1
00:00:01,430 --> 00:00:04,340
In this lesson, we'll
be looking at auditing.
2
00:00:04,340 --> 00:00:07,550
So let me begin this with
a little story of something
3
00:00:07,550 --> 00:00:10,610
that happened to me
professionally as a DBA.
4
00:00:10,610 --> 00:00:13,610
So I was working for a company
who had hired a security
5
00:00:13,610 --> 00:00:17,420
company to attempt to penetrate
our databases and, really,
6
00:00:17,420 --> 00:00:19,190
our entire network.
7
00:00:19,190 --> 00:00:21,440
And the report came back.
8
00:00:21,440 --> 00:00:23,120
It was very brief.
9
00:00:23,120 --> 00:00:25,040
It didn't go into
a lot of detail
10
00:00:25,040 --> 00:00:28,040
for a very particular purpose
because that was really
11
00:00:28,040 --> 00:00:31,190
why they had assigned a
security company to attempt
12
00:00:31,190 --> 00:00:33,650
to penetrate the databases--
13
00:00:33,650 --> 00:00:36,140
that said that one
of the databases, one
14
00:00:36,140 --> 00:00:38,900
that I was not working
with or responsible for,
15
00:00:38,900 --> 00:00:40,170
had been penetrated.
16
00:00:40,170 --> 00:00:43,340
And so the company was,
obviously, upset about this.
17
00:00:43,340 --> 00:00:46,430
And so it showed that
the security in place
18
00:00:46,430 --> 00:00:50,750
was not adequate to protect
it from outside actions.
19
00:00:50,750 --> 00:00:54,110
And so they really had
no incident response
20
00:00:54,110 --> 00:00:55,680
as to what to do.
21
00:00:55,680 --> 00:00:58,310
And so they talked to
me and asked me, well,
22
00:00:58,310 --> 00:00:59,210
what should we do?
23
00:00:59,210 --> 00:01:01,160
We have almost no information.
24
00:01:01,160 --> 00:01:04,400
We know which database it
was that they penetrated.
25
00:01:04,400 --> 00:01:06,650
But we don't know what
information they had.
26
00:01:06,650 --> 00:01:09,860
We don't know where they came
from, so on and so forth.
27
00:01:09,860 --> 00:01:13,700
And I simply said, well,
is auditing turned on?
28
00:01:13,700 --> 00:01:16,130
And because auditing
was turned on,
29
00:01:16,130 --> 00:01:19,310
we were able to look
at the audit trail
30
00:01:19,310 --> 00:01:23,300
and find out that the would-be
attackers had penetrated
31
00:01:23,300 --> 00:01:25,280
the database at
such and such time,
32
00:01:25,280 --> 00:01:27,350
that they'd used this
account, that they'd
33
00:01:27,350 --> 00:01:30,290
come from this machine,
and these are the actions
34
00:01:30,290 --> 00:01:31,670
that they did.
35
00:01:31,670 --> 00:01:33,680
So that's the
importance of auditing.
36
00:01:33,680 --> 00:01:37,130
And auditing is very, very
important in the security world
37
00:01:37,130 --> 00:01:40,580
because you may not be able
to prevent every attempt
38
00:01:40,580 --> 00:01:43,910
to penetrate your defenses or
even the operations that might
39
00:01:43,910 --> 00:01:46,310
occur should you be penetrated.
40
00:01:46,310 --> 00:01:49,160
But you can have some
sort of incident response.
41
00:01:49,160 --> 00:01:52,640
You can have a log
of what occurred.
42
00:01:52,640 --> 00:01:55,610
And then you can take
action after that point.
43
00:01:55,610 --> 00:01:58,460
So auditing goes back to
the security principle
44
00:01:58,460 --> 00:02:01,850
that every action should be
traceable to one and only one
45
00:02:01,850 --> 00:02:02,900
user.
46
00:02:02,900 --> 00:02:05,900
Auditing is a history
of recorded operations
47
00:02:05,900 --> 00:02:07,220
in the database.
48
00:02:07,220 --> 00:02:08,750
So there are two
things that must
49
00:02:08,750 --> 00:02:12,770
occur in order for auditing
to be working as it should.
50
00:02:12,770 --> 00:02:14,330
It must be enabled.
51
00:02:14,330 --> 00:02:16,770
And then auditing
must be assigned.
52
00:02:16,770 --> 00:02:19,850
So that is to say we
must assign auditing
53
00:02:19,850 --> 00:02:23,490
to record certain operations.
54
00:02:23,490 --> 00:02:28,170
So we enable auditing using the
database parameter AUDIT_TRAIL.
55
00:02:28,170 --> 00:02:30,690
And the AUDIT_TRAIL can
have several values.
56
00:02:30,690 --> 00:02:33,820
The most common are
here on the screen.
57
00:02:33,820 --> 00:02:36,750
So the possible values
are NONE or FALSE.
58
00:02:36,750 --> 00:02:39,090
Both of those values
do the same thing.
59
00:02:39,090 --> 00:02:41,100
And they turn off auditing.
60
00:02:41,100 --> 00:02:44,370
So even if we have
assigned various operations
61
00:02:44,370 --> 00:02:47,190
to be audited, no
record will occur
62
00:02:47,190 --> 00:02:49,200
because the
parameter AUDIT_TRAIL
63
00:02:49,200 --> 00:02:51,330
is set to NONE or FALSE.
64
00:02:51,330 --> 00:02:53,850
Another possible value is OS.
65
00:02:53,850 --> 00:02:58,020
If that is set to OS,
AUDIT_TRAIL equals OS,
66
00:02:58,020 --> 00:03:01,260
then any audit records
will be written to the file
67
00:03:01,260 --> 00:03:04,320
system of the operating system.
68
00:03:04,320 --> 00:03:08,060
In Windows, this will actually
go to the security log.
69
00:03:08,060 --> 00:03:09,870
And in Unix and Linux,
they'll actually
70
00:03:09,870 --> 00:03:14,070
be written out to files
in a particular directory.
71
00:03:14,070 --> 00:03:17,220
This is not really
advisable, in my opinion,
72
00:03:17,220 --> 00:03:19,140
because the amount
of information
73
00:03:19,140 --> 00:03:22,980
that could be generated by
auditing is substantial.
74
00:03:22,980 --> 00:03:26,790
And having it out in hundreds of
thousands or tens of thousands
75
00:03:26,790 --> 00:03:30,750
of files in the operating system
makes it very, very difficult,
76
00:03:30,750 --> 00:03:34,290
if you do have a break
or a breach in security,
77
00:03:34,290 --> 00:03:37,230
to try to piece
together what occurred.
78
00:03:37,230 --> 00:03:39,840
The advisable value
for AUDIT_TRAIL
79
00:03:39,840 --> 00:03:43,110
is DB, which means that
it goes to the database.
80
00:03:43,110 --> 00:03:45,810
And it's actually stored
in a database table.
81
00:03:45,810 --> 00:03:48,390
This is highly
preferable, in my opinion,
82
00:03:48,390 --> 00:03:53,160
because you can use just
regular SQL commands to find
83
00:03:53,160 --> 00:03:55,050
information in the audit trail.
84
00:03:55,050 --> 00:03:57,030
So if you want to
look at everything
85
00:03:57,030 --> 00:04:00,690
that happened within a
particular 24-hour period,
86
00:04:00,690 --> 00:04:03,690
you can write a query, a
simple SELECT statement,
87
00:04:03,690 --> 00:04:08,010
against the audit trail that
will give you that information.
88
00:04:08,010 --> 00:04:09,770
So once we've
enabled auditing, we
89
00:04:09,770 --> 00:04:11,980
have to assign audit actions.
90
00:04:11,980 --> 00:04:14,570
For that, we use
the AUDIT command.
91
00:04:14,570 --> 00:04:18,200
We can audit a system privilege
or an object privilege.
92
00:04:18,200 --> 00:04:22,610
And we simply tell Oracle
to audit the CREATE TABLE
93
00:04:22,610 --> 00:04:24,320
privilege, for instance.
94
00:04:24,320 --> 00:04:28,310
We have the option of auditing
kind of on a finer grained
95
00:04:28,310 --> 00:04:29,330
level.
96
00:04:29,330 --> 00:04:32,150
We can say audit a
particular privilege
97
00:04:32,150 --> 00:04:36,170
or a particular object
privilege whenever successful
98
00:04:36,170 --> 00:04:38,730
or whenever not successful.
99
00:04:38,730 --> 00:04:43,770
So we could say, AUDIT CREATE
TABLE WHENEVER NOT SUCCESSFUL.
100
00:04:43,770 --> 00:04:47,300
So if somebody attempts to
create a table unsuccessfully,
101
00:04:47,300 --> 00:04:49,820
maybe because they
don't have the privilege
102
00:04:49,820 --> 00:04:52,880
or because they don't have
privileges on the storage,
103
00:04:52,880 --> 00:04:54,170
that gets written.
104
00:04:54,170 --> 00:04:57,860
But anytime someone
successfully creates a table,
105
00:04:57,860 --> 00:05:01,520
we could deem that as
not a problem situation
106
00:05:01,520 --> 00:05:03,200
because they have the privilege.
107
00:05:03,200 --> 00:05:04,730
And they used it.
108
00:05:04,730 --> 00:05:08,030
And so we don't need to audit
whenever it is successful.
109
00:05:08,030 --> 00:05:10,730
We audit whenever
not successful.
110
00:05:10,730 --> 00:05:14,630
We can also audit by
access or by session.
111
00:05:14,630 --> 00:05:17,300
When we audit by
access, we're saying
112
00:05:17,300 --> 00:05:21,620
that we will record an
audit record every time
113
00:05:21,620 --> 00:05:24,560
a particular privilege is used.
114
00:05:24,560 --> 00:05:31,130
So if we say AUDIT INSERT
on the table scott.emp
115
00:05:31,130 --> 00:05:36,290
and we say BY ACCESS, every
time an INSERT statement occurs,
116
00:05:36,290 --> 00:05:38,630
there will be an audit
record written for that.
117
00:05:38,630 --> 00:05:41,570
And that could generate way
more auditing than we really
118
00:05:41,570 --> 00:05:42,560
want.
119
00:05:42,560 --> 00:05:44,840
So we might audit by session.
120
00:05:44,840 --> 00:05:47,240
And if we audit it by
session, then we're
121
00:05:47,240 --> 00:05:50,660
saying that anytime
within a session
122
00:05:50,660 --> 00:05:54,350
that the INSERT into
scott.emp occurs,
123
00:05:54,350 --> 00:05:57,080
we'll record one audit record.
124
00:05:57,080 --> 00:06:00,050
And it makes the management
of the audit data
125
00:06:00,050 --> 00:06:02,860
much more manageable.
126
00:06:02,860 --> 00:06:05,650
When we want to know auditing
information about what's
127
00:06:05,650 --> 00:06:09,130
occurred in our recorded
operations in the database,
128
00:06:09,130 --> 00:06:11,830
we look at DBA_AUDIT_TRAIL.
129
00:06:11,830 --> 00:06:14,350
And DBA_AUDIT_TRAIL
is simply a view
130
00:06:14,350 --> 00:06:16,720
that overlays a system table.
131
00:06:16,720 --> 00:06:19,150
So the system tables
are owned by SYS.
132
00:06:19,150 --> 00:06:23,020
So we can call that
table SYS.AUD$.
133
00:06:23,020 --> 00:06:26,830
And the AUD$ table is
the Oracle-based table
134
00:06:26,830 --> 00:06:29,920
that actually holds
auditing information.
135
00:06:29,920 --> 00:06:34,670
So to take a look at this, we
have our system connection.
136
00:06:34,670 --> 00:06:39,780
And we're going to open a
connection for kara as well.
137
00:06:39,780 --> 00:06:41,150
The first thing
we should look at
138
00:06:41,150 --> 00:06:44,910
is to see if
auditing is enabled--
139
00:06:44,910 --> 00:06:47,450
show parameter audit trail.
140
00:06:47,450 --> 00:06:50,850
And it states that
audit_trail is set to DB.
141
00:06:50,850 --> 00:06:52,560
And that's the default
when you create
142
00:06:52,560 --> 00:06:55,830
a database using the Database
Configuration Assistant.
143
00:06:55,830 --> 00:06:58,030
And that is what we want.
144
00:06:58,030 --> 00:07:04,390
So let's select star
from dba_audit_trail.
145
00:07:04,390 --> 00:07:06,190
So auditing is turned on.
146
00:07:06,190 --> 00:07:10,660
But as of this moment, we have
no actions that we're auditing.
147
00:07:10,660 --> 00:07:11,620
So let's set a few.
148
00:07:15,530 --> 00:07:19,890
We will audit select
on the scott.emp table.
149
00:07:19,890 --> 00:07:30,910
Now we'll audit select on
scott.dept whenever successful.
150
00:07:30,910 --> 00:07:39,430
And we'll audit delete on
scott.bonus whenever not
151
00:07:39,430 --> 00:07:42,360
successful by session--
152
00:07:45,630 --> 00:07:46,620
misspell there.
153
00:07:53,550 --> 00:07:57,180
So we need it in this order,
audit delete on scott.bonus
154
00:07:57,180 --> 00:07:59,880
by session whenever
not successful.
155
00:07:59,880 --> 00:08:03,460
Now we had a successful audit.
156
00:08:03,460 --> 00:08:05,290
Again, looking from
the audit_trail,
157
00:08:05,290 --> 00:08:07,870
none of these
actions has occurred.
158
00:08:07,870 --> 00:08:11,780
So let's have our kara
user do a few of these.
159
00:08:11,780 --> 00:08:18,340
And so kara is going to
select star from scott.emp
160
00:08:18,340 --> 00:08:31,520
and select star from scott.dept
and delete from scott.bonus.
161
00:08:31,520 --> 00:08:32,800
Let's take a look at it first.
162
00:08:42,360 --> 00:08:45,630
So that should generate
some audit information.
163
00:08:45,630 --> 00:08:49,020
So we look at select star
from dba_audit_trail.
164
00:08:49,020 --> 00:08:51,670
And we get some information.
165
00:08:51,670 --> 00:08:54,350
We see that the OS
username is listed here.
166
00:08:54,350 --> 00:08:57,130
So that's the name
of the account
167
00:08:57,130 --> 00:08:59,680
that logged in to the database.
168
00:08:59,680 --> 00:09:01,650
And this is their OS username.
169
00:09:01,650 --> 00:09:04,150
So this is their
login on the machine
170
00:09:04,150 --> 00:09:06,650
that that client
connection came from.
171
00:09:06,650 --> 00:09:09,680
The username they
connected with was KARA.
172
00:09:09,680 --> 00:09:13,070
Their hostname, time stamp
for when it occurred,
173
00:09:13,070 --> 00:09:15,860
the objects involved,
and the actions--
174
00:09:15,860 --> 00:09:19,910
so it was scott.emp and
scott.dept and select on them--
175
00:09:23,470 --> 00:09:25,000
lots of other information.
176
00:09:25,000 --> 00:09:30,120
This extended time stamp
gives more time information.
177
00:09:30,120 --> 00:09:32,160
But a lot of what we're
really interested in here
178
00:09:32,160 --> 00:09:34,290
is in the first few columns.
179
00:09:34,290 --> 00:09:37,380
So notice that there
are two records.
180
00:09:37,380 --> 00:09:40,680
Kara did the select
from emp and dept.
181
00:09:40,680 --> 00:09:42,180
But she also did a delete.
182
00:09:42,180 --> 00:09:44,460
And we were auditing delete.
183
00:09:44,460 --> 00:09:48,420
But kara successfully
deleted from the bonus table.
184
00:09:48,420 --> 00:09:51,730
And we audited whenever
not successful.
185
00:09:51,730 --> 00:09:54,690
So no entry was written
into the log for that
186
00:09:54,690 --> 00:09:58,170
because we had specifically
indicated that we did not
187
00:09:58,170 --> 00:10:02,310
want to record that event,
the delete of bonus,
188
00:10:02,310 --> 00:10:04,840
only when it was not successful.
189
00:10:04,840 --> 00:10:06,750
So this is an
example of auditing
190
00:10:06,750 --> 00:10:10,320
and how we can use it to track
occurrences in the database
191
00:10:10,320 --> 00:10:14,990
and keep a full record of what's
occurred for security purposes.
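A worked version of the setup and the incident query described in this lesson, added here as an example rather than taken from the lesson itself; it assumes Oracle's traditional (pre-unified) auditing, the SCOTT sample schema and a KARA user, as in the lesson, and it also shows the clause order that the lesson's first attempt got wrong.

```sql
-- Added example, not the lesson's own code. Assumes the SCOTT sample
-- schema and a user KARA, as in the lesson.

-- 1. Confirm the trail goes to the database table SYS.AUD$, not to OS
--    files (AUDIT_FILE_DEST on Unix/Linux, the Security log on Windows).
--    AUDIT_TRAIL is a static parameter: a change needs SCOPE=SPFILE and
--    a restart. DB,EXTENDED additionally captures SQL_TEXT and SQL_BIND.
SHOW PARAMETER audit_trail;
-- ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;   -- then restart

-- 2. Assign the audit actions. BY SESSION / BY ACCESS must precede
--    WHENEVER [NOT] SUCCESSFUL, which is why the lesson's first
--    attempt was rejected.
AUDIT SELECT ON scott.emp;
AUDIT SELECT ON scott.dept WHENEVER SUCCESSFUL;
AUDIT DELETE ON scott.bonus BY SESSION WHENEVER NOT SUCCESSFUL;

-- Record every failed CREATE TABLE (missing privilege or quota), one
-- row per statement, as discussed in the lesson.
AUDIT CREATE TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;

-- 3. Verify what is actually being audited instead of trusting memory.
SELECT owner, object_name, sel, del
  FROM dba_obj_audit_opts
 WHERE owner = 'SCOTT';
SELECT user_name, privilege AS what, success, failure
  FROM dba_priv_audit_opts
UNION ALL
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts;

-- 4. The "last 24 hours" incident query: who, from which OS account
--    and host, did what to which object, and whether it worked
--    (RETURNCODE 0 = success, otherwise the ORA- error number).
SELECT os_username, username, userhost, timestamp,
       owner, obj_name, action_name, returncode
  FROM dba_audit_trail
 WHERE timestamp >= SYSDATE - 1
 ORDER BY timestamp;

-- 5. Failures only, e.g. privilege probing: note that KARA's successful
--    DELETE on scott.bonus is absent by design (WHENEVER NOT SUCCESSFUL).
SELECT username, userhost, timestamp, action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE returncode <> 0
   AND timestamp >= SYSDATE - 1
 ORDER BY timestamp;
```

The AUDIT statements write to SYS.AUD$ only while AUDIT_TRAIL is DB or DB,EXTENDED; with NONE or FALSE the assignments remain but produce no rows.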