All language subtitles for [SubtitleTools.com] Auditing - Learning Oracle 12c [Video]

In this lesson, we'll be looking at auditing. So let me begin this with a little story of something that happened to me professionally as a DBA. So I was working for a company who had hired a security company to attempt to penetrate our databases and, really, our entire network. And the report came back. It was very brief. It didn't go into a lot of detail for a very particular purpose because that was really why they had assigned a security company to attempt to penetrate the databases-- that said that one of the databases, one that I was not working with or responsible for, had been penetrated. And so the company was, obviously, upset about this. And so it showed that the security in place was not adequate to protect it from outside actions. And so they really had no incident response as to what to do. And so they talked to me and asked me, well, what should we do? We have almost no information. We know which database it was that they penetrated. But we don't know what information they had. We don't know where they came from, so on and so forth. And I simply said, well, is auditing turned on? And because auditing was turned on, we were able to look at the audit trail and find out that the would-be attackers had penetrated the database at such and such time, that they'd used this account, that they'd come from this machine, and these are the actions that they did.

So that's the importance of auditing. And auditing is very, very important in the security world because you may not be able to prevent every attempt to penetrate your defenses or even the operations that might occur should you be penetrated. But you can have some sort of incident response. You can have a log of what occurred. And then you can take action after that point. So auditing goes back to the security principle that every action should be traceable to one and only one user. Auditing is a history of recorded operations in the database. So there are two things that must occur in order for auditing to be working as it should. It must be enabled. And then auditing must be assigned. So that is to say we must assign auditing to record certain operations.

So we enable auditing using the database parameter AUDIT_TRAIL. And the AUDIT_TRAIL can have several values. The most common are here on the screen. So the possible values are NONE or FALSE. Both of those values do the same thing. And they turn off auditing. So even if we have assigned various operations to be audited, no record will occur because the parameter AUDIT_TRAIL is set to NONE or FALSE. Another possible value is OS. If that is set to OS, AUDIT_TRAIL equal OS, then any audit records will be written to the file system of the operating system. In Windows, this will actually go to the security log. And in Unix and Linux, they'll actually be written out to files in a particular directory. This is not really advisable, in my opinion, because the amount of information that could be generated by auditing is substantial. And having it out in hundreds of thousands or tens of thousands of files in the operating system makes it very, very difficult, if you do have a break or a breach in security, to try to piece together what occurred. The advisable value for AUDIT_TRAIL is DB, which means that it goes to the database. And it's actually stored in a database table. This is highly preferable, in my opinion, because you can use just regular SQL commands to find information in the audit trail. So if you want to look at everything that happened within a particular 24-hour period, you can write a query, a simple SELECT statement, against the audit trail that will give you that information.

So once we've enabled auditing, we have to assign audit actions. For that, we use the AUDIT command. We can audit a system privilege or an object privilege. And we simply tell Oracle to audit the CREATE TABLE privilege, for instance. We have the option of auditing kind of on a finer grained level. We can say audit a particular privilege or a particular object privilege whenever successful or whenever not successful. So we could say, AUDIT CREATE TABLE WHENEVER NOT SUCCESSFUL. So if somebody attempts to create a table unsuccessfully, maybe because they don't have the privilege or because they don't have privileges on the storage, that gets written. But anytime someone successfully creates a table, we could deem that as not a problem situation because they have the privilege. And they used it. And so we don't need to audit whenever it is successful. We audit whenever not successful.

We can also audit by access or by session. When we audit by access, we're saying that we will record an audit record every time a particular privilege is used. So if we say AUDIT INSERT on the table scott.emp and we say BY ACCESS, every time an INSERT statement occurs, there will be an audit record written for that. And that could generate way more auditing than we really want to. So we might audit by session. And if we audit it by session, then we're saying that anytime within a session that the INSERT into scott.emp occurs, we'll record one audit record. And it makes the management of the audit data much more manageable.

When we want to know auditing information about what's occurred in our recorded operations in the database, we look at DBA_AUDIT_TRAIL. And DBA_AUDIT_TRAIL is simply a view that overlays a system table. So the system tables are owned by SYS. So we can call that table SYS.AUD$. And the AUD$ table is the Oracle-based table that actually holds auditing information.

So to take a look at this, we have our system connection. And we're going to open a connection for kara as well. The first thing we should look at is to see if auditing is enabled-- show parameter audit trail. And it states that audit_trail is set to DB. And that's the default when you create a database using the Database Configuration Assistant. And that is what we want. So let's select star from dba_audit_trail. So auditing is turned on. But as of this moment, we have no actions that we're auditing. So let's set a few. We will audit select on the scott.emp table. Now we'll audit select on scott.dept whenever successful. And we'll audit delete on scott.bonus whenever not successful by session-- misspell there. So we need it in this order, audit delete on scott.bonus by session whenever not successful. Now we had a successful audit. Again, looking from the audit_trail, none of these actions has occurred.

So let's have our kara user do a few of these. And so kara is going to select star from scott.emp and select star from scott.dept and delete from scott.bonus. Let's take a look at it first. So that should generate some audit information. So we look at select star from dba_audit_trail. And we get some information. We see that the OS username is listed here. So that's the name of the account that logged in to the database. And this is their OS username. So this is their login on the machine that that client connection came from. The username they connected with was KARA. Their hostname time stamp for when it occurred, the objects involved, and the actions-- so it was scott.emp and scott.dept and select on them-- lots of other information. This extended time stamp gives more time information. But a lot of what we're really interested in here is in the first few columns. So notice that there are two records. Kara did the select from emp and dept. But she also did a delete. And we were auditing delete. But kara successfully deleted from the bonus table. And we audited whenever not successful. So no entry was written into the log for that because we had specifically indicated that we did not want to record that event, the delete of bonus, only when it was not successful. So this is an example of auditing and how we can use it to track occurrences in the database and keep a full record of what's occurred for security purposes.
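The steps the lesson walks through, collected into one script as an added example (this is not the instructor's own SQL). It assumes traditional, non-unified auditing in Oracle 12c with AUDIT_TRAIL=DB, the SCOTT schema and the KARA user from the lesson, and a DBA connection; the only statements that change anything are the three AUDIT commands.

```sql
-- Added example, not the lesson's own script. Assumes the SCOTT schema and
-- user KARA exist and that traditional (non-unified) auditing is in use.

-- 1. Confirm auditing is enabled. AUDIT_TRAIL is a static parameter, so a
--    change needs SCOPE=SPFILE and a restart before it takes effect.
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';
-- ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;   -- then restart

-- 2. Assign the audit actions shown in the lesson. Note the clause order:
--    BY SESSION / BY ACCESS comes before WHENEVER [NOT] SUCCESSFUL.
AUDIT SELECT ON scott.emp;
AUDIT SELECT ON scott.dept WHENEVER SUCCESSFUL;
AUDIT DELETE ON scott.bonus BY SESSION WHENEVER NOT SUCCESSFUL;

-- 3. Verify what is now audited. DBA_OBJ_AUDIT_OPTS shows each object
--    option as "success/failure": A = by access, S = by session, - = off.
--    Expected for scott.bonus after step 2: DEL = '-/S'.
SELECT owner, object_name, sel, del
FROM   dba_obj_audit_opts
WHERE  owner = 'SCOTT';

-- 4. The "last 24 hours" review the lesson describes. RETURNCODE = 0 means
--    the statement succeeded; a non-zero value is the ORA- error number of
--    the failure (e.g. 1031, insufficient privileges, for a refused DELETE).
SELECT os_username, username, userhost,
       timestamp, owner, obj_name, action_name, returncode
FROM   dba_audit_trail
WHERE  timestamp >= SYSDATE - 1
ORDER  BY timestamp;

-- 5. Narrow to one account and one schema, answering the questions from the
--    lesson's story: which account, from which machine, did what, and when.
SELECT username, userhost, action_name, returncode,
       COUNT(*)       AS events,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  username = 'KARA'
AND    owner    = 'SCOTT'
GROUP  BY username, userhost, action_name, returncode
ORDER  BY first_seen;
```

With the lesson's three actions run by KARA, step 4 returns the two SELECT records and no DELETE record, because the successful delete on scott.bonus falls outside the WHENEVER NOT SUCCESSFUL condition.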
