,30),' '),33) ||
                           rpad(nvl(substr(report_rec.value1,1,20),' '),23) ||

                           rpad(nvl(substr(report_rec.value2,1,20),' '),23) ||
                           substr(report_rec.comment_text,1,100));
      end loop;
      close C_DB_MONITOR_REPORT;
      utl_file.new_line(file_handle);

      open C_DB_MONITOR_SUPRESS (DBID, monitor_rec.monitor_id);
      loop
        fetch C_DB_MONITOR_SUPRESS into supress_rec;
        exit when C_DB_MONITOR_SUPRESS%NOTFOUND;

        /* Print formatted suppressed exceptions for current monitor */
        utl_file.put_line (file_handle,
                           rpad(nvl(substr(supress_rec.parameter,1,30),' '),33) ||
                           rpad(nvl(substr(supress_rec.value1,1,20),' '),23) ||
                           rpad(nvl(substr(supress_rec.value2,1,20),' '),23) ||
                           substr(supress_rec.comment_text,1,100));
      end loop;
      close C_DB_MONITOR_SUPRESS;
      utl_file.new_line(file_handle);

    end loop;
    close C_DB_MONITOR_PARA;
    utl_file.new_line(file_handle);

    /* Display section total vulnerability score */
    select sum(score) into audit_score
    from db_monitor_report r, monitor m
    where r.db_id=dbid and r.monitor_id=m.monitor_id and
          m.comment_text=section_header;
    utl_file.put_line(file_handle,' Section Score: ' || nvl(audit_score,'0'));
    utl_file.new_line(file_handle);

  end loop;
  /* Close the section cursor so the procedure can be called again in the same session */
  close C_DB_MONITOR_SECTION;

  /* Display database total vulnerability score */
  select sum(score) into audit_score from db_monitor_report where db_id=dbid;
  utl_file.put_line(file_handle,'Total Score: ' || nvl(audit_score,'0'));
  utl_file.new_line(file_handle);

  utl_file.fclose(file_handle);

EXCEPTION
  WHEN UTL_FILE.INVALID_PATH THEN
    utl_file.fclose(file_handle);
  WHEN UTL_FILE.READ_ERROR THEN

    utl_file.fclose(file_handle);
  WHEN UTL_FILE.WRITE_ERROR THEN
    utl_file.fclose(file_handle);
  WHEN OTHERS THEN
    utl_file.fclose(file_handle);

END PRINT_FILE;

END GUARD_DOG_REPORT;
/

Web PL/SQL Package:

/* Script 4: GuardDog Web PL/SQL Package

   This script creates the GUARD_DOG_WEB package which produces the HTML GuardDog
   evaluation reports. This package requires that all of the GuardDog objects have
   already been created using Script 1. This package also requires the prior
   installation of the Oracle WebServer PL/SQL Web Toolkit and the OWA_CHART package.
   This script should be run in the GuardDog schema, although you may grant execute
   privileges on this package to other users (specifically the web server schema).

   The GUARD_DOG_WEB package is composed of three procedures. QUERY_WEB produces a
   drop-down list style query that allows users to generate a detailed report on the
   selected database. SUMMARY_WEB produces a bar chart summary of total scores for
   all evaluated databases, and also allows access to database details. PRINT_WEB
   generates the same detailed evaluation report as GUARD_DOG_REPORT. */

CREATE OR REPLACE PACKAGE GUARD_DOG_WEB AS
  procedure query_web;
  procedure summary_web;
  procedure print_web (DBID in VARCHAR2);
END GUARD_DOG_WEB;
/

CREATE OR REPLACE PACKAGE BODY GUARD_DOG_WEB AS

/* Procedure QUERY_WEB presents the user with a drop-down list of all databases listed
   in the database table. The user selects the desired database from the list and
   clicks on the "Submit" button. "Submit" calls the print_web procedure, which prints
   a detailed report for the selected database. */

PROCEDURE QUERY_WEB AS

  cursor dblist is
    select distinct db_id, db_name from eagle.database order by db_name;

  cursor score_sum is
    select d.db_name, sum(r.score) totscore
    from eagle.database d, eagle.db_monitor_report r
    where d.db_id = r.db_id
    group by d.db_name;

BEGIN

  /* Open HTML document and print header */
  htp.htmlopen;
  htp.headopen;
  htp.title('Security Evaluation Summary Reports');
  htp.headclose;

  /* Open the body of the HTML document. You may want to change default colors, etc. */
  htp.bodyopen('','BGCOLOR="#000066" TEXT="#ffffe8" LINK="#ccffff" VLINK="#33ccff"');
  htp.header(1,'Security Evaluation Summary Reports');
  htp.hr;

  /* Open the form with the drop down list. You may have to change the URL below to
     conform to your local web site. */
  htp.formopen('/webaudit/owa/guard_dog_web.print_web','POST');
  htp.print('<B>Select Report Criteria:</B><P>');
  htp.tableopen;

  /* Create drop down list from query on database table */
  htp.print('<TR><TD WIDTH="150">Database Name:</TD><TD>');
  htp.formselectopen('dbid');
  for dc in dblist loop
    htp.formselectoption(dc.db_name,'','VALUE="' || dc.db_id || '"');
  end loop;
  htp.formselectclose;
  htp.print('</TD></TR>');
  htp.tableclose;
  htp.para;

  /* Place form buttons and close form */

  htp.formsubmit('','Submit');
  htp.formreset('Reset');
  htp.formclose;
  htp.hr;

  /* Create tabular score summary from query on db_monitor_report */
  htp.tableopen('border');
  htp.tablerowopen;
  htp.tableheader('Database Name');
  htp.tableheader('Score');
  htp.tablerowclose;
  for sum_rec in score_sum loop
    /* Print total score for current database */
    htp.tablerowopen;
    htp.tabledata(sum_rec.db_name);
    htp.tabledata(sum_rec.totscore);
    htp.tablerowclose;
  end loop;
  htp.tableclose;

  /* Insert your generic page footer here. Mine is included as an example. */
  htp.hr;
  htp.print('<P><FONT SIZE=2><CITE>');
  htp.anchor('/','<IMG BORDER=0 SRC="/images/home-b.jpg">');
  htp.anchor('mailto:[email protected]','<IMG BORDER=0 SRC="/images/mail-b.jpg">');
  htp.para;
  htp.print('Webmaster: Mr. Pete Magee<BR>');
  htp.print(' <A HREF="mailto:[email protected]">');
  htp.print('[email protected]</A><BR></CITE></FONT><P>');
  htp.img('/images/tag1.gif','bottom','Generated by Oracle WebServer');

  /* Close body and HTML document */
  htp.bodyclose;
  htp.htmlclose;

END QUERY_WEB;

/* Procedure SUMMARY_WEB presents the user with a bar chart list of all databases
   listed in the db_monitor_report table with their total scores. The user selects the

   desired database from the list and clicks on its name (the name is a link). This
   calls the PRINT_WEB procedure which prints a detailed report for the selected
   database. */

PROCEDURE SUMMARY_WEB AS

  cursor dblist is
    select distinct db_id, db_name from eagle.database order by db_name;

  cursor score_sum is
    select d.db_name, sum(r.score) totscore
    from eagle.database d, eagle.db_monitor_report r
    where d.db_id = r.db_id
    group by d.db_name;

  querystr varchar2(2000);

BEGIN

  /* Open HTML document and print header */
  htp.htmlopen;
  htp.headopen;
  htp.title('Audit Evaluation Summary Reports');
  htp.headclose;

  /* Open the body of the HTML document. You may want to change default colors, etc. */
  htp.bodyopen('','BGCOLOR="#000066" TEXT="#ffffe8" LINK="#ccffff" VLINK="#33ccff"');
  htp.header(1,'Audit Evaluation Summary Reports');

  /* Open the table that will frame the bar chart */
  htp.tableopen('border','','','','WIDTH="100%"');
  htp.tablerowopen;
  htp.print('<TD>');

  /* Define the query string that will be used to generate the bar chart from
     OWA_CHART. You may want to change the URL embedded in the query to fit your
     local web site. */
  querystr := 'select ''/webaudit/owa/guard_dog_web.print_web?dbid='' || d.db_id the_link,
                      d.db_name the_text, sum(r.score) the_value
               from eagle.database d, eagle.db_monitor_report r
               where d.db_id = r.db_id
               group by ''/webaudit/owa/guard_dog_web.print_web?dbid='' || d.db_id, d.db_name';

  /* Call OWA_CHART. You may have to change the schema, depending on your local
     configuration and which user owns the OWA_CHART package. It works best if all of
     these packages are owned by the same user. */
  eagle.owa_chart.show_chart (
    chart_type   => 'HBAR',
    bar_image    => 'grey.gif',
    show_summary => '',
    axis         => 'ZERO',
    font_size    => '+0',
    chart_title  => 'Total Scores for each Database',
    q            => querystr);

  htp.print('</TD>');
  htp.tablerowclose;
  htp.tableclose;

  /* Insert your generic page footer here. Mine is included as an example. */
  htp.hr;
  htp.print('<P><FONT SIZE=2><CITE>');
  htp.anchor('/','<IMG BORDER=0 SRC="/images/home-b.jpg">');
  htp.anchor('/admin/index.html','<IMG BORDER=0 SRC="/images/up-b.jpg">');
  htp.anchor('mailto:[email protected]','<IMG BORDER=0 SRC="/images/mail-b.jpg">');
  htp.para;
  htp.print('Webmaster: Mr. Pete Magee<BR>');
  htp.print(' <A HREF="mailto:[email protected]">');
  htp.print('[email protected]</A><BR></CITE></FONT><P>');
  htp.img('/images/tag1.gif','bottom','Generated by Oracle WebServer');

  /* Close body and HTML document */
  htp.bodyclose;
  htp.htmlclose;

END SUMMARY_WEB;

/* Procedure PRINT_WEB prints the detailed evaluation report for the selected
   database. */

PROCEDURE PRINT_WEB (DBID in VARCHAR2) AS

  cursor C_DB_MONITOR_SECTION is
    select distinct substr(m.comment_text,1,500)
    from eagle.monitor m, eagle.db_monitor d
    where m.monitor_id = d.monitor_id and d.active_yn='y';

  cursor C_DB_MONITOR_PARA (COMMENT_TXT VARCHAR2) is
    select * from eagle.monitor where substr(comment_text,1,500)=comment_txt;

  cursor C_DB_MONITOR_REPORT (DBID VARCHAR2, MON_ID VARCHAR2) is
    select * from eagle.db_monitor_report
    where db_id=dbid and monitor_id=mon_id
    and comment_text <> 'No evaluation criteria exist for this parameter';

  cursor C_DB_MONITOR_SUPRESS (DBID VARCHAR2, MON_ID VARCHAR2) is
    select * from db_monitor_criteria
    where db_id=dbid and monitor_id=mon_id and criteria_type='SUPPRESSED';

  monitor_rec     MONITOR%ROWTYPE;
  report_rec      DB_MONITOR_REPORT%ROWTYPE;
  supress_rec     DB_MONITOR_CRITERIA%ROWTYPE;
  section_header  varchar2(500);
  pos             number;
  dbname          varchar2(10);
  monitorname     varchar2(20);
  rpt_date        varchar2(30);
  audit_score     number;

BEGIN

  /* Open HTML document and print header */
  htp.htmlopen;
  htp.headopen;
  htp.title('Audit Evaluation Summary Report');
  htp.headclose;

  /* Open the body of the HTML document. You may want to change default colors, etc. */
  htp.bodyopen('','BGCOLOR="#000066" TEXT="#ffffe8" LINK="#ccffff" VLINK="#33ccff"');
  htp.header(1, 'Audit Evaluation Summary Report');

  /* Get the last run timestamp from db_monitor_result for the specified database */
  select to_char(max(run_time),'dd-mon-yy HH24:MI:SS') into rpt_date
  from eagle.db_monitor_result where db_id=dbid;

  /* Print report header */
  htp.header(2,'Database: ' || DBID);

  htp.bold('As of: ' || rpt_date);
  htp.para;

  /* Get list of section headers (comments in monitor table) */
  open C_DB_MONITOR_SECTION;
  loop
    fetch C_DB_MONITOR_SECTION into section_header;
    exit when C_DB_MONITOR_SECTION%NOTFOUND;

    htp.tableopen('border','','','','WIDTH="100%"');

    /* Print section header */
    htp.tablerowopen;
    htp.tabledata(htf.bold('<PRE>' || section_header || '</PRE>'),'left','','','','4');
    htp.tablerowclose;
    htp.tablerowopen;
    htp.tableheader('Parameter');
    htp.tableheader('Value1');
    htp.tableheader('Value2');
    htp.tableheader('Comment');
    htp.tablerowclose;

    /* Get list of monitors that belong in section */
    open C_DB_MONITOR_PARA(section_header);
    loop
      fetch C_DB_MONITOR_PARA into monitor_rec;
      exit when C_DB_MONITOR_PARA%NOTFOUND;

      /* Get report data for each monitor */
      open C_DB_MONITOR_REPORT (DBID, monitor_rec.monitor_id);
      loop
        fetch C_DB_MONITOR_REPORT into report_rec;
        exit when C_DB_MONITOR_REPORT%NOTFOUND;

        /* Print formatted report data for current monitor */
        htp.tablerowopen;
        htp.tabledata(report_rec.parameter);
        htp.tabledata(report_rec.value1);
        htp.tabledata(report_rec.value2);
        htp.tabledata(report_rec.comment_text);
        htp.tablerowclose;

      end loop;
      close C_DB_MONITOR_REPORT;

      open C_DB_MONITOR_SUPRESS (DBID, monitor_rec.monitor_id);
      loop
        fetch C_DB_MONITOR_SUPRESS into supress_rec;
        exit when C_DB_MONITOR_SUPRESS%NOTFOUND;

        /* Print formatted suppressed exceptions for current monitor */
        htp.tablerowopen;
        htp.tabledata(supress_rec.parameter);
        htp.tabledata(supress_rec.value1);
        htp.tabledata(supress_rec.value2);
        htp.tabledata(supress_rec.comment_text);
        htp.tablerowclose;
      end loop;
      close C_DB_MONITOR_SUPRESS;

    end loop;
    close C_DB_MONITOR_PARA;

    /* Display section total vulnerability score */
    select sum(score) into audit_score
    from eagle.db_monitor_report r, monitor m
    where r.db_id=dbid and r.monitor_id=m.monitor_id and m.comment_text=section_header;
    htp.tablerowopen;
    htp.tabledata(htf.bold('Section Score: ' || nvl(audit_score,'0')),'left','','','','4');
    htp.tablerowclose;
    htp.tableclose;
    htp.para;

  end loop;
  /* Close the section cursor so the procedure can be called again in the same session */
  close C_DB_MONITOR_SECTION;

  /* Display database total vulnerability score */
  select sum(score) into audit_score from eagle.db_monitor_report where db_id=dbid;
  htp.header(3,'Total Score: ' || audit_score);

  /* Insert your generic page footer here. Mine is included as an example. */
  htp.hr;

  htp.print('<P><FONT SIZE=2><CITE>');
  htp.anchor('/','<IMG BORDER=0 SRC="/images/home-b.jpg">');
  htp.anchor('/webaudit/owa/guard_dog_web.summary_web','<IMG BORDER=0 SRC="/images/up-b.jpg">');
  htp.anchor('mailto:[email protected]','<IMG BORDER=0 SRC="/images/mail-b.jpg">');
  htp.para;
  htp.print('Webmaster: Mr. Pete Magee<BR>');
  htp.print(' <A HREF="mailto:[email protected]">');
  htp.print('[email protected]</A><BR></CITE></FONT><P>');
  htp.img('/images/tag1.gif','bottom','Generated by Oracle WebServer');

  /* Close body and HTML document */
  htp.bodyclose;
  htp.htmlclose;

END PRINT_WEB;

END GUARD_DOG_WEB;
/
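The DB_MONITOR_CRITERIA rows above (DEFAULT criteria of type REQUIRED and FORBIDDEN, plus per-database SUPPRESSED exceptions scored 0) are what the report packages aggregate with sum(score). The following is an added example, not GuardDog's own evaluation code (the logic that fills DB_MONITOR_REPORT is not reproduced on this page): it models how those criteria types turn observed database facts into scored report rows, and assumes SQL LIKE matching on parameter/value1/value2 with an empty value meaning "no constraint" and exceptions checked before violations. Sample findings are constructed.

```python
"""Model of GuardDog criteria scoring. Added example; the matching rules
(LIKE on parameter/value1/value2, '' = no constraint, SUPPRESSED checked
first) are assumptions of this example, not GuardDog's documented code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    db_id: str           # 'DEFAULT' applies to every database, else one db_id
    monitor_id: str      # e.g. 'SYS_PRIVS1', 'SYS_AUDIT2'
    criteria_type: str   # 'REQUIRED', 'FORBIDDEN' or 'SUPPRESSED'
    parameter: str       # LIKE pattern; '%' matches anything
    value1: str
    value2: str
    score: int           # exceptions carry 0, as in the Script 7 samples
    comment_text: str


def like(pattern: str, text: str) -> bool:
    """SQL LIKE semantics: '%' matches any run, '_' one character.
    An empty pattern is treated as 'no constraint' (assumption)."""
    if pattern == "":
        return True
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, text) is not None


def matches(c: Criterion, parameter: str, value1: str, value2: str) -> bool:
    return (like(c.parameter, parameter) and like(c.value1, value1)
            and like(c.value2, value2))


def evaluate(db_id, monitor_id, findings, criteria):
    """findings: (parameter, value1, value2) triples observed in the database,
    e.g. (grantee, privilege, '') for a restricted system privilege grant.
    Returns report rows (parameter, value1, value2, score, comment_text):
    a FORBIDDEN finding is scored unless a SUPPRESSED exception covers it
    (then it is listed with score 0, like the exception rows the report
    prints); a REQUIRED criterion with no matching finding is reported."""
    applicable = [c for c in criteria
                  if c.monitor_id == monitor_id and c.db_id in ("DEFAULT", db_id)]

    def of_type(kind):
        return [c for c in applicable if c.criteria_type == kind]

    suppressed, forbidden, required = (of_type("SUPPRESSED"),
                                       of_type("FORBIDDEN"), of_type("REQUIRED"))
    rows = []
    for p, v1, v2 in findings:
        exc = next((c for c in suppressed if matches(c, p, v1, v2)), None)
        if exc is not None:
            rows.append((p, v1, v2, 0, exc.comment_text))
            continue
        hit = next((c for c in forbidden if matches(c, p, v1, v2)), None)
        if hit is not None:
            rows.append((p, v1, v2, hit.score, hit.comment_text))
    for c in required:
        if not any(matches(c, p, v1, v2) for p, v1, v2 in findings):
            rows.append((c.parameter, c.value1, c.value2, c.score, c.comment_text))
    return rows


def total_score(rows):
    """Same aggregation PRINT_RPT performs with sum(score)."""
    return sum(r[3] for r in rows)


# Criteria copied from the inserts above (DEFAULT rows and TEST_DB exceptions).
CRITERIA = [
    Criterion("DEFAULT", "SYS_PRIVS1", "FORBIDDEN", "%", "", "", 10,
              "User has restricted privilege"),
    Criterion("TEST_DB", "SYS_PRIVS1", "SUPPRESSED", "OPS$ORACLE",
              "SELECT ANY TABLE", "", 0,
              "OPS$ORACLE is used to perform automated DBA procedures"),
    Criterion("TEST_DB", "SYS_PRIVS1", "SUPPRESSED", "CONSOLE1",
              "UNLIMITED TABLESPACE", "", 0, "CONSOLE1 is an authorized DBA account"),
    Criterion("DEFAULT", "SYS_AUDIT2", "REQUIRED", "CREATE SESSION", "", "", 10,
              "The CREATE SESSION statement must be audited"),
    Criterion("DEFAULT", "SYS_AUDIT2", "REQUIRED", "USER", "", "", 10,
              "The USER statement must be audited"),
]

# Constructed sample findings: restricted privilege grants as they might come
# from dba_sys_privs, and the statement audit options currently enabled.
SAMPLE_PRIVS = [("OPS$ORACLE", "SELECT ANY TABLE", ""),
                ("CONSOLE1", "UNLIMITED TABLESPACE", ""),
                ("SCOTT", "SELECT ANY TABLE", "")]
SAMPLE_AUDITS = [("CREATE SESSION", "", "")]

if __name__ == "__main__":
    for monitor, findings in (("SYS_PRIVS1", SAMPLE_PRIVS),
                              ("SYS_AUDIT2", SAMPLE_AUDITS)):
        rows = evaluate("TEST_DB", monitor, findings, CRITERIA)
        for row in rows:
            print(monitor, row)
        print(monitor, "score:", total_score(rows))
```

Run against TEST_DB the two exception rows zero out OPS$ORACLE and CONSOLE1 while SCOTT still scores 10; the same findings evaluated for a database without those exceptions score 30, which is the effect Script 7's SUPPRESSED rows are meant to have on the final report.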


More information

Banner overview. Authentication to Banner & 3 rd Party Apps. Authorization to Banner & 3 rd Party Apps

Banner overview. Authentication to Banner & 3 rd Party Apps. Authorization to Banner & 3 rd Party Apps Banner overview Authentication to Banner & 3 rd Party Apps Authorization to Banner & 3 rd Party Apps 1 Section 1 Higher Education Enterprise Resource Planning (ERP) system. Original vendor SunGard Higher

More information

<Insert Picture Here> Oracle Database Security Overview

<Insert Picture Here> Oracle Database Security Overview Oracle Database Security Overview Tammy Bednar Sr. Principal Product Manager [email protected] Data Security Challenges What to secure? Sensitive Data: Confidential, PII, regulatory

More information

ORACLE DATABASE 11G: COMPLETE

ORACLE DATABASE 11G: COMPLETE ORACLE DATABASE 11G: COMPLETE 1. ORACLE DATABASE 11G: SQL FUNDAMENTALS I - SELF-STUDY COURSE a) Using SQL to Query Your Database Using SQL in Oracle Database 11g Retrieving, Restricting and Sorting Data

More information

Oracle Database: SQL and PL/SQL Fundamentals

Oracle Database: SQL and PL/SQL Fundamentals Oracle University Contact Us: 1.800.529.0165 Oracle Database: SQL and PL/SQL Fundamentals Duration: 5 Days What you will learn This course is designed to deliver the fundamentals of SQL and PL/SQL along

More information

Oracle 11g Security. Summary of new features (1) Agenda. Summary of new features (3) Summary of new features (2) Introduction - commercial slide.

Oracle 11g Security. Summary of new features (1) Agenda. Summary of new features (3) Summary of new features (2) Introduction - commercial slide. Introduction - commercial slide. UKOUG DBMS SIG, November 7 th 2007 Oracle 11g Security By Pete Finnigan Written Friday, 21st September 2007 Founded February 2003 CEO Pete Finnigan Clients UK, States,

More information

Oracle Database: SQL and PL/SQL Fundamentals NEW

Oracle Database: SQL and PL/SQL Fundamentals NEW Oracle University Contact Us: + 38516306373 Oracle Database: SQL and PL/SQL Fundamentals NEW Duration: 5 Days What you will learn This Oracle Database: SQL and PL/SQL Fundamentals training delivers the

More information

DBA101: A Refresher Course

DBA101: A Refresher Course 1 DBA101: A Refresher Course Marlene Theriault and Rachel Carmichael Abstract There are many tasks that a database administrator (DBA) should perform on a routine basis. Often, ORACLE documentation is

More information

Oracle Database 10g: Introduction to SQL

Oracle Database 10g: Introduction to SQL Oracle University Contact Us: 1.800.529.0165 Oracle Database 10g: Introduction to SQL Duration: 5 Days What you will learn This course offers students an introduction to Oracle Database 10g database technology.

More information

Security Analysis. Spoofing Oracle Session Information

Security Analysis. Spoofing Oracle Session Information November 12, 2006 Security Analysis Spoofing Oracle Session Information OVERVIEW INTRODUCTION Oracle Database session information includes database user name, operating system user name, host, terminal,

More information

Protecting Data Assets and Reducing Risk

Protecting Data Assets and Reducing Risk Protecting Data Assets and Reducing Risk Michelle Malcher Enterprise Database Security Oracle Open World 2014 2014 Wells Fargo Bank, N.A. All rights reserved. For public use. 1 Introduction Michelle Malcher

More information

Topics Advanced PL/SQL, Integration with PROIV SuperLayer and use within Glovia

Topics Advanced PL/SQL, Integration with PROIV SuperLayer and use within Glovia Topics Advanced PL/SQL, Integration with PROIV SuperLayer and use within Glovia 1. SQL Review Single Row Functions Character Functions Date Functions Numeric Function Conversion Functions General Functions

More information

Virtual Private Database Features in Oracle 10g.

Virtual Private Database Features in Oracle 10g. Virtual Private Database Features in Oracle 10g. SAGE Computing Services Customised Oracle Training Workshops and Consulting. Christopher Muir Senior Systems Consultant Agenda Modern security requirements

More information

2. Oracle SQL*PLUS. 60-539 Winter 2015. Some SQL Commands. To connect to a CS server, do:

2. Oracle SQL*PLUS. 60-539 Winter 2015. Some SQL Commands. To connect to a CS server, do: 60-539 Winter 2015 Some SQL Commands 1 Using SSH Secure Shell 3.2.9 to login to CS Systems Note that if you do not have ssh secure shell on your PC, you can download it from www.uwindsor.ca/softwaredepot.

More information

Monitor Oracle Event Logs using EventTracker

Monitor Oracle Event Logs using EventTracker Monitor Oracle Event Logs using EventTracker Publication Date: Oct 23, 2013 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract The purpose of this paper is to highlight

More information

Handling Exceptions. Copyright 2006, Oracle. All rights reserved. Oracle Database 10g: PL/SQL Fundamentals 8-1

Handling Exceptions. Copyright 2006, Oracle. All rights reserved. Oracle Database 10g: PL/SQL Fundamentals 8-1 Handling Exceptions Copyright 2006, Oracle. All rights reserved. Oracle Database 10g: PL/SQL Fundamentals 8-1 Objectives After completing this lesson, you should be able to do the following: Define PL/SQL

More information

Part 12. SQL for Oracle System Tables

Part 12. SQL for Oracle System Tables Part 12 SQL for Oracle System Tables System Tables All truly relational systems must have the system information stored in tables. These system tables are accessible in the same way as any other table.

More information

Oracle Database 10g Express

Oracle Database 10g Express Oracle Database 10g Express This tutorial prepares the Oracle Database 10g Express Edition Developer to perform common development and administrative tasks of Oracle Database 10g Express Edition. Objectives

More information

Fine Grained Auditing In Oracle 10G

Fine Grained Auditing In Oracle 10G Fine Grained Auditing In Oracle 10G Authored by: Meenakshi Srivastava ([email protected]) 2 Abstract The purpose of this document is to develop an understanding of Fine Grained Auditing(FGA)

More information

Review your answers, feedback, and question scores below. An asterisk (*) indicates a correct answer.

Review your answers, feedback, and question scores below. An asterisk (*) indicates a correct answer. est: Final Exam Semester 1 Review your answers, feedback, and question scores below. An asterisk (*) indicates a correct answer. Section 6 1. How can you retrieve the error code and error message of any

More information

Oracle Database Links Part 2 - Distributed Transactions Written and presented by Joel Goodman October 15th 2009

Oracle Database Links Part 2 - Distributed Transactions Written and presented by Joel Goodman October 15th 2009 Oracle Database Links Part 2 - Distributed Transactions Written and presented by Joel Goodman October 15th 2009 About Me Email: [email protected] Blog: dbatrain.wordpress.com Application Development

More information

CA DataMinder. Database Guide. Release 14.1. 4th Edition

CA DataMinder. Database Guide. Release 14.1. 4th Edition CA DataMinder Database Guide Release 14.1 4th Edition This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation )

More information

Oracle Database: SQL and PL/SQL Fundamentals

Oracle Database: SQL and PL/SQL Fundamentals Oracle University Contact Us: +966 12 739 894 Oracle Database: SQL and PL/SQL Fundamentals Duration: 5 Days What you will learn This Oracle Database: SQL and PL/SQL Fundamentals training is designed to

More information

Introduction to Oracle PL/SQL Programming V2.1 - Lessons 11-End

Introduction to Oracle PL/SQL Programming V2.1 - Lessons 11-End Introduction to Oracle PL/SQL Programming V2.1 - Lessons 11-End Introduction to Oracle PL/SQLProgramming Page i Table of Contents 0. How to Use This Course...0.1 Lesson Objectives...0.2 Target Audience...0.3

More information

New SQL Features in Firebird 3

New SQL Features in Firebird 3 New SQL Features in Firebird 3 Sponsors! Whats new in Firebird 3 Common SQL Full syntax of MERGE statement (per SQL 2008) MERGE... RETURNING Window (analytical) functions SUBSTRING with regular expressions

More information

Oracle DBA Course Contents

Oracle DBA Course Contents Oracle DBA Course Contents Overview of Oracle DBA tasks: Oracle as a flexible, complex & robust RDBMS The evolution of hardware and the relation to Oracle Different DBA job roles(vp of DBA, developer DBA,production

More information

Database 10g Edition: All possible 10g features, either bundled or available at additional cost.

Database 10g Edition: All possible 10g features, either bundled or available at additional cost. Concepts Oracle Corporation offers a wide variety of products. The Oracle Database 10g, the product this exam focuses on, is the centerpiece of the Oracle product set. The "g" in "10g" stands for the Grid

More information

Oracle Database Security

Oracle Database Security breaking through barriers to progress By Raman Jathar an award winning '2004 Future 50 Company' 18650 W. Corporate Drive Suite 120 Brookfield, WI 53045 262.792.0200 Database Security Lately, database security

More information

The Ultimate Remote Database Administration Tool for Oracle, SQL Server and DB2 UDB

The Ultimate Remote Database Administration Tool for Oracle, SQL Server and DB2 UDB Proactive Technologies Inc. presents Version 4.0 The Ultimate Remote Database Administration Tool for Oracle, SQL Server and DB2 UDB The negative impact that downtime can have on a company has never been

More information

Oracle PL/SQL Injection

Oracle PL/SQL Injection Oracle PL/SQL Injection David Litchfield What is PL/SQL? Procedural Language / Structured Query Language Oracle s extension to standard SQL Programmable like T-SQL in the Microsoft world. Used to create

More information

Backing up and restoring HP Systems Insight Manager 6.0 or greater data files in a Windows environment

Backing up and restoring HP Systems Insight Manager 6.0 or greater data files in a Windows environment Technical white paper Backing up and restoring HP Systems Insight Manager 6.0 or greater data files in a Windows environment Table of contents Abstract 2 Introduction 2 Saving and restoring data files

More information

Advanced SQL Injection in Oracle databases. Esteban Martínez Fayó

Advanced SQL Injection in Oracle databases. Esteban Martínez Fayó Advanced SQL Injection in Oracle databases Esteban Martínez Fayó February 2005 Outline Introduction SQL Injection attacks How to exploit Exploit examples SQL Injection in functions defined with AUTHID

More information

Backup Types. Backup and Recovery. Categories of Failures. Issues. Logical. Cold. Hot. Physical With. Statement failure

Backup Types. Backup and Recovery. Categories of Failures. Issues. Logical. Cold. Hot. Physical With. Statement failure Backup Types Logical Backup and Recovery Cold Hot Physical With Without Issues Categories of Failures Protectthe database from numerous types of failures Increase Mean-Time-Between-Failures (MTBF) Decrease

More information

Migrate Topaz databases from One Server to Another

Migrate Topaz databases from One Server to Another Title Migrate Topaz databases from One Server to Another Author: Olivier Lauret Date: November 2004 Modified: Category: Topaz/BAC Version: Topaz 4.5.2, BAC 5.0 and BAC 5.1 Migrate Topaz databases from

More information

D12C-AIU Oracle Database 12c: Admin, Install and Upgrade Accelerated NEW

D12C-AIU Oracle Database 12c: Admin, Install and Upgrade Accelerated NEW D12C-AIU Oracle Database 12c: Admin, Install and Upgrade Accelerated NEW Duration: 5 Days What you will learn This Oracle Database 12c: Admin, Install and Upgrade Accelerated course will provide you with

More information

Database Extensions Visual Walkthrough. PowerSchool Student Information System

Database Extensions Visual Walkthrough. PowerSchool Student Information System PowerSchool Student Information System Released October 7, 2013 Document Owner: Documentation Services This edition applies to Release 7.9.x of the PowerSchool software and to all subsequent releases and

More information

Security Target for. Security Evaluations Oracle Corporation 500 Oracle Parkway Redwood Shores, CA 94065

Security Target for. Security Evaluations Oracle Corporation 500 Oracle Parkway Redwood Shores, CA 94065 Security Target for Oracle Database 11g Release 2 (11.2.0.2) Standard Edition and Standard Edition One October 2011 Version 1.3 Security Evaluations Oracle Corporation 500 Oracle Parkway Redwood Shores,

More information

How To Secure The Org Database

How To Secure The Org Database Oracle Database Security Checklist An Oracle White Paper June 2008 Oracle Database Security Checklist Protecting the database environment... 3 Install only what is required... 3 Lock and expire default

More information

Setting up the Oracle Warehouse Builder Project. Topics. Overview. Purpose

Setting up the Oracle Warehouse Builder Project. Topics. Overview. Purpose Setting up the Oracle Warehouse Builder Project Purpose In this tutorial, you setup and configure the project environment for Oracle Warehouse Builder 10g Release 2. You create a Warehouse Builder repository

More information

Guide to Auditing and Logging in the Oracle E-Business Suite

Guide to Auditing and Logging in the Oracle E-Business Suite Guide to Auditing and Logging in the Oracle E-Business Suite February 13, 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Mike Miller Chief Security Officer Integrigy Corporation Phil

More information

How To Use A Computer System With A Powerpoint (Orchestra) On A Pc Or Macbook (Orroboro) On An Unix System (Ororrobero) For A Long Time (Ora) On Your

How To Use A Computer System With A Powerpoint (Orchestra) On A Pc Or Macbook (Orroboro) On An Unix System (Ororrobero) For A Long Time (Ora) On Your Oracle Database Security Benchmark v1.2 For Oracle Version 8i 1 and 2 Copyright 2003, The Center for Internet Security www.cisecurity.org Page 2 of 48 Agreed Terms of Use Background. CIS provides benchmarks,

More information

How To Secure Your Database On Oracle.Org

How To Secure Your Database On Oracle.Org Checklist Application Report for Oracle Database Administration Table of Contents 1. Lock and expire default user accounts 2. Document database incident response and escalation procedure 3. Review log

More information

A basic create statement for a simple student table would look like the following.

A basic create statement for a simple student table would look like the following. Creating Tables A basic create statement for a simple student table would look like the following. create table Student (SID varchar(10), FirstName varchar(30), LastName varchar(30), EmailAddress varchar(30));

More information

MyOra 3.0. User Guide. SQL Tool for Oracle. Jayam Systems, LLC

MyOra 3.0. User Guide. SQL Tool for Oracle. Jayam Systems, LLC MyOra 3.0 SQL Tool for Oracle User Guide Jayam Systems, LLC Contents Features... 4 Connecting to the Database... 5 Login... 5 Login History... 6 Connection Indicator... 6 Closing the Connection... 7 SQL

More information

Cross Platform Transportable Tablespaces Migration in Oracle 11g

Cross Platform Transportable Tablespaces Migration in Oracle 11g Cross Platform Transportable Tablespaces Migration in Oracle 11g Prepared by ViSolve Migration Team June 2012 Contact ViSolve, Inc. 4010, Moorpark Avenue, #205 San Jose, California 95117 (602) 842 2738

More information

DB2 - DATABASE SECURITY

DB2 - DATABASE SECURITY DB2 - DATABASE SECURITY http://www.tutorialspoint.com/db2/db2_database_security.htm Copyright tutorialspoint.com This chapter describes database security. Introduction DB2 database and functions can be

More information

Oracle 10g PL/SQL Training

Oracle 10g PL/SQL Training Oracle 10g PL/SQL Training Course Number: ORCL PS01 Length: 3 Day(s) Certification Exam This course will help you prepare for the following exams: 1Z0 042 1Z0 043 Course Overview PL/SQL is Oracle's Procedural

More information

UNIVERSITY AUTHORISED EDUCATION PARTNER (WDP)

UNIVERSITY AUTHORISED EDUCATION PARTNER (WDP) Audience Data Warehouse Administrator Database Administrators Database Designers Support Engineer Technical Administrator Related Training Required Prerequisites Working knowledge of SQL and use of PL/SQL

More information

MyOra 3.5. User Guide. SQL Tool for Oracle. Kris Murthy

MyOra 3.5. User Guide. SQL Tool for Oracle. Kris Murthy MyOra 3.5 SQL Tool for Oracle User Guide Kris Murthy Contents Features... 4 Connecting to the Database... 5 Login... 5 Login History... 6 Connection Indicator... 6 Closing the Connection... 7 SQL Editor...

More information

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions Oracle Database 11g: Security Release 2 In this course, students learn how they can use Oracle Database features to meet the security, privacy and compliance requirements of their organization. The current

More information

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals November 13, 2014 Michael Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer

More information

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite WHITE PAPER Guide to Auditing and Logging in the Oracle E-Business Suite APRIL 2016 GUIDE TO AUDITING AND LOGGING IN THE ORACLE E-BUSINESS SUITE Version 1.0 March 2003 Version 1.1 February 2004 Version

More information

CLC Server Command Line Tools USER MANUAL

CLC Server Command Line Tools USER MANUAL CLC Server Command Line Tools USER MANUAL Manual for CLC Server Command Line Tools 2.5 Windows, Mac OS X and Linux September 4, 2015 This software is for research purposes only. QIAGEN Aarhus A/S Silkeborgvej

More information

Oracle Database 10g: Program with PL/SQL

Oracle Database 10g: Program with PL/SQL Oracle University Contact Us: Local: 1800 425 8877 Intl: +91 80 4108 4700 Oracle Database 10g: Program with PL/SQL Duration: 5 Days What you will learn This course introduces students to PL/SQL and helps

More information

Database Security. Oracle Database 12c - New Features and Planning Now

Database Security. Oracle Database 12c - New Features and Planning Now Database Security Oracle Database 12c - New Features and Planning Now Michelle Malcher Oracle ACE Director Data Services Team Lead at DRW IOUG, Board of Directors Author, Oracle Database Administration

More information

SPI Backup via Remote Terminal

SPI Backup via Remote Terminal FLUOR SPI Backup via Remote Terminal SmartPlant Implementation Team By Mitch Fortey Copyright 2014 Fluor Corporation all rights reserved SPI Back Up via Remote Terminal Data Backup 101 Why do we backup

More information

Oracle Database. 2 Day + Security Guide 11g Release 1 (11.1) B28337-07

Oracle Database. 2 Day + Security Guide 11g Release 1 (11.1) B28337-07 Oracle Database 2 Day + Security Guide 11g Release 1 (11.1) B28337-07 June 2011 Oracle Database 2 Day + Security Guide, 11g Release 1 (11.1) B28337-07 Copyright 2006, 2011, Oracle and/or its affiliates.

More information

ORACLE DATABASE SECURITY. Keywords: data security, password administration, Oracle HTTP Server, OracleAS, access control.

ORACLE DATABASE SECURITY. Keywords: data security, password administration, Oracle HTTP Server, OracleAS, access control. ORACLE DATABASE SECURITY Cristina-Maria Titrade 1 Abstract This paper presents some security issues, namely security database system level, data level security, user-level security, user management, resource

More information

Setting up SQL Translation Framework OBE for Database 12cR1

Setting up SQL Translation Framework OBE for Database 12cR1 Setting up SQL Translation Framework OBE for Database 12cR1 Overview Purpose This tutorial shows you how to use have an environment ready to demo the new Oracle Database 12c feature, SQL Translation Framework,

More information

Oracle Database: Introduction to SQL

Oracle Database: Introduction to SQL Oracle University Contact Us: +381 11 2016811 Oracle Database: Introduction to SQL Duration: 5 Days What you will learn Understanding the basic concepts of relational databases ensure refined code by developers.

More information

news from Tom Bacon about Monday's lecture

news from Tom Bacon about Monday's lecture ECRIC news from Tom Bacon about Monday's lecture I won't be at the lecture on Monday due to the work swamp. The plan is still to try and get into the data centre in two weeks time and do the next migration,

More information

March 9 th, 2010. Oracle Total Recall

March 9 th, 2010. Oracle Total Recall March 9 th, 2010 Oracle Total Recall Agenda Flashback Data Archive Why we need Historical Data Pre-11g methods for Historical data Oracle Total Recall overview FDA Architecture Creating and Enabling FDA

More information

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite WHITE PAPER Guide to Auditing and Logging in the Oracle E-Business Suite FEBRUARY 2014 GUIDE TO AUDITING AND LOGGING IN THE ORACLE E-BUSINESS SUITE Version 1.0 March 2003 Version 1.1 February 2004 Version

More information

Oracle Database Security Solutions

Oracle Database Security Solutions Oracle Database Security Solutions Eric Cheung Senior Manager, Technology Sales Consulting [email protected] May 2008 Key Drivers for Data Security Privacy and Compliance Sarbanes-Oxley

More information

Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation

Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts May 15, 2014 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy

More information

Oracle Database Security Myths

Oracle Database Security Myths Oracle Database Security Myths December 13, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About Integrigy ERP Applications

More information

How To Use The Correlog With The Cpl Powerpoint Powerpoint Cpl.Org Powerpoint.Org (Powerpoint) Powerpoint (Powerplst) And Powerpoint 2 (Powerstation) (Powerpoints) (Operations

How To Use The Correlog With The Cpl Powerpoint Powerpoint Cpl.Org Powerpoint.Org (Powerpoint) Powerpoint (Powerplst) And Powerpoint 2 (Powerstation) (Powerpoints) (Operations orrelog SQL Table Monitor Adapter Users Manual http://www.correlog.com mailto:[email protected] CorreLog, SQL Table Monitor Users Manual Copyright 2008-2015, CorreLog, Inc. All rights reserved. No part

More information

Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking. Lucy Feng

Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking. Lucy Feng Delivering Oracle Success Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking Lucy Feng RMOUG Training Days February 2012 About DBAK Oracle Solution

More information

Database Extension 1.5 ez Publish Extension Manual

Database Extension 1.5 ez Publish Extension Manual Database Extension 1.5 ez Publish Extension Manual 1999 2012 ez Systems AS Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License,Version

More information

Oracle Database: Introduction to SQL

Oracle Database: Introduction to SQL Oracle University Contact Us: 1.800.529.0165 Oracle Database: Introduction to SQL Duration: 5 Days What you will learn View a newer version of this course This Oracle Database: Introduction to SQL training

More information

Database Assessment. Vulnerability Assessment Course

Database Assessment. Vulnerability Assessment Course Database Assessment Vulnerability Assessment Course All materials are licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/ 2 Agenda Introduction Configuration

More information

Oracle Database Development Standards For DNR Staff and Contractors. Table of Contents

Oracle Database Development Standards For DNR Staff and Contractors. Table of Contents Oracle Database Development Standards For DNR Staff and Contractors Table of Contents INTRODUCTION...2 DATABASE ORGANIZATION...2 DATABASE PROCEDURES...3 Development...3 Testing...3 Production Release...4

More information

StreamServe Persuasion SP5 Oracle Database

StreamServe Persuasion SP5 Oracle Database StreamServe Persuasion SP5 Oracle Database Database Guidelines Rev A StreamServe Persuasion SP5 Oracle Database Database Guidelines Rev A 2001-2011 STREAMSERVE, INC. ALL RIGHTS RESERVED United States patent

More information

Workflow Templates Library

Workflow Templates Library Workflow s Library Table of Contents Intro... 2 Active Directory... 3 Application... 5 Cisco... 7 Database... 8 Excel Automation... 9 Files and Folders... 10 FTP Tasks... 13 Incident Management... 14 Security

More information

Oracle Database 11g: Security

Oracle Database 11g: Security Oracle Database 11g: Security Student Guide D52365GC10 Edition 1.0 October 2007 PRODUCTION This documentation contains proprietary information of Oracle Corporation. It is provided under a license agreement

More information

Embarcadero Performance Center 2.7 Installation Guide

Embarcadero Performance Center 2.7 Installation Guide Embarcadero Performance Center 2.7 Installation Guide Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco, CA 94111 U.S.A.

More information

Division of IT Security Best Practices for Database Management Systems

Division of IT Security Best Practices for Database Management Systems Division of IT Security Best Practices for Database Management Systems 1. Protect Sensitive Data 1.1. Label objects containing or having dedicated access to sensitive data. 1.1.1. All new SCHEMA/DATABASES

More information

Microsoft SQL Server Security Best Practices

Microsoft SQL Server Security Best Practices Microsoft SQL Server Security Best Practices This white paper contains administrative and operational best practices that should be performed from a security perspective when using Microsoft SQL Server.

More information

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security An Introduction to SQL Injection Attacks for Oracle Developers January 2004 INTEGRIGY Mission Critical Applications Mission Critical Security An Introduction to SQL Injection Attacks for Oracle Developers

More information

Handling Exceptions. Schedule: Timing Topic 45 minutes Lecture 20 minutes Practice 65 minutes Total

Handling Exceptions. Schedule: Timing Topic 45 minutes Lecture 20 minutes Practice 65 minutes Total Handling Exceptions Schedule: Timing Topic 45 minutes Lecture 20 minutes Practice 65 minutes Total Objectives After completing this lesson, you should be able to do the following: Define PL/SQL exceptions

More information