Call: +44 (0)1904 557620 Call
Blog
Home / Archives / April 2007 / 3 new papers on Oracle forensics

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Argeniss have released a simple Oracle root kit"] [Next entry: "Oracle Assessment Toolkit"]

3 new papers on Oracle forensics

April 4th, 2007 by Pete


David Litchfieldhas released three new papers on Oracle forensics. These are:

Oracle Forensics Part 1: Dissecting the redo logs

This paper includes quite a detailed analysis of the redo log binary file structures and a C program to calculate the block checksums, a C program to decode redo block timestamps, a C program to dump an insert entry plus detailed analysis of the dumps

Oracle Forensics Part 2:Locating Dropped Objects

This paper discusses how fragments of evidence can remain in place after a database object has been dropped.

Oracle Forensics Part 3: Isolating Evidence of Attacks Against the authentication mechanism

Quite an interesting paper that discusses how to spot attempts to brute force database sids, user enumeration attacks, password guessing attacks, spotting brute force attempts against SYS, spotting attempts to abuse the imperva bug (DB18 - Jan 2006 CPU) and attempts to log into the XML DB.

David spotted a gotcha in using database audit to audit connections, he saw that the logoff overwrote the LOGON action in SYS.AUD$ in 8i and 9i. This is not an issue as you can get the logon time from the timestamp column of dba_audit_session and the logoff time is recorded in the logoff_time column. the data is not lost. See "Introduction to Simple Oracle Auditing" a paper i wrote for Security Focus in 2003. An example is here:


SQL> select count(*) from sys.aud$;

COUNT(*)
----------
1

SQL> audit create session by access;

Audit succeeded.

SQL> connect scott/tiger
Connected.
SQL> connect system/manager
Connected.
SQL> select count(*) from sys.aud$
2 ;

COUNT(*)
----------
3

SQL> select username,terminal,action_name,to_char(timestamp,'DDMMYYY:HHMISS') ti
mestamp,to_char(logoff_time,'DDMMYYYY:HHMISS') logoff,returncode
2 from dba_audit_session;

USERNAME
------------------------------
TERMINAL
--------------------------------------------------------------------------------

ACTION_NAME TIMESTAMP LOGOFF RETURNCODE
--------------------------- -------------- --------------- ----------
SCOTT
PETERFIN
LOGOFF 0404007:090339 04042007:090348 0

SYSTEM
PETERFIN
LOGON 0404007:090349 0

USERNAME
------------------------------
TERMINAL
--------------------------------------------------------------------------------

ACTION_NAME TIMESTAMP LOGOFF RETURNCODE
--------------------------- -------------- --------------- ----------


SQL>

April 2007

Archives

Weblog Home
Weblog Archives

Syndication

RSS 1.0 FEED RSS 2.0 FEED Atom 0.3 FEED Powered by gm-rss 2.0.0