Auditing the DBA: What non-technical managers and auditors should know.
Presented by Cam Larner, President, Absolute Technologies, Inc.
January 17, 2007, Version 1
Intro
You are a manager or project lead
You need to secure E-Biz Suite for SOX compliance purposes
You have or are implementing controls for application end users
Your DBA has the access and power to overcome or tamper with these controls without detection
You need to mitigate DBA risk
Background
In the context of SOX, external auditors are beginning to scrutinize DBA access and requesting controls and systematic proof of such to attain compliance.
After all, the systematic controls you have established for application end users will have little impact on your DBA’s ability to overcome them.
Outline
Database Basics
Auditing the DBA
Issues
Recommendations

Database Basics
– Users: connect to the database
– Privileges: provide access to specific data or objects
– Roles: bundle privileges for easy assignment to users
[Diagram: User, Role, Privilege]
User vs Schema?
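As an added example (not from the presentation), the Oracle SQL behind the three terms on this slide, and the answer to the "User vs Schema?" question: in Oracle, creating a user also creates the schema of the same name, so the two words name the same thing seen as an account versus as a container of objects. The account jsmith, the role fin_reader and the General Ledger table names are assumed for illustration.

```sql
-- Added example, not the presentation's own material.
-- Names (jsmith, fin_reader) and the password are placeholders.

-- A USER is an account that can connect. CREATE USER also creates the
-- schema "JSMITH": a user and its schema are one and the same in Oracle.
CREATE USER jsmith IDENTIFIED BY changeme_placeholder;
GRANT CREATE SESSION TO jsmith;                  -- system privilege: may log on

-- A PRIVILEGE gives access to a specific object (here, read-only access
-- to a General Ledger table; table names assumed for illustration).
GRANT SELECT ON gl.gl_je_headers TO jsmith;      -- object privilege, granted directly

-- A ROLE bundles privileges so they can be handed out as one unit.
CREATE ROLE fin_reader;
GRANT SELECT ON gl.gl_je_headers TO fin_reader;
GRANT SELECT ON gl.gl_je_lines   TO fin_reader;
GRANT fin_reader TO jsmith;                      -- one grant instead of many

-- What an auditor checks: everything a user holds, through roles and directly.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'JSMITH';

SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('JSMITH', 'FIN_READER');
```

The two dictionary queries at the end are the ones worth keeping for evidence: they show what the account can actually reach, which is the question an external auditor asks, regardless of what was intended when the grants were made.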
Database Operations
– Select data from tables and views
– DML: insert, update and delete records
– DDL: create, alter and drop objects
– Startup and shutdown database
DBA Access in Oracle 9i / E-Biz Suite
– SYSDBA (default schema is SYS)
  Database creation
  Instance startup and shutdown
  Archive and recovery
  Can access any user’s data
– SYSOPER (default schema is PUBLIC)
  Same as above, but…
  Can’t access other users’ data
Administrative Roles
– DBA (all system privileges WITH ADMIN OPTION)
– Oracle operating system account groups
  OSDBA (dba in unix)
  OSOPER (oper in unix)
– O7_DICTIONARY_ACCESSIBILITY = TRUE
  Users may be granted access to SYS
  Users may log on to SYS remotely and without OS authentication
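An added example, not part of the presentation: the data-dictionary queries an auditor (or a manager's delegate with SELECT access to the dictionary, e.g. the SYSTEM account) can run on an Oracle 9i database to inventory exactly the administrative access this slide describes. Nothing here changes the database; the view and column names are Oracle's own.

```sql
-- Added example: inventory of administrative access in Oracle 9i.
-- Read-only; run as a user that can read the data dictionary.

-- 1. Who can connect AS SYSDBA or AS SYSOPER through the password file?
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 2. Who holds the DBA role, i.e. all system privileges WITH ADMIN OPTION?
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3. Who can pass system privileges on to others (ADMIN OPTION)?
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
 ORDER BY grantee, privilege;

-- 4. Is the SYS schema reachable by ordinary users, and is remote
--    password-file logon enabled? Expected on a hardened system:
--    o7_dictionary_accessibility = FALSE.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'remote_login_passwordfile');

-- Note: OSDBA / OSOPER membership (the unix "dba" and "oper" groups) is
-- not visible from SQL. It is verified on the host, for example by reading
-- the group file (/etc/group on unix), and should be reviewed alongside
-- the output above, because an OS group member connects AS SYSDBA without
-- appearing in v$pwfile_users.
```

Each result set is the kind of evidence the Background slide says auditors now ask for: a dated list of who holds SYSDBA, who holds the DBA role, and whether the SYS schema is exposed. Run the same queries after each change and keep the output with the change record.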
File System Entry Points to the Database
(Change an application user’s password, as changed by the FND “anonymous” user)
– SYSADMIN via APPS user
– EXAMINE via APPS user
– All underlying tables of E-Biz Suite
Approaches to Auditing the DBA
Common misconception: should we audit at the application or database level?
[Diagram: layers Application, Database, Operating System; actors End User and DBA; label “On Commit”]
Data is not stored in the application layer, but in the database layer.
Issues / Discussion
When is SYSDBA access necessary? SYSDBA has control over SYS objects, AUD$ (the SQL audit table) and initialization parameters.
Alternatives to support the DBA role:
– SYSOPER (startup and shutdown)
– SYSTEM (maintenance, security)
– Named account with DBA role (maintenance, security)
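As an added example (not from the presentation), the SQL a database team would run to move day-to-day work off SYSDBA and onto the alternatives listed above. The account names dba_jsmith and ops_night and the password values are placeholders; the parameter and view names are Oracle 9i's own.

```sql
-- Added example: replacing routine SYSDBA use with named and limited accounts.
-- Account names and passwords are placeholders.

-- 1. A named account holding the DBA role for maintenance and security work.
--    Every action is now attributable to a person rather than to the shared
--    SYS account, and it does not carry SYSDBA's power over SYS.AUD$.
CREATE USER dba_jsmith IDENTIFIED BY changeme_placeholder;
GRANT CREATE SESSION, DBA TO dba_jsmith;

-- 2. A separate operator account limited to SYSOPER: it can start, stop,
--    mount and back up the instance but, unlike SYSDBA, cannot read other
--    users' data. Requires remote_login_passwordfile = EXCLUSIVE.
CREATE USER ops_night IDENTIFIED BY changeme_placeholder;
GRANT SYSOPER TO ops_night;

-- 3. Make the SYSDBA/SYSOPER sessions that remain leave a trace.
--    Connections AS SYSDBA are not written to SYS.AUD$; with this
--    parameter Oracle 9i writes their statements to the AUDIT_FILE_DEST
--    directory on the host instead. Takes effect at the next restart.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 4. Verify afterwards: only the intended accounts should appear.
SELECT username, sysdba, sysoper FROM v$pwfile_users;
SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';
```

Step 3 is the part that answers the "when is SYSDBA necessary" question in practice: the privilege cannot be removed entirely, but it can be confined to a few named people whose SYSDBA sessions are logged to a directory that the later Recommendations slides say to copy away from the DBA's control.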
Issues / Discussion
Securing audit mechanisms from the DBA:
– Triggers
– LogMiner views, redo and archive logs
– SYS.AUD$ audit trail table
– File system audit directories
– Database initialization parameters
“Operating system authentication takes precedence over password file authentication. Specifically, if you are a member of the OSDBA or OSOPER group for the operating system, and you connect as SYSDBA or SYSOPER, you will be connected with associated administrative privileges regardless of the username/password that you specify.” – Oracle9i Database Administrator’s Guide
Recommendations
Segregate DBA duties and access
– Database and application support
– Security, access and auditing
Limit use of SYSDBA
Limit OS user assignment of the “dba” group
Utilize named accounts when possible
Recommendations
Audit DBA activity on key application objects
Protect the AUDIT_FILE_DEST log directory from the DBA
– Copy audit log files to secure directories
  rsync (unix)
  Unison (unix)
Ask how App Auditor can help you secure the audit trail.
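An added example, not the presentation's or Application Auditor's code, serving both this slide (audit DBA activity on key application objects) and the earlier "securing audit mechanisms from the DBA" slide: Oracle 9i standard auditing turned on for the objects and events a SOX reviewer cares about, followed by the review query. It assumes audit_trail = DB is already set in the initialization parameters (that setting needs a restart), that dba_jsmith is a named DBA account, and that the E-Business Suite tables named are the ones chosen as "key" for this site.

```sql
-- Added example: auditing DBA activity on key application objects with
-- Oracle 9i standard auditing. Assumes audit_trail = DB. Account name
-- dba_jsmith and the choice of "key" tables are illustrative.

-- Every logon and logoff, with OS user and host, as one record per session.
AUDIT SESSION BY ACCESS;

-- Everything a named DBA account does, not only its access to listed objects.
AUDIT ALL BY dba_jsmith BY ACCESS;

-- Changes to the security model itself: accounts, roles, grants, profiles.
AUDIT USER, ROLE, SYSTEM GRANT, PROFILE BY ACCESS;

-- Reads and writes on key application tables: E-Biz Suite user accounts and
-- responsibility assignments, and General Ledger journal headers.
AUDIT SELECT, INSERT, UPDATE, DELETE ON applsys.fnd_user BY ACCESS;
AUDIT INSERT, UPDATE, DELETE ON applsys.fnd_user_resp_groups BY ACCESS;
AUDIT INSERT, UPDATE, DELETE ON gl.gl_je_headers BY ACCESS;

-- Attempts to purge the audit trail itself. A SYSDBA can still do this,
-- which is why the slide says to copy AUDIT_FILE_DEST and the trail off
-- the DBA's host; this at least records purges done from ordinary accounts.
AUDIT DELETE ON sys.aud$ BY ACCESS;

-- Review: what every DBA-role holder did in the last day, newest first.
SELECT a.timestamp, a.username, a.os_username, a.userhost,
       a.action_name, a.owner, a.obj_name, a.returncode
  FROM dba_audit_trail a
 WHERE a.username IN (SELECT grantee FROM dba_role_privs
                       WHERE granted_role = 'DBA')
   AND a.timestamp > SYSDATE - 1
 ORDER BY a.timestamp DESC;
```

The review query is the one to hand to a non-technical reviewer: a non-zero returncode marks a failed attempt, os_username and userhost show who was really at the keyboard behind a shared account, and a row with obj_name = AUD$ and action_name = DELETE is the event that should never appear without a change ticket. Copying the trail and the AUDIT_FILE_DEST files to a directory the DBA cannot write (the rsync step on the slide) is an operating-system task outside this SQL and is what makes the records trustworthy.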
Recommendations
“It is suggested that you create at least one additional administrator user, and grant that user the DBA role, to use when performing daily administrative tasks. It is recommended that you do not use SYS and SYSTEM for these purposes.”
“To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by Oracle. They should never be modified by any user or database administrator, and no one should create any tables in the schema of user SYS.”
It may be said by many DBAs that the DBA role is a trusted role, or that a good DBA could overcome almost any restrictions or audit trail deployed for control and compliance purposes.
Whether that is true or not is not the point.
The reality is that external auditors are starting to scrutinize DBA access and requesting controls and systematic proof of such to attain compliance. Any particular approach may not be ‘bullet proof’, but each hurdle or preventive measure deployed reduces the overall risk as assessed by the auditor.
Hurdles to Mitigate Risk
[Diagram: hurdles on the path to DBA Fraud]
– Use Named Accounts
– Audit Access
– Audit Transactions
– Secure Audit Trail
– Limit SYSDBA Usage
Application Auditor
Audit/Alert/Prevent:
– DML transactions
– DDL operations
– DBA activity
– IT staff activity
– Application user activity
Audit session connections
Audit server errors
Secure the audit schema from the DBA
Visit www.absolute-tech.com to learn more.