So last week I promised to provide more tips on securing and monitoring Oracle E-Business Suite (11i). I wasn’t able to get it all in during the week but I’ll make up for it this week.
One of the key concerns of any security or audit professional is tracking actions which have been taken by end users. This is especially true for tracking administrative access. If you’ve properly provided for separation of duties and limited end user access, a malicious user can only get so far before they need to rely on others to make their planned attack successful.
As soon as you add collusion to the mix of requirements for a successful attack, the risk typically drops for two reasons. The first is that you have to have two bad apples. The second is that the more people involved, the larger the footprint. Both lead to a higher chance of discovering the attack and possibly even thwarting it.
Administrators, on the other hand, have the keys to the kingdom, and in some rare (and never recommended) cases they have end-to-end access. Separation of duties on the technical side is just as important as on the business side. Developers should never have access to move code to production; system administrators shouldn't have the ability to modify security monitors, and so on.
When configuring Oracle databases there is an easy way to get some basic security auditing information about what your users have done. Running SELECT * FROM SYS.DBA_STMT_AUDIT_OPTS; shows which statement audit options are in effect, which tells you whether actions taken by DBA or other sensitive accounts are being monitored. If they are not, your first order of business is to turn auditing on. Be careful though, as auditing can eat up disk space and processor time quickly.
Another good idea is to run SELECT * FROM SYS.DBA_ROLE_PRIVS WHERE ADMIN_OPTION = 'YES'; to see which roles have been granted WITH ADMIN OPTION. Anyone who has been granted a role with this option can in turn grant that role to others. This is an easy way to let your access security get out of control before you even know the problem exists.
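The two checks above, carried through to turning auditing on and reading the resulting trail, as an added example that is not part of the original post. It assumes the classic AUDIT_TRAIL mechanism of the Oracle releases that back 11i, a SYSDBA-privileged session, and that APPS and SYSTEM are the sensitive accounts to watch; adjust the account list for your instance.

```sql
-- Added example (not from the original post): an audit health check for an
-- Oracle database behind E-Business Suite 11i, run as a SYSDBA-privileged user.
-- Assumes the classic AUDIT_TRAIL mechanism and that APPS and SYSTEM are the
-- sensitive accounts to watch; adjust the account list for your instance.

-- 1. Is the audit trail written anywhere? A value of NONE means nothing is
--    recorded no matter what audit options are set.
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_trail';

-- 2. Which statement audit options already apply to the sensitive accounts?
--    USER_NAME is NULL for options that apply to every user.
SELECT user_name, audit_option, success, failure
  FROM sys.dba_stmt_audit_opts
 WHERE user_name IS NULL OR user_name IN ('APPS', 'SYSTEM')
 ORDER BY user_name, audit_option;

-- 3. Turn on auditing of logons and of the actions that change who can do
--    what. BY ACCESS writes one record per statement instead of one per
--    session. If step 1 returned NONE, set the parameter first and restart:
--      ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
AUDIT SESSION BY APPS, SYSTEM;
AUDIT SYSTEM GRANT BY APPS, SYSTEM BY ACCESS;
AUDIT ROLE BY APPS, SYSTEM BY ACCESS;
AUDIT USER BY APPS, SYSTEM BY ACCESS;

-- 4. Roles held WITH ADMIN OPTION. SYS and SYSTEM hold DBA this way by
--    default, so any other grantee on this list deserves an explanation.
SELECT grantee, granted_role
  FROM sys.dba_role_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, granted_role;

-- 5. Once auditing has been running: every grant-type action by the sensitive
--    accounts in the last seven days, newest first. RETURNCODE 0 is success;
--    anything else is a failed attempt, which is worth a look on its own.
SELECT timestamp, username, os_username, userhost, action_name, grantee,
       NVL(priv_used, obj_name) AS what, returncode
  FROM sys.dba_audit_trail
 WHERE username IN ('APPS', 'SYSTEM')
   AND action_name LIKE '%GRANT%'
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;
```

Step 3 is the only part that changes the database; the rest is read-only and can be run on a schedule and diffed against the previous run to catch new WITH ADMIN OPTION grants.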
By checking that auditing of privileged account access is turned on, and that only very specific roles are able to grant access, you are able to lock down your environment and gain a small window into the core security of your system.