Call: +44 (0)1904 557620 Call
Forum

Welcome, Guest. Please Login.
May 28th, 2024, 3:23pm
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Auditing
(Moderator: Pete Finnigan)
   Query Rewrite not working with FGA
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Query Rewrite not working with FGA  (Read 11267 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Query Rewrite not working with FGA
« on: Jul 16th, 2014, 4:32pm »
Quote | Modify

We are using oracle 11g.  We have a requirement to record the user id and SQL statement every time a query is run that returns confidential columns. In my tests FGA (Fine Grained Auditing) appears to work as documented and do what we need except where query-rewrite is concerned.  
 
In our data warehouse we have many materialized view aggregates build on top of large fact tables. The MVs are enabled for query rewrite and transparently speed up queries issued by our BI tools.  However if I create an FGA policy on a base table, then summary queries always result in base table access operations and never rewrite to use the materialized views. These are queries that previously always resulted in a materialized view rewrite operation (as proven by explain plan and sql monitor), the only change is the addition of the FGA policy. The FGA policy is being triggered, because audit rows appear in DBA_FGA_AUDIT_TRAIL, but the queries will not rewrite.
 
I can’t find anything in the Oracle documentation that says query rewrite will not work with FGA policies, and I can’t find any mention of this problem in any online forums.
 
Why does query re-write not work with FGA, is this a known problem or  bug?
 
Is there anything ‘special’ I have to do to get query re-write to work with FGA?  
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Query Rewrite not working with FGA
« Reply #1 on: Jul 18th, 2014, 12:20pm »
Quote | Modify

Our databases are 11.2.0.4.0 and I still find that a query will not rewrite if there is an FGA policy on any of the tables in the query. Note queries rewrite ok with Oracle Standard Auditing.
 
From a reply to my post on OTN I have been pointed in the direction of Oracle bug 7433976. However the details in the bug report are rather confusing; it states that a bug preventing query rewrite with FGA was fixed in 11.2, but it also quotes the 11.2 readme “text match rewrite will not take place if FGA is enabled on a table reference by the query”.  
 
The readme for 12.1 is more comprehensive:
 
“1.22.1.1 Fine Grained Auditing (FGA)
 
If Fine Grained Auditing (FGA) is enabled on a table in the query, then Query Rewrite will not occur for this query.”
 
…so my conclusion is if you need to use query rewrite (for performance reasons typically in a data warehouse) then you can use Oracle Standard Auditing, but not FGA, which is a bit irritating, but that’s the way it is.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Query Rewrite not working with FGA
« Reply #2 on: Jul 23rd, 2014, 9:51am »
Quote | Modify

Thanks for your posts Phil,
 
I was not aware of this bug. I have used FGA with a number of clients on some very big systems and also a small system but not on a data warehouse.
 
The problem with standard audit and sql capture is that its not row level but at the statement level. Also the performance impact is bigger when SQL is captured and also its global for all audit and cannot be targetted onto just the statements that you need.
 
Did you test whether you could create a view over the access and then add FGA to the view not the base table? There is a risk that direct access to the base table would bypass the audit but you could create RBAC to prevent this access. Its not ideal but combined with standard audit on the base table perhaps without SQL capture which would then have less performance impact.
 
A more convoluted approach; maybe you could convert the table to make the important data an object and then the type body could write the audit for you; in this way you can achieve FGA without FGA.
 
cheers
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues