Skip to content

1z0-060 Q7

Which Oracle Database component is audited by default if the unified Auditing option is enabled?

A.Oracle Data Pump

B.Oracle Recovery Manager (RMAN)

C.Oracle Label Security

D.Oracle Database Vault

E.Oracle Real Application Security

answer

ANSWER B

audited by default

enable unified audit

check A:

23:07:12 (1)[PDBORCL]c##admin@orcl> create user test1 identified by test1;
23:07:14 (1)[PDBORCL]c##admin@orcl> alter user test 1 quota 10m on users;
23:07:16 (1)[PDBORCL]c##admin@orcl> grant create session to test1;
23:07:30 (1)[PDBORCL]c##admin@orcl> create table test1.tt as select sysdate as date# from dual; 
Table created.

SQL> alter session set container=pdborcl;
SQL> create directory dump as '/ora01/dump';
SQL> ! mkdir /ora01/dump
SQL> ! expdp system/passwd@ora12ee  directory=dump file=exp.dmp logfile=exp.log schemas=test1
.....
Job "SYS"."SYS_EXPORT_SCHEMA_01" successfully completed at Wed Nov 4 15:30:11 2015 elapsed 0 00:00:57
SQL> select audit_type,action_name,sql_text from UNIFIED_AUDIT_TRAIL where event_timestamp in (select max(event_timestamp) from UNIFIED_AUDIT_TRAIL ) ;

AUDIT_TYPE ACTION_NAME		     SQL_TEXT
---------- ------------------------- --------------------------------------------------------------------------------
Standard   CREATE DIRECTORY	     create directory dump as '/ora01/dump'

A. wrong

check B:

[oracle@oel7-2 admin]$ rman target sys/passwd@ora12ee
...
RMAN> backup datafile 1;

and

23:39:54 (1)[PDBORCL]c##admin@orcl> select audit_type,action_name from UNIFIED_AUDIT_TRAIL where event_timestamp in (select max(event_timestamp) from UNIFIED_AUDIT_TRAIL );

AUDIT_TYPE           | ACTION_NAME
-------------------- | --------------------
RMAN_AUDIT           | RMAN ACTION

Bingo =)
B is correct

check C:
Implementing Label Security ( Oracle Database 12c: Security 13 — 2 D81599GC10 )
first of all we need to enable OLS
after check audit:

01:24:09 (1)[PDB1]sys@p00db1> select audit_type,action_name,sql_text from UNIFIED_AUDIT_TRAIL order by event_timestamp desc fetch first 3 rows only;

AUDIT_TYPE      | ACTION_NAME          | SQL_TEXT
--------------- | -------------------- | --------------------------------------------------
Standard        | ALTER USER           | alter user hr identified by * account unlock
Standard        | LOGON                | <NULL>
Standard        | ALTER USER           | alter user hr identified by *

C is wrong

i will skip detailed answer for d and e option because they are too time consuming.. sorry for that.
so they are wrong because by default we have active only failed logins policy and ORA_SECURECONFIG

12:38:54 (1)[PDBORCL]c##admin@orcl> select * from AUDIT_UNIFIED_ENABLED_POLICIES ;

USER_NAME            | POLICY_NAME          | ENABLED_OPT              | SUCCESS   | FAILURE
-------------------- | -------------------- | ------------------------ | --------- | ---------
ALL USERS            | ORA_SECURECONFIG     | BY                       | YES       | YES
ALL USERS            | ORA_LOGON_FAILURES   | BY                       | NO        | YES

ORA_SECURECONFIG is audit only:

2:40:40 (1)[PDBORCL]c##admin@orcl> select POLICY_NAME, AUDIT_OPTION,OBJECT_NAME, AUDIT_OPTION_TYPE from   AUDIT_UNIFIED_POLICIES where  policy_name =  'ORA_SECURECONFIG'  order by 2 ;

POLICY_NAME          | AUDIT_OPTION                             | OBJECT_NAME                              | AUDIT_OPTION_TYPE
-------------------- | ---------------------------------------- | ---------------------------------------- | ------------------------------------------------------
ORA_SECURECONFIG     | ADMINISTER KEY MANAGEMENT                | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | ALTER ANY PROCEDURE                      | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | ALTER ANY SQL TRANSLATION PROFILE        | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | ALTER ANY TABLE                          | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | ALTER DATABASE                           | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | ALTER DATABASE LINK                      | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | ALTER PLUGGABLE DATABASE                 | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | ALTER PROFILE                            | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | ALTER ROLE                               | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | ALTER SYSTEM                             | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | ALTER USER                               | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | AUDIT SYSTEM                             | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | CREATE ANY JOB                           | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | CREATE ANY LIBRARY                       | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | CREATE ANY PROCEDURE                     | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | CREATE ANY SQL TRANSLATION PROFILE       | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | CREATE ANY TABLE                         | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | CREATE DATABASE LINK                     | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | CREATE DIRECTORY                         | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | CREATE EXTERNAL JOB                      | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | CREATE PLUGGABLE DATABASE                | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | CREATE PROFILE                           | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | CREATE PUBLIC SYNONYM                    | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | CREATE ROLE                              | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | CREATE SQL TRANSLATION PROFILE           | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | CREATE USER                              | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | DROP ANY PROCEDURE                       | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | DROP ANY SQL TRANSLATION PROFILE         | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | DROP ANY TABLE                           | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | DROP DATABASE LINK                       | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | DROP DIRECTORY                           | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | DROP PLUGGABLE DATABASE                  | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | DROP PROFILE                             | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | DROP PUBLIC SYNONYM                      | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | DROP ROLE                                | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | DROP USER                                | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | EXECUTE                                  | DBMS_RLS                                 | OBJECT ACTION
ORA_SECURECONFIG     | EXEMPT ACCESS POLICY                     | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | EXEMPT REDACTION POLICY                  | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | GRANT ANY OBJECT PRIVILEGE               | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | GRANT ANY PRIVILEGE                      | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | GRANT ANY ROLE                           | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | LOGMINING                                | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | PURGE DBA_RECYCLEBIN                     | NONE                                     | SYSTEM PRIVILEGE
ORA_SECURECONFIG     | SET ROLE                                 | NONE                                     | STANDARD ACTION
ORA_SECURECONFIG     | TRANSLATE ANY SQL                        | NONE                                     | SYSTEM PRIVILEGE

ps: EXEMPT ACCESS POLICY — database users granted the EXEMPT ACCESS POLICY privilege, either directly or through a database role, are exempt from VPD enforcements.

[свернуть]

Oracle Database 12c Security: New Unified Auditing

https://blogs.oracle.com/imc/entry/oracle_database_12c_new_unified
Oracle Database 12c Security: New Unified Auditing
By Tarek Salama on Mar 01, 2014

According to the 2012 Data Breach Investigations Report from the Verizon RISK Team, more than 1 billion database records were breached around the world from 2004 to 2011. As companies endeavor to secure sensitive data within the enterprise, the need has emerged for cost-effective, easy-to-use tools that can be quickly deployed company wide. To that end, Oracle has merged and advanced two proven security solutions—Oracle Audit Vault and Oracle Database Firewall — into a single software appliance-based platform: Oracle Audit Vault and Database Firewall.
(source: http://www.oracle.com/technetwork/issue-archive/2013/13-mar/o23news-1906468.html)

With the introduction of Oracle Database 12c, we have a plethora of new security features, as listed in the Oracle Database 12c Security Guide, amongst which we now have a brand new Unified Audit Data Trail, enabling selective and even more effective auditing inside the Oracle database using policies and conditions. A consolidated audit data trail has many advantages, especially when it’s integrated with Audit mining tools.

In previous releases of Oracle Database, there were separate audit trails for individual components:
*SYS.AUD$ for the database audit trail,
*SYS.FGA_LOG$ for fine-grained auditing,
*DVSYS.AUDIT_TRAIL$ for Oracle Database Vault, Oracle Label Security,
*and so on.
In this release, these audit trails are all unified into one, viewable from the UNIFIED_AUDIT_TRAIL data dictionary view for single-instance installations or Oracle Database Real Application Clusters environments.

On Oracle Database 12c, with Unified Auditing and Conditional Auditing, you get the ability to configure precise, context-dependant logging which should reduce the performance overhead associated with database auditing and enable more effective analysis of audit logs.

Conditional Auditing supports highly selective logging policies that minimize log entries to specific events such as particular SQL statements including the actions CREATE or ALTER originating from outside specific application servers identified by IP address. Other variables include programs, time periods and connection types.

With Unified Auditing you can now run analysis reports on an entire set of audit data in one operation, rather than having to first gather them into one location before performing the analysis. Audit mining tools such as Oracle Audit Vault now can look at one location rather than several in order to gather audit records. A unified audit trail ensures that the audit information is consistently formatted and contains consistent fields. Database auditing in 12c can be integrated with the Oracle Audit Vault and Database Firewall, used to control and monitor SQL network activity. Unlike standard packet filter firewalls that operate at layers 3 and 4 of the OSI model, the Oracle Database Firewall performs highly accurate analysis of SQL traffic at layer 7 and can block SQL injection attacks.
Screen Shot 2015-11-04 at 22.32.28

Unified Audit — SYS

The ability to configure precise, context-dependant logging should reduce the performance overhead associated with database auditing and enable more effective analysis of audit logs. Conditional Auditing supports highly selective logging policies that minimize log entries to specific events such as particular SQL statements including the actions CREATE or ALTER originating from outside specific application servers identified by IP address. Other variables include programs, time periods and connection types. Conditional Auditing also introduces AUDIT_ADMIN and AUDIT_VIEWER roles to better protect the integrity of policies and logs which are now part of single unified architecture.

Significant Redesign in Auditing Functionality

For this release, the auditing functionality has been significantly redesigned from the functionality used in previous releases. When you install a new Release 12 Oracle database, the full sets of auditing enhancement features (unified auditing) are automatically available. If you upgrade from a previous release, then you are given the option of using some of the new audit features and the audit functionality from the release that you upgraded from. Oracle strongly recommends that you migrate to the full set of latest audit features.

New Schema for the Unified Audit Trail

As part of the unified audit trail enhancement, a new schema, AUDSYS, will be used solely for storage of the unified audit trail data table. The existing audit data in the AUD$ and FGA_LOG$ system tables, audit metadata, and audit PL/SQL packages, will continue to reside in the SYS schema.

Screen Shot 2015-11-04 at 22.32.34

Unified Auditing — Fast Audit

Separation of Duties for Audit Administration

For better separation of duty, two new database roles are now available for use with auditing: AUDIT_ADMIN, for audit configuration and audit trail administration, and AUDIT_VIEWER, for viewing and analyzing audit data.

Faster Audit Performance

This release provides a much faster audit performance than in previous releases of Oracle Database. You also can control how the audit records are written to the audit trail, whether immediately or queued to memory.

Auditing In 12c
Ability to Audit Any Role.
Auditing Application Context Values.
Auditing Oracle Database Real Application Security Events.
Auditing Oracle Recovery Manager Events.
Auditing Oracle Database Vault Events.
Auditing Oracle Label Security Events.
Auditing Oracle Data Mining Events.
Auditing Oracle Data Pump Events.
Auditing Oracle SQL*Loader Direct Load Path Events.
Moving Operating System Audit Records into the Unified Audit Trail.
Checkout the «Auditing with Unified Auditing» for further information how to audit operations of all RDBMS and other components like RMAN, Oracle Data Pump using the new 12c Unified Auditing feature, consolidating all audit trails into a single unified audit trail table

[свернуть]

good tutorial

Auditing with Unified Auditing

[свернуть]

Primary Sidebar

Яндекс.Метрика