Call: +44 (0)1904 557620 Call
Forum

Welcome, Guest. Please Login.
Sep 26th, 2023, 4:55pm
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   Performance Impact of Auditing
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Performance Impact of Auditing  (Read 14563 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Performance Impact of Auditing
« on: Mar 8th, 2006, 9:11pm »
Quote | Modify

Background: Due to SOX and regulatory compliance, the database operations group will be asked to enable auditing of certain events. Here are the things that the auditor will be recommending:
 
Authentication Success/Failure
Authorization Failure (object access)
Grant/Revoke roles, privileges
Grant/Revoke object access
Use of admin privileges (start/stop database, changing global params, etc.)
 
The db ops group has been asked to implement a subset of these auditing items before, but have claimed that there is too much of an impact on performance. My experience has shown me differently, but I would like an objective 3rd party to point at.
 
Can anyone point me in the direction of articles that discuss the performance impact of enabling auditing features in Oracle 8/9/10, SQL Server 7/2k/2k5 and Sybase 12.x?  
 
Please remember that this will not involve auditing DML.
 
Thanks.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Performance Impact of Auditing
« Reply #1 on: Mar 9th, 2006, 1:56pm »
Quote | Modify

Hi,
 
I don't know of any documents that discuss the performance impact of enabling audit on Oracle, SQL and Sybase. I have seen discussions about performance of enabling audit before but cannot immediately find any links.  
 
I know from personal experience that as long as you dont audit actions that occur frequently the performance impact is negligable. For instance auditing connections should occur once per session and the additional time is not noticable.  
 
For the use of system privileges, applications should not be using system privileges at any rate that should cause a performance issue.  
 
The same should be true for failure to access an object - i.e. the user does not have permissions. This should not happen often if the application is configured correctly.
 
The same is true of granting, revoking and use of admin privileges.
 
The audit you mention, i always advocate and from experience auditing these things does not incur performance penalities.
 
If you audit DML then there can be issues but this depends on what you are auditing and is very specific to each site/application
 
hth
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Performance Impact of Auditing
« Reply #2 on: Mar 13th, 2006, 3:05pm »
Quote | Modify

Hi
 
My experience matches yours and Pete's.
 
If you are auditing functions that by definition do not occur often then the performance hit is low.
 
Given the range of database's you are talking about I should point out that there is a different issue with each of them.  
 
With Oracle, you need to be sure you are writting the audit trail to a secure location. SOX requires an audit trail that DBA's can not modify. Oracle can either audit to a DB table, not recommended for performance, or to an external file, you need to be sure of access controls to the OS based file.
 
On SQL, there is more of a performance degredation than on any of the others for these functions, and you need to be sure where the authentication is happening for the auditors to believe the audit trail, i.e. is it Windows/SQL or mixed mode authentication.
 
On Sybase, auditing is done to a seperate db, but make sure you know who the owner is, otherwise DBA's can turn it off very easily.
 
Hope this helps.
 
Kevin
NoFools
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Performance Impact of Auditing
« Reply #3 on: Mar 15th, 2006, 12:34am »
Quote | Modify

"or to an external file, you need to be sure of access controls to the OS based file. "
 
Presumably if the oracle process is writing the audit records, the file must be enabled for read/write for that oracle process. In that case, doesn't it follow that, using CREATE DIRECTORY and UTL_FILE, the audit file is accessible and amendable through the database ?
I guess you can set up an OS process that copies the audit file such that the copy is not writable by oracle.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Performance Impact of Auditing
« Reply #4 on: Mar 17th, 2006, 11:09am »
Quote | Modify

This is the age old problem of how do you protect an audit trail to prevent the people you are trying to audit from modifying it.......
 
It's why I am now tending to use network appliance based tools on the solutions I am designing. These have two advantages.
 
1/ No performance hit on the DB.
2/ Easy segregation of duties, allowing audit to get to the trail, while still protecting it from modification.
 
The problem is that there are not many auditors that understand SQL yet, and the in built knowledge on these appliances varies greatly.
 
Regards
 
Kevin.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues