Audit and Security of Oracle database systems

Auditors are often led to believe that the review of an Oracle database management system must be a highly specialised task that can be carried out only by database experts, using specialised software tools.

In practice, an effective baseline Oracle audit can be carried out using only the concepts covered in this 2-day course. It teaches the basic principles of the Oracle Database Management System (DBMS) and the development tools that come with it. It also provides key information on how to use Oracle's own built-in tools and functions to extract the data required for the audit review. For auditors in a client-server Oracle environment, instruction is available on the use of the Microsoft Windows Open Database Connectivity (ODBC) software to link MS Office products and other audit software directly to an Oracle system.

A full set of student notes and an Oracle audit programme are provided. With the ‘hands-on’ option, students will be provided with a client workstation equipped with Oracle database administrator tools, and will be given low-level access to an Oracle database server. A series of Oracle audit automation scripts will be used to explore the structure of Oracle and extract the information required for an audit review. All the current versions of Oracle will be covered, up to version 11g, with explanations of how their built-in security is evolving.

Suggested duration: 2 days, but can be customised to your requirements.

Agenda

Introduction
How Oracle works

Components of the Oracle system
Protection of the Oracle physical files
Tablespaces and clusters
How Oracle and the operating system interact

Database Objects
The data dictionary
Tables and views – why they matter
Virtual Private Databases
Forms
PL/SQL
Stored procedures
Form and database triggers
Structured Query Language

Database Security Controls
User account management
Database and OS authorisation
User and Database Roles
System privileges
Table privileges
Oracle row-level security

Oracle networking controls
SQL*Net and its control files
The Oracle TNS listener – how to secure it
Oracle and the web – iSQL*Plus and the Oracle Enterprise Manager

Auditing Oracle Databases
How to access the Oracle Data Dictionary
Where to look for control information in Oracle
Access rights and privileges needed for an Oracle audit
Auditing Oracle components with Oracle SQL queries
Listing user information
Listing database profiles
Listing Oracle roles
Listing system privileges
Listing Oracle objects
Listing table constraints
How to distinguish a table from a view
Auditing stored procedures
Listing trigger details
Listing Oracle audit settings
Examining the Oracle start-up configuration file
Extracting information from the Oracle audit trail
The Oracle audit trail and how it works
New audit features – Oracle Fine Grained Auditing
Database triggers and their audit uses
How to use SQL and ODBC to extract audit information

Oracle audit scripts

Oracle audit software