Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Designing Good Audit Trails for an Oracle Database

I have been asked to speak at the UKOUG Autumn Tech event. This is an online conference event and the agenda grid is live and I will speak at 15:00 to 15:45 BUT the link to the details of my talk is incorrect as it points to a Graham Spicers talk. I have asked UKOUG to fix this but it doesn't matter for now as I can discuss the contents of the talk here.

The talk is all about building a good audit trail for your Oracle database. What I mean by good is a well designed audit trail and not one simply based on a set of technical settings BUT a well designed and thought out audit trail. First, who are you trying to satisfy? external regulations or even internal ones; do you want to be reactive - i.e. simply collect and store, do you want to be pro-active - i.e. use the audit trail in real time or semi real time to react to an incident and block or stop it. If you have to comply with regulations to gather certain audit trail evidence then there is no reason that you should simply comply with the regulations - often they are not good enough to use the audit to investigate a breach or to detect a breach. This is because they are designed by committee not designed by you and for your business.

One area I will focus on, then, of course is the good design. The audit trail needs to be designed first in terms of events; the events that you want to capture and we discuss these first as well as some sample events that I feel should be included. These are at a business level in a table in an MS Word document; these are not audit settings in the database. Once we have the list of events we can then decide what the technical solution is going to be (standard audit, unified audit, FGA, third party... ) and as part of this we decide what raw audit to be collected and how, then how to mine that raw audit to see if the event has occurred and we also bring in reporting and escalation and alerts. This is a designed audit not a list of random settings recommended by someone else.

I will also show the results of some hacking and what is captured with the base standard audit settings from Oracle and then implement a good set of policies in my database and show that the hacking is now captured in the audit trail.

Come along and learn about audit trails and good designs for capturing activity in the core database engine.

Happy 17th Birthday to this Oracle Security Blog

It is almost 17 years since I started this blog on the 20th of September 2004. I had actually already been sort of blogging without blog software before that since 10th February 2004 with my ramblings section of my website. The ramblings section was a list of posts/articles so was the forerunner to my blog when I installed but the site in general was a site to promote Oracle Security articles and papers.

The first post on the ramblings section was how to disable iSQLPlus which is not relevant anymore.

The first post to the blog in September 2004 was a simple introduction and why I wanted to blog and what i would include in this blog. The post was titled A new Oracle Security based weblog.

I was late to the party in blogging as the first blog is reputedly said to be by Justin Hall who recorded his life on his personal website but it was known as a blog and the term weblog was not used until 1997; first by Jorn Barger. WordPress did not launch until 2003, one year before my Oracle security blog but I used Greymatter blog software which was one of the first proper blog softwares to be released in 2000. The Wikipedia page even mentions me twice as I created some of the mods and also hosted the software for download as well as helped develop it for a while with Coldstone. I chose Greymatter because it is static and does not use a database unlike other popular blog packages of the time such as WordPress and Typepad and Movable Type. I liked Greymatter because it was configurable and because it was static and therefore not SQL Injectable.

I have posted some 1484 posts (including this post) during the 17 years; not as many in recent years as I did at the start. That is 87 posts a year on average, not bad! For quite some time at the start I managed to do a post a day but that dropped off in recent years and now I am trying to build that back up a bit again - but not to one post a day; I will never do that again as I am too busy with other work.

There are not many people who blog about Oracle Security and very few who did/do blog about Oracle security specifically that's why I keep covering this subject that is still very interesting to me especially in the times of data breaches and identity theft and more.

I also post to our social media profiles so also please feel free to visit these as well and also share, like and follow us there on these profiles:

Register for a Free Webinar with PFCLForensics for Breached Oracle Databases

I will be giving a free webinar hosted with our reseller/distributer in Slovenia and the Balkans region - Palsit. The free webinar is at 09:00 UK time or 10:00 CET time on the 22nd September 2021. In this webinar I am going to do a live walk through and do a live demonstration of our new product PFCLForensics. This will show the three core areas of the product:

  • Manage the Oracle database incident: The incident team can use the easy to use checklist to manage the response to any potential breach of the Oracle database

  • Live Response on an Oracle Database: Extract evidence and artefacts from the targeted Oracle database using our built in tools so that the most volatile data can be extracted first so making less impact on the database and future evidence. All extracted data is checksummed to allow a consistent view of the data

  • Forensic Analysis of an Oracle Database: Analyse all of the extracted evidence and create a timeline of events and artefacts. Also create a supporting timeline to allow surrounding data to be extracted. Use the time sync feature to ensure that all evidence is aligned with wall time. Use the reporting features to create a report of the attack



PFCLForensics is suitable for internal security teams, external investigators who are responsible to provide support and analysis during a breach response. Consulting companies can also use this toolset to provide support during a breach of an Oracle database for their clients.

PFCLForensics is also useful for internal and external teams to test and practice your response to a potential breach of your Oracle databases

To join this free webinar please visit the registration page. The webinar is in English.

PFCLForensics is released a tool for forensic analysis of a breached database

We have had a very busy year despite the Covid pandemic. I personally managed to catch covid last January and was very unwell for weeks with coviid and then many many weeks recovering after that. Then I managed to get problems with my kidneys that resulted in some surgery a couple of months ago. I am very well now. Despite these set backs we have written a new product to do live response and forensic analysis of a breached Oracle database and we made some major updates to one of our other products PFCLObfuscate to add new features as well as we added updates and fixes to other products as well

PFCLForensics showing a simple open project


Today we have released a new product - PFCLForensics. This is a product aimed at helping customers do three things in the event of a breach or potential breach of their Oracle database:

  • Manage the breach: with a built in check list of actions for the responder to follow. The product is project based so you can work on multiple breaches and tasks at the same time

  • Perform live response: with built in policies that allow the most transient data to be gathered first from an Oracle database or a Unix/Linux server. There are also built in policies to get less transient data from the breached systems. The product also allows files to be loaded that could be part of the breach and allow sthe user to define rules for their own file types and load additional data as necessary. The tool also takes checksums of each piece of data and validates those every time the project is loaded or on demand by the user to ensure that the raw data has not changed

  • Forensic analysis: with lots of built in tools. The user can filter and sort the input data gathered and look for issues related to the breach. Potential evidence can be added to the timeline for the attack and even comments added to each artefact. The timeline can be viewed as a drillable graph of evidence over time or a complete end to end graph of the even distinctly showing how the attack occurred. Supporting evidence can be added to a separate time line. The tool also includes a built in word processor and sample report template so that you can easily write your report and have direct access to evidence and artefacts as well as timelines. The timelines can also be sync'd to wall time easily so that all disparate evidence is correlated on the same time; each piece of evidence as it is added is also correlated with all previous evidence


This is a great tool to help follow a process if a breach occurs and also to collect and analyse and report on any breach that may have occurred. The product details start here and you can follow the links there to learn more. There is also a 2 page flyer that can be downloaded.

Our engagement licenses are the best value for 30 days and just £145 per product. Contact us to purchase a license or to ask to see a demo before buying.