Showing posts with label PeopleSoft Fine Grained Auditing. Show all posts
Showing posts with label PeopleSoft Fine Grained Auditing. Show all posts

Monday 3 March 2008

PeopleSoft Fine Grained Auditing – Part II

Now, letlet’s test this policy. Log on to PeopleSoft environment using the browser and create a PRIVATE query referring to the above table. The query will not have any criteria and will fetch all rows (this table only had 1002 rows).
After executing the query, the audit data is populated in DBA_FGA_AUDIT_TRAIL.
select timestamp, db_user, client_id, object_name from dba_fga_audit_trail where object_name = ‘PS_ABC_COMPANY_TBL’
/
TIMESTAMP DB_USER CLIENT_I OBJECT_NAME
——— ——– ——– ———————
21-MAY-07 SYSADM NPAI PS_ABC_COMPANY_TBL
21-MAY-07 SYSADM NPAI PS_ABC_COMPANY_TBL

We can also, select the actual TEXT executed by the user by selecting the SQL_TEXT column in the above data dictionary view.
Summary:
I have shown a small example utilizing FGA for auditing the PeopleSoft database. FGA is a neat feature and allows us to audit specific rowset instead of auditing all the rows in the table. This is very useful when there exists a table which has sensitive + non-sensitive information, and you want to audit any un-authorized access to the sensitive column or rowset.
Note 1:
* As of 9i, FGA feature only allows auditing SELECT. 10g supports SELECT, DELETE, UPDATE and INSERT statements.
Note 2:
If you need to drop the policy then use the below SQL
begin
dbms_fga.drop_policy (
object_schema=>’SYSADM’,
object_name=>’PS_ABC_COMPANY_TBL’,
policy_name=>’ABC_COMPANY_TBL_ACCESS’
);
end;
Bug Note:
Do not forget to check out the bug related to FGA
http://www.red-database-security.com/advisory/oracle-fine-grained-auditing-issue.html

Tuesday 5 February 2008

PeopleSoft Fine Grained Auditing – Part I

We all know how critical it is to enable Oracle Database Auditing for our production environment. It is equally important to monitor the audit results and take actions. Though enabling auditing using the AUDIT_TRAIL initialization parameter plus using the AUDIT statements to enable different auditing options is the common approach, with the availability of FGA feature, it is time to take the next step.
FGA allows us to audit more specific business rules. Today, I will walk you through the steps to implement FGA for PeopleSoft.
Ensure that EnableDBMonitoring is set to 1 in psappsrv.cfg. This will enable PeopleSoft to populate CLIENT_INFO column in V$SESSION.
Identify the table and the criteria that we need to set for the policy. In this example, I will use the custom table PS_ABC_COMPANY_TBL. I need to audit any SELECT* statements on PS_ABC_COMPANY_TBL when user selects data related to
abc_company = ‘ABC Confidential’
We need to create a procedure that will populate the CLIENT_INFO so that we can identify the OPRID.
CREATE OR REPLACE PROCEDURE GET_OPRID (OBJECT_SCHEMA VARCHAR2, OBJECT_NAME VARCHAR2, POLICY_NAME VARCHAR2)
AS
V_CLIENT_INFO VARCHAR2(1000);
V_OPRID VARCHAR2(32);
BEGIN
V_CLIENT_INFO := SYS_CONTEXT(‘USERENV’,'CLIENT_INFO’);
IF ( LENGTH(V_CLIENT_INFO) IS NULL ) THEN
V_OPRID := ‘NOOPRID’;
ELSIF ( SUBSTR(V_CLIENT_INFO,1,1) = ‘,’ ) THEN
V_OPRID := ‘NOOPRID’;
ELSE
V_OPRID := SUBSTR(V_CLIENT_INFO, 1, INSTR(V_CLIENT_INFO,’,',1)-1);
END IF;
DBMS_SESSION.SET_IDENTIFIER (V_OPRID);
END;
Create a policy as shown below
begin
dbms_fga.add_policy (
object_schema=>’SYSADM’,
object_name=>’PS_ABC_COMPANY_TBL’,
policy_name=>’ABC_COMPANY_TBL_ACCESS’,
audit_column => ‘ABC_COMPANY’,
audit_condition => ‘ABC_COMPANY = ”ABC Confidential”’,
handler_module => ‘GET_OPRID’
);
end;
That’s it!!
In my next post I will share the results of enabling this feature.
 
Read More About PeopleSoft Fine Grained Auditing