Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
There are 27 visitors online    

Pete Finnigan's Oracle security weblog


Home » Archives » April 2007 » 3 new papers on Oracle forensics

[Previous entry: "Argeniss have released a simple Oracle root kit"] [Next entry: "Oracle Assessment Toolkit"]

3 new papers on Oracle forensics

April 4th, 2007 by Pete

Post to del.icio.us   Post to Furl   Digg!

David Litchfieldhas released three new papers on Oracle forensics. These are:

Oracle Forensics Part 1: Dissecting the redo logs

This paper includes quite a detailed analysis of the redo log binary file structures and a C program to calculate the block checksums, a C program to decode redo block timestamps, a C program to dump an insert entry plus detailed analysis of the dumps

Oracle Forensics Part 2:Locating Dropped Objects

This paper discusses how fragments of evidence can remain in place after a database object has been dropped.

Oracle Forensics Part 3: Isolating Evidence of Attacks Against the authentication mechanism

Quite an interesting paper that discusses how to spot attempts to brute force database sids, user enumeration attacks, password guessing attacks, spotting brute force attempts against SYS, spotting attempts to abuse the imperva bug (DB18 - Jan 2006 CPU) and attempts to log into the XML DB.

David spotted a gotcha in using database audit to audit connections, he saw that the logoff overwrote the LOGON action in SYS.AUD$ in 8i and 9i. This is not an issue as you can get the logon time from the timestamp column of dba_audit_session and the logoff time is recorded in the logoff_time column. the data is not lost. See "Introduction to Simple Oracle Auditing" a paper i wrote for Security Focus in 2003. An example is here:


SQL> select count(*) from sys.aud$;

COUNT(*)
----------
1

SQL> audit create session by access;

Audit succeeded.

SQL> connect scott/tiger
Connected.
SQL> connect system/manager
Connected.
SQL> select count(*) from sys.aud$
2 ;

COUNT(*)
----------
3

SQL> select username,terminal,action_name,to_char(timestamp,'DDMMYYY:HHMISS') ti
mestamp,to_char(logoff_time,'DDMMYYYY:HHMISS') logoff,returncode
2 from dba_audit_session;

USERNAME
------------------------------
TERMINAL
--------------------------------------------------------------------------------

ACTION_NAME TIMESTAMP LOGOFF RETURNCODE
--------------------------- -------------- --------------- ----------
SCOTT
PETERFIN
LOGOFF 0404007:090339 04042007:090348 0

SYSTEM
PETERFIN
LOGON 0404007:090349 0

USERNAME
------------------------------
TERMINAL
--------------------------------------------------------------------------------

ACTION_NAME TIMESTAMP LOGOFF RETURNCODE
--------------------------- -------------- --------------- ----------


SQL>


April 2007
SMTWTFS
1234567
891011121314
15161718192021
22232425262728
2930     

About

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Search weblog

Home and Archives

Weblog Home
Weblog Archives

Recommended reading

Oracle Security Step-by-Step (Version 2.0)

Useful links

Home
Oracle Security Tools page
Oracle security papers
Oracle Security alerts

Other useful blogs

Web Development
SQL Server Security

Syndication - Feeds

RSS 1.0 FEED
RSS 2.0 FEED
Atom 0.3 FEED
Powered by gm-rss 2.0.0

Other Links


Valid XHTML 1.0!