Security Audit Applications

Hi all,
having recently attended a very good presentation by Pete Finnegan on the subject of Oracle security audits I have been investigating what products are available and found threre is a lot of choice, the main two commercial ones being NGS SQuirrel and AppDetective.
I was wondering what experiences and opinions anyone has regarding the products and their functionality and whether thay are much better than freeware utilities such as OScanner written by Patrik Karlsson or the CIS Oracle database security benchmark tool?
Any feedback is much appreciated
Cheers
Phil

Phil,
My company has not released for the general public, an Oracle scanning tool which reports based on GRC mandates like SCAP, PCI, etc. Let me know if you would like some information. [email protected]

Similar Messages

  • Multiple security audit failures a second

    A client's SBS 2011 machine is experiencing multiple audit failures a second and we believe it is diminishing the performance of the machine. We can't seem to find the source or how to remedy the issue. It its happening way too fast to be a human trying
    to login. 
    Keywords Date and Time Source Event ID Task Category
    Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4905 Audit Policy Change "An attempt was made to unregister a security event source.
    Subject
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <ommited from forum post>
    Logon ID: 0x3e7
    Process:
    Process ID: 0x10d4
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x262070f0"
    Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
    Subject :
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: < ommited from forum post >
    Logon ID: 0x3e7
    Process:
    Process ID: 0x10d4
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x262070f0"
    Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
    Subject:
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <ommited from forum post>
    Logon ID: 0x3e7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x24c
    Caller Process Name: C:\Windows\System32\lsass.exe
    Network Information:
    Workstation Name: SBS
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    Subject
    Security ID:
    SYSTEM
    Account Name:
    SBS$
    Account Domain:
    <ommited from forum post>
    Logon ID:
    0x3e7
    Process:
    Process ID:
    0x131c
    Process Name:
    C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name:
    ServiceModel 4.0.0.0
    Event Source ID:
    0x26206ef4"
    Audit Success 6/18/2014 1:50:32 PM
    Microsoft-Windows-Security-Auditing
    4904 Audit Policy Change
    "An attempt was made to register a security event source.
    Subject :
    Security ID:
    SYSTEM
    Account Name:
    SBS$
    Account Domain:
    <ommited from forum post>
    Logon ID:
    0x3e7
    Process:
    Process ID:
    0x131c
    Process Name:
    C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name:
    ServiceModel 4.0.0.0
    Event Source ID:
    0x26206ef4"
    Audit Failure 6/18/2014 1:50:32 PM
    Microsoft-Windows-Security-Auditing
    4625 Logon
    "An account failed to log on.
    Subject:
    Security ID:
    SYSTEM
    Account Name:
    SBS$
    Account Domain:
    <ommited from forum post>
    Logon ID:
    0x3e7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID:
    NULL SID
    Account Name:
    Account Domain:
    Failure Information:
    Failure Reason:
    Unknown user name or bad password.
    Status:
    0xc000006d
    Sub Status:
    0xc0000064
    Process Information:
    Caller Process ID:
    0x24c
    Caller Process Name:
    C:\Windows\System32\lsass.exe
    Network Information:
    Workstation Name:
    SBS
    Source Network Address:
    Source Port:
    Detailed Authentication Information:
    Logon Process:
    Schannel
    Authentication Package:
    Kerberos
    Transited Services:
    Package Name (NTLM only):
    Key Length:
    0
    Jerry T

    Hi Jerry,
    Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. This is usually
    related to share folders, printers, IIS and so on.
    Would you please let me confirm whether you had installed some third-party applications?
    Meanwhile, please refer to Robert’s suggestion in the following similar thread and check if can help you.
    Audit
    Failure - Event 4625
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Consultancy Services for RAC installation and  Internet Security Audit

    Dear All,
    "Warm greetings from Venkatesh"
    We are proud to announce that, we have started a leading Database, Networking and Internet security Consulting organization at PUNE with a global presence through which we offers a focused, Excellence Solutions for Database, Networking and internet security for vulnerabilities and ethical hacking to the organizations to achieve a sustainable performance and results, and to contribute to the delivery of Quality Product, Solutions and Services to transform the human lives every day.
    We offer a customized Consulting and Corporate Training Services at competitive sizes of organization in all major verticals for Performance Excellence as under with six months maintenance support after RAC installation
    Design and Implementation of Oracle RAC (Real Application Cluster)
    - Oracle solution for High Availability & Grid Computing
    - Versions: Oracle 10gR2, 11gR1 & 11gR2
    - Operating System: Linux, Windows, Solaris, AIX
    - Storage: ASM, OCFS2
    - ASM Cluster File System (ACFS) in Oracle 11gR2
    - Building RAC setup in VMware Environment
    - Feature: Load Balancing, Failover, Dynamic addition of Nodes to Grid
    Design and Implementation of Oracle Data Guard
    - Oracle solution for Disaster Management
    - Primary & Secondary Sites
    - Logical & Physical Standby Database
    Internet Security Audit for Vulnerabilities and Ethical Hacking
    - Penetration testing
    - Source code audit
    - Information security training
    - Website design and development
    - Data Centre audit
    - ISO 27701 consultancy
    We also offer Corporate Trainings for
    - Oracle RAC Administration
    - Automatic Storage Management (ASM)
    - Data Guard
    Please feel free to revert back for any queries.
    Regards
    Venkatesh
    mail: [email protected]
    Edited by: vjpune on Apr 17, 2010 4:44 AM

    Hi! keyur,
    Greetings from venkatesh
    Sorry for delay, i was busy with some assignments.
    Actually, we are consultancy service provider for those organization who needs to Install Oracle RAC server. We provide entire services i.e. from designing to implementation of RAC server, provide solution for load balancing, desaster management and so on.. what i had mention in the earlier post.
    Also we offer corporate training to the organization in RAC administration, ASM, Data Guard.
    I think this info will get you to understand our services..
    we welcome inquires if any from your end.
    Regards
    Venkatesh
    mail: [email protected]

  • Security Audit Log SM19 and Log Management external tool

    Hi all,
    we are connecting a SAP ECC system with a third part product for log management.
    Our SAP system is composed by many application servers.
    We have connected the external tool with the SAP central system.
    The external product gathers data from SAP Security Audit Log (SM19/SM20).
    The problem is that we see, in the external tool,  only the data available in the central system.
    The mandatory parameters have been activated and the system has been restarted.
    The strategy of SAP Security Audit Log is to create many audit log file for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.
    In our scenario, we do not use SM20 since we want read the collected data in the external tool.
    Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?
    Thanks in advance.
    Andrea Cavalleri

    I am always amazed at these questions...
    For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be alergic to using APIs for some reason.
    However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...
    Cheers,
    Julius

  • Performance issue of Security Audit log

    Hello,
              My client would like to activate the Security Audit log on his system. However he will like to know whether there could be any performance issue when activating it. Since I do not have any prior experience, can you please give me your general feedback on this subject. Have any of you experience performance issue when implementing security audit log and what can be done to minimize its effect?

    Hai,
    Activating Security Audit logs will not affect the performance of your SAP system. Since SAP Systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that may accumulate, you should archive these files on a regular basis and delete the originals from the application server. This is the only thing you really need to take care since they might fill up the disk space if you dont archive or delete them on regular basis. Also since the data is very sensitive you should take extra care to protect the data.
    Please follow the below links for more details.....
    http://help.sap.com/saphelp_nw04/helpdata/EN/95/d2a8e36d6611d1a5700000e835363f/frameset.htm
    http://www.saptechies.com/faq-answers-to-questions-about-the-security-audit-log/
    Regards,
    Yoganand.V

  • Security Audit Enable.

    Dear all,
    we had enabled the security sometime back and it was working fine. after a month, the security log (sm20) says : "The result set for this selection was empty".
    I thought that the audit logs had exceeded the storage size, thus i deleted 30 days log using sm18. On returning back to sm20, i am still encountering the same error.
    I would like to know that will i need to restart my application server in order to make it active again(btw its already active, in sm19).
    I need my sm20 active again!
    Kindly help me clear my confusion please.
    Thanks in advance.

    Thanks for the prompt replies.
    Dear Happy,
    I understand that I don't need to restart the server but then how can i make my security audit work ? Can U guide me to the solution please?  Cuz if i change my profile parameter (as said by Rakesh) then It will be necessary for me to restart the application server.
    Thanks.

  • Security Audit Log FULL. What happens??

    Hi there,
    Can anyone tell me what will happen when the Security audit Log file is full on OS-level. Will the system stop? Is the file overwritten?
    Best regards,
    Joris

    Hello Joris ,
    1 ) Is the file overwritten? -> No
    2 ) Will the system stop? -> Yes , if there will no free space on drive / file system SAP system will stop.
    How to delete :
    1.      To access the Security Audit Log reorganization tool from the SAP standard menu, choose Administration à System Administration à Monitor à Security Audit Log à Reorganization.
    The Security Audit: Delete Old Audit Logs screen appears.
           2.      Enter the Minimum age of files to delete (default = 30 days).
    This value must be > 3.
           3.      Activate the To all active instances indicator to delete the audit files from all application servers. Leave the indicator blank if you only want to delete the files from the local application server.
           4.      Activate the Simulation only indicator if you do not actually want to delete the files. In this case, the action is only simulated.
           5.      Choose Audit Log à Continue
    Regards ,
    Santosh Karadkar

  • Security Audit Log Profile Parameter

    Hello People,
    I have been trying to find some information about the System Profile Parameters that are required for Security Audit Logs.
    Can someone please explain what the parameter rsau/max_diskspace/per_day means? All that the SAP documentation says is that it is the Maximum size of all security audit files per day
    My understanding was that the audit files are stored on the application server itself and only 1 file is generated everyday. How then, is this parameter used?
    Regards
    Joy

    Hi Joy,
    I do not think this parameter should have any adverse effect. Depends on your server's hard disk space availability.
    rsau/max_diskspace/local gives space for a single security audit file. When we say that rsau/max_diskspace/per_day
    gives space for all, by my understanding we are limiting the total space that these files can take up.
    The max size of single audit file is 2GB and total space for all i.e. rsau/max_diskspace/per_day is 1024 GB
    When maximum space limit is reached, logging terminated. Next day new file is created.
    Couldn't find more explanation.
    regards, Sean.

  • Oracle Security Audit Advisory Q2

    Hi All,
    My boss give me the security audit check, review guidelines from Oracle.
    He wants me to validate it with our existing PROD database setup.
    Have you done this security check in your PROD databases?
    1.
    1.1.1 Ensure the following are not installed by default
    1.1.1.1 Spatial
    1.1.1.2 OLAP
    1.1.1.3 Data Mining
    1.1.1.4 Real Application Testing
    1.1.2 Do not install sample schemas
    How do I know if they were installed by defualt? And how do I deinstall them?
    2.
    1.1 Disallow remote OS authentication
    Does this mean I can allow local OS authentication?
    By the way, we have an  issue of hiding the passwords in batch job scripts.
    And I suggested to the security officer to use the OS authentication ( I mean local)
    But he disapproved it because for the reason mentioned item above.
    So, can I reason with him that he misunderstood it?
    Thanks,
    zxy

    Thanks Justin Sir, your ideas has been so sensible.
    The docs Im referring to is > ORACLE-BASE - OS Authentication
    I am sure the IT security officer is just referring the guidelines as he is not good in oracle as he is a network guy.
    One thing he insist is, the batch operator who handles running of batch scripts every night must not have access to the database? or he/she has no database login?
    What he means is in OS Aix he has only "oper01" login id, but it does not have a counterpart of "oper01" in the database. So he will run batch scripts the has connection
    to "appadmin" database user, and the the password for this db userid is hidden or encrypted. Of which I suggest to be identified externally.
    Can this setup be done for security compliance? I mean can an operator run a batch job that is connecting to the database of which he does not know what userid&password is,
    and can not be seen in the shell script even if he opens it? I know if it is a compiled perl It is possible. But using perl for batch need deep expertise.
    Can you share me how do u secure your prod database from operators that handles the batch jobs?
    Thanks a lot

  • Enable Security Audit Log

    Hi All,
    If we will enable Security Audit Log, does it affect the performance of the SAP System.
    Please clarify my doubt.
    Thanks

    Hello Anil, Security audit log is creates archive log file on daily basis. No performance issues will come if you take care of some parameters
    The system does not delete or overwrite audit files from previous days, it keeps them until manually deleted. Due to the amount of information that may accumulate, we should archive these files on a regular basis and delete the originals from the application server.
    You define the name and location of the files in the profile parameter haanrsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record, also called an audit message, and writes it to the file. The audit record contains the following information.
    We can define the maximum size of the audit file in the profile parameter rsau/maxdiskspace/local_. The default is 1000000 bytes (= 1 MB). If the maximum size is reached, then the auditing process stops.
    Hope it helps.
    Regards, Amber S | ITL

  • Security Audit Log / Logging of downloads from query results?

    Hi everybody,
    our data protection team has raised the requirement to log all data downloads from our BW system. As far as I know, it is possible to log downloads in SAP GUI using Security Audit Log, but does this also cover "Export to Excel" functionality of query results executed in the portal? And what about execution of queries with BEx Analyzer? I doubt, if that tool would log this. Are there any other tools available to cover that requirement?
    Any comment and idea is welcome. Thanks in advance!
    Regards,
    Carsten

    If restricted to ALV I think it can be done, but even there... if the user executes it in background and mails or prints the spool request then the cat is out of the box...
    Moral of the story: Do not grant access if the user should not be able to see the data (regardless where they log on from).
    That you cannot monitor / log all (mass) download events is however a bit unfortunate, however once the data is outside of the system for those whom you do trust then you anyway need to train them not to park sensitive files on project or public file servers.
    IMO the main problem here is front-end computing tools (like Excel, etc) which the users feel more confortable with to analyze data than the server side analytics tools (e.g. in the ALV task bars, or even the BOBJ Dashboards which are very "user-sentric").
    In German it is known as "Bauern mentalität" (farmer mentality) which generally resides at the application surphase layer in the greater scheme of things:
    -> You do not eat anything you have not slaughtered yourself... 
    Specifically regarding tokenization, you can consider not displaying the data in the portal. If the user wants to display these fields they have to navigate in their own context into the backend system to retrieve the token and then only display individual values.
    --> A download of a list via the portal or BEX excludes these fields which the user can access, but not mass download.
    I think this is possible, but it will be a challenge depending on whether the fields support tockenization. Credit Card numbers as mentioned my Martin is fairly vanilla and already used.
    Custom fields&types, insufficiently critical elements and older programs will be a bigger challenge.
    Please provide more details, as the generic answers are not well take care of IMO. If you cannot provide mre details, then SDN discussions speculating on answers is not efficient either...
    Cheers,
    Julius

  • SM19/SM20 Security Audit Log

    I would like to ask if we need to restart the server once we activated the Static Profile in SM19? I have 3 application servers and only 1 application server's audit log is running. When I try to activate the security audit log for the other two servers, I don't see the audit log updating after I clicked the Activate button. Profile parameter rsau/enable is already set to 1. space for audit files is sufficient. Is there anywhere else I can check why the audit log is not running?
    Thanks!

    If you set the dynamic filters, then you do not need to restart the server.
    If you set static filters, then you do need to restart the server for them to take effect.
    This may have changed, but in some releases if you display the dynamic filters and then return to the static filter tab, what you will be looking at on the screen will still be the dynamic filter settings. This can be confusing.

  • 10G RAC security auditing

    Hi,
    I was asked to prepare a database security audit in my company. The target system is 10G RAC configuration with two nodes. What should my checklist contain? Which elements of the system must I verify?
    On Oracle's web pages I've found the following document:
    http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
    Is it enough? Can you advice me? Any help will be appreciated.
    Regards,
    Tim

    Hi,
    What is the purpose of this audit? Do you have any criteria? Or are you allowed to make up your own list?
    My experience is databases hosting third party apps are usually completely unprotected because
    - the application owner has the connect, resource and dba roles (or even more)
    - the account has the password set to the user name.
    Also if an application is not using bind variables, the system is sensitive to 'SQL injection'.
    The document you posted outlines some basic measures, but it doesn't go into sufficient detail. It doesn't mention the password_verify function you can set up. It doesn't mention system privileges at all. It doesn't mention you should disallow telnet access, and disallow root to login remotely (ie one should su to root).
    Etc, etc.
    There is a whitepaper on OTN called 'Project Lockdown' written by Arup Nanda. It implements 3 or 4 times more measures.
    Sybrand Bakker
    Senior Oracle DBA

  • How to schedule a batch job to generate security audit log (SM20)

    May be this is a repeat question for this forum. Apologize, if it is. Is there a way to schedule a batch job to generate security audit log (SM20) automatically and possibly send a message to SAP Inbox or generate a spool request? Release is 4.6C.
    Regards
    Nirmal

    > May be this is a repeat question for this forum. Apologize, if it is.
    You don't need to apologize. You only need to do a very simple search...
    > Total Questions:  18 (16 unresolved) 
    Perhaps 16 of those 18 questions you have not followed up on could have been spared as well?
    Please do the needfull.
    Cheers,
    Julius

  • "logon time" between USR41 and security audit log

    Dear colleagues,
    I got a following question from customer for security audit reason.
    > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
    > logon history of Security Audit Log(Tr-cd:SM20)?
    Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
    And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
    at the time when user logged on, the security audit log is recorded .
    I tried to check SAP GUI logon program:SAPMSYST several ways, however,
    I could not check it because the program is protected even for read access.
    I want to know about specification of "logon time" between USR41 and security audit log,
    or about how to look into the program:SAPMSYST and debug it.
    Thank you.
    Best Regards.

    Hi,
    If you configure Security Audit you can achieve your goals...
    1-Audit the employees how access the screens, tables, data...etc
    Answer : Option 1 & 3
    2-Audit all changes by all users to the data
    Answer : Option 1 & 3
    3-Keep the data up to one month
    Answer: No such settings, but you can define maximum log size.
    4-Log retention period can be defined.
    Answer: No !.. but you can define maximum log size.
    SM19/SM20 Options:
    1-Dialog logon
    You can check how many users logged in and at what time
    2-RFC login/call
    Same as above you can check RFC logins
    3-Transaction/report start
    You can see which report or transaction are executed and at what time
    (It will help you to analyise unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
    4-User master change
    (You can see user master changes log with this option)
    5-System/Other events
    (System error can be logged using this option)
    Hope, it clear the things...
    Regards.
    Rajesh Narkhede

Maybe you are looking for