Three Tier Oracle Security in London ~ Paul M. Wright

Auditing using DB EXTENDED

DB EXTENDED adds two extra columns to the SYS.AUD$ table which includes sqltext and sqlbind:

SQLBIND CLOB
SQLTEXT CLOB
SQLTEXT is the actual text that the user typed in. This could be very useful to trace back unauthorised access. One problem is that because the audit is from the database then an attacker could easily delete select rows in SYS.AUD$.

An interesting fact is that the auditing inserts into SYS.AUD$ are also recorded in the redo logs which are of course OS based. This gives a second place to read the audit if the DB audit was deleted. The full text of the attackers SQL is also recorded to the redo logs as can be seen in the screenshot. Auditing using DB EXTENDED

March 19th, 2007 | Category: Uncategorized | Subscribe to comments | You can skip to the end and leave a response. Pinging is currently not allowed

Leave a Reply

You must be logged in to post a comment.

CREATE_DIRECTORY package is here

paul.wright at oracleforensics.com

First book on Database Forensics

ACM Review of my book
IOUG Journal publication of my Oracle Security Monitoring Paper

UKOUG DAMS Journal Article

IOUG Journal publication of my Oracle password paper

NGS Oracle password paper

July 2011 CPU
July 2010 CPU
April 2008 CPU
July 2007 CPU
April 2007 CPU

First paper on database forensics
First GIAC Qualified Oracle Security Analyst with Honors Paper
Oracle Forensics In A Nutshell

Oracle Password Paper in Japanese
SYSDBA Backdoor Paper
CREATE ANY DIRECTORY TO SYSDBA
CREATE USER TO SYSDBA

SANS Forensics
Slavik's Blog

David Litchfield's site
David's book on the way

SQL Server Forensics Paper
SQL Server Forensics Book